 
hmdrnj98
just joined
Topic Author
Posts: 3
Joined: Fri May 10, 2024 11:14 am

Can't find a way to connect to my server using wireguard

Fri May 10, 2024 11:38 am

Hello everyone,
I planned to set up an RB951 at my workplace so that I could connect a server to the router over Ethernet, other clients could use Ethernet and Wi-Fi locally, and remote users could connect to the network over a WireGuard VPN and access the server.

I used the documentation at https://help.mikrotik.com/docs/display/ ... figuration for the local connections and it simply works,
and used https://help.mikrotik.com/docs/display/ROS/WireGuard to access the network over the internet, but I can't connect to the server.

Here is my router config:
# 2024-05-10 12:04:49 by RouterOS 7.12.1
# software id = 514M-UAVZ
#
# model = RB951Ui-2HnD
# serial number = **
/interface bridge
add name=local
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=myProfile \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=iran disabled=no distance=indoors mode=ap-bridge security-profile=\
    myProfile ssid=*** wireless-protocol=802.11
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local name=dhcp1
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=wlan1
/interface wireguard peers
add allowed-address=192.168.100.2/24 interface=wireguard1 public-key=\
    ***
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP(ping)" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow winbox" in-interface=ether1 port=\
    8291 protocol=tcp
add action=accept chain=input comment="allow rdp connection" in-interface=\
    ether1 port=3389 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat in-interface=ether1 port=3389 protocol=tcp \
    to-addresses=192.168.88.254
/system clock
set time-zone-name=Asia/Tehran
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
Last edited by BartoszP on Fri May 10, 2024 11:42 am, edited 1 time in total.
Reason: serial remove
 
anav
Forum Guru
Posts: 19916
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't find a way to connect to my server using wireguard

Fri May 10, 2024 6:45 pm

Do you have a public IPv4 address, or do you have an upstream ISP router with a public IP address that can forward ports to your device?
 
hmdrnj98
just joined
Topic Author
Posts: 3
Joined: Fri May 10, 2024 11:14 am

Re: Can't find a way to connect to my server using wireguard

Fri May 10, 2024 6:48 pm

I have a public IP and have already set the MikroTik as a DMZ on my router.
 
rplant
Member
Posts: 358
Joined: Fri Sep 29, 2017 11:42 am

Re: Can't find a way to connect to my server using wireguard

Sat May 11, 2024 7:38 am

Hi,

If you have set it up as the DMZ of your existing router, you should probably rethink your firewall rules completely, and quickly.
Go back to the factory default rules and add your changes.

You seem to have no block rules, so devices on the internet can presumably access the Mikrotik with no restraint.
There is no default block rule at the end, you need to add one manually.

Wireguard:
Monitoring the packet counters on the UDP 13231 firewall rule is useful to see if they are getting in at all.
You can add a passthrough firewall rule on the output chain for UDP port 13231 to monitor any outbound WG traffic (with logging when needed).

If they are coming in, you can then look at the rx/tx counters and last handshake time on the MikroTik and your remote client to see if it is getting in/out.
If there is a handshake and tx/rx, can you ping the MikroTik's WireGuard IP address from the remote client?

You need correct public keys at each end. (Often a cause of failure)
Similar time on devices at both ends. (Usually not a problem but...)

If WireGuard is working, you may need to add the IP address range of your server to your WireGuard client's allowed IP addresses.
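To make the two firewall points in this reply concrete, here is an added example (my own Python, not code from the thread or from MikroTik) that parses the "/ip firewall filter" section of a RouterOS export the way it is written (one "add key=value ..." rule per line, long rules wrapped with a trailing backslash) and reports an input chain that has no unconditional terminal drop, and management ports accepted on the WAN interface. The "as posted" export inside it is a constructed copy of the input-chain rules from the opening post; the hardened variant, the choice of ether1 as the WAN, the management port list and the interface list named LAN are assumptions.

```python
"""Audit the input chain of a RouterOS '/ip firewall filter' export.

Added example, not code from the thread or from MikroTik. RouterOS exports
write one rule per 'add key=value ...' line and wrap long rules with a trailing
backslash; the parser undoes that and splits the pairs. The audit reports the
two points made above: an input chain with no unconditional terminal drop, and
management ports accepted from the WAN interface.
"""
from __future__ import annotations

import re
import shlex

# Assumption: ether1 (the DHCP-client port in the posted config) is the WAN.
WAN_INTERFACE = "ether1"
# Assumed management ports: Winbox, SSH, Telnet, WWW/WWW-SSL, API/API-SSL, FTP.
MGMT_PORTS = {"8291", "22", "23", "80", "443", "8728", "8729", "21"}

# Constructed sample: the input-chain rules as posted at the top of the thread.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP(ping)" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow winbox" in-interface=ether1 port=\
    8291 protocol=tcp
add action=accept chain=input comment="allow rdp connection" in-interface=\
    ether1 port=3389 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""

# Constructed hardened variant (assumption: an interface list named LAN holds
# the bridge and the WireGuard interface): the terminal drop comes last and
# Winbox is no longer accepted from the WAN.
HARDENED_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment="accept ICMP(ping)" protocol=icmp
add action=accept chain=input comment="management from LAN and VPN only" \
    in-interface-list=LAN
add action=drop chain=input comment="drop everything else"
"""


def parse_section(export: str, section: str) -> list[dict[str, str]]:
    """Return the 'add' rules under one section as {key: value} dicts."""
    joined = re.sub(r"\\\n\s*", "", export)  # undo backslash line continuations
    rules: list[dict[str, str]] = []
    current = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current == section and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):  # shlex keeps quoted comments whole
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


# Matchers that make a drop conditional; an unconditional terminal drop has none.
NARROWING = {"src-address", "dst-address", "in-interface", "in-interface-list",
             "protocol", "port", "dst-port", "src-port", "connection-state"}


def audit_input_chain(rules: list[dict[str, str]], wan: str = WAN_INTERFACE) -> list[str]:
    """Return findings for the input chain (an empty list means no findings)."""
    chain = [r for r in rules if r.get("chain") == "input"]
    findings = []
    last = chain[-1] if chain else {}
    if last.get("action") != "drop" or NARROWING & last.keys():
        findings.append("input chain has no unconditional terminal drop: "
                        "anything not matched above is accepted by default")
    for r in chain:
        ports = set((r.get("dst-port") or r.get("port") or "").split(","))
        exposed = ports & MGMT_PORTS
        if r.get("action") == "accept" and r.get("in-interface") == wan and exposed:
            findings.append(f"management port(s) {sorted(exposed)} accepted from "
                            f"WAN {wan} (comment {r.get('comment', '')!r})")
    return findings


def run() -> dict[str, list[str]]:
    """Audit both exports; the posted one should fail, the hardened one pass."""
    return {name: audit_input_chain(parse_section(text, "/ip firewall filter"))
            for name, text in (("as posted", SAMPLE_EXPORT), ("hardened", HARDENED_EXPORT))}


if __name__ == "__main__":
    for name, findings in run().items():
        print(f"{name}: {findings or 'no findings'}")
```

The check is deliberately strict about the last rule: a drop narrowed by any matcher (say, in-interface=ether1) still leaves the other interfaces open, so only a bare "action=drop chain=input" at the end counts. Run it against a real "/export" of your own router and extend MGMT_PORTS to whatever services you have enabled under /ip service.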
 
hmdrnj98
just joined
Topic Author
Posts: 3
Joined: Fri May 10, 2024 11:14 am

Re: Can't find a way to connect to my server using wireguard

Sat May 11, 2024 8:57 am

Thanks for your concern rplant <3

I can ping the MikroTik IP, the handshake timer changes when I try the connection, and the tx/rx counters are changing too, but I can't ping the server on the other range.
 
rplant
Member
Posts: 358
Joined: Fri Sep 29, 2017 11:42 am

Re: Can't find a way to connect to my server using wireguard

Sat May 11, 2024 2:27 pm

If your server is on the 192.168.88.0/24 range

Try to ping 192.168.88.1 from your wireguard client.
If this doesn't work, 192.168.88.0/24 likely needs to be added to your wireguard client configuration.

When this is working, try to ping your server from your wireguard client.

If this doesn't work:

Try to ping your server from the mikrotik but using the Mikrotik's wireguard address.

ping address=your-server-ip src-address=192.168.100.1

If this does not work, you may need to adjust firewall rules on the server.
Or apply some source NAT onto the 192.168.88.0/24 range:

/ip firewall nat
add action=masquerade src-address=192.168.100.0/24 chain=srcnat out-interface=local

Can you now ping the server using the MikroTik's WireGuard address?

ping address=your-server-ip src-address=192.168.100.1

Then try from your wireguard client.

If your server is on the WAN interface's IP:
Make sure you can ping the MikroTik's ether1 IP address from the WireGuard client.

The rest is similar to the above (except you already have a NAT rule).
 
rplant
Member
Posts: 358
Joined: Fri Sep 29, 2017 11:42 am

Re: Can't find a way to connect to my server using wireguard

Sun May 12, 2024 2:23 am

Note:
If your client is a Mikrotik or other router, you will likely need to add some static routes into it.
Ordinary clients will automatically set up routes from the allowed ip settings.
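The ping-by-stages procedure in the previous reply and the note above about routes both come down to WireGuard's cryptokey routing rule, applied in both directions. As an added example, not code from the thread or from WireGuard, this Python model applies that rule to the thread's tunnel: outbound, a packet is sent to the peer whose AllowedIPs (RouterOS allowed-address) has the longest match for the destination, otherwise it never enters the tunnel; inbound, a decrypted packet is kept only if its source lies inside the sending peer's AllowedIPs. It also lists the routes an ordinary client derives from AllowedIPs, which a RouterOS client has to add by hand. The interface names rb951 and roadwarrior, the LAN 192.168.77.0/24 behind the remote end for the site-to-site case, and 192.168.88.254 as the server are assumptions.

```python
"""Model WireGuard's cryptokey routing for the tunnel discussed in the thread.

Added example, not code from the thread or from WireGuard. Each peer carries an
AllowedIPs list (RouterOS: allowed-address). Outbound, a packet goes to the peer
whose AllowedIPs holds the longest prefix for the destination, or nowhere.
Inbound, a decrypted packet is kept only if its source lies inside the sending
peer's AllowedIPs. Ordinary clients also install a route for every AllowedIPs
prefix; a RouterOS client does not, so those routes are listed for adding by hand.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass
class Peer:
    name: str
    allowed_ips: list[IPv4Network]   # RouterOS allowed-address=...


@dataclass
class WgInterface:
    name: str
    peers: list[Peer]

    def select_peer(self, dst: str) -> Peer | None:
        """Outbound cryptokey routing: longest matching AllowedIPs prefix wins."""
        best, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed_ips:
                if ip_address(dst) in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        return best

    def accept_inbound(self, peer: Peer, src: str) -> bool:
        """Inbound cryptokey routing: the source must be inside the peer's AllowedIPs."""
        return any(ip_address(src) in net for net in peer.allowed_ips)

    def peer_named(self, name: str) -> Peer:
        return next(p for p in self.peers if p.name == name)


def routes_from_allowed_ips(iface: WgInterface) -> list[str]:
    """Routes an ordinary client installs automatically; on RouterOS these are
    the /ip route entries to add by hand with the WireGuard interface as gateway."""
    return sorted(f"{net} via {iface.name}" for p in iface.peers for net in p.allowed_ips)


def trace(client: WgInterface, server: WgInterface, src: str, dst: str) -> str:
    """Follow one packet from the client side to the server side and its reply
    back; return where it is dropped, or 'delivered'."""
    to_server = client.select_peer(dst)
    if to_server is None:
        return f"dropped at client: {dst} is in no AllowedIPs, so no route into the tunnel"
    from_client = server.peer_named(client.name)
    if not server.accept_inbound(from_client, src):
        return f"dropped at server: source {src} is not in {from_client.name}'s allowed-address"
    if server.select_peer(src) is not from_client:
        return f"reply dropped at server: {src} is routed to another peer"
    if not client.accept_inbound(to_server, dst):
        return f"reply dropped at client: source {dst} is not in {to_server.name}'s AllowedIPs"
    return "delivered"


# Assumed names: the RB951 end is 'rb951' (192.168.100.1, LAN 192.168.88.0/24),
# the remote end is 'roadwarrior' (192.168.100.2). 192.168.77.0/24 is an assumed
# LAN behind the remote end for the site-to-site case.
SERVER_LAN_HOST = "192.168.88.254"   # the dst-nat target in the posted config


def build(client_allowed: list[str], server_allowed: list[str]) -> tuple[WgInterface, WgInterface]:
    client = WgInterface("roadwarrior", [Peer("rb951", [ip_network(c) for c in client_allowed])])
    server = WgInterface("rb951", [Peer("roadwarrior", [ip_network(c) for c in server_allowed])])
    return client, server


def scenarios() -> dict[str, str]:
    """Constructed cases: the thread's symptom, its fix, and the site-to-site variant."""
    out: dict[str, str] = {}
    c, s = build(["192.168.100.0/24"], ["192.168.100.2/32"])
    out["client AllowedIPs = tunnel net only"] = trace(c, s, "192.168.100.2", SERVER_LAN_HOST)
    c, s = build(["192.168.100.1/32", "192.168.88.0/24"], ["192.168.100.2/32"])
    out["client AllowedIPs includes 192.168.88.0/24"] = trace(c, s, "192.168.100.2", SERVER_LAN_HOST)
    out["client routes"] = ", ".join(routes_from_allowed_ips(c))
    out["site-to-site, server lacks 192.168.77.0/24"] = trace(c, s, "192.168.77.10", SERVER_LAN_HOST)
    c, s = build(["192.168.100.1/32", "192.168.88.0/24"], ["192.168.100.2/32", "192.168.77.0/24"])
    out["site-to-site, server has 192.168.77.0/24"] = trace(c, s, "192.168.77.10", SERVER_LAN_HOST)
    out["server routes"] = ", ".join(routes_from_allowed_ips(s))
    return out


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case}: {verdict}")
```

The first case is the symptom in this thread: a handshake and moving rx/tx counters, the tunnel address pingable, but the LAN host unreachable because the client never puts 192.168.88.0/24 into the tunnel. The site-to-site cases show the other direction, which the firewall never sees: a source the server's allowed-address does not cover is discarded silently after decryption.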
 
Blancatel
just joined
Posts: 3
Joined: Fri May 10, 2024 2:18 pm

Re: Can't find a way to connect to my server using wireguard

Mon May 13, 2024 6:59 pm

Template, for example:
___________________________________________________

ROUTER 1 - SERVER
__________________________________________________
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-server

/interface wireguard peers
add allowed-address=100.100.100.2/32,192.168.88.0/24 comment=ROUTER2-CLIENT \
    interface=wireguard-server persistent-keepalive=30s public-key=\
    "PutHereYourKey"

/ip address
add address=100.100.100.1/24 interface=wireguard-server network=100.100.100.0

/ip firewall filter
add action=accept chain=input comment="Port Wireguard Server" dst-port=\
    13231 protocol=udp

/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=100.100.100.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
___________________________________________________

ROUTER 2 - CLIENT
___________________________________________________
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-client

/interface wireguard peers
add allowed-address=100.100.100.1/32,192.168.77.0/24 endpoint-address=\
    name_cloud_mikrotik.sn.mynetname.net endpoint-port=13231 interface=\
    wireguard-client persistent-keepalive=30s public-key=\
    "PutHereYourKey"

/ip address
add address=100.100.100.2/24 interface=wireguard-client network=100.100.100.0

/ip route
add disabled=no dst-address=192.168.77.0/24 gateway=100.100.100.1 routing-table=\
    main suppress-hw-offload=no

In the code:
1. Replace name_cloud_mikrotik.sn.mynetname.net with the public WAN IP of the MikroTik server router.
2. Change the public-key in Router 1 (server) and Router 2 (client).

On YouTube (in Spanish, but it follows these steps):
https://www.youtube.com/watch?v=--p_Qiv_ctA
https://www.youtube.com/watch?v=zSmfk0qUXo8

Greetings.
 
anav
Forum Guru
Posts: 19916
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Can't find a way to connect to my server using wireguard

Mon May 13, 2024 10:08 pm

@Blancatel... Don't agree....

More like:
SERVER

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-server

/interface wireguard peers
add allowed-address=100.100.100.2/32,192.168.88.0/24 comment=ROUTER2-CLIENT \
    interface=wireguard-server public-key="PutHereYourKey"
(no keepalive required on the server for the handshake!!)


/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wireguard-server \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10


CLIENT


/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-client


/interface wireguard peers
add allowed-address=100.100.100.0/24,192.168.77.0/24 endpoint-address=\
name_cloud_mikrotik.sn.mynetname.net endpoint-port=13231 interface=\
wireguard-client persistent-keepalive=30s public-key=\
"PutHereYourKey"


/ip route
add disabled=no dst-address=192.168.77.0/24 gateway=wireguard-client routing-table=\
main suppress-hw-offload=no
