Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Cant get Wireguard client to work

Sat Nov 09, 2024 3:36 pm

Hello everyone.
My router has a DHCP WAN connection and one ether port with a client. All I want to do is route all traffic to the VPN.

I tried multiple guides from about a dozen similar questions but can't make all my traffic route through the WireGuard tunnel: it either shows my real IP or has no internet access at all.

Please advise what I am doing wrong.
# 2024-11-09 16:27:51 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=_SERVER-IP_ endpoint-port=\
    51820 interface=wireguard1 name=peer1 persistent-keepalive=25s \
    preshared-key="key" private-key=\
    "key=" public-key=\
    "key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.7.0.2/24 comment=wg interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=192.168.188.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=input in-interface=!bridge1
add action=accept chain=forward in-interface=bridge1 src-address=\
    192.168.188.0/24
add action=accept chain=input in-interface=bridge1 src-address=\
    192.168.188.0/24
add action=drop chain=forward in-interface=!bridge1
add action=accept chain=input comment="WG HANDSHAKE" dst-port=13231 protocol=\
    udp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rtab-wg \
    passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard1
add action=masquerade chain=srcnat out-interface=ether1
/ip nat-pmp
set enabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard1 routing-table=rtab-wg scope=30 suppress-hw-offload=no \
    target-scope=10
/ip upnp
set enabled=yes
/routing rule
add action=lookup-only-in-table disabled=no routing-mark=rtab-wg table=\
    rtab-wg
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no

 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 3:41 pm

What are you connecting to?
a. a third-party server?
b. another MT router?

You don't need to BOTH mangle and use routing rules...... one or the other.
Assuming that you have selected the default route in IP DHCP client?
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 4:14 pm

What are you connecting to?
a. a third-party server?
b. another MT router?

You don't need to BOTH mangle and use routing rules...... one or the other.
Assuming that you have selected the default route in IP DHCP client?
I'm connecting to a private server. I've got another router (Unifi) which uses the same config without trouble; I'm mentioning this as proof that the server itself is working.
I tried mangle without a routing rule first: no luck. Now I tried only the routing rule: it shows my real IP.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 4:22 pm

Assuming that you have selected the default route in IP DHCP client?
Not quite sure. How do I check this? I don't see such an option in the DHCP client menu.
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 4:37 pm

The reason I state this is because your router FIRST has to establish the tunnel with the other end............. then wireguard traffic can flow.
If there is no route, then the tunnel will never happen.........
Since you are getting internet locally it must exist..
...
Screenshot 2024-11-09 103534.png
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 4:39 pm

1. RRules
a. disable all mangles
b. change routing rules to the following

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main comment="permits local traffic"
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 4:48 pm

The reason I state this is because your router FIRST has to establish the tunnel with the other end............. then wireguard traffic can flow.
If there is no route, then the tunnel will never happen.........
Since you are getting internet locally it must exist..
...

Screenshot 2024-11-09 103534.png
Yep, my DHCP config looks the same.
1. RRules
a. disable all mangles
b. change routing rules to the following

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main comment="permits local traffic"
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg
Done, internet's gone.
Ping from the PC says 192.168.188.1 (router) is unreachable or Request timed out, 50/50.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 5:49 pm

It now seems like a problem with WG. Last handshake shows 0:00:00.

Also, the route 0.0.0.0/0 to wireguard1 has Unreachable status.
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Sat Nov 09, 2024 8:11 pm

Very strange indeed.
So you confirm the following
a. ip dhcp client has default route=yes?
b. with RRules disabled and mangle disabled you go out the local internet (local WAN) no problem?
c. while testing b, please attempt to ping the remote address you have entered in 1 below !!!

Assuming yes to these then we have to assume there is a problem with wireguard settings next.

LOCAL MT

/ip wireguard peer settings
1 - is the endpoint address correct to reach the other side?
2 - is the endpoint port correctly assigned ( matches listening port on other end )
3 - is the public key generated by the other side correctly copied to the MT device

OTHER END
4 - Does the listening port match the entry in the peer settings found in 2 above.
5 - Does the device have an input chain 'like' rule to allow incoming wireguard traffic
6 - is the public key generated by the MT device (when creating the tunnel initially) correctly copied to this device
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Mon Nov 11, 2024 7:17 pm

Very strange indeed.
So you confirm the following
a. ip dhcp client has default route=yes?
b. with RRules disabled and mangle disabled you go out the local internet (local WAN) no problem?
c. while testing b, please attempt to ping the remote address you have entered in 1 below !!!

Assuming yes to these then we have to assume there is a problem with wireguard settings next.

LOCAL MT

/ip wireguard peer settings
1 - is the endpoint address correct to reach the other side?
2 - is the endpoint port correctly assigned ( matches listening port on other end )
3 - is the public key generated by the other side correctly copied to the MT device

OTHER END
4 - Does the listening port match the entry in the peer settings found in 2 above.
5 - Does the device have an input chain 'like' rule to allow incoming wireguard traffic
6 - is the public key generated by the MT device (when creating the tunnel initially) correctly copied to this device
Yes, I do confirm:
a. ip dhcp client has default route=yes - YES
b. with RRules disabled and mangle disabled you go out the local internet (local WAN) no problem? - YES
c. while testing b, please attempt to ping the remote address you have entered in 1 below !!! Yes, I can ping the WG server IP from the MT and can't ping it from the local machine.

1 - is the endpoint address correct to reach the other side? Yes
2 - is the endpoint port correctly assigned ( matches listening port on other end ) Yes
3 - is the public key generated by the other side correctly copied to the MT device Yes. In case I mess up a key, I get an error in the UI saying that the key is invalid.

4 - Does the listening port match the entry in the peer settings found in 2 above. Yes, the same settings work on the other device.
5 - Does the device have an input chain 'like' rule to allow incoming wireguard traffic Yes
6 - is the public key generated by the MT device (when creating the tunnel initially) correctly copied to this device Yes

I checked and double-checked everything, recreated the WG profiles and rules. Here is my current config:
# 2024-11-11 20:09:12 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 endpoint-address=_IP_ \
    endpoint-port=51820 interface=wireguard1 name=peer3 persistent-keepalive=\
    25s preshared-key="KEY" \
    public-key="KEY"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.7.0.2/24 comment=wg interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=192.168.188.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="WG HANDSHAKE" dst-port=13231 protocol=\
    udp
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=input in-interface=!bridge1
add action=accept chain=forward in-interface=bridge1 src-address=\
    192.168.188.0/24
add action=accept chain=input in-interface=bridge1 src-address=\
    192.168.188.0/24
add action=drop chain=forward in-interface=!bridge1
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard1
/ip nat-pmp
set enabled=yes
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard1 routing-table=rtab-wg scope=30 suppress-hw-offload=no \
    target-scope=10
/ip upnp
set enabled=yes
/routing rule
add action=lookup-only-in-table comment="permites local traffic" disabled=no \
    min-prefix=0 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no

 
jaclaz
Forum Guru
Posts: 1888
Joined: Tue Oct 03, 2023 4:21 pm

Re: Cant get Wireguard client to work

Mon Nov 11, 2024 8:11 pm

Should not be related, but:
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN

wireguard1 should be WAN conceptually.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Mon Nov 11, 2024 9:14 pm

Should not be related, but:
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN

wireguard1 should be WAN conceptually.
Thanks, changed that. No luck.

What concerns me is the status of the WG connection:
Rx: 0 B
Last handshake: 0:00:00
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Mon Nov 11, 2024 9:54 pm

Should not be related, but:
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN

wireguard1 should be WAN conceptually.
The concept is.......... to be clear, that the traffic from the router has to have one SOURCE IP to a third-party server ............ that way the third-party server does not have to anticipate and handle incoming traffic that is not the prescribed wireguard IP of the source. Critical in third-party Wireguard VPN servers that provide a single IP. A private server under one's control does not require this move, unless it helps simplify matters. How is this accomplished?
EASY
By the OP's current rule.
add action=masquerade chain=srcnat out-interface=wireguard1

The main reason you sometimes see the wg interface added to the WAN is to ACHIEVE the same effect, since the default sourcenat rule is
add chain=srcnat action=masquerade out-interface-list=WAN

Hence if you make the wg interface part of the WAN interface list, the same effect of one wg IP arriving at the destination is the result.
The reason this is done for third-party servers, preferentially over the method used by the OP, is because there is no return traffic!!!

However, he is connecting to a private server and thus there may well be traffic BACK to this router, probably the admin via the SERVER to configure this router, or to access subnets, or perhaps even to access the internet, and thus the LAN interface list is actually a more logical choice.
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Mon Nov 11, 2024 9:58 pm

Dont see anything obvious yet.

1. Change this to LAN
/ip neighbor discovery-settings
set discover-interface-list=all

/ip neighbor discovery-settings
set discover-interface-list=LAN


2. POSSIBLE ISSUE look at this config
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 endpoint-address=_IP_ \
endpoint-port=51820 interface=wireguard1 name=peer3 persistent-keepalive=\
25s preshared-key="KEY" public-key="KEY"


Change to
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=_IP_ \
endpoint-port=51820 interface=wireguard1 name=peer3 persistent-keepalive=\
25s preshared-key="KEY" public-key="KEY"


3. You can remove this rule in the input chain, wireguard traffic for handshake is outbound TO server, not inbound!!!
add action=accept chain=input comment="WG HANDSHAKE" dst-port=13231 protocol=udp

4. Not a fan of your firewall rules, but I will just reorder them for easy reading and add one rule.

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { ensure you put this rule last }
++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=bridge1 src-address=\
192.168.188.0/24
add action=accept chain=input in-interface=bridge1 src-address=\
192.168.188.0/24
add action=drop chain=forward in-interface=!bridge1

add action=accept chain=forward comment="local internet access" in-interface-list=LAN out-interface-list=WAN { set disabled=yes if you DON'T want users going out the local WAN }
add action=accept chain=forward comment="wireguard access" src-address=192.168.188.0/24 out-interface=wireguard1
add action=drop chain=forward comment="drop all else"


DISCUSSION:
The rule in orange is removed as it's a duplicate, and obvious when you have rules ordered properly:
add action=drop chain=input in-interface=!bridge1
add action=accept chain=input in-interface=bridge1 src-address=\
192.168.188.0/24


The second rule is not needed as you are already allowing it by the first rule. The first rule states: block any traffic TO the router except bridge1 traffic.
Since the subnet address is the bridge address, it's rather silly.

The normal way to do this, is the following (clear, concise)
add action=accept chain=input in-interface-list=LAN
and then after that is in place put
add action=drop chain=input comment="drop all else"

Now in the forward chain I see what you have done, wide open rules.......again, no need.
There are not other subnets on the router and they only need to be allowed to wireguard if pushed out that way.
The rules in place are not that clear and are very non-standard (but not wrong).
add action=accept chain=forward in-interface=bridge1 src-address=\
192.168.188.0/24
add action=accept chain=input in-interface=bridge1 src-address=\
192.168.188.0/24
add action=drop chain=forward in-interface=!bridge1


BETTER imho.
add action=accept chain=forward comment="local internet access" in-interface-list=LAN out-interface-list=WAN disabled=yes { assuming no local WAN allowed }
add action=accept chain=forward comment="wireguard access" src-address=192.168.188.0/24 out-interface=wireguard1
add action=drop chain=forward comment="drop all else"


5. What is the purpose of this rule????
Perhaps disable it for testing purposes? Not sure if it works through wg ??
/ip nat-pmp
set enabled=yes


6. Same with this rule: purpose? Not sure it will work through wg >> disable for now
/ip upnp
set enabled=yes
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Tue Nov 12, 2024 9:55 am

Dont see anything obvious yet.

1. Change this to LAN
/ip neighbor discovery-settings
set discover-interface-list=all

/ip neighbor discovery-settings
set discover-interface-list=LAN


2. POSSIBLE ISSUE look at this config
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 endpoint-address=_IP_ \
endpoint-port=51820 interface=wireguard1 name=peer3 persistent-keepalive=\
25s preshared-key="KEY" public-key="KEY"


Change to
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=_IP_ \
endpoint-port=51820 interface=wireguard1 name=peer3 persistent-keepalive=\
25s preshared-key="KEY" public-key="KEY"


3. You can remove this rule in the input chain, wireguard traffic for handshake is outbound TO server, not inbound!!!
add action=accept chain=input comment="WG HANDSHAKE" dst-port=13231 protocol=udp

4. Not a fan of your firewall rules, but I will just reorder them for easy reading and add one rule.

/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else" { ensure you put this rule last }
++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=bridge1 src-address=\
192.168.188.0/24
add action=accept chain=input in-interface=bridge1 src-address=\
192.168.188.0/24
add action=drop chain=forward in-interface=!bridge1

add action=accept chain=forward comment="local internet access" in-interface-list=LAN out-interface-list=WAN { set disabled=yes if you DON'T want users going out the local WAN }
add action=accept chain=forward comment="wireguard access" src-address=192.168.188.0/24 out-interface=wireguard1
add action=drop chain=forward comment="drop all else"


DISCUSSION:
The rule in orange is removed as it's a duplicate, and obvious when you have rules ordered properly:
add action=drop chain=input in-interface=!bridge1
add action=accept chain=input in-interface=bridge1 src-address=\
192.168.188.0/24


The second rule is not needed as you are already allowing it by the first rule. The first rule states: block any traffic TO the router except bridge1 traffic.
Since the subnet address is the bridge address, it's rather silly.

The normal way to do this, is the following (clear, concise)
add action=accept chain=input in-interface-list=LAN
and then after that is in place put
add action=drop chain=input comment="drop all else"

Now in the forward chain I see what you have done, wide open rules.......again, no need.
There are not other subnets on the router and they only need to be allowed to wireguard if pushed out that way.
The rules in place are not that clear and are very non-standard (but not wrong).
add action=accept chain=forward in-interface=bridge1 src-address=\
192.168.188.0/24
add action=accept chain=input in-interface=bridge1 src-address=\
192.168.188.0/24
add action=drop chain=forward in-interface=!bridge1


BETTER imho.
add action=accept chain=forward comment="local internet access" in-interface-list=LAN out-interface-list=WAN disabled=yes { assuming no local WAN allowed }
add action=accept chain=forward comment="wireguard access" src-address=192.168.188.0/24 out-interface=wireguard1
add action=drop chain=forward comment="drop all else"


5. What is the purpose of this rule????
Perhaps disable it for testing purposes? Not sure if it works through wg ??
/ip nat-pmp
set enabled=yes


6. Same with this rule: purpose? Not sure it will work through wg >> disable for now
/ip upnp
set enabled=yes
Anav, thanks so much for your help. I followed your guidelines and changed everything as you suggested. Btw, my firewall rules are mostly from other similar posts, so I don't mind changing any and all of them :)

Current status: no connection to WAN or WG from the local machine; the router still pings the remote server easily.
Here's the updated cfg:
# 2024-11-12 10:51:39 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=ip endpoint-port=\
    51820 interface=wireguard1 name=peer3 persistent-keepalive=25s \
    preshared-key="key" public-key=\
    "key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.7.0.2/24 comment=wg interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=192.168.188.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="wireguard access" out-interface=\
    wireguard1 src-address=192.168.88.0/24
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward disabled=yes in-interface=bridge1 \
    src-address=192.168.188.0/24
add action=accept chain=input disabled=yes in-interface=bridge1 src-address=\
    192.168.188.0/24
add action=drop chain=forward disabled=yes in-interface=!bridge1
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard1 routing-table=rtab-wg scope=30 suppress-hw-offload=no \
    target-scope=10
/routing rule
add action=lookup-only-in-table comment="permites local traffic" disabled=no \
    min-prefix=0 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no

 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Tue Nov 12, 2024 5:09 pm

I suspect an issue with DNS and so let's try some things........ before I get there, some more work is required on the firewall rules.

1. You need access as admin to the router, so we need to add that to the input chain rules.
To do this, the easiest method is to identify the admin's devices on the network, wired and wifi.
Go to DHCP leases and make those devices' leases STATIC/fixed.
We should also add any of your devices using wireguard when remote and away from the router (laptop/iphone etc.).

/ip firewall address-list
add address=192.168.188.X list=AUTHORIZED comment="local admin desktop"
add address=192.168.188.Y list=AUTHORIZED comment="local admin wifi"
add address=10.7.0.Z list=AUTHORIZED comment="remote admin laptop/smartphone"


and then add the rule to your input chain.............. not sure how you access it now, as according to the rules there should be no access LOL
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
add action=drop chain=input


2. FORWARD CHAIN: you have the first rule out of place; it needs to be properly placed in order, and get rid of the useless rules (NOISE) rather than disabling them.

add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward comment="users to wg" src-address=192.168.188.0/24 out-interface=wireguard1
add action=drop chain=forward comment="drop all else"


We might not even need the rule to allow the LAN subnet out wireguard, because we have the rule above allowing LAN to WAN interfaces,
and since WG is part of the WAN interface list, it is already allowed to hit the wireguard interface.................
Once we have it up and running we can add a log rule to the second rule and, if no hits, confirm our logic and then remove the presumably extra rule.

3. MODIFY IP DNS TO ( remove remote requests ) ALSO find out what DNS servers are in use at the private server !!!
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1


4. MODIFY /ip DHCP network server
FROM:
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=192.168.188.1 gateway=192.168.188.1


TO:
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.7.0.1 gateway=192.168.188.1
 
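As an added check (example code written for this thread, not the OP's config and not any RouterOS tool), the Python script below parses a RouterOS 7 /export and flags the pitfalls raised across the posts above: mangle mark-routing and routing rules both active, a VPN-table routing rule with no preceding min-prefix=0 main-table rule, the WireGuard interface in the LAN list, ::/0 in allowed-address while IPv6 is disabled, and a firewall src-address outside any local subnet (the 192.168.88.0/24 vs 192.168.188.0/24 slip). The two exports it checks are constructed samples with a documentation endpoint address and placeholder keys.

```python
"""Lint a RouterOS 7 /export for the WireGuard policy-routing pitfalls in this thread.
Added example (not RouterOS tooling, not the OP's device); the exports are constructed."""
import ipaddress
import re

BROKEN_EXPORT = r"""
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 endpoint-address=203.0.113.10 \
    endpoint-port=51820 interface=wireguard1 name=peer3 public-key="KEY"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.7.0.2/24 comment=wg interface=wireguard1 network=10.7.0.0
/ip firewall filter
add action=accept chain=forward comment="wireguard access" out-interface=\
    wireguard1 src-address=192.168.88.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=rtab-wg \
    passthrough=no src-address=192.168.188.2-192.168.188.255
/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
"""

# The same export with the fixes suggested in the thread applied.
FIXED_EXPORT = (
    BROKEN_EXPORT
    .replace("add interface=wireguard1 list=LAN", "add interface=wireguard1 list=WAN")
    .replace("::/0,0.0.0.0/0", "0.0.0.0/0")
    .replace("192.168.88.0/24", "192.168.188.0/24")
    .replace("chain=prerouting ", "chain=prerouting disabled=yes ")
    .replace("/routing rule\n",
             "/routing rule\nadd action=lookup-only-in-table min-prefix=0 table=main\n")
)

KV = re.compile(r'(\S+?)=("([^"]*)"|\S*)')   # key=value or key="quoted value"


def parse_export(text):
    """Group an export into {section path: [entry dicts]}, joining backslash continuations."""
    text = re.sub(r"\\\n\s*", "", text)        # the export keeps the space before the backslash
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        entry = {"_cmd": line.split(" ", 1)[0]}
        for m in KV.finditer(line):
            entry[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        sections[current].append(entry)
    return sections


def lint(text):
    """Return sorted finding codes; an empty list means none of the known pitfalls apply."""
    s = parse_export(text)

    def active(section):
        return [e for e in s.get(section, []) if e.get("disabled") != "yes"]

    found = set()
    wg_ifaces = {e.get("name") for e in s.get("/interface wireguard", [])}
    rules = active("/routing rule")
    marks = [e for e in active("/ip firewall mangle") if e.get("action") == "mark-routing"]
    if rules and marks:                         # mangle OR routing rules, not both
        found.add("MANGLE_AND_RULES")
    for i, r in enumerate(rules):               # a VPN-table rule needs a main-table rule first
        if r.get("table") not in (None, "main") and not any(
                x.get("table") == "main" and x.get("min-prefix") == "0" for x in rules[:i]):
            found.add("NO_MAIN_RULE_FIRST")     # else LAN<->router lookups never see the main table
    if any(m.get("interface") in wg_ifaces and m.get("list") == "LAN"
           for m in active("/interface list member")):
        found.add("WG_IN_LAN_LIST")
    v6_off = any(e.get("disable-ipv6") == "yes" for e in s.get("/ipv6 settings", []))
    if v6_off and any("::/0" in p.get("allowed-address", "")
                      for p in active("/interface wireguard peers")):
        found.add("V6_ALLOWED_WITH_V6_OFF")
    local = [ipaddress.ip_interface(e["address"]).network
             for e in s.get("/ip address", []) if "address" in e]
    for f in active("/ip firewall filter"):     # catches the 192.168.88 vs 192.168.188 slip
        src = f.get("src-address", "")
        if "/" not in src:
            continue
        net = ipaddress.ip_network(src, strict=False)
        if not any(n.version == net.version and net.subnet_of(n) for n in local):
            found.add("SRC_NOT_LOCAL_SUBNET")
    return sorted(found)
```

Feed lint() the text of a /export; it returns the matching codes, and an empty list for a config with none of the thread's pitfalls.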
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Tue Nov 12, 2024 7:48 pm

I suspect an issue with DNS and so lets try some things........before I get there some more work required on firewall rules.

1. You need access as admin to the router so we need to add that to the input chain rules.
To do this the easiest method is to identify the admins devices on the network wired and wifi.]
Go to DHCP leases and make those devices leases STATIC/fixed.
We should also add any of your devices using wireguard when remote and away from the router (laptop/iphone etc..)

/ip firewall address-list
add address=192.168.188.X list=AUTHORIZED comment="local admin desktop"
add address=192.168.188.Y list=AUTHORIZED comment="local admin wifi"
add address=10.7.0.Z list=AUTHORIZED comment="remote admin laptop/smartphone"


and then add the rule to your input chain..............not sure how you access it now as according to the rules there should be no access LOL
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp

add action=accept chain=input comment="admin access" src-address-list=AUTHORIZED
add action=drop chain=input


2. FORWARD CHAIN: you have the first rule out of place; it needs to be properly placed in order. Also get rid of the useless rules (noise) instead of just disabling them.

add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward comment="users to wg" src-address=192.168.188.0/24 out-interface=wireguard1
add action=drop chain=forward comment="drop all else"


We might not even need the rule to allow the LAN subnet out wireguard, because we have the rule above that allows LAN to WAN interfaces,
and since WG is part of the WAN interface list, it is already allowed to hit the wireguard interface.................
Once we have it up and running we can add a log rule to the second rule and, if there are no hits, confirm our logic and then remove the presumably extra rule.

3. MODIFY IP DNS TO (remove remote requests). ALSO find out what DNS servers are in use at the private server!!!
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1


4. MODIFY /ip DHCP network server
FROM:
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=192.168.188.1 gateway=192.168.188.1


TO:
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.7.0.1 gateway=192.168.188.1
Okay, done. Doesn't work.
8.8.8.8 and 8.8.4.4 are the server's DNS.
And I access the router via MAC address; I didn't have a problem with it.
Also fixed one typo: add action=accept chain=forward comment="wireguard access" out-interface=\
wireguard1 src-address=192.168.188.0/24
I see a problem with this part:
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard1 routing-table=rtab-wg scope=30 suppress-hw-offload=no \
    target-scope=10
Its status is unreachable and inactive.

Updated config:
# 2024-11-12 19:25:57 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.5
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=ip endpoint-port=\
    51820 interface=wireguard1 name=peer3 persistent-keepalive=25s \
    preshared-key="key" public-key=\
    "key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.7.0.2/24 comment=wg interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.7.0.1 gateway=192.168.188.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.188.2 list=AUTHORIZED
add address=192.168.188.3 list=AUTHORIZED
add address=192.168.188.4 list=AUTHORIZED
add address=192.168.188.5 list=AUTHORIZED
add address=10.7.0.2 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=drop chain=input
add action=accept chain=forward comment="wireguard access" disabled=yes \
    out-interface=wireguard1 src-address=192.168.188.0/24
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="users to wg" out-interface=\
    wireguard1 src-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard1 routing-table=rtab-wg scope=30 suppress-hw-offload=no \
    target-scope=10
/routing rule
add action=lookup-only-in-table comment="permites local traffic" disabled=no \
    min-prefix=0 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no

 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Tue Nov 12, 2024 10:32 pm

At some point, Mikrotik has added the min-prefix parameter to routing rules, but the explanation in Mikrotik manual just refers to the name of the feature as used in general Linux, and references I could find are also not very verbose regarding "side effects" (putting that in quotes as those effects may actually be intended).

In your configuration, there is the following:

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg


What the first rule actually says is: if there is any route in table main that matches the destination address of the packet better than the default one, use that table for the packet. Otherwise, skip to the next rule. So the handshake packet the router itself sends to the address of the Wireguard server definitely will skip to the next rule. The next rule matches on src-address=192.168.188.0/24 so that handshake packet will skip it too as its address is the WAN one. And here comes the question - is routing table main still the default/fallback choice even though the first rule has already acted and its action was not just lookup (which permits fallback) but lookup-only-in-table? Before I can test that here, I suggest you add a third routing rule that says just action=lookup-only-in-table table=main (without min-prefix) and see whether that helps.
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Tue Nov 12, 2024 10:37 pm

Hi Sindy since order is specific, should it be.....
/routing rule
add action=lookup-only-in-table table=main
add action=lookup-only-in-table min-prefix=0 table=main disabled=yes { disabled as to test your thinking }
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Tue Nov 12, 2024 10:40 pm

No. When I say the new rule should be added as a third one, I mean it literally. The description before gives the reasons.
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Tue Nov 12, 2024 10:49 pm

Okay you mean.
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg
add action=lookup-only-in-table table=main


It would seem the widely understood interpretation of min-prefix is not that accurate.
I thought it was akin to a mangle rule
add action=accept chain=prerouting src-address=192.168.188.0/24 dst-traffic-type=local

Somehow, though, you are saying that the min-prefix rule is interfering with the ROUTER service attempting to initiate a handshake out the main WAN.

+++++++
@ Ramazzan Please try the routing rule fix above and see if you have success.

IF NOT then try this set of two routing rules
/routing rule
add action=lookup-only-in-table dst-address=192.168.188.0/24 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg


Easy way to do this in winbox is to choose the first rule and modify it so it looks like the first rule here.
Then just delete the last rule..... voila done.
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Wed Nov 13, 2024 9:34 pm

So I've made a test on 7.16.1 and no, the rule with action=lookup-only-in-table table=main min-prefix=0 does not remove the default routing table choice: if a packet whose destination address only matches the default route in main does not match the second rule, and thus doesn't get routed using another table, it ultimately does get routed using the default route in main, even if no further routing rules exist.

I did find a configuration issue, though - once you set the min-prefix value for a routing rule, you can remove it from the configuration using unset min-prefix or set !min-prefix, but internally it stays in place. To get rid of it, you have to remove the whole rule and recreate it.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Wed Nov 13, 2024 9:51 pm

Show must go on (c)
At some point, Mikrotik has added the min-prefix parameter to routing rules, but the explanation in Mikrotik manual just refers to the name of the feature as used in general Linux, and references I could find are also not very verbose regarding "side effects" (putting that in quotes as those effects may actually be intended).

In your configuration, there is the following:

/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg


What the first rule actually says is: if there is any route in table main that matches the destination address of the packet better than the default one, use that table for the packet. Otherwise, skip to the next rule. So the handshake packet the router itself sends to the address of the Wireguard server definitely will skip to the next rule. The next rule matches on src-address=192.168.188.0/24 so that handshake packet will skip it too as its address is the WAN one. And here comes the question - is routing table main still the default/fallback choice even though the first rule has already acted and its action was not just lookup (which permits fallback) but lookup-only-in-table? Before I can test that here, I suggest you add a third routing rule that says just action=lookup-only-in-table table=main (without min-prefix) and see whether that helps.

So first I tried Sindy's option and added a third rule to routing. No effect. I can ping the remote WG server from the router, but there is no internet or WG connection from the local machine.
Okay you mean.
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg
add action=lookup-only-in-table table=main


It would seem the widely understood interpretation of min-prefix is not that accurate.
I thought it was akin to a mangle rule
add action=accept chain=prerouting src-address=192.168.188.0/24 dst-traffic-type=local

Somehow, though, you are saying that the min-prefix rule is interfering with the ROUTER service attempting to initiate a handshake out the main WAN.

+++++++
@ Ramazzan Please try the routing rule fix above and see if you have success.

IF NOT then try this set of two routing rules
/routing rule
add action=lookup-only-in-table dst-address=192.168.188.0/24 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg


Easy way to do this in winbox is to choose the first rule and modify it so it looks like the first rule here.
Then just delete the last rule..... voila done.
After that I deleted the first rule (with min-prefix) completely and tried Anav's two-rule option. Same result.

Current config:
# 2024-11-13 22:46:32 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.5
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wireguard1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=ip endpoint-port=\
    51820 interface=wireguard1 name=peer3 persistent-keepalive=25s \
    preshared-key="key" public-key=\
    "key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=10.7.0.2/24 comment=wg interface=wireguard1 network=10.7.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.7.0.1 gateway=192.168.188.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.188.2 list=AUTHORIZED
add address=192.168.188.3 list=AUTHORIZED
add address=192.168.188.4 list=AUTHORIZED
add address=192.168.188.5 list=AUTHORIZED
add address=10.7.0.2 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=drop chain=input
add action=accept chain=forward comment="wireguard access" disabled=yes \
    out-interface=wireguard1 src-address=192.168.188.0/24
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="users to wg" out-interface=\
    wireguard1 src-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    wireguard1 routing-table=rtab-wg scope=30 suppress-hw-offload=no \
    target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.188.0/24 \
    table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no

P.S. I really appreciate your help and involvement guys!
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Fri Nov 15, 2024 11:09 pm

It's the check-gateway setting on the only manually configured route via wireguard1 that breaks things. There is no way to ping an interface, you can only ping an IP address. But apparently there is a bug in RouterOS that indeed makes the route inactive in this situation rather than ignoring this incompatible combination of settings, or at least showing a bold red warning about that.

So keep the mangle rule and the routing rules exactly as in the export above, and remove the check-gateway=ping setting from that route - either change it to none or remove that parameter completely, which should be the same thing but it isn't. Try again, report back.
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Sat Nov 16, 2024 4:51 am

Good pickup, missed that entirely :-((
 
nichky
Forum Guru
Posts: 1385
Joined: Tue Jun 23, 2015 2:35 pm

Re: Cant get Wireguard client to work

Sat Nov 16, 2024 7:00 am

@sindy

What is the point of adding min-prefix=0?

Even if you specify it, once you click apply there is no value; that only makes sense if it is +1, from what I can see.
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sat Nov 16, 2024 11:53 am

I'm not sure where to even start with this. The name of this parameter in Linux is suppress_prefixlength, which is pythic enough too but at least it is not outright misleading like min-prefix, since the latter suggests that the condition matches for prefixes of N bits or longer, whereas it actually only matches for the longer ones. So to make it match on any prefix except the 0.0.0.0/0 one, the value must be 0, whilst the parameter name would suggest 1 to be the correct value you need to obtain the desired result. Due to this, there is no way to make this condition match also on /0 prefixes, so if you want the whole rule to match on them, you must completely remove the condition from it.

Apparently the communication between the command line developers and the Winbox developers has failed again, so Winbox treats min-prefix=0 as equal to its complete absence so it doesn't bother to render the 0 value (whilst it does add it to the actual configuration as export shows).

And, as mentioned earlier in this topic, even using command line you cannot actually remove the min-prefix condition from the rule - although it disappears from the visible configuration, it remains in the running one until you remove the whole rule.

As if the functionality itself wasn't mind-blowing enough - similarly to the ipsec-policy match condition used in firewall rules, min-prefix is also a macro for a complex external function, and on top of that, it breaks the simple understanding that the table name specified in the rule is only an output parameter of the rule. Because the macro takes the table indicated in the rule, looks up a route in that table, and returns a match if the dst-address prefix of that route is long enough. If the prefix is too short, the macro returns a non-match so the processing proceeds to the next rule.
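To make the min-prefix semantics sindy describes concrete, here is an added model (not from the thread or RouterOS itself) of how the two routing-rule variants discussed above, the min-prefix=0 pair and anav's dst-address pair, pick a table for the router's own handshake packet and for LAN clients. The tables mirror the export; the WAN address and the server endpoint are constructed placeholders.

```python
"""Model of RouterOS routing-rule evaluation with min-prefix (Linux
suppress_prefixlength). Added illustration for this thread, not RouterOS code;
tables mirror the export, WAN and server addresses are constructed placeholders."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    dst: Net
    gateway: str  # next hop or egress interface, as in /ip route


@dataclass(frozen=True)
class Rule:
    """One /routing rule entry with action=lookup-only-in-table."""
    table: str
    src_address: Net | None = None
    dst_address: Net | None = None
    min_prefix: int | None = None


def best_route(table: list[Route], dst: IPv4) -> Route | None:
    """Longest-prefix match within a single table."""
    hits = [r for r in table if dst in r.dst]
    return max(hits, key=lambda r: r.dst.prefixlen, default=None)


def rule_matches(rule: Rule, tables: dict[str, list[Route]], src: IPv4, dst: IPv4) -> bool:
    if rule.src_address is not None and src not in rule.src_address:
        return False
    if rule.dst_address is not None and dst not in rule.dst_address:
        return False
    if rule.min_prefix is not None:
        # min-prefix looks the destination up in the rule's own table and matches
        # only if the winning route's prefix is strictly longer than min-prefix,
        # so min-prefix=0 excludes exactly the 0.0.0.0/0 default route.
        found = best_route(tables[rule.table], dst)
        if found is None or found.dst.prefixlen <= rule.min_prefix:
            return False
    return True


def select_route(rules: list[Rule], tables: dict[str, list[Route]], src: IPv4, dst: IPv4):
    """The first matching rule chooses the table (lookup-only-in-table means no
    fallback out of that table). With no matching rule, table main is used,
    which is what sindy's test on 7.16.1 confirmed."""
    for rule in rules:
        if rule_matches(rule, tables, src, dst):
            return rule.table, best_route(tables[rule.table], dst)
    return "main", best_route(tables["main"], dst)


# Routing tables as the export would build them: connected routes plus the DHCP
# default on ether1 in main, and the manual default via wireguard1 in rtab-wg.
TABLES = {
    "main": [
        Route(Net("192.168.188.0/24"), "bridge1"),
        Route(Net("10.7.0.0/24"), "wireguard1"),
        Route(Net("0.0.0.0/0"), "ether1"),
    ],
    "rtab-wg": [Route(Net("0.0.0.0/0"), "wireguard1")],
}

RULES_MIN_PREFIX = [  # Ramazzan's original pair
    Rule("main", min_prefix=0),
    Rule("rtab-wg", src_address=Net("192.168.188.0/24")),
]
RULES_DST = [  # anav's alternative pair
    Rule("main", dst_address=Net("192.168.188.0/24")),
    Rule("rtab-wg", src_address=Net("192.168.188.0/24")),
]

WAN_IP = IPv4("203.0.113.10")     # constructed placeholder for the DHCP WAN address
WG_SERVER = IPv4("198.51.100.7")  # constructed placeholder for the peer endpoint
LAN_CLIENT = IPv4("192.168.188.3")


def trace(rules: list[Rule]) -> dict[str, str]:
    """Egress interface chosen for the three flows discussed in the thread."""
    return {
        "handshake": select_route(rules, TABLES, WAN_IP, WG_SERVER)[1].gateway,
        "client_internet": select_route(rules, TABLES, LAN_CLIENT, IPv4("1.1.1.1"))[1].gateway,
        "client_router": select_route(rules, TABLES, LAN_CLIENT, IPv4("192.168.188.1"))[1].gateway,
    }


if __name__ == "__main__":
    for name, rules in (("min-prefix", RULES_MIN_PREFIX), ("dst-address", RULES_DST)):
        print(name, trace(rules))
```

Both rule sets send the router's own handshake out ether1 and LAN clients out wireguard1; nichky's min-prefix=1 would behave the same for these flows, since only the /0 route is excluded either way.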
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Sat Nov 16, 2024 3:21 pm

So Sindy, the rule is not a problem if we remove the check-gateway=ping? Or are you saying it's still causing issues and it's better simply to define the local subnets that need to be reached (old method using dst-address=subnet)?
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sat Nov 16, 2024 5:25 pm

If you mean the routing rule with min-prefix=0, it is indeed not the reason why the whole thing does not work. But I'd not hurry to revert to that approach, let's wait for confirmation that the removal of the check-gateway indeed helped.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sat Nov 16, 2024 11:04 pm

If you mean the routing rule with min-prefix=0, it is indeed not the reason why the whole thing does not work. But I'd not hurry to revert to that approach, let's wait for confirmation that the removal of the check-gateway indeed helped.
Hi Sindy,

I first disabled, then removed the ping option; still nothing. Meanwhile I got another server to test the problem (the first one was private, this one is commercial and provides a config file, so I didn't mess up settings).

Here's the current config, please advise what else might be wrong.
# 2024-11-16 23:49:30 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=58254 mtu=1420 name=wg1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.5
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wg1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.whiskergalaxy.com \
    endpoint-port=123 interface=wg1 name=peer5 preshared-key=\
    "key" public-key=\
    "key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=100.72.7.16 interface=wg1 network=100.72.7.0
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.255.255.3 gateway=192.168.188.1
/ip dns
set servers=10.255.255.3
/ip firewall address-list
add address=192.168.188.2 list=AUTHORIZED
add address=192.168.188.3 list=AUTHORIZED
add address=192.168.188.4 list=AUTHORIZED
add address=192.168.188.5 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=drop chain=input
add action=accept chain=forward comment="wireguard access" disabled=yes \
    out-interface=*A src-address=192.168.188.0/24
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="users to wg" out-interface=wg1 \
    src-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wg1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    *A routing-table=rtab-wg scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.188.0/24 \
    table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no

 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sun Nov 17, 2024 11:51 am

Two things regarding this export:
  • at some point, you have removed and recreated the Wireguard interface. Even though you've used the same name for it, for the system, it is nevertheless another interface, the old one is gone. But RouterOS incorporates no crystal ball so the route keeps referring to the old one: gateway=*A. So you have to manually update the route with the new Wireguard interface, otherwise it is equally useless as when there was check-gateway set to ping.
  • I don't think the idea of using port 123 for Wireguard at server side is as clever as they think it is. The protocol for which it is officially reserved, NTP, is quite an old one and there were attacks using that port, so there may be some bandwidth limitations on the path between your site and the remote peer.
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sun Nov 17, 2024 3:18 pm

...and the same issue has to be corrected also in the firewall rule: out-interface=*A
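Both mistakes found in this thread, check-gateway=ping on a route whose gateway is an interface, and a route or firewall rule still pointing at the removed interface as *A, are visible in a plain export. The following is an added lint script (not from the thread or MikroTik) that parses an export and flags those two conditions plus a routing rule carrying min-prefix, which sindy noted cannot be unset in place; the sample export is a trimmed copy of the thread's config with the keys and endpoint replaced by placeholders.

```python
"""Lint a RouterOS export for the pitfalls this thread ran into.
Added example, not RouterOS or MikroTik code; the sample export is a trimmed,
constructed copy of the thread's config."""
from __future__ import annotations

import ipaddress
import re

# key=value pairs; values may be double-quoted (comment="wireguard access")
_KV = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S+)')
_INTERNAL_ID = re.compile(r"\*[0-9A-F]+")  # *A, *1F: reference to a removed object


def parse_export(text: str) -> list[tuple[str, str, dict[str, str]]]:
    """Join backslash-continued lines, then yield (section, verb, {key: value})."""
    joined: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if joined and joined[-1].endswith("\\"):
            joined[-1] = joined[-1][:-1] + line
        else:
            joined.append(line)
    section, entries = "", []
    for line in joined:
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = {k: v.strip('"') for k, v in _KV.findall(rest)}
        entries.append((section, verb, kv))
    return entries


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value.split("%")[0])  # allow 10.0.0.1%ether1 form
        return True
    except ValueError:
        return False


def lint(entries: list[tuple[str, str, dict[str, str]]]) -> list[str]:
    findings = []
    for section, verb, kv in entries:
        if verb != "add":
            continue
        # check-gateway=ping needs an IP next hop; on an interface gateway the
        # route ends up unreachable/inactive, as seen in the thread.
        if section == "/ip route" and kv.get("check-gateway") == "ping":
            for gw in kv.get("gateway", "").split(","):
                if gw and not _is_ip(gw):
                    findings.append(f"{section}: check-gateway=ping with interface gateway {gw}; "
                                    "set check-gateway=none or recreate the route")
        # *A-style references survive when an interface is removed and recreated
        # under the same name; the route or rule must be re-pointed by hand.
        for key in ("gateway", "out-interface", "in-interface", "interface"):
            if _INTERNAL_ID.fullmatch(kv.get(key, "")):
                findings.append(f"{section}: {key}={kv[key]} references a removed object; "
                                "re-select the interface")
        # min-prefix cannot be unset in place; the rule must be deleted and recreated.
        if section == "/routing rule" and "min-prefix" in kv:
            findings.append(f"{section}: min-prefix={kv['min-prefix']} set; "
                            "to drop it, remove and recreate the rule")
    return findings


SAMPLE_EXPORT = r"""
# constructed sample trimmed from the thread's export
/interface wireguard
add listen-port=58254 mtu=1420 name=wg1
/ip firewall filter
add action=accept chain=forward comment="wireguard access" disabled=yes \
    out-interface=*A src-address=192.168.188.0/24
add action=accept chain=forward comment="users to wg" out-interface=wg1 \
    src-address=192.168.188.0/24
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    *A routing-table=rtab-wg scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg
"""

if __name__ == "__main__":
    for finding in lint(parse_export(SAMPLE_EXPORT)):
        print(finding)
```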
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sun Nov 17, 2024 6:44 pm

Two things regarding this export:
  • at some point, you have removed and recreated the Wireguard interface. Even though you've used the same name for it, for the system, it is nevertheless another interface, the old one is gone. But RouterOS incorporates no crystal ball so the route keeps referring to the old one: gateway=*A. So you have to manually update the route with the new Wireguard interface, otherwise it is equally useless as when there was check-gateway set to ping.
  • I don't think the idea of using port 123 for Wireguard at server side is as clever as they think it is. The protocol for which it is officially reserved, NTP, is quite an old one and there were attacks using that port, so there may be some bandwidth limitations on the path between your site and the remote peer.
Yeah, I noticed this the very moment I posted the previous config, and fixed it immediately. But it didn't help.
I cleaned up all the bugs I found and the current status is: I can't access any web site from the local machine, but I can ping various IPs, and the increased latency gives me hope that wireguard is working. So my guess is something is wrong with DNS.

Current config:
# 2024-11-17 18:23:59 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=58254 mtu=1420 name=wg1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.5
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/ipv6 settings
set disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wg1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.whiskergalaxy.com \
    endpoint-port=123 interface=wg1 name=peer5 preshared-key=\
    "key" public-key=\
    "key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=100.72.7.16 interface=wg1 network=100.72.7.16
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.255.255.3 gateway=192.168.188.1
/ip dns
set servers=10.255.255.3
/ip firewall address-list
add address=192.168.188.2 list=AUTHORIZED
add address=192.168.188.3 list=AUTHORIZED
add address=192.168.188.4 list=AUTHORIZED
add address=192.168.188.5 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=drop chain=input
add action=accept chain=forward comment="wireguard access" disabled=yes \
    out-interface=wg1 src-address=192.168.188.0/24
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="users to wg" out-interface=wg1 \
    src-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wg1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 routing-table=\
    rtab-wg scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.188.0/24 \
    table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system identity
set name="WG tunnel "
/system note
set show-at-login=no

 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sun Nov 17, 2024 7:42 pm

So my guess is something wrong with DNS.
That, or an MTU issue, or the VPN playing games with TTL to prevent people from using routers instead of individual devices.

So first, from where does the 10.255.255.3 DNS server address come? Because you use it both for the router itself, which needs to be able to resolve the address of the VPN server while the tunnel is still down, and for the clients who should access their DNS via the tunnel. So one of these uses is wrong.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sun Nov 17, 2024 7:56 pm

sindy wrote:
So first, from where does the 10.255.255.3 DNS server address come?
It was provided in the WG config, and I didn't find any other place to put it. Changed to ISP / Google DNS - no effect. However, my local PC now shows that my network has internet, but I still can't reach any URL.
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sun Nov 17, 2024 8:12 pm

Ramazzan wrote:
It was provided in the WG config, and I didn't find any other place to put it.
Well, you have actually put it in two places, that's what I was concerned about. In the /ip dhcp-server network, it has to be the 10.255.255.3 because that's what the clients should use; in /ip dns, it must be a public DNS server or one assigned by your ISP so that the router can use it to resolve the fqdn of the Wireguard server to its IP address. It is quite likely that your ISP sends you its DNS servers as part of the DHCP lease - if so, the router simply tries with the statically configured 10.255.255.3, gets no response, and switches to one of the dynamically assigned ones. Which would explain why the Wireguard tunnel even starts.

OK, so put the 10.255.255.3 back to the /ip dhcp-server network settings, disconnect and reconnect a test PC to make sure that it gets the updated DHCP lease, and then use nslookup myip.wtf in the command line of that PC - what answer do you get? If you get a timeout, open a terminal (command line) window in Winbox (or use SSH), make it as wide as your screen allows, and run the following command:
/tool sniffer quick interface=wg1 port=53
The PCs should generate a lot of DNS requests on their own, but if they don't, try the nslookup myip.wtf again. You should see in the sniff the requests from 100.72.7.16:someport to 10.255.255.3:53 and responses from 10.255.255.3:53 to 100.72.7.16:someport. Is that the case?
 
anav
Forum Guru
Posts: 21700
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cant get Wireguard client to work

Sun Nov 17, 2024 8:29 pm

Interesting, the OP stated that he is connecting to a private server.
I did ask what DNS the private server was using..........
No idea where the idea of using 10.255.255.3 popped into his head??????

Firstly, set DETECT INTERNET to NONE; it's known to cause issues.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Also, the IP DHCP server settings don't indicate that he is using PEER DNS???

As long as the router sees
IP DNS
set server=1.1.1.1,8.8.8.8


Should not the router be able to (from its wireguard service) go out to one of these IPs and have the access needed to negotiate the handshake??
The subnet does not need DNS access locally is what I am saying.

However, it depends:
a. does the user want local subnet DNS to leak out the local router, and then for traffic to go out wireguard
OR
b. does the user want all traffic including DNS to go out wireguard (to me this is preferable in most cases).

So for the subnet:

/ip dhcp-server network
add address=192.168.188.0/24 dns-server=100.72.7.1 gateway=192.168.188.1

Should be all that is required! (the wireguard gateway)...........
To ensure this happens, one could:
/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-address=100.72.7.1
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-address=100.72.7.1
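
The DNS split sindy describes (router's own resolver on the WAN path, clients' resolver through the tunnel) and the port-53 redirect anav proposes, pulled together as an added example. This is not configuration from either poster or from the OP's export. It assumes the OP's LAN 192.168.188.0/24 (anav's rules as posted say 192.168.88.0/24, which matches no host in the OP's export), the tunnel address 100.72.7.16 on wg1, and 10.255.255.3 as the resolver the provider supplied in the WG config; 100.72.7.1 appears nowhere in the OP's export, so the redirect targets 10.255.255.3 instead. The public resolvers 1.1.1.1 and 8.8.8.8 are placeholders for whatever the router should use on its own WAN path.

```routeros
# Added example, not from the thread. Assumes the OP's LAN 192.168.188.0/24,
# wg1 with 100.72.7.16, and 10.255.255.3 as the resolver supplied in the WG
# config; 1.1.1.1/8.8.8.8 stand in for whatever resolver the router should use
# on its own WAN path (ISP-assigned is fine too).

# Before: the same resolver for both roles. The router must resolve the
# endpoint FQDN before the tunnel is up, but 10.255.255.3 is only reachable
# through the tunnel, so the router's own lookups hang unless it falls back to
# DHCP-learned servers.
#   /ip dns set servers=10.255.255.3

# After: the router resolves over ether1 via the main table ...
/ip dns
set servers=1.1.1.1,8.8.8.8 allow-remote-requests=no
# ... and LAN clients get the provider resolver, which the src-address routing
# rule sends through wg1.
/ip dhcp-server network
set [ find address=192.168.188.0/24 ] dns-server=10.255.255.3 gateway=192.168.188.1

# Leak guard for clients that hard-code a resolver (port 53 only; DoH/DoT are
# not caught). Accept first what is already aimed at the tunnel resolver so the
# dst-nat rules only rewrite strays. The router's own queries originate in the
# output chain and are not touched by dstnat.
/ip firewall nat
add chain=dstnat action=accept protocol=udp dst-port=53 src-address=192.168.188.0/24 \
    dst-address=10.255.255.3 comment="already using tunnel DNS"
add chain=dstnat action=accept protocol=tcp dst-port=53 src-address=192.168.188.0/24 \
    dst-address=10.255.255.3 comment="already using tunnel DNS"
add chain=dstnat action=dst-nat protocol=udp dst-port=53 src-address=192.168.188.0/24 \
    to-addresses=10.255.255.3 comment="stray DNS -> tunnel DNS"
add chain=dstnat action=dst-nat protocol=tcp dst-port=53 src-address=192.168.188.0/24 \
    to-addresses=10.255.255.3 comment="stray DNS -> tunnel DNS"

# Check: both directions must appear on the tunnel. Requests only ("->") with
# no "<-" from 10.255.255.3:53 means the tunnel itself is not passing traffic,
# and the DNS settings are not the thing to keep changing.
/tool sniffer quick interface=wg1 port=53
```

Order matters in dstnat: the accept rules end the chain for queries already aimed at the tunnel resolver, so the dst-nat rules only touch strays. Because the routing decision is taken after dstnat, a redirected query still matches the src-address rule and leaves via wg1. The router's endpoint lookup is unaffected, which is exactly what it needs, since that lookup has to reach the WAN before the tunnel exists.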
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Tue Nov 19, 2024 9:35 pm

sindy wrote:
[...] then use nslookup myip.wtf in the command line of that PC - what answer do you get? If you get a timeout, [...] run the following command:
/tool sniffer quick interface=wg1 port=53
So I set up DNS as you stated above and tried the commands.
nslookup myip.wtf gave me:
C:\Users\Ramazzan>nslookup myip.wtf
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  10.255.255.3

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
Here are some results from /tool sniffer quick interface=wg1 port=53. Do I understand correctly that I don't get any responses?
wg1        35.822  108  ->   100.72.7.16:5678 (discovery)  8.8.8.8:53 (dns)  ip:udp      64    3
wg1        36.383  109  ->   100.72.7.16:5678 (discovery)  8.8.4.4:53 (dns)  ip:udp      64    3
wg1        36.814  110  ->   100.72.7.16:5678 (discovery)  1.1.1.1:53 (dns)  ip:udp      64    3
wg1        36.825  111  ->   100.72.7.16:5678 (discovery)  8.8.8.8:53 (dns)  ip:udp      64    3
wg1        37.386  112  ->   100.72.7.16:5678 (discovery)  8.8.4.4:53 (dns)  ip:udp      64    3
anav wrote:
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=100.72.7.1 gateway=192.168.188.1
[...]
/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=udp to-address=100.72.7.1
add chain=dstnat action=dst-nat src-address=192.168.88.0/24 dst-port=53 protocol=tcp to-address=100.72.7.1
The new DNS (10.255.255.3) is coming from an alternative server I got for test purposes; it provides DNS.
I've tried the suggested firewall rules, but my DNS address is different. Are you sure I should use 100.72.7.1? It is not provided anywhere in the config files.

Sadly, the result is still the same. I can ping IPs from the local machine, but can't visit the web.

Here is my current config:
# 2024-11-19 22:24:32 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
# model = RBD52G-5HacD2HnD
# serial number = 92F109F00470
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge ssid="PieFi setup" wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface wireguard
add listen-port=58254 mtu=1420 name=wg1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.188.2-192.168.188.5
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool0 interface=bridge1 name=dhcp1 \
    server-address=192.168.188.1
/routing table
add disabled=no fib name=rtab-wg
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-source-route=yes
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=wg1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.whiskergalaxy.com \
    endpoint-port=123 interface=wg1 name=peer5 persistent-keepalive=25s \
    preshared-key="key" public-key=\
    "key"
/ip address
add address=192.168.188.1/24 interface=bridge1 network=192.168.188.0
add address=100.72.7.16 interface=wg1 network=100.72.7.16
/ip dhcp-client
add interface=ether1
/ip dhcp-relay
add dhcp-server=192.168.188.1 disabled=no interface=wlan1 name=relay1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=10.255.255.3 gateway=192.168.188.1
/ip firewall address-list
add address=192.168.188.2 list=AUTHORIZED
add address=192.168.188.3 list=AUTHORIZED
add address=192.168.188.4 list=AUTHORIZED
add address=192.168.188.5 list=AUTHORIZED
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="admin access" src-address-list=\
    AUTHORIZED
add action=drop chain=input
add action=accept chain=forward comment="wireguard access" disabled=yes \
    out-interface=wg1 src-address=192.168.188.0/24
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="local internet access" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="users to wg" out-interface=wg1 \
    src-address=192.168.188.0/24
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    rtab-wg passthrough=no src-address=192.168.188.2-192.168.188.255
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=wg1
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=\
    192.168.88.0/24 to-addresses=100.72.7.1
add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\
    192.168.88.0/24 to-addresses=100.72.7.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 routing-table=\
    rtab-wg scope=30 suppress-hw-offload=no target-scope=10
/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.188.0/24 \
    table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 \
    table=rtab-wg
/system clock
set time-zone-name=Europe/London
/system identity
set name="WG tunnel "
/system note
set show-at-login=no
If something is wrong with the config, maybe I should try a reset with no default settings and only input a minimalistic config that should work, based on what we discussed here?
What version should it be based on?
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Tue Nov 19, 2024 9:49 pm

Ramazzan wrote:
Here are some results from /tool sniffer quick interface=wg1 port=53. Do I understand correctly that I don't get any responses?
Indeed, however, this result also shows that you have not disabled the /interface/detect-internet process as @anav has recommended you - so in the ton of discovery messages that RouterOS sends on its own, you may have missed any eventual one sent by the PC. So under /interface/detect-internet, set all four items to none and try the whole procedure again. If you see nothing at all that way, repeat the procedure, but instead of /tool sniffer quick interface=wg1 port=53, run /tool sniffer quick ip-address=10.255.255.3

I don't think there is any point in trashing the current configuration and starting from scratch, the current one is not that complicated that it would justify such a serious action.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Tue Nov 19, 2024 10:49 pm

sindy wrote:
So under /interface/detect-internet, set all four items to none and try the whole procedure again. If you see nothing at all that way, repeat the procedure, but instead of /tool sniffer quick interface=wg1 port=53, run /tool sniffer quick ip-address=10.255.255.3
I did disable detect internet via the interface, but repeated this step via the command line anyway. Now, as you supposed, I didn't get anything for /tool sniffer quick interface=wg1 port=53 but got this output for /tool sniffer quick ip-address=10.255.255.3:
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL
INTERFA  TIME   NU  DI  SRC-MAC            DST-MAC            SRC-ADDRESS          DST-ADDRESS            PROTOC
wlan1    0.519   1  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:65436  10.255.255.3:53 (dns)  ip:udp
bridge1  0.519   2  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:65436  10.255.255.3:53 (dns)  ip:udp
ether1   0.519   3  ->  B8:69:F4:03:7B:0C  10:7B:EF:40:C7:51  192.168.90.16:65436  10.255.255.3:53 (dns)  ip:udp
wlan1    1.001   4  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:57542  10.255.255.3:53 (dns)  ip:udp
bridge1  1.001   5  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:57542  10.255.255.3:53 (dns)  ip:udp
ether1   1.001   6  ->  B8:69:F4:03:7B:0C  10:7B:EF:40:C7:51  192.168.90.16:57542  10.255.255.3:53 (dns)  ip:udp
wlan1    1.233   7  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:56623  10.255.255.3:53 (dns)  ip:udp
bridge1  1.233   8  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:56623  10.255.255.3:53 (dns)  ip:udp
ether1   1.233   9  ->  B8:69:F4:03:7B:0C  10:7B:EF:40:C7:51  192.168.90.16:56623  10.255.255.3:53 (dns)  ip:udp
wlan1    1.526  10  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:65436  10.255.255.3:53 (dns)  ip:udp
bridge1  1.526  11  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:65436  10.255.255.3:53 (dns)  ip:udp
ether1   1.527  12  ->  B8:69:F4:03:7B:0C  10:7B:EF:40:C7:51  192.168.90.16:65436  10.255.255.3:53 (dns)  ip:udp
wlan1    2.147  13  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:53061  10.255.255.3:53 (dns)  ip:udp
bridge1  2.147  14  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:53061  10.255.255.3:53 (dns)  ip:udp
ether1   2.147  15  ->  B8:69:F4:03:7B:0C  10:7B:EF:40:C7:51  192.168.90.16:53061  10.255.255.3:53 (dns)  ip:udp
However, still no access to the web.
This site can’t be reached
www.myip.com’s DNS address could not be found. Diagnosing the problem.
DNS_PROBE_POSSIBLE
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Tue Nov 19, 2024 11:01 pm

The sniffing shows that the routing rules do not work as expected - the source address 192.168.188.4 and destination address 10.255.255.3 do not match the first rule below and do match the second, yet the packet leaves via ether1:

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.188.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.188.0/24 table=rtab-wg


Since the action is lookup-only-in-table, if the route via wg1 was down, the packet should get nowhere at all; as it did leave via ether1, it seems as if the routing rules do not currently look the same as in your last export, or maybe some mangle rules have been added?
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Wed Nov 20, 2024 10:21 pm

I didn't change anything not mentioned here.
Is there something particular missing or edited?
The routing rules are exactly like you posted above.
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Wed Nov 20, 2024 10:34 pm

If so, I suggest that you copy-paste the following:
/routing rule
remove [find]
add action=lookup-only-in-table dst-address=192.168.188.0/24 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg

and try the DNS query and sniffing using /tool sniffer quick ip-address=10.255.255.3 again.

The idea behind is that maybe some changes of the existing routing rules actually did not happen internally, much like what I have described above regarding changing the min-prefix, and therefore the rules have to be completely dropped (removed) and re-created.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Fri Nov 22, 2024 5:31 pm

sindy wrote:
/routing rule
remove [find]
add action=lookup-only-in-table dst-address=192.168.188.0/24 table=main
add action=lookup-only-in-table src-address=192.168.188.0/24 table=rtab-wg

and try the DNS query and sniffing using /tool sniffer quick ip-address=10.255.255.3 again.
Done, the sniffer shows results now, but DNS requests still fail (web pages not opening).
[admin@WG tunnel ] /routing/rule> /tool sniffer quick ip-address=10.255.255.3
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL
INTERFA  TIME   NU  DI  SRC-MAC            DST-MAC            SRC-ADDRESS          DST-ADDRESS            PROTOC
wlan1    1.035   1  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:59843  10.255.255.3:53 (dns)  ip:udp
bridge1  1.035   2  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:59843  10.255.255.3:53 (dns)  ip:udp
wg1      1.035   3  ->                                        100.72.7.16:59843    10.255.255.3:53 (dns)  ip:udp
wlan1    4.481   4  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:53523  10.255.255.3:53 (dns)  ip:udp
bridge1  4.481   5  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:53523  10.255.255.3:53 (dns)  ip:udp
wg1      4.481   6  ->                                        100.72.7.16:53523    10.255.255.3:53 (dns)  ip:udp
wlan1    4.482   7  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:63589  10.255.255.3:53 (dns)  ip:udp
bridge1  4.482   8  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:63589  10.255.255.3:53 (dns)  ip:udp
wg1      4.483   9  ->                                        100.72.7.16:63589    10.255.255.3:53 (dns)  ip:udp
wlan1    5.038  10  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:59843  10.255.255.3:53 (dns)  ip:udp
bridge1  5.038  11  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:59843  10.255.255.3:53 (dns)  ip:udp
wg1      5.038  12  ->                                        100.72.7.16:59843    10.255.255.3:53 (dns)  ip:udp
wlan1    5.493  13  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:62859  10.255.255.3:53 (dns)  ip:udp
bridge1  5.493  14  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:62859  10.255.255.3:53 (dns)  ip:udp
wg1      5.493  15  ->                                        100.72.7.16:62859    10.255.255.3:53 (dns)  ip:udp
wlan1    5.494  16  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:60192  10.255.255.3:53 (dns)  ip:udp
bridge1  5.494  17  <-  44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:60192  10.255.255.3:53 (dns)  ip:udp
wg1      5.494  18  ->                                        100.72.7.16:60192    10.255.255.3:53 (dns)  ip:udp

 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Fri Nov 22, 2024 6:33 pm

Well, at this point, we know that
  • there is indeed an issue when modifying routing rules, anyone willing to file a support ticket?
  • the concept as such works
The next question is whether you can get any answer whatsoever via the tunnel - if you ping e.g. 8.8.8.8 from a 192.168.188.x device, does a sniffer matching only on interface=wg1 show any received (<-) packets at all?
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Fri Nov 22, 2024 7:05 pm

sindy wrote:
[...] if you ping e.g. 8.8.8.8 from a 192.168.188.x device, does a sniffer matching only on interface=wg1 show any received (<-) packets at all?
I'll open a ticket.
I found out that pings from the local machine to 8.8.8.8 no longer work. :?
And nothing different is found in the sniffer from what I posted before.
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Fri Nov 22, 2024 7:55 pm

What does "local machine" mean? The Mikrotik itself or a PC connected to it?
And what does "no longer works" mean - if "local machine" means something connected to the Mikrotik in the 192.168.188.0/24 subnet, can you see pings to 8.8.8.8 being routed out via the wg1 interface but no responses coming back?

The issue with Wireguard is that multiple peers can be potentially linked to the same interface, so the interface is always up no matter how many peers are actually reachable through it. So if anything in the peer settings is wrong, or if something is wrong with your account at the VPN provider, it behaves exactly this way - you can see packets to be sent via the Wireguard interface but nothing to come back through there.

So the next thing I would do would be to sniff while filtering on the IP address of the Wireguard server; if you can see that the Mikrotik sends packets to that address on its WAN interface, it means that routing of Mikrotik's own traffic is also correct. If you can see also responses, it means that the handshake with the server has been successful. If so, you should ping 8.8.8.8 from the connected PC, specifying some larger size of the packets, so that you could easily distinguish the Wireguard transport packets carrying them from the small handshake and keepalive ones while still sniffing with filtering on the server IP address, and see whether the Mikrotik indeed sends them to the server or not.
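
The diagnostic sequence sindy lays out, plus the routing-rule verification from the earlier exchange, written out as an added RouterOS walkthrough. None of this is from the thread; it is an editor's example. It assumes the OP's names (wg1, rtab-wg, LAN 192.168.188.0/24, tunnel address 100.72.7.16, resolver 10.255.255.3) and uses _SERVER-IP_ as a placeholder for the address that the endpoint FQDN resolves to. The routing-table parameter on /ping is assumed to be available in this RouterOS 7 build; the WireGuard message sizes quoted are from the protocol specification, not from anything the OP captured.

```routeros
# Added example, not from the thread. Assumes the OP's names (wg1, rtab-wg,
# 192.168.188.0/24, 100.72.7.16, 10.255.255.3); _SERVER-IP_ is a placeholder
# for the address that /ip dns resolves for the endpoint FQDN.

# 1. Policy routing: confirm the rules and the tunnel route are really installed.
/routing rule print detail
/ip route print detail where routing-table=rtab-wg
# expected: one active 0.0.0.0/0 via wg1 in rtab-wg. An inactive route here is a
# local problem (wg1 address or route); an active route with no replies means
# the peer, not the routing, is the thing to look at.

# 2. Peer state. wg1 is "running" as soon as it exists, so only the peer entry
# says whether the server ever answered: last-handshake should be recent and
# rx should grow, not stay at 0 while tx climbs.
/interface wireguard peers print detail where interface=wg1
# rx=0 with tx growing means nothing is coming back: wrong public key or
# preshared key, wrong endpoint/port, or the server does not know this peer.

# 3. Outer transport on the WAN: does the router send to the server, and does
# the server reply? Filter on the endpoint address, not on wg1.
/tool sniffer quick interface=ether1 ip-address=_SERVER-IP_
# WireGuard UDP payloads: handshake initiation 148 bytes, response 92,
# keepalive 32; the sniffer SIZE column adds 28 bytes of IP/UDP header.
# Only "->" lines and never a 120-byte "<-" reply: the handshake is failing.

# 4. Probe from the router through the tunnel and through the WAN, for
# comparison (routing-table on /ping is assumed for this RouterOS 7 build).
/ping 8.8.8.8 routing-table=rtab-wg src-address=100.72.7.16 size=1000 count=3
/ping 8.8.8.8 count=3

# 5. With a LAN PC pinging 8.8.8.8 at a large size, re-run step 3: "->" packets
# of about that size must leave ether1 toward _SERVER-IP_ and "<-" packets of
# similar size must return. Large replies missing while small ones arrive is an
# MTU problem; clamp TCP MSS for the tunnel in that case (ICMP stays affected):
/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu protocol=tcp \
    tcp-flags=syn out-interface=wg1 comment="MSS clamp for wg1"
```

The order is deliberate: step 1 rules out the policy-routing bug already seen in this thread, step 2 separates "tunnel never negotiated" from "tunnel up but traffic lost", and only steps 3 to 5 need the provider's cooperation. A peer that shows rx=0 after all of this is a credentials or account problem on the server side, and no firewall, NAT or DNS change on the MikroTik will fix it.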
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sun Nov 24, 2024 6:57 pm

sindy wrote:
[...] you should ping 8.8.8.8 from the connected PC, specifying some larger size of the packets, so that you could easily distinguish the Wireguard transport packets carrying them from the small handshake and keepalive ones while still sniffing with filtering on the server IP address, and see whether the Mikrotik indeed sends them to the server or not.
I tried pinging with 32k packets from the local machine (connected via wifi to the Mikrotik) - requests time out.
Here is the log from the sniffer at the same time:
# 2024-11-24 19:55:06 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS
INTERFACE  TIME    NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS          DST-ADDRESS          
bridge1    25.648  293  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58316  10.255.255.3:53 (dns)
wg1        25.648  294  ->                                         100.72.7.16:58316    10.255.255.3:53 (dns)
wlan1      25.649  295  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58317  10.255.255.3:53 (dns)
bridge1    25.649  296  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58317  10.255.255.3:53 (dns)
wg1        25.649  297  ->                                         100.72.7.16:58317    10.255.255.3:53 (dns)
wlan1      26.288  298  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58319  10.255.255.3:53 (dns)
bridge1    26.288  299  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58319  10.255.255.3:53 (dns)
wg1        26.288  300  ->                                         100.72.7.16:58319    10.255.255.3:53 (dns)
wlan1      26.288  301  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58318  10.255.255.3:53 (dns)
bridge1    26.288  302  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58318  10.255.255.3:53 (dns)
wg1        26.288  303  ->                                         100.72.7.16:58318    10.255.255.3:53 (dns)
wlan1      26.661  304  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:65294  10.255.255.3:53 (dns)
bridge1    26.661  305  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:65294  10.255.255.3:53 (dns)
wg1        26.661  306  ->                                         100.72.7.16:65294    10.255.255.3:53 (dns)
wlan1      27.176  307  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:64368  10.255.255.3:53 (dns)
bridge1    27.176  308  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:64368  10.255.255.3:53 (dns)
wg1        27.176  309  ->                                         100.72.7.16:64368    10.255.255.3:53 (dns)
wlan1      27.177  310  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:53456  10.255.255.3:53 (dns)
bridge1    27.177  311  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:53456  10.255.255.3:53 (dns)
wg1        27.177  312  ->                                         100.72.7.16:53456    10.255.255.3:53 (dns)
And sniffer output with interface=wg1; it seems one-sided as you suspect (no inbound traffic).

# 2024-11-24 19:59:15 by RouterOS 7.16.1
# software id = 4NIX-BDJQ
#
Columns: INTERFACE, TIME, NUM, DIR, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU, DSCP, FRAGMENT-OFFSET, IDENTIFICATION, IP-HEADER-SIZE
INT  TIME    NUM  DI  SRC-ADDRESS        DST-ADDRESS               PROTOCO  SIZE  C  D  FRAGM  IDENT  IP
wg1  8.362    76  ->  100.72.7.16        8.8.8.8                   ip:icmp  1420  2  0  28000  57177  20
wg1  8.362    77  ->  100.72.7.16        8.8.8.8                   ip:icmp  1420  2  0  29400  57177  20
wg1  8.362    78  ->  100.72.7.16        8.8.8.8                   ip:icmp  1228  2  0  30800  57177  20
wg1  8.528    79  ->  100.72.7.16:59455  10.255.255.3:53 (dns)     ip:udp     77  2  0      0  13796  20
wg1  8.83     80  ->  100.72.7.16:55940  10.255.255.3:53 (dns)     ip:udp     60  2  0      0  13797  20
wg1  8.997    81  ->  100.72.7.16:55281  10.255.255.3:53 (dns)     ip:udp     77  2  0      0  13798  20
wg1  8.998    82  ->  100.72.7.16:64090  10.255.255.3:53 (dns)     ip:udp     77  2  0      0  13799  20
wg1  9.53     83  ->  100.72.7.16:59455  10.255.255.3:53 (dns)     ip:udp     77  2  0      0  13800  20
wg1  9.825    84  ->  100.72.7.16:55940  10.255.255.3:53 (dns)     ip:udp     60  2  0      0  13801  20
wg1  9.901    85  ->  100.72.7.16:53134  10.255.255.3:53 (dns)     ip:udp     62  2  0      0  13802  20
wg1  9.938    86  ->  100.72.7.16:49759  10.255.255.3:53 (dns)     ip:udp     68  2  0      0  13803  20
wg1  10.011   87  ->  100.72.7.16:61166  10.255.255.3:53 (dns)     ip:udp     77  2  0      0  13804  20
wg1  10.012   88  ->  100.72.7.16:51595  10.255.255.3:53 (dns)     ip:udp     77  2  0      0  13805  20
wg1  10.06    89  ->  100.72.7.16:55351  10.255.255.3:53 (dns)     ip:udp     61  2  0      0  13806  20
wg1  10.06    90  ->  100.72.7.16:61236  10.255.255.3:53 (dns)     ip:udp     61  2  0      0  13807  20
wg1  10.531   91  ->  100.72.7.16:59455  10.255.255.3:53 (dns)     ip:udp     77  2  0      0  13808  20
wg1  10.951   92  ->  100.72.7.16:58764  176.99.137.169:80 (http)  ip:tcp     60  2  0      0  63898  20
wg1  10.952   93  ->  100.72.7.16:49759  10.255.255.3:53 (dns)     ip:udp     68  2  0      0  13809  20
wg1  11.08    94  ->  100.72.7.16:62438  10.255.255.3:53 (dns)     ip:udp     61  2  0      0  13810  20
wg1  11.08    95  ->  100.72.7.16:51010  10.255.255.3:53 (dns)     ip:udp     61  2  0      0  13811  20
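A quick way to confirm the one-sided pattern from a pasted capture rather than by eye, as an added example (my code, not from the thread or RouterOS). It parses rows in the layout of the /tool/sniffer output above; the sample rows are constructed to match that layout, and DIR '<-' is taken as received on the interface, '->' as transmitted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of RouterOS /tool/sniffer packet output.
# The thread's real capture is longer; these rows are made up to match it.
SAMPLE = """\
INTERFACE  TIME    NUM  DIR  SRC-MAC            DST-MAC            SRC-ADDRESS          DST-ADDRESS
bridge1    25.648  293  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58316  10.255.255.3:53 (dns)
wg1        25.648  294  ->                                         100.72.7.16:58316    10.255.255.3:53 (dns)
bridge1    25.649  296  <-   44:E5:17:FC:9F:4F  B8:69:F4:03:7B:11  192.168.188.4:58317  10.255.255.3:53 (dns)
wg1        25.649  297  ->                                         100.72.7.16:58317    10.255.255.3:53 (dns)
"""

# interface, time, packet number, direction; later columns vary with the column set chosen
ROW = re.compile(r"^(?P<iface>\S+)\s+(?P<time>\d+(?:\.\d+)?)\s+(?P<num>\d+)\s+(?P<dir>->|<-)\s")


def direction_counts(text):
    """Packets per interface and direction; header and 'Columns:' lines never match ROW."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counts[m["iface"]][m["dir"]] += 1
    return counts


def one_sided_interfaces(text):
    """Interfaces that only ever transmitted or only ever received.

    wg1 appearing here means packets enter the tunnel but nothing returns,
    so LAN-side routing is not the problem. bridge1 also appears for a
    capture like this one, because the DNS replies never arrive to be
    forwarded back to the client.
    """
    return sorted(iface for iface, c in direction_counts(text).items()
                  if (c["->"] > 0) != (c["<-"] > 0))
```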

 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sun Nov 24, 2024 7:40 pm

32 kByte would be too much even for a jumbo frame, fragmentation is inevitable. I had in mind something between 400 and 1400 bytes - definitely smaller than the MTU of the Wireguard interface, just large enough to distinguish the transport Wireguard packets from the handshake and keepalive ones.

And I wanted to see the packet exchange between the WAN (ether1) address of your router and the IP address of the server.
 
Ramazzan
just joined
Topic Author
Posts: 23
Joined: Wed Aug 30, 2023 12:12 am

Re: Cant get Wireguard client to work

Sun Nov 24, 2024 7:56 pm

And I wanted to see the packet exchange between the WAN (ether1) address of your router and the IP address of the server.
Please share more details on how to get this.
 
sindy
Forum Guru
Posts: 11012
Joined: Mon Dec 04, 2017 9:19 pm

Re: Cant get Wireguard client to work

Sun Nov 24, 2024 9:34 pm

I thought I already did, but OK, in more detail then.

Run /tool/sniffer/quick ip-address=ip.of.wg.server. Since persistent keepalive is not set on your wireguard peer, it doesn't matter if you see nothing yet (and it need not be set, as you don't expect any incoming connections via the WG tunnel, so no one cares that it is down until something in your LAN needs to create an outgoing connection).

Start pinging 8.8.8.8 from a device connected to the LAN, with address 192.168.188.x, with a size of 500 bytes. If the sniffer wasn't showing anything until now, it should show a brief conversation between the IP address attached to your ether1 and the address of the Wireguard server, followed by multiple packets of the same >500-byte size, one every second, and possibly also some responses to them, all this running through ether1. As it doesn't work as a whole, I assume we shall actually see something else, so I'm wondering what that will be.
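The size arithmetic behind the "between 400 and 1400 bytes" suggestion and the ether1 capture, as an added example (my code, not sindy's and not RouterOS or WireGuard code): handshake and keepalive messages have fixed sizes, while a transport message grows with the inner packet, so a 500-byte ping stands out from the keepalives and handshakes in a WAN-side capture. It assumes a ping with 500 bytes of payload (a 528-byte inner IPv4 packet), an IPv4 outer transport, and the padding rule used by WireGuard implementations (round up to 16 bytes, but never beyond the tunnel MTU).

```python
# WireGuard message types and the fixed UDP-payload sizes of the non-data messages.
HANDSHAKE_INIT, HANDSHAKE_RESP, COOKIE_REPLY, TRANSPORT = 1, 2, 3, 4
FIXED = {HANDSHAKE_INIT: (148, "handshake-initiation"),
         HANDSHAKE_RESP: (92, "handshake-response"),
         COOKIE_REPLY: (64, "cookie-reply")}
TRANSPORT_HEADER = 16   # type (4) + receiver index (4) + nonce counter (8)
TAG = 16                # Poly1305 authentication tag
UDP_IPV4_OVERHEAD = 28  # outer UDP (8) + IPv4 (20) headers
WG_MTU = 1420           # MTU of wireguard1 in the thread's config


def transport_size(inner_ip_len, mtu=WG_MTU):
    """UDP payload length of a transport message carrying an inner IP packet.

    The plaintext is padded to a multiple of 16 bytes, capped at the tunnel MTU
    (so a full-size 1420-byte packet is not padded), then header and tag are added.
    A keepalive is the empty case and is always 32 bytes.
    """
    padded = min((inner_ip_len + 15) // 16 * 16, mtu)
    return TRANSPORT_HEADER + max(padded, inner_ip_len) + TAG


def outer_ipv4_len(inner_ip_len, mtu=WG_MTU):
    """Size of the encrypted packet on the WAN wire, i.e. what a sniffer on ether1 shows."""
    return transport_size(inner_ip_len, mtu) + UDP_IPV4_OVERHEAD


def classify(udp_payload):
    """Label a sniffed UDP payload by its WireGuard type byte and length."""
    # The type is a little-endian u32 whose upper three bytes are reserved and zero.
    if len(udp_payload) < 4 or udp_payload[1:4] != b"\x00\x00\x00":
        return "not-wireguard"
    mtype = udp_payload[0]
    if mtype in FIXED:
        size, label = FIXED[mtype]
        return label if len(udp_payload) == size else "malformed"
    if mtype == TRANSPORT:
        body = len(udp_payload) - TRANSPORT_HEADER - TAG
        if body == 0:
            return "keepalive"
        if body > 0 and body % 16 == 0:
            return "transport-data"
        return "malformed"
    return "not-wireguard"
```

For the 500-byte ping, outer_ipv4_len(528) gives 588 bytes on ether1, clearly above the 148/92-byte handshake and 60-byte (32 + 28) keepalive packets, while outer_ipv4_len(1420) gives 1480, which is why the 1420 MTU fits a 1500-byte WAN link.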
