Community discussions

 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Wireguard proper server config

Wed Oct 06, 2021 5:43 pm

Hello Folks,

Since this is my first post on this forum, prior to asking about things, I'd like to say HI to you.

I am lacking some knowledge and I'd like to ask you for help in understanding my case. I prepared a small schematic (sorry about the performance) of the structure of my network. That's first.
[Image: network schematic]

I am trying to get Wireguard working on my MT, but no luck. I tried all suggestions posted here and on YT, but no luck.

Back in the day, when I managed my old router (before MT), I just had to port forward to my server with Wireguard and all was fine. I suspect it is probably the same case now.

Can you please give me some hints guys?

BR

Edit. I see packets flowing when I'm on wifi on my Android device with the following setting:
/ip firewall nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" 
      ipsec-policy=out,none 

 1    chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=13231 
      protocol=udp dst-address=my.external.ip.address dst-port=13231 log=no log-prefix=""
But no luck with mobile data. No packets shown anywhere in the firewall.
 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Fri Oct 08, 2021 7:07 pm

Hi back

Questions:
- I assume your left device is a RB SXT sqG-5acD. It has an external IP 192.168.100.249 and an internal IP in the 192.168.1.0-range ?
- which device do you intend to have acting as "server" (which conceptually does not exist on WG, there are only peers)
- can you reach that device and port 12321 from outside ? How ?

What I find strange is that all ip-ranges are private ranges. What else is there to make sure you get to the real internet ?
What's in front of the RB SXT ? Or are your IP-ranges here purely informational ?

Have you checked the documentation ? https://help.mikrotik.com/docs/display/ROS/WireGuard

Note: there will always be some traffic going out visible. Only when you see traffic coming back in, you will know it works.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Fri Oct 08, 2021 8:03 pm

Try using IP Cloud on the MT devices to ascertain your public IP at each end.
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Fri Oct 08, 2021 9:15 pm

Hi! I guess I messed things up a bit.
Questions:
- I assume your left device is a RB SXT sqG-5acD. It has an external IP 192.168.100.249 and an internal IP in the 192.168.1.0-range ? Left device is not mine, it's ISP property. I can't access it. I can see this device on my MT in 'Neighbour list' as 192.168.100.1. It is acting as gateway for my router.
- which device do you intend to have acting as "server" (which conceptually does not exist on WG, there are only peers) The right one.
- can you reach that device and port 12321 from outside ? How ?

What I find strange is that all ip-ranges are private ranges. What else is there to make sure you get to the real internet ?
What's in front of the RB SXT ? Or are your IP-ranges here purely informational ? The left device is communicating with some sort of repeater couple hundred meters away.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Fri Oct 08, 2021 10:40 pm

Okay, maybe still possible. You can see the left device, but it's routing, not just modeming...
What one needs to do is access the ISP router and port forward the WIREGUARD LISTENING PORT TO YOUR private WANIP (a LAN IP from the ISP router's perspective).
If you don't have direct access, you should ask your ISP to do it for you. UDP protocol!!
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Fri Oct 08, 2021 11:02 pm

From my first post on this thread:

'Back in the day, when I managed my old router (before MT), I just had to port forward to my server with Wireguard and all was fine. I suspect it is probably the same case now.'
 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Fri Oct 08, 2021 11:07 pm

From my first post on this thread:

'Back in the day, when I managed my old router (before MT), I just had to port forward to my server with Wireguard and all was fine. I suspect it is probably the same case now.'
It is.
It is not because it is old school that it does not work anymore :D
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Sat Oct 09, 2021 11:15 am

What is not working anymore? Port forwarding? When I had my old PC acting as a server, running a Wireguard server within my LAN, the trick was to port forward UDP 51820.

Two things changed from then:
  • no old PC with wireguard -> now wireguard is on MT
  • no old router -> my new mikrotik is now my router
When I check my external IP address on ipchicken, for instance, it's always the same - it's a static IP.
 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Sat Oct 09, 2021 11:32 am

I am a bit confused.
What device do you use as "entry point" to reach the Wireguard port (which ultimately needs to be forwarded one way or the other towards your MT router) ?
Is port forwarding functioning there ?
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Sat Oct 09, 2021 2:21 pm

Sorry, I think I don't understand your question. Perhaps this graphic will tell more.
[Image: network drawing]
 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Sat Oct 09, 2021 2:40 pm

OK, much clearer :D

On the new MT router, add a firewall rule to allow port 51820:
/ip/firewall/filter add chain=input action=accept protocol=udp in-interface-list=WAN dst-port=51820 log=no (or yes, your choice)
Move that rule above the input drop rule which blocks everything coming from WAN (or !LAN, depending on whether you changed it or not).

And then set up Wireguard as per the instructions in the Wiki.
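The ordering point above is easy to get wrong when editing a long filter chain, so here is a small lint for it, written as an added example (it is not code from this thread or from MikroTik). RouterOS evaluates filter rules top to bottom and the first match wins, so the accept for the WireGuard listen port has to precede the "drop all not coming from LAN" rule. The script rejoins the backslash-wrapped lines of a RouterOS 7 `/export`, pulls out the `/ip firewall filter` rules in order, and walks the input chain; the two exports it runs on are constructed samples shaped like the ones posted later in this thread (the listen port 13231 and the rule comments are taken from them).

```python
"""Lint a RouterOS export for WireGuard input-chain ordering (added example)."""
import shlex


def join_continuations(text):
    """RouterOS exports wrap long commands with a trailing backslash; rejoin them
    so every 'add ...' becomes one logical line. Comment lines are dropped."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_filter_rules(text):
    """Return the '/ip firewall filter' rules as dicts, in export (= evaluation) order."""
    section, rules = None, []
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
            continue
        if section != "/ip firewall filter" or not line.startswith("add "):
            continue
        rule = {}
        for tok in shlex.split(line)[1:]:  # shlex copes with the quoted comment= values
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def check_wg_input_order(text, listen_port):
    """Walk the input chain top to bottom. Returns (ok, reason): ok is True when an
    accept for udp/<listen_port> that is not restricted to LAN is reached before a
    drop that would swallow WAN traffic (in-interface-list=!LAN or =WAN)."""
    port = str(listen_port)
    for rule in parse_filter_rules(text):
        if rule.get("chain") != "input":
            continue
        if (rule.get("action") == "accept" and rule.get("protocol") == "udp"
                and rule.get("dst-port") == port
                and rule.get("in-interface-list") != "LAN"):
            return True, "accept for udp/%s is above the WAN drop" % port
        if rule.get("action") == "drop" and rule.get("in-interface-list") in ("!LAN", "WAN"):
            return False, "drop rule '%s' is above any accept for udp/%s" % (
                rule.get("comment", ""), port)
    return False, "no input-chain accept for udp/%s found" % port


# Constructed sample exports, not a real router's full config. GOOD_EXPORT follows the
# ordering of the second export in this thread; BAD_EXPORT has the accept below the drop.
GOOD_EXPORT = """\
# constructed sample in RouterOS 7 export shape
/interface wireguard
add listen-port=13231 mtu=1420 name=wgmt
/ip firewall filter
add action=accept chain=input comment=\\
    "defconf: accept established,related,untracked" connection-state=\\
    established,related,untracked
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \\
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
"""

BAD_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \\
    protocol=udp
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_EXPORT), ("bad", BAD_EXPORT)):
        ok, why = check_wg_input_order(cfg, 13231)
        print(name, "OK" if ok else "FAIL", "-", why)
```

Running it with the port you believe is forwarded (51820 in the drawing, 13231 in the export) also answers the "knocking at the wrong door" question raised later in the thread: a config that only accepts 13231 fails the check for 51820.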
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Sat Oct 09, 2021 4:46 pm

(1) The important learning point is that if the MT is the public-facing router, or even if it's behind another router (but is the server to start the connection), one has to ALLOW the listening port traffic to hit the router itself (hence the INPUT CHAIN RULE) to initially establish the tunnel.
If you know the IP address the traffic is coming from, you can narrow it down, but generally, since it's for establishing a VPN tunnel and the credentials will be checked, it's secure in the form presented.

(2) If, on the server side, the peer users will be going out to the internet using the WANIP of the server, there has to be a route in place to ensure that Wireguard traffic (peer-originated outbound) returning from the internet being provided on the server side is sent to the other end of the tunnel (back to the peer). This also applies to returning traffic from any interactions with subnets on the LAN side of the server router (perhaps the peer users are using a printer on the server side).

(3) The rest of the setup is done in the Wireguard settings themselves...
I have mine set up so that I can actually reach the PEER router and configure it via Winbox, for example.
That entails more work...
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Sun Oct 10, 2021 9:44 pm

@holvoetn thanks for the tip, but I knew about it and I've done it - no success.

I think I literally did everything that was suggested in this thread: viewtopic.php?t=174417

Don't know where I'm really stuck. It must be something in the firewall config - port forwarding or routing, I guess - since not long ago I was able to run Wireguard and connect to it from a remote location...

Edit. Thinking about it again, I reckon I don't need port forwarding like I did with my old setup. I just need to access my MT from outside, but I'm unable to do so.
Last edited by mystichussar on Sun Oct 10, 2021 9:57 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Sun Oct 10, 2021 9:49 pm

Can you post your current configuration ?
/export hide-sensitive file=whatever

Then we can have a look.
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Sun Oct 10, 2021 10:07 pm

 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Sun Oct 10, 2021 10:52 pm

Posting your config between Code-tags is easier for everyone ...
# oct/10/2021 20:57:46 by RouterOS 7.1rc4
# software id = BSM0-IT8B
#
# model = RBD53iG-5HacD2HnD
# serial number = E7290XXXXXXX
/interface bridge
add admin-mac=08:55:31:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=poland disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=czosnek wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=czosnek_5 wireless-protocol=\
    802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=wgmt
/disk
set usb1 disabled=no
set usb1-part1 disabled=no
set usb1-part2 disabled=no
set usb1-part3 disabled=no name=disk1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=Wireguard interface=wgmt list=LAN
/interface wireguard peers
add interface=wgmt public-key="XXX="
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.20.50.1/24 comment=Wireguard interface=wgmt network=10.20.50.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=Wireguard dst-port=13231 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=\
    udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward dst-address=192.168.1.1 dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=XX.XXX.XXX.XXX dst-port=13231 \
    protocol=udp to-addresses=10.20.50.0 to-ports=13231
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Warsaw
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.task.gda.pl
/system routerboard settings
set cpu-frequency=auto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Question 1: why is your Wireguard listen port in the config 13231 whereas you say above it should be 51820 ?
If you're knocking at the wrong door, it makes sense nobody opens ...

Question 2:
Peer definition of Wireguard: where are the endpoint address and port ? It should at least have its own IP address if the 'other side' does not have a public IP address. It needs an address and a port to listen to.

Once again, please follow the instructions from the documentation. They are a very good base.
https://help.mikrotik.com/docs/display/ROS/WireGuard
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Mon Oct 11, 2021 1:25 am

I don't see a mismatch; the listen port for Wireguard and the input chain rule to listen for it are the same, 13231?

However, why is this rule in your input chain (what purpose)?
add action=accept chain=input comment=Wireguard dst-port=13231 in-interface-list=LAN protocol=udp

In the forward chain what is the purpose of this rule??

add action=accept chain=forward dst-address=192.168.1.1 dst-port=13231 in-interface=ether1 protocol=udp

In the NAT chain what is the purpose of this rule??
add action=dst-nat chain=dstnat dst-address=XX.XXX.XXX.XXX dst-port=13231 protocol=udp to-addresses=10.20.50.0 to-ports=13231

If you read my post, you only need
a. listening port on input chain
b. route back to the peer

Where in the conversation did all these other crap-seeming rules get recommended/discussed???

Where are your IP route settings??
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Mon Oct 11, 2021 11:01 pm

Hello!

I followed once more everything from a thread: viewtopic.php?t=174417.

I came up with this setting:
/interface wireguard
add listen-port=13231 mtu=1420 name=wgmt
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1d name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=Wireguard interface=wgmt list=LAN
/interface wireguard peers
add allowed-address=10.20.50.2/32 endpoint-port=13231 interface=wgmt \
    public-key="sensitive"
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=10.20.50.1/24 comment=Wireguard interface=wgmt network=10.20.50.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=10.20.50.0/24 gateway=wgmt pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
And this is what my Android setup looks like:
[Image: Android Wireguard client settings]

As you can see - no packets flow. Rebooted mt several times. Clueless at this point.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard proper server config

Mon Oct 11, 2021 11:13 pm

/interface wireguard peers
add allowed-address=10.20.50.2/32 endpoint-port=13231 interface=wgmt \
public-key="sensitive"
If the peer is an android phone that will move around in a Roadwarrior fashion, you should not be setting the endpoint-port for it.
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Mon Oct 11, 2021 11:27 pm

Removed port as suggested - no change.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard proper server config

Mon Oct 11, 2021 11:50 pm

Removed port as suggested - no change.
You also don't need the static ip route for the wireguard subnet as it will already be present as a connected route. After deleting this static route, reboot your device.

If that doesn't help, my best guess is that there is some other firewall between your android phone and the MikroTik that is blocking the wireguard traffic, as nothing else jumps out at me.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 12:04 am

/ip route
add disabled=no distance=1 dst-address=10.20.50.0/24 gateway=wgmt pref-src="" \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
YES you absolutely need this route (edit: I do because I don't give my WG interface IP addresses)

(1) TRY using 10.20.50.2 for dst address (don't think it will make a difference but worth a try)

(2) next remove the IP address assigned to the Wireguard interface, it doesn't need one!!


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Question: LOG your listen port input chain rule, then attempt a connection with the phone.
Do you see the attempt to connect??

That is the first step in troubleshooting: does the phone reach the router in the first place?
If it does not, then there are two possibilities:
a. misconfigured Wireguard settings on the phone.
b. you're landing on another router before yours (in other words, you don't really have a public IP address!!)
Last edited by anav on Tue Oct 12, 2021 12:19 am, edited 1 time in total.
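The logging step above produces firewall log lines, and reading them by eye gets tedious once several devices are trying. The following is an added example (not code from this thread or from MikroTik) that parses such lines and maps them onto the two outcomes described: the phone's handshake never arrives, or it arrives and the problem lies further in. The log lines it runs on are constructed in the shape RouterOS uses for firewall log entries, using documentation addresses; the log prefix `wg-in` on the accept rule and the 148-byte size check (the length of a WireGuard handshake initiation message) are assumptions of this example. It also distinguishes the case the original poster reported, packets seen over wifi (LAN side) but never from the internet (WAN side).

```python
"""Read RouterOS firewall log lines for the WireGuard listen port (added example)."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>\S+) input: in:(?P<iface>\S+) "
    r"out:\(unknown 0\), (?:src-mac \S+, )?proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$"
)
WG_HANDSHAKE_INIT_LEN = 148  # UDP payload size of a WireGuard handshake initiation (assumed check)

# Constructed sample: two tries over wifi (in:bridge), one over mobile data (in:ether1),
# and one unrelated packet logged by a different rule that must be ignored.
SAMPLE_LOG = [
    "oct/12 00:10:31 firewall,info wg-in input: in:bridge out:(unknown 0), "
    "src-mac 5c:00:00:00:00:01, proto UDP, 192.168.1.50:50412->192.168.1.1:13231, len 148",
    "oct/12 00:10:36 firewall,info wg-in input: in:bridge out:(unknown 0), "
    "src-mac 5c:00:00:00:00:01, proto UDP, 192.168.1.50:50412->192.168.1.1:13231, len 148",
    "oct/12 00:12:02 firewall,info wg-in input: in:ether1 out:(unknown 0), "
    "src-mac 00:00:5e:00:53:01, proto UDP, 203.0.113.5:41234->198.51.100.7:13231, len 148",
    "oct/12 00:12:05 firewall,info dropped input: in:ether1 out:(unknown 0), "
    "src-mac 00:00:5e:00:53:01, proto UDP, 203.0.113.9:5353->198.51.100.7:5353, len 72",
]


def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, listen_port):
    """Count inbound UDP packets to the listen port per ingress interface and source,
    tagging those whose size matches a handshake initiation."""
    seen = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or int(rec["dport"]) != listen_port:
            continue
        kind = "handshake-init" if int(rec["len"]) == WG_HANDSHAKE_INIT_LEN else "other"
        seen[rec["iface"]][(rec["src"], kind)] += 1
    return {iface: dict(c) for iface, c in seen.items()}


def diagnose(summary, wan_iface="ether1"):
    """Map the summary onto the outcomes discussed in the thread."""
    if not summary:
        return "no-packets"      # phone never reaches the router: client config, or no public IP
    if wan_iface in summary:
        return "reached-on-wan"  # handshake arrives; look at keys, allowed-address and routes next
    return "lan-only"            # only seen from the LAN side, never from the internet


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, 13231)
    for iface, counts in s.items():
        print(iface, counts)
    print("diagnosis:", diagnose(s))
```

Feed it the output of `/log print` filtered on your prefix; an empty summary after a connection attempt means the packets are stopped before your router, which is the ISP-side question raised earlier in this thread.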
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 12:13 am

YES you absolutely need this route.
He does not need that route since he has the IP address on the wireguard interface. If he removes the IP from the wireguard interface as you say then he would need that route.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 12:15 am

Removed port as suggested - no change.
You also don't need the static ip route for the wireguard subnet as it will already be present as a connected route. After deleting this static route, reboot your device.
Whaaaaaaaaat?

Tell me how any internet traffic going out the server router, but originating on the smartphone, will get back to the smartphone without the IP route?????
Without such direction the return traffic will attempt to go out the standard default main IP route.
I am less sure on any peer to LAN interaction which would be firewall rule dependent to be allowed to occur, but still think the route is useful here too.
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 12:16 am

Ah okay I was not aware of that functionality of adding IP address, thanks for the clarification.
In any case the extra route created would not prevent connectivity either way.

In any case the OP can try it both ways, as we both have run out of ideas LOL.

I would like to know for sure if the phone's initial connect hits the router, as a starting point for where this fails!
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 12:37 am

Ah okay I was not aware of that functionality of adding IP address, thanks for the clarification.
Yes, whenever you have an IP on an interface, a dynamic connected (DC) route for the subnet is created with the interface as the gateway. This has the same settings as the static route that the original poster manually created, but a shorter distance (0), so the static route with distance 1 would never actually be activated and do anything because the connected route is used instead.

I suspect this behaviour of adding the IP address is the reason why so many wireguard tutorials ask you to add an IP on the wireguard interface itself on the hub end. A lot of linux distros have nice GUIs for doing something like giving an interface an IP address, but they don't always have nice GUIs for adding a static route onto the system. If someone is not an expert at linux, they may have some difficulty figuring out the static routing configuration, especially in a way that is persistent and survives a reboot. Putting the IP on the wireguard interface itself makes things easier for such users because it saves them from needing to add this route and means that they can probably just use the GUI to add the IP. It makes less of a difference on RouterOS because it is not much harder to add a static route there than it is to add an IP onto an interface.
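Two points in this thread are really one route-selection question: anav's, that replies for tunnel peers need a route pointing at the WireGuard interface or they leave via the default route, and mducharme's, that an address on the interface already yields a connected (DC, distance 0) route which wins over a hand-added static route (distance 1) to the same prefix. The following added example (not RouterOS code and not the posters' configurations) models the main table for the three setups discussed, using the prefixes and interface names from the thread; treating the DHCP-learned default route as distance 1 with flags `DAd` is this example's assumption.

```python
"""Route selection model for the WireGuard return path (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str       # destination prefix
    gateway: str   # interface name (RouterOS accepts an interface as gateway)
    distance: int  # 0 for connected routes, 1 is the usual static/DHCP default
    flags: str     # "DC" connected, "S" static, "DAd" dynamic from DHCP


def connected_routes(addresses):
    """Every '/ip address' entry yields a DC route for its network via its interface."""
    return [Route(str(ipaddress.ip_interface(cidr).network), iface, 0, "DC")
            for iface, cidr in addresses]


def active_routes(routes):
    """RouterOS activates one route per prefix: the lowest distance wins."""
    best = {}
    for r in routes:
        if r.dst not in best or r.distance < best[r.dst].distance:
            best[r.dst] = r
    return list(best.values())


def lookup(routes, ip):
    """Longest-prefix match among the active routes, as the main table does."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in active_routes(routes) if addr in ipaddress.ip_network(r.dst)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.dst).prefixlen, default=None)


DEFAULT_VIA_WAN = Route("0.0.0.0/0", "ether1", 1, "DAd")  # from the DHCP client on ether1
STATIC_WG = Route("10.20.50.0/24", "wgmt", 1, "S")        # the hand-added route from the thread


def table_with_wg_address():
    """The poster's setup: 10.20.50.1/24 on wgmt plus the static route."""
    return connected_routes([("bridge", "192.168.1.1/24"), ("wgmt", "10.20.50.1/24")]) \
        + [DEFAULT_VIA_WAN, STATIC_WG]


def table_without_wg_address():
    """anav's setup: no address on wgmt, so only the static route points at the tunnel."""
    return connected_routes([("bridge", "192.168.1.1/24")]) + [DEFAULT_VIA_WAN, STATIC_WG]


def table_with_no_route_back():
    """Neither address nor static route: replies for the peer follow the default route."""
    return connected_routes([("bridge", "192.168.1.1/24")]) + [DEFAULT_VIA_WAN]


def return_path(table, peer_ip="10.20.50.2"):
    """Which interface a reply destined for the peer leaves through, and which route won."""
    r = lookup(table, peer_ip)
    return (r.gateway, r.flags) if r else None


if __name__ == "__main__":
    for name, build in (("with address", table_with_wg_address),
                        ("without address", table_without_wg_address),
                        ("no route back", table_with_no_route_back)):
        print("%-16s -> %s" % (name, return_path(build())))
```

With the address on `wgmt` the static route is present but never active, which is why deleting it changes nothing; without either, the reply to 10.20.50.2 goes out `ether1` and the tunnel appears dead even though the handshake succeeded.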
 
anav
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 1:49 am

The issue I have is that users will not realize that adding the IP creates the static route for you.
I think it's still useful to be able to create the route manually and then learn about the IP address trick after LOL
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 2:34 am

The issue I have is that users will not realize that adding the IP creates the static route for you.
They should realize this as it happens for all interfaces, not just wireguard.

For instance, in the factory mikrotik configuration for most of the SOHO devices, the bridge has the IP address 192.168.88.1/24. The fact that it has the IP address means that it has a dynamic connected (DC) route to 192.168.88.0/24 so that it can communicate with hosts on that network. Are you really suggesting that users think that on a newly purchased MikroTik router on the default config they have to add a static route like:

/ip route add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=bridge

??
 
holvoetn
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Tue Oct 12, 2021 7:50 am

I asked before but I will repeat:
In the drawing in post #10 of this thread you showed the WG port to be 51820.
Is that the port which is forwarded towards your Mikrotik router ? Or is it supposed to be 13231 as you are showing now in all your config ?
Or are ALL ports simply available on your router to use ? Are you sure about that ?
Go back to the port you know which worked before = 51820. It may be something IS blocked in between.

It's the only thing I see which could be wrong since your config is conceptually the same as mine for the server and Android client yet my setup works.
Other than that, logging of the input rule as suggested by Anav will tell you for sure if something is coming into that port or not.
If in doubt, use an external port scanner service to test (whatsmyip or something like that).
 
holvoetn
Forum Guru
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Tue Oct 12, 2021 8:01 am

/interface wireguard peers
add allowed-address=10.20.50.2/32 endpoint-port=13231 interface=wgmt \
public-key="sensitive"
If the peer is an android phone that will move around in a Roadwarrior fashion, you should not be setting the endpoint-port for it.
Question:
Why not ?
As far as I understood the documentation you need endpoint address and port to listen to ?
Or is it because from the client traffic will already be directed to that specific port AND the interface definition also listens to that port, it does not need to be repeated anymore on the server/peer side ? (I know, there is no server nor client but it helps to make it more clear).
If that's the case, then it would be applicable for all peer definitions since it would be redundant information, no ?
 
anav
Forum Guru
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 3:06 pm

Hi H.
In the case of the smartphone, the endpoint can be any public IP provided by
a. the wifi of the location one is in, or
b. random generated by the cellular company.

In the case of a fixed peer behind a Public IP
(static or dynamic - I can use the endpoint of IP cloud if the main router or peer device is MT related - otherwise use dyndns address)
 
holvoetn
Forum Guru
Forum Guru
Posts: 5412
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard proper server config

Tue Oct 12, 2021 3:41 pm

Hi H.
In the case of the smartphone, the endpoint can be any public IP provided by
a. the wifi of the location one is in, or
b. random generated by the cellular company.

In the case of a fixed peer behind a Public IP
(static or dynamic - I can use the endpoint of IP cloud if the main router or peer device is MT related - otherwise use dyndns address)
If I understand your explanation correctly, it means the endpoint port on the client peer-definition is in fact the STARTING port for the communication ? The port which is used to go out ?
That's incredibly confusing to use those names then ...
And otherwise I am still confused :D

EDIT: just tried: in the WG app on my android phone, the endpoint port has to be filled in mandatory. No possibility to fill in merely an IP address or name. It HAS to have a semicolon followed by a port number. Now I'm even more confused :?
 
anav
Forum Guru
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 5:53 pm

Hi mducharme, yes I never really looked at my IP Routes in that regard and just had a peek, so thanks for the tip and reminder!!
Every subnet gateway has main routing table entry.

@ H
I can only state what I have setup on my wireguard connections................
On the Server Router.
a. listening port on input chain to allow initial connection traffic. (port 9213)
b. route to wg interface for any return traffic for peer originated outbound using the server router for internet ( automatically created if you give the wg interface an IP address).

For SERVER ROUTER Wireguard Settings

Name = wireguard-iphone,
Listen port =9213 (matches input chain rule)
Private key (not used externally)
Public key = xxxxx to be sent to Iphone.

For SERVER ROUTER Peer Settings
- Interface name = wireguard-iphone
- Public Key = yyyyy this is the public key received from the Iphone
- Endpoint = empty (as I have no idea what the IP address of my IPhone will be !! )
- Endpoint port = empty (not applicable)
- Allowed address = 10.10.10.2/32 (this is the IP address I will put on the wireguard settings on the phone).

To Compare the SERVER ROUTER Peer settings for a peer that is a router with a known public IP address.
- Interface name = WG-FAM
- Public key = this is the public key received from the peer router
- Endpoint = IP CLOUD name of peer router
- Endpoint port = empty (not applicable)
- Allowed address = 192.168.30.0/24 ( this is the subnet that has access to the wg tunnel on the peer router )

Finally..........
For SMART PHONE Wireguard Settings
Public Key = yyyyy The public key provided TO the server router
Addresses = 10.10.10.2/32 The address assigned to the iphone for the wireguard traffic.

For SMART PHONE Peer Settings
Public Key = xxxxx The public key provided BY the server router.
Endpoint = IP CLOUDname:9213 the name of the server router appended with listening port. ( tells the smartphone where to make the initial connection)
Allowed IPs = 0.0.0.0/0 ( which basically lets any IP assigned to the smartphone be relevant either assigned by coffee shop wifi or cellular provider etc..)
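As an added example (not from the original thread or from MikroTik), the RouterOS v7 commands that express the hub-side settings anav lists above, and that also show mducharme's earlier point about the IP address creating the connected route: the interface name, listen port and addresses are taken from anav's post, both public keys and the IP Cloud name are placeholders, and the site-to-site peer is put on the same interface instead of a separate WG-FAM interface.

```routeros
# Added example (not from this thread): RouterOS v7 hub configuration
# matching anav's description. Keys and the Cloud name are placeholders.

# 1. WireGuard interface. Omitting private-key makes RouterOS generate one;
#    the resulting public key is what you hand to the phone.
/interface wireguard
add name=wireguard-iphone listen-port=9213

# 2. Hub-side address on the tunnel interface. This is the step that creates
#    the dynamic connected (DC) route to 10.10.10.0/24, so no manual
#    /ip route entry is needed for return traffic to the phone.
/ip address
add address=10.10.10.1/24 interface=wireguard-iphone

# 3. Roadwarrior peer (the phone). No endpoint-address / endpoint-port: the
#    phone's public IP and source port change with every Wi-Fi or cellular
#    network, and the hub learns them from the first authenticated packet.
/interface wireguard peers
add interface=wireguard-iphone allowed-address=10.10.10.2/32 \
    public-key="PHONE_PUBLIC_KEY_PLACEHOLDER" comment="iphone roadwarrior"

# 4. Site-to-site peer with a known, resolvable address (anav's WG-FAM case).
#    endpoint-address/endpoint-port are set only because the hub may initiate
#    the handshake toward that fixed peer; persistent-keepalive keeps any
#    NAT mapping in between alive.
add interface=wireguard-iphone allowed-address=192.168.30.0/24 \
    endpoint-address=PEER-ROUTER-CLOUD-NAME.sn.mynetname.net \
    endpoint-port=13231 persistent-keepalive=25s \
    public-key="PEER_ROUTER_PUBLIC_KEY_PLACEHOLDER" comment="WG-FAM site"

# 5. Input rule for the listen port, placed before the default drop rule
#    (adjust place-before to your own rule order). log=yes gives the
#    "is anything arriving at all" check discussed earlier in the thread.
/ip firewall filter
add chain=input protocol=udp dst-port=9213 action=accept \
    log=yes log-prefix="wg-in" place-before=0 comment="allow WireGuard"

# Verification: the DC route created by step 2, and the peers' handshake state.
/ip route print where gateway=wireguard-iphone
/interface wireguard peers print detail
```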
 
mystichussar
just joined
Topic Author
Posts: 15
Joined: Mon Oct 04, 2021 10:23 pm

Re: Wireguard proper server config

Tue Oct 12, 2021 6:53 pm

OK Guys! I have good news - you are not gonna believe this... Today I called my ISP, totally hopeless (because of literally three afternoons spent on figuring what the heck is going on) and asked them to give me some hint about what else I can try, and the lady on the other side of the phone asks: 'Did you recently change your router device?'. I was like: 'Yes..?'. Then she says: 'Oh, that's unfortunate - you should've told us about that. We'll fix that in a minute'. Guess what - wg on my android just started immediately. WTF!? They bond somehow their CPE with my router - mac address? For what? She didn't explain, when I asked...

Maybe it helps somebody in the future. I used simplest setting that was suggested in this thread: viewtopic.php?t=174417

Endpoint port in wireguard peer setup doesn't change anything - checked that. But endpoint port on android's wg is mandatory.

If you have questions about other setting, feel free to ask. If not, I consider this problem as solved.

Thanks for all suggestions and your help.
 
anav
Forum Guru
Forum Guru
Posts: 19112
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard proper server config

Tue Oct 12, 2021 7:51 pm

Good to hear.....
Of course think of the logic.

The Server Router Wireguard Setting has to include the LISTENING PORT for incoming connections.
The Server Router Wireguard Peer setting endpoint port is NOT used at all (unless the initial connection was required to be able to happen both ways)!!

Clearly the android settings need to know which port to send initial traffic out on, to make the initial connection.
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: Wireguard proper server config

Wed Oct 13, 2021 9:45 pm

Yes, exactly, I never suggested that the actual client should not be configured with the server's port - it needs that. But there is no reason to specify the port that the client peer will use on the server side in the peer settings. For instance, it doesn't make sense to tell your Wireguard server that wherever your phone is in the world, that phone will be directly reachable on port 13231. As anav pointed out, when the phone goes behind a NAT, it is not directly reachable and doesn't have a choice in what port it uses.
