Borizo
newbie
Topic Author
Posts: 28
Joined: Thu Oct 28, 2010 4:38 pm

Will NATted wireguard work?

Wed Oct 13, 2021 7:18 pm

I am trying to run a local WireGuard server on a Mikrotik, though its implementation (7.1rc4) does not respond to the Android WireGuard client implementation (1.0.20210926).
The configs of the server and client are in the attachments. In simple words: Mikrotik WireGuard does not respond, though the IP routing configuration is correct and a simple ping does work (I cannot ping the phone's IP as the phone's ISP is NATted).
I suspect that the Mikrotik is confused about where to send the WireGuard packets back and just silently drops them.
I wonder why; for me it's clear: send them back to where you got them from (same IP, src port). I also tried removing the listening port in the WireGuard client, but it does not help.
Are there any more logging/filtering rules I can apply to see what's going on inside WG?
 
anav
Forum Guru
Posts: 8757
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Wed Oct 13, 2021 9:30 pm

It works just fine; it's your setup that is not working, either on the phone or on the MT itself.
Here is an example of my settings for my iPhone.

I can only state what I have set up on my WireGuard connections.
On the Server Router:
a. A listening-port rule on the input chain to allow the initial connection traffic (port 9213).
b. A route to the wg interface for any return traffic for peer-originated outbound traffic using the server router for internet (automatically created if you give the wg interface an IP address).

For SERVER ROUTER Wireguard Settings
Name = wireguard-iphone
Listen port = 9213 (matches the input chain rule)
Private key (not used externally)
Public key = xxxxx, to be sent to the iPhone.

For SERVER ROUTER Peer Settings
- Interface name = wireguard-iphone
- Public Key = yyyyy, this is the public key received from the iPhone
- Endpoint = empty (as I have no idea what the IP address of my iPhone will be!!)
- Endpoint port = empty (not applicable)
- Allowed address = 10.10.10.2/32 (this is the IP address I will put in the WireGuard settings on the phone).

Finally...
For SMART PHONE Wireguard Settings
Public Key = yyyyy, the public key provided TO the server router
Addresses = 10.10.10.2/32, the address assigned to the iPhone for the WireGuard traffic.

For SMART PHONE Peer Settings
Public Key = xxxxx, the public key provided BY the server router.
Endpoint = IPCloudName:9213, the name of the server router with the listening port appended (tells the smartphone where to make the initial connection).
Allowed IPs = 0.0.0.0/0 (which basically lets any IP assigned to the smartphone be relevant, whether assigned by coffee shop wifi or cellular provider etc.)

NOTE: I use the DynDNS service provided by MT to identify the endpoint on the smartphone.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
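The setup above as a RouterOS 7 script, added here as an example (it is not anav's export nor anything from MikroTik); the interface name, 10.10.10.0/24, port 9213, the ether1 WAN interface and the placeholder key are assumptions. It also includes the handshake-logging and capture checks Borizo asked about.

```routeros
# Added example (not from the thread): RouterOS 7 WireGuard "server" as anav
# describes it, plus the checks for the "packets in, nothing out" symptom.
# Assumed/placeholder values: interface name, 10.10.10.0/24, port 9213,
# WAN interface ether1, the peer public key.

/interface wireguard
add name=wireguard-iphone listen-port=9213
# The private key is generated on the router and never leaves it; the public
# key shown by '/interface wireguard print' is what the phone needs.

/ip address
add address=10.10.10.1/24 interface=wireguard-iphone
# The connected route to 10.10.10.0/24 is created automatically (point b).

/interface wireguard peers
# allowed-address is WireGuard's cryptokey routing table: a reply addressed
# to 10.10.10.2 is sent only to the peer whose allowed-address covers it.
# Without it the router has no peer for the return traffic and drops it
# silently, with nothing in the output chain and nothing in the log.
add interface=wireguard-iphone public-key="<PHONE_PUBLIC_KEY>" \
    allowed-address=10.10.10.2/32
# endpoint-address/endpoint-port stay empty: the phone is behind NAT, so the
# router learns the phone's current address:port from its handshake and
# answers there. The phone side is the mirror image: Address 10.10.10.2/32,
# Endpoint <router-cloud-name>:9213, AllowedIPs 0.0.0.0/0.

/ip firewall filter
# Handshakes are addressed to the router itself, so they are matched in the
# INPUT chain; the rule must sit above any drop rule on input.
add chain=input protocol=udp dst-port=9213 action=accept \
    comment="WireGuard handshake" place-before=0

# --- Diagnostics ---
# 1. Log each arriving handshake so you can see the phone's NATted src address.
add chain=input protocol=udp dst-port=9213 action=log log-prefix=wg-in \
    place-before=0
# 2. A completed handshake shows up as last-handshake and non-zero rx/tx.
/interface wireguard peers print detail
# 3. Capture both directions on the WAN: a response proves the router answered.
/tool sniffer quick interface=ether1 port=9213
```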
 
Borizo
newbie
Topic Author
Posts: 28
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Wed Oct 13, 2021 11:35 pm

> Here is an example of my settings for my iPhone.
Thank you for sharing information on your setup. A few questions:
1. Is your MT router server behind NAT or does it have a public IP address?
2. Is your iPhone behind NAT or does it have a public IP address?
3. Do you run 7.1rc4?
In my case both are behind NAT (i.e. have gray IPs). The Mikrotik WireGuard server connection is done through port forwarding (i.e. UDP port 51820 is forwarded through the NATs to the destination MT device).
> I can only state what I have set up on my WireGuard connections.
I might be missing something, though my setup is identical to yours. If you see any difference, please pinpoint it.
> It works just fine; it's your setup that is not working, either on the phone or on the MT itself.
The problem is that I do not see a reason why it does not work: packets arrive from the phone at the MT and ... no reply is provided by the MT. And this black box keeps silent.

I still have a question:
Are there any more logging/filtering rules I can apply to see what's going on inside WG?
 
anav
Forum Guru
Posts: 8757
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Thu Oct 14, 2021 12:36 am

Yes, in my case the main router is a CCR1009.
Correct, I use port forwarding to send the listening UDP port to the LAN IP of the second router (on the main router's applicable LAN subnet). This main router LAN IP is thus the same as the WAN IP of the secondary router. Thus the listening port traffic hits the WAN port of the secondary WireGuard router and I use the input chain rule to capture the connection.

In my case the endpoint setting on the smart phone could be the IPCloud name of the CCR1009 (main router) or the IPCloud name of the RB450G secondary WireGuard router, as both will return the public IP that is applicable (in this case the dynamic WAN IP assigned to the CCR1009).

What do you mean by gray IPs? I think this is where the trouble may reside!!
 
anav
Forum Guru
Posts: 8757
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Thu Oct 14, 2021 12:42 am

Please draw a network diagram, as your config on the MT device is very confusing and ALL WRONG, and a diagram will help clear up some unknowns!!

Why is the output chain used, and especially for the UDP port?
Why is the MT device which is your WireGuard server port forwarding the UDP port?
It should only be using the INPUT CHAIN?????
OR IS IT behind another device???

Finally, you didn't do a good job of comparing my setup with yours.
Clearly the WIREGUARD peer settings are missing the allowed address!!!

YOU NEED TO show your config, as the pictures are not that helpful:
/export hide-sensitive file=anynameyouwish
 
Borizo
newbie
Topic Author
Posts: 28
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Thu Oct 14, 2021 8:15 pm

Thank you for your reply.
Do you use RouterOS 7.1rc4?
Have you tried to connect an Android device to your WG server?
> Why is the output chain used, and especially for the UDP port?
Just to demonstrate that nothing is generated by the WG server. And a general question: why not?
> OR IS IT behind another device???
Yes, my CCR WG server is behind an RB951 device, thus an export file from the WireGuard router won't help to understand the network structure.
(internet) - ISP-NAT - HOUSE_OWNER_NAT - RB951(VPN_WITH_PUBLIC_IP+PORT_FORWARDING_FOR_UDP_51820) - CCR(WG)
> Clearly the WIREGUARD peer settings are missing the allowed address!!!
From what I recall I have tried 0.0.0.0/0, and this does not help. Sorry I did not mention that.
I will double check the allowed IPs, though I am away from the device. It will be a week later.
> /export hide-sensitive file=anynameyouwish
The WG export won't help us, and for the upstream RB951 I won't do that.

The problem is clear: packets enter the WG server, but no output is generated by the WG server: neither new packets in the output chain nor errors in the log.
That's totally wrong.
 
holvoetn
Member Candidate
Posts: 117
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Will NATted wireguard work?

Thu Oct 14, 2021 8:34 pm

> > /export hide-sensitive file=anynameyouwish
> The WG export won't help us, and for the upstream RB951 I won't do that.
>
> The problem is clear: packets enter the WG server, but no output is generated by the WG server: neither new packets in the output chain nor errors in the log.
> That's totally wrong.
You're coming here to ask for help and then dismissing the question for additional info, which ultimately is only required to HELP YOU?
You don't want to be helped?

Really, a simple drawing, and please do export that config (hide-sensitive).

The WG interface is pretty simple. If packets are coming in but not going out, it does not know where they need to be sent.
The only way for anyone to know for sure is to have a look at your config.
If you do not want to share that info, no problem. But then you can wait a long time for a solution if you do not find it yourself...
 
anav
Forum Guru
Posts: 8757
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Thu Oct 14, 2021 10:03 pm

As stated, this is a personal problem that you have, and it is clearly no longer related to the WireGuard or router settings.
Your stubborn head is the issue preventing success.
Good luck!