slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 7:33 pm

Hello,

I would appreciate it if I could please get some help on setting up the RB5009UG as a WireGuard server to connect with an Android phone.
Here is my server config:
Screenshot_20220118_192954.jpeg
Screenshot_20220118_193130.jpeg
Here is my android phone config:
Interface:
name:home
private key:IPrxxxxx
Public Key: D0Pkxxxx
Addresses: 192.168.201.2/24
DNS servers: 192.168.200.1

Peer:
Public key: uQe9xxxx
Endpoint: xxxx:51820
Allowed IPs: 0.0.0.0/1, 128.0.0.0/1

Thank you lots in advance, much appreciated.
 
own3r1138
Member
Posts: 392
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 8:32 pm

Check this topic.
viewtopic.php?t=182340
You are right, I am wrong
You are wise, I am dumb
You are wrong, you are dumb
Don't worry, it's all right to be dumb
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 8:41 pm

I read the topic but it's not clear to me how to make it work :(
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 8:49 pm

What about the other config on the RB? Addresses, routes, ... what you posted is not enough to make it work. Does the wireguard1 interface have any IP address? Something like 192.168.201.1/24 perhaps? Also what you posted is wrong, there should be no endpoint for the peer on the RB.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 8:51 pm

[sami@Mikrotik_router] > ip address/ print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
0 192.168.200.1/24 192.168.200.0 eth2-lan
1 50.0.0.1/24 50.0.0.0 bridge-guest
2 D xxxx/32 10.0.0.1 digi
3 192.168.201.1/24 192.168.201.0 Wireguard_Android

[sami@Mikrotik_router] > ip route/ print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 Xs eth1-wan 1
;;; Mullvad
1 Xs 0.0.0.0/0 wireguard1 1
DAv 0.0.0.0/0 digi 1
DAc 10.0.0.1/32 digi 0
DAc 50.0.0.0/24 bridge-guest 0
DAc 192.168.200.0/24 bridge-lan 0
DAc 192.168.201.0/24 Wireguard_Android 0
;;; Wireguard range
2 s 192.168.201.0/24 bridge-lan 1

[sami@Mikrotik_router] > interface/wireguard/print
Flags: X - disabled; R - running
0 R name="Wireguard_Android" mtu=1420 listen-port=51820 private-key="mDi4OWxxx" public-key="/dfg9AjYxxx"

/interface wireguard peers
add allowed-address=192.168.201.3/32 interface=Wireguard_Android public-key="WmgyUSxxxx"
Last edited by slaz on Tue Jan 18, 2022 8:55 pm, edited 1 time in total.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 8:54 pm

I also added a bit to my message, but you were too fast. Get rid of the peer's endpoint on the RB.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 8:56 pm

I did, posted the updated config above.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:04 pm

Your Android config has address 192.168.201.2/24, but peer on RB has allowed-address=192.168.201.3/32, that won't work.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:07 pm

Changed the Android to 192.168.201.3/32 but no joy yet :(
 
anav
Forum Guru
Posts: 11817
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:07 pm

Change Android settings:
Use DNS 1.1.1.1, 9.9.9.9
and
Allowed IPs: try 0.0.0.0/0 if your intent is to go out to the internet of the MT router ????
If your intent is to access a subnet on the MT router, put that there instead........

The entries 0.0.0.0/1 and 128.0.0.1, I have no idea what they will do, but it's nothing I have seen before.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:07 pm

And you don't want this route:
;;; Wireguard range
2 s 192.168.201.0/24 bridge-lan 1
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:09 pm

@anav: 0.0.0.0/1 plus 128.0.0.0/1 is the same as 0.0.0.0/0, only doing it this way with two parts probably helps with overriding device's existing default route.
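As an added example (not code from the thread or from MikroTik), a small Python model of WireGuard's cryptokey routing and of the phone's route table that reproduces the two points above: why a peer with allowed-address=192.168.201.3/32 silently discards packets from a client using 192.168.201.2, and why the 0.0.0.0/1 + 128.0.0.0/1 pair equals 0.0.0.0/0 yet wins over an existing default route. Peer and gateway names ("android", "wg-home", "cellular") are made up.

```python
"""Model of WireGuard cryptokey routing and of the client's AllowedIPs split.

Inbound, a decrypted packet is accepted only if its inner source address is
inside the sending peer's allowed-address list; there is no error reply, so
the phone's tx keeps growing while the router's rx for the peer stays at 0.
Outbound, the peer owning the most specific matching allowed-address is used.
On the phone, 0.0.0.0/1 and 128.0.0.0/1 are installed as routes; each is more
specific than the carrier's 0.0.0.0/0, so they win longest-prefix match.
"""
from ipaddress import IPv4Network, collapse_addresses, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


def make_peer(name: str, allowed: List[str]) -> Dict[str, object]:
    """A peer as the router sees it: a name plus its allowed-address list."""
    return {"name": name, "allowed": [ip_network(a) for a in allowed]}


def accept_inbound(peer: Dict[str, object], src_ip: str) -> bool:
    """Inbound cryptokey routing check for a packet decrypted with this peer's key."""
    src = ip_address(src_ip)
    return any(src in net for net in peer["allowed"])


def select_outbound(peers: List[Dict[str, object]], dst_ip: str) -> Optional[str]:
    """Outbound cryptokey routing: longest allowed-address prefix picks the peer."""
    dst = ip_address(dst_ip)
    best_name, best_len = None, -1
    for peer in peers:
        for net in peer["allowed"]:
            if dst in net and net.prefixlen > best_len:
                best_name, best_len = peer["name"], net.prefixlen
    return best_name


def covers_all_ipv4(allowed: List[str]) -> bool:
    """True when the AllowedIPs list merges to exactly 0.0.0.0/0."""
    merged = list(collapse_addresses(ip_network(a) for a in allowed))
    return merged == [IPv4Network("0.0.0.0/0")]


def route_lookup(routes: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Longest-prefix match over (network, gateway) pairs; ties keep the first listed."""
    dst = ip_address(dst_ip)
    best: Optional[Tuple[IPv4Network, str]] = None
    for net_s, gateway in routes:
        net = ip_network(net_s)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


if __name__ == "__main__":
    # Router-side peer from the thread: allowed-address=192.168.201.3/32.
    android = make_peer("android", ["192.168.201.3/32"])
    print("packet from .2 accepted:", accept_inbound(android, "192.168.201.2"))  # False
    print("packet from .3 accepted:", accept_inbound(android, "192.168.201.3"))  # True
    # Phone-side table: carrier default route plus the two /1 routes WireGuard installs.
    phone_routes = [("0.0.0.0/0", "cellular"), ("0.0.0.0/1", "wg-home"), ("128.0.0.0/1", "wg-home")]
    print("8.8.8.8 goes via:", route_lookup(phone_routes, "8.8.8.8"))  # wg-home
    print("/1 pair covers all IPv4:", covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))  # True
```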
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:12 pm

Disabled the route:
[sami@Mikrotik_router] > ip route/ print
Flags: D - DYNAMIC; X, I, A - ACTIVE; c, s, v, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
0 Xs eth1-wan 1
;;; Wireguard range
1 Xs 192.168.201.0/24 bridge-lan 1
;;; Mullvad
2 Xs 0.0.0.0/0 wireguard1 1
DAv 0.0.0.0/0 digi 1
DAc 10.0.0.1/32 digi 0
DAc 50.0.0.0/24 bridge-guest 0
DAc 192.168.200.0/24 bridge-lan 0
DAc 192.168.201.0/24 Wireguard_Android 0

but not yet there
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:16 pm

Does Android client have any status? Can it try to ping 192.168.201.2? And when you do that, is there any change in peer's Rx and Tx on RB? If not, do you see at least some incoming packets on WG port 51820? You can use Tools->Torch on WAN interface (digi). And of course your router does have public IP address, right?
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:24 pm

Android looks connected and tx changes all the time (increasing) but rx remains at 0 all the time. I ping from Android to the router but I don't receive anything. On the peer I can see this:
Screenshot_20220118_212123.jpeg
The router has a public IP, yes. It's PPPoE and I connect to it using DDNS (no-ip).
With Torch on the WAN interface on port 51820 I can see packets running.
 
anav
Forum Guru
Posts: 11817
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:27 pm

Did you try Android via cellular or are you using house Wi-Fi??

Have you posted your router config yet??
/export hide-sensitive file=anynameyouwish
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:29 pm

Android is via 4G because I want to make sure it works and Wi-Fi does not interfere.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:35 pm

Config is here.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:43 pm

In case it's wanted I can always set up a Discord screen share session or TeamViewer to help more easily.
 
anav
Forum Guru
Posts: 11817
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:53 pm

Input chain rule..
add action=accept chain=input comment="Allow Wireguard" dst-port=51820 \
in-interface=eth1-wan protocol=udp

Should be
add action=accept chain=input comment="Allow Wireguard" dst-port=51820 \
in-interface=digi protocol=udp

Alternatively this would have worked as well.
add action=accept chain=input comment="Allow Wireguard" dst-port=51820 \
in-interface-list=WAN protocol=udp

Although I do see something potentially off in the interface list members:
/interface list member
add interface=eth1-wan list=LAN ????
add interface=eth2-lan list=LAN
add interface=eth3-lan list=LAN
add interface=eth4-lan list=LAN
add interface=eth5-lan list=LAN
add interface=eth6-lan list=LAN
add interface=eth7-lan list=LAN
add interface=eth8-lan list=LAN
add interface=digi list=WAN
add interface=eth1-wan list=WAN
add interface=bridge-lan list=LAN
Last edited by anav on Tue Jan 18, 2022 9:56 pm, edited 1 time in total.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:54 pm

Changed. Still not there yet.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 9:58 pm

[sami@Mikrotik_router] > interface/list/member/print
Columns: LIST, INTERFACE
# LIST INTERFACE
0 LAN eth1-wan
1 LAN eth2-lan
2 LAN eth3-lan
3 LAN eth4-lan
4 LAN eth5-lan
5 LAN eth6-lan
6 LAN eth7-lan
7 LAN eth8-lan
8 WAN digi
9 WAN eth1-wan
10 LAN bridge-lan
 
anav
Forum Guru
Posts: 11817
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 10:02 pm

This is funky......... glad your IP route for the WireGuard is DISABLED as it's wrongly formatted, but that aside, what is Mullvad doing there?
/ip route
add disabled=yes distance=1 gateway=eth1-wan
add comment="Wireguard range" disabled=yes distance=1 dst-address=\
192.168.201.0/24 gateway=bridge-lan pref-src=192.168.200.1 routing-table=\
main scope=10 suppress-hw-offload=no target-scope=10
add comment=Mullvad disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=\
wireguard1 pref-src="" routing-table=Mullvad scope=30 \
suppress-hw-offload=no target-scope=10

So what is the real requirement??
Android out your router's internet via WireGuard
OR
Two WireGuard tunnels.
1. Android to router
2. Router to Mullvad - where your intent is actually to send Android traffic out the Mullvad tunnel ???
Last edited by anav on Tue Jan 18, 2022 10:03 pm, edited 2 times in total.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 10:03 pm

If you're trying to ping router (any of its addresses), current firewall doesn't allow that. If you're trying to ping something else, that should work, at least I don't see anything blocking it.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 10:05 pm

Requirement:

Android to reach local devices (192.168.200.0/24 range) and to reach the internet through the router 192.168.200.1.
Mullvad is there from some try but it's not in use and no plans for it atm.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 10:08 pm

I can start from scratch regarding wireguard and can follow instructions if that works and can always show screen
 
anav
Forum Guru
Posts: 11817
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 10:36 pm

That makes no sense to me.....
The traffic coming from the Android phone, Wireguard_Android interface and IP address 192.168.201.3/32, has NOTHING to do with 192.168.200.1 ???

(1) Without an IP address for the WG interface (preferred by me).
All you need is the forward chain rule:
forward chain
add chain=forward action=accept in-interface=Wireguard_Android out-interface-list=WAN ( or src-address=192.168.201.3 )

and a route to ensure return traffic gets back to the tunnel
/ip route
add dst=192.168.20.3/32 gwy=wg-interface

(2) If you have an existing IP address all you need is the forward chain rule......
forward chain
add chain=forward action=accept src-address=192.168.201.3 out-interface-list=WAN (or in-interface=Wireguard_Android)

(the ip address will dynamically ensure a route back through the tunnel).

3. Finally you can also make the WireGuard interface an interface list member such that it would be included automatically in any in-interface-list=????? out-interface-list=WAN comment="allow internet access"
However you don't use drop-all rules so it doesn't apply.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 10:41 pm

The traffic coming on the android phone, Wireguard_Android interface and IP address 192.168.201.3/32 has NOTHING to do with 192.168.200.1 ???

That is correct. I was assigning the 192.168.201.0 range to WireGuard so as not to impact the router subnet 192.168.200.0 where I have DHCP enabled.

and a route to ensure return traffic gets back to the tunnel
/ip route
add dst=192.168.20.3/32 gwy=wg-interface

What do you mean with this one? I guess the IP is wrong and should be 192.168.201.3/32?
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 10:55 pm

Did a test. On Android I set 192.168.200.1:51820 as endpoint and then I can see rx on Android increasing. I can go on the internet on Android and I can ping 192.168.200.1 and 192.168.201.1 (the router) but can't ping other devices in the 192.168.200.0 range.

So I think there is something to do with the firewall rule to accept the traffic on 51820
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 11:19 pm

Don't invent random things that don't make sense. Endpoint on Android is where the server is; if it should work from the internet, it needs to be the public address (or hostname) of your router. You also don't need another route to 192.168.201.3, there's already a dynamic route to 192.168.201.0/24 created by the IP address on the WG interface.

What you had before was almost there, the tunnel seemed to be up and just the packets in it went missing. So put it back, keep a ping running on Android and check that you see incoming packets on the router (Tools->Torch on the WG interface). If you do, then you just need to find what in the firewall blocks it. A simple start is to allow everything coming from the WG tunnel and put it at the beginning of the chain:
/ip firewall filter
add chain=forward in-interface=Wireguard_Android action=accept
Then it should work. You can move it to a better place later, and by doing that (if you keep moving it down step by step) you can also find what was blocking packets before.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Tue Jan 18, 2022 11:47 pm

Sob, can I contact you in private?
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Wed Jan 19, 2022 1:05 am

So, I managed to get on the internet from Android (192.168.201.3/32) through the tunnel from the router (192.168.201.1/24).
The only thing that does not work so far is accessing the native network (192.168.200.0/24) from the Android over the tunnel. This I don't know how to do.
 
anav
Forum Guru
Posts: 11817
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help needed for setting up Wireguard for android device

Wed Jan 19, 2022 1:20 am

You could try adding to the list in the Android phone.....
Allowed IPs: 0.0.0.0/1, 128.0.0.0/1, 192.168.200.0/24
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Wed Jan 19, 2022 1:24 am

I just did but still can't access it. If I ping from Android (192.168.201.3) to the router (192.168.201.1 or 192.168.200.1) it works. But if I try to ping anything on 192.168.200.0/24 it does not work.
 
Sob
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Sun Jan 23, 2022 2:58 am

Sorry, I didn't have time to play with routers the last few days, and I also don't know how it will be in the following ones.

If you can browse the internet through the tunnel (i.e. all random destination addresses), then the tunnel is fine. Access to LAN could be blocked using the firewall in chain=forward, but there's currently no rule that could be doing it. Make sure that the 192.168.200.x devices you're trying to ping do accept ping from the WG subnet (e.g. Windows by default doesn't). You can also check using Tools->Torch on bridge-lan if you see packets from the client going to LAN (btw, LAN's IP address 192.168.200.1/24 should be on bridge-lan and not on eth2-lan, but that's not breaking it). Or you can use logging rules to log those packets and be sure that you don't miss any:
/ip firewall mangle
add chain=prerouting src-address=192.168.201.3 dst-address=192.168.200.0/24 action=log
add chain=forward src-address=192.168.201.3 dst-address=192.168.200.0/24 action=log
add chain=postrouting src-address=192.168.201.3 dst-address=192.168.200.0/24 action=log
The first one will log packets coming from the client, the second will show that the router is trying to forward them somewhere (should be to bridge-lan), and the last one that they successfully passed through the firewall filter.
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Sun Jan 23, 2022 2:04 pm

Thank you @Sob for your reply. Much appreciated.

I want to say that I tried before to ping from 192.168.201.3 (Android with tunnel) to 192.168.200.11 (NAS device on LAN) and I did tcpdump on the NAS and saw the request and reply on the NAS but it was not arriving at 192.168.201.3. I also did another test and pinged from 192.168.200.11 to 192.168.200.93 (laptop on Wi-Fi) and that seemed to work and I was seeing the reply on 192.168.200.93. That tells me that ping from LAN devices through the WireGuard device works but not from the WireGuard device to the LAN.
Checked routing and so on but I did not see anything that could be the cause.

Furthermore, with your help I added the logging for the 3 rules and this is what I get:

1. Ping from 192.168.201.3 (WireGuard device) to 192.168.200.11 (LAN device) --> no reply on 192.168.201.3
 13:41:03 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:03 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:04 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:04 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:04 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:05 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:05 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:05 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:06 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:06 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:06 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:07 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:07 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:07 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:08 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:08 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:08 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:09 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:09 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:09 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:10 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:10 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:10 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:11 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:11 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:11 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:12 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:12 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:12 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:13 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:13 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
 13:41:13 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.11, len 84
2. Ping from 192.168.200.93 (LAN device) to 192.168.201.3 (WireGuard device) --> ping replies
 13:50:32 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34870->192.168.200.11:8123, len 60
 13:50:32 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto TCP (SYN), 192.168.201.3:34874->192.168.200.11:8123, len 60
 13:50:32 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34874->192.168.200.11:8123, len 60
 13:50:32 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34874->192.168.200.11:8123, len 60
 13:50:35 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:35 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:35 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:36 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto TCP (SYN), 192.168.201.3:34874->192.168.200.11:8123, len 60
 13:50:36 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34874->192.168.200.11:8123, len 60
 13:50:36 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34874->192.168.200.11:8123, len 60
 13:50:36 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto TCP (SYN), 192.168.201.3:34872->192.168.200.11:8123, len 60
 13:50:36 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto TCP (SYN), 192.168.201.3:34870->192.168.200.11:8123, len 60
 13:50:36 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34872->192.168.200.11:8123, len 60
 13:50:36 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34872->192.168.200.11:8123, len 60
 13:50:36 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34870->192.168.200.11:8123, len 60
 13:50:36 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto TCP (SYN), 192.168.201.3:34870->192.168.200.11:8123, len 60
 13:50:36 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:36 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:36 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:37 firewall,info prerouting: in:Wireguard_Android out:(unknown 0), proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:37 firewall,info forward: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
 13:50:37 firewall,info postrouting: in:Wireguard_Android out:bridge-lan, proto ICMP (type 8, code 0), 192.168.201.3->192.168.200.93, len 84
To add more info on the setup:

A. This is the IP address and routes for 192.168.200.93 (laptop on the WiFi network, where ping replies for 192.168.201.3)
root@X0J3:~$ ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wlp147s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 192.168.200.93/24 brd 192.168.200.255 scope global dynamic noprefixroute wlp147s0
       valid_lft 307sec preferred_lft 307sec
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
       
root@X0J3:~$ ip ro
default via 192.168.200.1 dev wlp147s0 proto dhcp metric 600 
169.254.0.0/16 dev docker0 scope link metric 1000 linkdown 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
192.168.200.0/24 dev wlp147s0 proto kernel scope link src 192.168.200.93 metric 600 
B. This is the IP address and routes for 192.168.200.11 (NAS on the LAN, where ping does not reply for 192.168.201.3)
root@DS1621xs:~# ip -4 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: ovs_bond0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
    inet 192.168.200.11/24 brd 192.168.200.255 scope global ovs_bond0
       valid_lft forever preferred_lft forever
8: ovs_eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1
    inet 169.254.145.103/16 brd 169.254.255.255 scope global ovs_eth0
       valid_lft forever preferred_lft forever
11: docker-09a8a427: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.18.0.1/16 brd 172.18.255.255 scope global docker-09a8a427
       valid_lft forever preferred_lft forever
12: docker-ab6d1be8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.21.0.1/16 brd 172.21.255.255 scope global docker-ab6d1be8
       valid_lft forever preferred_lft forever
13: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
14: docker-db34d484: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.19.0.1/16 brd 172.19.255.255 scope global docker-db34d484
       valid_lft forever preferred_lft forever
72: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1
    inet 192.168.201.1/24 scope global wg0
       valid_lft forever preferred_lft forever
root@DS1621xs:~# ip ro
default via 192.168.200.1 dev ovs_bond0  src 192.168.200.11 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 
172.18.0.0/16 dev docker-09a8a427  proto kernel  scope link  src 172.18.0.1 
172.19.0.0/16 dev docker-db34d484  proto kernel  scope link  src 172.19.0.1 
172.21.0.0/16 dev docker-ab6d1be8  proto kernel  scope link  src 172.21.0.1 
192.168.200.0/24 dev ovs_bond0  proto kernel  scope link  src 192.168.200.11 
192.168.201.0/24 dev wg0  scope link 
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Sun Jan 23, 2022 2:11 pm

After posting the above information I noticed that on the NAS (192.168.200.11) I still had the WireGuard interface up from before moving the WireGuard server to the router. That would mean that it had no way to route the packets to the correct place.

root@DS1621xs:~# wg
interface: wg0
  public key: XXXlG4=
  private key: (hidden)
  listening port: 51820

peer: XXX353I=
  allowed ips: 192.168.201.2/32

peer: XXXWJQA=
  allowed ips: 192.168.201.3/32

peer: XXXBPV4=
  allowed ips: 192.168.201.4/32
root@DS1621xs:~# wg-quick down wg0
Warning: `/etc/wireguard/wg0.conf' is world accessible
[#] ip link delete dev wg0
[#] iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ovs_eth1 -j MASQUERADE

After bringing down the wg0 interface on the NAS I see replies.
root@DS1621xs:~# ping 192.168.201.3
PING 192.168.201.3 (192.168.201.3) 56(84) bytes of data.
64 bytes from 192.168.201.3: icmp_seq=1 ttl=63 time=310 ms
64 bytes from 192.168.201.3: icmp_seq=2 ttl=63 time=60.8 ms
64 bytes from 192.168.201.3: icmp_seq=3 ttl=63 time=217 ms
^C
--- 192.168.201.3 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 60.822/196.158/310.601/103.037 ms
This is amazing. Can't thank you enough, Sob, and ALL who helped me on this. It's really much, much appreciated.
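The stale-route problem diagnosed in this post, reproduced as an added example (not the poster's or MikroTik's code): it parses the NAS's `ip ro` listing, performs the longest-prefix lookup the kernel would, and flags that replies to 192.168.201.3 would leave through wg0 instead of the interface the request arrived on. The route lines are constructed from the listing above; `without_device` models what `wg-quick down wg0` removed.

```python
import ipaddress

# Constructed from the NAS `ip ro` output quoted in the thread, stale wg0 route included.
NAS_ROUTES_WITH_STALE_WG0 = """\
default via 192.168.200.1 dev ovs_bond0  src 192.168.200.11
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1
192.168.200.0/24 dev ovs_bond0  proto kernel  scope link  src 192.168.200.11
192.168.201.0/24 dev wg0  scope link
"""


def parse_ip_route(text):
    """Parse `ip ro` lines into (network, device) pairs; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def egress_device(routes, dst):
    """Longest-prefix match: the interface the kernel would send a packet to dst out of."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def check_return_path(routes, src_ip, ingress_dev):
    """Return (ok, device). ok is False when the reply to src_ip would not leave via
    the interface the request came in on, i.e. the path is asymmetric (here: a
    reply to the WireGuard client disappearing into the stale wg0 tunnel)."""
    dev = egress_device(routes, src_ip)
    return dev == ingress_dev, dev


def without_device(routes, dev):
    """Route table after the kernel drops all routes of a deleted interface."""
    return [r for r in routes if r[1] != dev]
```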
 
slaz
just joined
Topic Author
Posts: 24
Joined: Mon Jun 08, 2020 11:14 am

Re: Help needed for setting up Wireguard for android device

Sun Jan 23, 2022 5:57 pm

Doing some more configuration on the router, I see that something changed from ROS v6 to v7, in the sense that I can't seem to be able to connect to local devices if I am on the local network and go over the internet.
This is what I try to do:
1. Connect from local devices to local devices (works): from 192.168.200.93 connect to 192.168.200.4 on port 5013 (port of the device)
2. Connect from the internet (3G on phone) to the device on port 5013 (works): from 3G on phone --> WAN IP using DDNS --> forwarded port 5013 on 192.168.200.4
3. Connect from local device to local device over the internet (DOES NOT WORK): from 192.168.200.93 (laptop) --> internet --> WAN IP using DDNS --> forwarded port 5013 on 192.168.200.4

As for the configuration, the full configuration is above and these are my firewall rules that I had in place on ROS v6 when it worked:

[sami@Mikrotik_router] /interface/wireguard> /ip/firewall/nat/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; Hairpin NAT
      chain=srcnat action=masquerade connection-mark=Hairpin NAT log=no log-prefix="" 

 1    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 

 2 X  ;;; Wireguard hairpin nat
      chain=dstnat action=dst-nat to-addresses=192.168.200.1 to-ports=51820 protocol=udp dst-address-list=WANs dst-port=51820 log=no log-prefix="" 

 4    ;;; Camera internal
      chain=srcnat action=masquerade protocol=tcp src-address=192.168.200.0/24 dst-address=192.168.200.4 out-interface=bridge-lan dst-port=5013 

 5    ;;; Camera internal
      chain=dstnat action=dst-nat to-addresses=192.168.200.4 to-ports=5013 protocol=tcp in-interface=bridge-lan dst-port=5013 


[sami@Mikrotik_router] /interface/wireguard> /ip/firewall/filter/print 
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1 X  chain=forward action=accept in-interface=bridge-lan out-interface=Wireguard_wg0 log=no log-prefix="" 

 2    ;;; Allow Wireguard
      chain=input action=accept protocol=udp in-interface=digi dst-port=51820 log=no log-prefix="" 

 3    chain=forward action=accept src-address=192.168.201.0/24 log=no log-prefix="" 

 4    chain=forward action=accept dst-address=192.168.201.0/24 log=no log-prefix="" 

 5    ;;; Allow OpenVPN
      chain=input action=accept protocol=tcp in-interface=eth1-wan dst-port=1194 log=no log-prefix="" 

 6    ;;; SSH
      chain=input action=drop protocol=tcp in-interface=eth1-wan dst-port=4040 log=yes log-prefix="" 

 7    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 8    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 9 X  ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

10 X  ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

11    ;;; openvpn
      chain=input action=accept protocol=tcp in-interface=eth1-wan dst-port=443 log=no log-prefix="" 

12    ;;; drop access to mikrotik on guest network
      chain=input action=reject reject-with=icmp-network-unreachable dst-address=50.0.0.1 in-interface=bridge-guest log=no log-prefix="" 

13    ;;; no fasttrack for guest traffic upload
      chain=forward action=accept connection-state=established,related src-address=50.0.0.0/24 log=no log-prefix="" 

14    ;;; no fasttrack for guest traffic download
      chain=forward action=accept connection-state=established,related dst-address=50.0.0.0/24 log=no log-prefix="" 

15    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

16    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

17    ;;; defconf: accept out ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec 

18    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked log=no log-prefix="" 

19    ;;; drop guest traffic
      chain=forward action=reject reject-with=icmp-network-unreachable in-interface=bridge-guest out-interface=bridge-lan log=no log-prefix="" 

20    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

21 X  ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

22    ;;; drop guest traffic to router
      chain=input action=reject reject-with=icmp-network-unreachable dst-address=192.168.200.0/24 in-interface=bridge-guest log=no log-prefix="" 

23 X  ;;; WINBOX
      chain=input action=accept protocol=tcp dst-port=8291 log=yes log-prefix="" 

24    ;;; Drop telnet traffic
      chain=input action=drop protocol=tcp in-interface=eth1-wan dst-port=23 log=yes log-prefix="" 

25    ;;; Drop Mikrotik Web Gui External
      chain=input action=drop protocol=tcp in-interface=eth1-wan dst-port=80 log=yes log-prefix="" 
      
Tried different things but I could not seem to be able to fix it.
 
Sob
Forum Guru
Forum Guru
Posts: 8208
Joined: Mon Apr 20, 2009 9:11 pm

Re: Help needed for setting up Wireguard for android device

Sun Jan 23, 2022 10:09 pm

Your hairpin NAT is unnecessarily complicated; usually it's enough to have:
/ip firewall nat
add chain=srcnat src-address=192.168.200.0/24 dst-address=192.168.200.0/24 action=masquerade
There's no need for any connection marking. I guess the reason why you do it like this is to work around this config:
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
It's something you don't usually want to have: it makes all bridged packets go through the IP firewall, as if they were routed and not bridged. Unless you're sure that you need it and know why, I'd get rid of that (set both to "no") and it will make things easier.

Maybe it has something to do with srcnat rules like this one:
/ip firewall nat
add action=masquerade chain=srcnat comment="Camere Dahua internal" dst-address=192.168.200.4 dst-port=5013 out-interface=bridge-lan protocol=tcp src-address=192.168.200.0/24
But they don't really make sense to me; what's the idea behind that?

That said, even what you have now looks like it should work.
Come on people, do you really have to quote full posts? It's annoying and in most cases useless.
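Sob's hairpin rule, as an added example that is not from the thread or from MikroTik: a small Python model of the laptop --> WAN address --> forwarded camera port path from step 3, showing why the camera's reply only matches the laptop's connection when the LAN-to-LAN masquerade is in place. The LAN, router and camera addresses come from the thread; WAN_IP and the outside client address are constructed documentation-range placeholders.

```python
import ipaddress

# Constructed model: addresses of the LAN, router and camera are from the thread,
# WAN_IP is a placeholder for the router's public address.
LAN = ipaddress.ip_network("192.168.200.0/24")
ROUTER_LAN_IP = "192.168.200.1"
WAN_IP = "203.0.113.10"
CAMERA = ("192.168.200.4", 5013)


def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def swap(pkt):
    """Reply tuple for a packet given as (src_ip, sport, dst_ip, dport)."""
    return (pkt[2], pkt[3], pkt[0], pkt[1])


def router_forward(pkt, hairpin):
    """Translate a packet that traverses the router: the dstnat port-forward first,
    then (when enabled) the srcnat masquerade for LAN->LAN traffic Sob suggests."""
    src_ip, sport, dst_ip, dport = pkt
    if dst_ip == WAN_IP and dport == CAMERA[1]:
        dst_ip, dport = CAMERA                      # chain=dstnat action=dst-nat
    if hairpin and in_lan(src_ip) and in_lan(dst_ip):
        src_ip = ROUTER_LAN_IP                      # chain=srcnat action=masquerade
    return (src_ip, sport, dst_ip, dport)


def router_return(reply, conn):
    """Reverse both translations from the connection-tracking entry, else drop."""
    orig, translated = conn
    return swap(orig) if reply == swap(translated) else None


def reply_reaches_client(orig, hairpin):
    """True when the camera's reply arrives with the 5-tuple the client expects."""
    translated = router_forward(orig, hairpin)
    reply = swap(translated)                        # camera answers the source it saw
    if in_lan(reply[0]) and in_lan(reply[2]) and reply[2] != ROUTER_LAN_IP:
        # Camera and client share the LAN segment, so without masquerade the reply
        # is delivered directly and never passes the router's NAT state.
        delivered = reply
    else:
        delivered = router_return(reply, (orig, translated))
    return delivered == swap(orig)
```

With use-ip-firewall=yes, bridged LAN-to-LAN packets also pass through these chains, which is why the thread's author marked connections instead of using the plain LAN-to-LAN masquerade.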
