dave3
newbie
Topic Author
Posts: 45
Joined: Mon Feb 07, 2022 8:06 am

NAT issue with Wireguard

Mon Apr 25, 2022 7:32 am

I've been having problems with Wireguard (not wireguard running directly on the Mikrotik). I suspect it's a NAT issue, but I'm not sure how to fix it. My firewall rules are just the default setup, and I've had this problem on v7 (up to v7.2.1) and now I've downgraded to LTS 6.48.6, and the problem persists.

When I try to connect to a wireguard endpoint running on a remote vps, it randomly won't connect. If I toggle wireguard off & on, eventually, it will connect. I've looked at wireshark, and the client is sending handshake requests to the endpoint but not receiving a reply.

Looking at the firewall connections on the Mikrotik, I can see the udp connection, with a timeout < 10 sec. It's only seeing one-way traffic.

Sometimes, if there was a previous connection and I disconnected, and reconnected, an old udp entry will be there, with a timeout < 3 min. What I notice, is the new connection might not receive a reply, but the old connection continues to be refreshed and the timer reset to 3 minutes, even though it's disconnected. I suspect the wireguard endpoint replies are going to the old connection instead of the new one. Though it's not only when there's an old connection that the problem happens, so it's more than Mikrotik being confused with an old connection.

Any ideas?
 
fragtion
Member Candidate
Posts: 259
Joined: Fri Nov 13, 2009 10:08 pm
Location: Johannesburg, South Africa

Re: NAT issue with Wireguard

Mon Apr 25, 2022 7:39 am

I have this same problem (I think) but even when using WG on a MikroTik behind another NAT (which could be a MikroTik as well), and in my case I narrowed it down to UDP stream timeout. The only solution which seems to work is to disable the tunnel for a time just greater than that UDP stream timeout value of the router doing the NAT. I would think there should be a more elegant solution, but other than switching the tunnel to a new port completely, this is the only thing which seems to work. Hopefully there's a better solution someone can offer for such problems.

I don't really know enough about UDP session handling and how this plays into NAT to claim whether this is a bug specific to MikroTik or not. If it is, it should receive some priority attention because it creates a fatal flaw with reliability of protocols like Wireguard or even OpenVPN UDP mode, as well as SIP and other UDP services.
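As an added illustration (not from either poster), these RouterOS commands show the two UDP timers the thread is describing and the tracked entries for the endpoint; the endpoint address 203.0.113.10 and port 51820 are placeholder assumptions.

```routeros
# udp-timeout applies while only one-way traffic has been seen (the
# "< 10 sec" entry in the first post); udp-stream-timeout takes over once
# a reply has been seen (the "< 3 min" entry that keeps being refreshed).
/ip firewall connection tracking print

# Tracked UDP entries towards the WireGuard endpoint (placeholder values).
# A second entry with a different source port is the stale mapping
# described above.
/ip firewall connection print detail where protocol=udp dst-address~"203.0.113.10:51820"

# Removing the tracked entries lets the next handshake create a fresh NAT
# mapping instead of waiting for udp-stream-timeout to expire on the old one.
/ip firewall connection remove [find protocol=udp dst-address~"203.0.113.10:51820"]
```

Run the print commands while the client is stuck in the handshake loop to confirm whether the replies are refreshing an older entry, as the first post suspects.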
 
dave3
newbie
Topic Author
Posts: 45
Joined: Mon Feb 07, 2022 8:06 am

Re: NAT issue with Wireguard

Mon Apr 25, 2022 9:09 am

I'm not certain it's a Mikrotik problem; it could be something with Wireguard itself. I just don't know.

I do know that it happens with multiple clients: Windows, Linux, and Android. And it doesn't happen with ipv6 endpoints, just ipv4.
