frika
just joined
Topic Author
Posts: 8
Joined: Tue Jan 18, 2022 12:16 pm

Issue with 2 Wireguard tunnels on one machine.

Wed Sep 28, 2022 11:32 am

Hello,
I have an issue with Wireguard and I would appreciate any help anyone can provide.
My setup is the following:
Ubuntu server with a Wireguard server and 30+ Mikrotik routers with Wireguard clients. Each router has 2 tunnels connecting to the Wireguard/Ubuntu server. At random intervals of time (a couple of weeks), for some reason the Ubuntu server switches from the port that I am using (16331 for wg0 and 16332 for wgman) to port 1025 (both of the tunnels switch to communicate on the same port), which forces one of the tunnels to keep on working while the other one fails. (I wasn't fully aware of what was happening when I created this topic.) It seems to me that this could be an issue on the Ubuntu side more than the Mikrotik side, but still, if anyone has suggestions.
The issue is resolved when the bridges on Mikrotik are destroyed and new Wireguard VPNs are created with different keys; however, that is hardly a doable solution.

Again any help would be appreciated and welcome :) Thank you for your support in advance.

PS. If you have any questions feel free to ask.
Regards Bob
Last edited by frika on Wed Sep 28, 2022 3:31 pm, edited 2 times in total.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Issues with Wireguard.

Wed Sep 28, 2022 12:38 pm

I got nothing from your story.
Please show the output of:
wg show
on the Ubuntu box, and:
/interface/wireguard/print detail

/interface/wireguard/peers/print detail
from a MikroTik.
So we can get a picture of what you think is wrong.
Please anonymize the keys and IPs/hostnames before posting the results here.
 
frika
just joined
Topic Author
Posts: 8
Joined: Tue Jan 18, 2022 12:16 pm

Re: Issues with Wireguard.

Wed Sep 28, 2022 2:18 pm

I will edit the original post and try to make this simpler and shorter...

> I got nothing from your story.
> Please show the output of:
> wg show
> on the Ubuntu box, and:
> /interface/wireguard/print detail
>
> /interface/wireguard/peers/print detail
> from a MikroTik.
> So we can get a picture of what you think is wrong.
> Please anonymize the keys and IPs/hostnames before posting the results here.

Here is the wg show on the server side:

interface: wg0
public key: (hidden)
private key: (hidden)
listening port: 16331

peer: (hidden)
endpoint: xx.xx.xx.231:16331
allowed ips: xx.xx.xx.11/32, xx.xx.xx.80/29
latest handshake: 3 seconds ago
transfer: 35.22 KiB received, 18.19 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.13:1024
allowed ips: xx.xx.xx.12/32, xx.xx.xx.88/29
latest handshake: 5 seconds ago
transfer: 42.37 KiB received, 38.22 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.4:38702
allowed ips: xx.xx.xx.23/32, xx.xx.xx.176/29
latest handshake: 8 seconds ago
transfer: 42.15 KiB received, 39.86 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: 62.176.115.47:1029
allowed ips: xx.xx.xx.29/32, xx.xx.xx.224/29
latest handshake: 12 seconds ago
transfer: 43.83 KiB received, 34.95 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.83:16331
allowed ips: xx.xx.xx.33/32, xx.xx.xx.0/29
latest handshake: 13 seconds ago
transfer: 71.24 KiB received, 67.75 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.198:16331
allowed ips: xx.xx.xx.13/32, xx.xx.xx.96/29
latest handshake: 21 seconds ago
transfer: 43.70 KiB received, 34.88 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.67:16331
allowed ips: xx.xx.xx.17/32, xx.xx.xx.128/29
latest handshake: 28 seconds ago
transfer: 45.27 KiB received, 38.87 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.87:16331
allowed ips: xx.xx.xx.28/32, xx.xx.xx.216/29
latest handshake: 39 seconds ago
transfer: 42.72 KiB received, 38.63 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.3:16331
allowed ips: xx.xx.xx.9/32, xx.xx.xx.64/29
latest handshake: 40 seconds ago
transfer: 77.08 KiB received, 78.45 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.14:1024
allowed ips: xx.xx.xx.24/32, xx.xx.xx.184/29
latest handshake: 41 seconds ago
transfer: 44.32 KiB received, 34.78 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.68:1189
allowed ips: xx.xx.xx.61/32, xx.xx.xx.224/29
latest handshake: 41 seconds ago
transfer: 25.99 KiB received, 8.12 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.125:1024
allowed ips: xx.xx.xx.21/32, xx.xx.xx.160/29
latest handshake: 43 seconds ago
transfer: 38.06 KiB received, 26.16 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.88:16331
allowed ips: xx.xx.xx.30/32, xx.xx.xx.232/29
latest handshake: 46 seconds ago
transfer: 49.73 KiB received, 47.19 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.203:16331
allowed ips: xx.xx.xx.3/32, xx.xx.xx.16/29
latest handshake: 54 seconds ago
transfer: 84.86 KiB received, 76.16 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.58:62279
allowed ips: xx.xx.xx.26/32, xx.xx.xx.200/29
latest handshake: 56 seconds ago
transfer: 55.94 KiB received, 49.12 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.54:16331
allowed ips: xx.xx.xx.18/32, xx.xx.xx.136/29
latest handshake: 58 seconds ago
transfer: 40.86 KiB received, 33.77 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.95:55011
allowed ips: xx.xx.xx.19/32, xx.xx.xx.144/29
latest handshake: 1 minute, 9 seconds ago
transfer: 60.32 KiB received, 55.04 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.45:16331
allowed ips: xx.xx.xx.8/32, xx.xx.xx.56/29
latest handshake: 1 minute, 15 seconds ago
transfer: 39.70 KiB received, 33.38 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.189:16331
allowed ips: xx.xx.xx.2/32, xx.xx.xx.8/29
latest handshake: 1 minute, 15 seconds ago
transfer: 52.93 KiB received, 47.00 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.8:16331
allowed ips: xx.xx.xx.25/32, xx.xx.xx.192/29
latest handshake: 1 minute, 15 seconds ago
transfer: 54.61 KiB received, 44.01 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.43:1025
allowed ips: xx.xx.xx.16/32, xx.xx.xx.120/29
latest handshake: 1 minute, 20 seconds ago
transfer: 53.18 KiB received, 43.40 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.27:16331
allowed ips: xx.xx.xx.31/32, xx.xx.xx.240/29
latest handshake: 1 minute, 25 seconds ago
transfer: 52.96 KiB received, 42.75 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.201:16331
allowed ips: xx.xx.xx.10/32, xx.xx.xx.72/29
latest handshake: 1 minute, 39 seconds ago
transfer: 60.80 KiB received, 54.36 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.253:16331
allowed ips: xx.xx.xx.7/32, xx.xx.xx.48/29
latest handshake: 1 minute, 39 seconds ago
transfer: 42.59 KiB received, 35.38 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.123:16331
allowed ips: xx.xx.xx.6/32, xx.xx.xx.40/29
latest handshake: 1 minute, 45 seconds ago
transfer: 66.91 KiB received, 60.57 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.232:44783
allowed ips: xx.xx.xx.14/32, xx.xx.xx.104/29
latest handshake: 1 minute, 49 seconds ago
transfer: 34.50 KiB received, 18.43 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.58:16331
allowed ips: xx.xx.xx.32/32, xx.xx.xx.248/29
latest handshake: 1 minute, 55 seconds ago
transfer: 49.34 KiB received, 47.61 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.121:1024
allowed ips: xx.xx.xx.4/32, xx.xx.xx.24/29
latest handshake: 2 minutes, 9 seconds ago
transfer: 42.90 KiB received, 40.22 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.25:1025
allowed ips: xx.xx.xx.22/32, xx.xx.xx.168/29
latest handshake: 2 minutes, 11 seconds ago
transfer: 42.29 KiB received, 40.75 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.93:16331
allowed ips: xx.xx.xx.34/32, xx.xx.xx.8/29
latest handshake: 2 minutes, 12 seconds ago
transfer: 34.86 KiB received, 35.68 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.37:1024
allowed ips: xx.xx.xx.20/32, xx.xx.xx.152/29
latest handshake: 2 minutes, 12 seconds ago
transfer: 46.18 KiB received, 38.95 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.35:1024
allowed ips: xx.xx.xx.27/32, xx.xx.xx.208/29
latest handshake: 2 minutes, 17 seconds ago
transfer: 28.29 KiB received, 19.70 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.57:16331
allowed ips: xx.xx.xx.15/32, xx.xx.xx.112/29
latest handshake: 2 minutes, 25 seconds ago
transfer: 29.16 KiB received, 20.19 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.130:42639
allowed ips: xx.xx.xx.5/32, xx.xx.xx.32/29
transfer: 0 B received, 230.38 KiB sent
persistent keepalive: every 30 seconds

interface: wgman
public key: (hidden)
private key: (hidden)
listening port: 16332

peer: (hidden)
endpoint: xx.xx.xx.68:1189
allowed ips: xx.xx.xx.61/32
latest handshake: 5 seconds ago
transfer: 25.69 KiB received, 7.94 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.125:1024
allowed ips: xx.xx.xx.21/32
latest handshake: 10 seconds ago
transfer: 266.36 KiB received, 279.69 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.123:16332
allowed ips: xx.xx.xx.6/32
latest handshake: 13 seconds ago
transfer: 266.20 KiB received, 280.07 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.203:16332
allowed ips: xx.xx.xx.3/32
latest handshake: 19 seconds ago
transfer: 223.95 KiB received, 237.19 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.54:16332
allowed ips: xx.xx.xx.18/32
latest handshake: 23 seconds ago
transfer: 269.03 KiB received, 275.84 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.198:16332
allowed ips: xx.xx.xx.13/32
latest handshake: 25 seconds ago
transfer: 286.54 KiB received, 1.49 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.8:16332
allowed ips: xx.xx.xx.25/32
latest handshake: 26 seconds ago
transfer: 287.20 KiB received, 1.49 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.83:1024
allowed ips: xx.xx.xx.33/32
latest handshake: 26 seconds ago
transfer: 231.50 KiB received, 230.94 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.253:16332
allowed ips: xx.xx.xx.7/32
latest handshake: 26 seconds ago
transfer: 224.98 KiB received, 236.13 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.13:1025
allowed ips: xx.xx.xx.12/32
latest handshake: 26 seconds ago
transfer: 223.64 KiB received, 237.60 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.231:1026
allowed ips: xx.xx.xx.11/32
latest handshake: 26 seconds ago
transfer: 223.79 KiB received, 237.66 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.189:16332
allowed ips: xx.xx.xx.2/32
latest handshake: 26 seconds ago
transfer: 223.29 KiB received, 236.60 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.4:59497
allowed ips: xx.xx.xx.23/32
latest handshake: 26 seconds ago
transfer: 287.07 KiB received, 1.49 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.232:1094
allowed ips: xx.xx.xx.14/32
latest handshake: 26 seconds ago
transfer: 287.16 KiB received, 1.49 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.58:17466
allowed ips: xx.xx.xx.26/32
latest handshake: 27 seconds ago
transfer: 287.20 KiB received, 1.49 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.58:16332
allowed ips: xx.xx.xx.32/32
latest handshake: 27 seconds ago
transfer: 287.73 KiB received, 1.49 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.121:1024
allowed ips: xx.xx.xx.4/32
latest handshake: 27 seconds ago
transfer: 225.04 KiB received, 234.95 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.47:1029
allowed ips: xx.xx.xx.29/32
latest handshake: 28 seconds ago
transfer: 287.26 KiB received, 1.49 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.87:16332
allowed ips: xx.xx.xx.28/32
latest handshake: 31 seconds ago
transfer: 223.82 KiB received, 237.41 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.95:55024
allowed ips: xx.xx.xx.19/32
latest handshake: 31 seconds ago
transfer: 266.73 KiB received, 279.75 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.37:1024
allowed ips: xx.xx.xx.20/32
latest handshake: 31 seconds ago
transfer: 223.86 KiB received, 237.35 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.3:16332
allowed ips: xx.xx.xx.9/32
latest handshake: 32 seconds ago
transfer: 267.07 KiB received, 280.85 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.27:1025
allowed ips: xx.xx.xx.31/32
latest handshake: 32 seconds ago
transfer: 223.79 KiB received, 237.35 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.67:16332
allowed ips: xx.xx.xx.17/32
latest handshake: 32 seconds ago
transfer: 267.11 KiB received, 280.79 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.35:1024
allowed ips: xx.xx.xx.27/32
latest handshake: 34 seconds ago
transfer: 265.95 KiB received, 279.16 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.14:1025
allowed ips: xx.xx.xx.24/32
latest handshake: 34 seconds ago
transfer: 265.61 KiB received, 280.16 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.57:16332
allowed ips: xx.xx.xx.15/32
latest handshake: 34 seconds ago
transfer: 265.07 KiB received, 279.35 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.201:1024
allowed ips: xx.xx.xx.10/32
latest handshake: 34 seconds ago
transfer: 266.54 KiB received, 279.75 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.25:1025
allowed ips: xx.xx.xx.22/32
latest handshake: 45 seconds ago
transfer: 223.23 KiB received, 236.47 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.43:1025
allowed ips: xx.xx.xx.16/32
latest handshake: 1 minute ago
transfer: 4.93 MiB received, 2.59 MiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.45:16332
allowed ips: xx.xx.xx.8/32
latest handshake: 1 minute, 19 seconds ago
transfer: 224.11 KiB received, 238.09 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.93:16332
allowed ips: xx.xx.xx.34/32
latest handshake: 1 minute, 31 seconds ago
transfer: 226.52 KiB received, 230.52 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.88:16332
allowed ips: xx.xx.xx.30/32
latest handshake: 1 minute, 48 seconds ago
transfer: 273.07 KiB received, 273.13 KiB sent
persistent keepalive: every 30 seconds

peer: (hidden)
endpoint: xx.xx.xx.130:32428
allowed ips: xx.xx.xx.5/32
transfer: 0 B received, 226.91 KiB sent
persistent keepalive: every 30 seconds


MIKROTIK:


Output of /interface/wireguard/print detail

Flags: X - disabled; R - running
0 R name="Dasta613" mtu=1420 listen-port=16331
private-key="(hidden)"
public-key="(hidden)"

1 R name="Management Dasta613" mtu=1420 listen-port=16332
private-key="(hidden)"
public-key="(hidden)"

Output of /interface/wireguard/peers/print detail

Flags: X - disabled
0 interface=Dasta613 public-key="(hidden)"
endpoint-address=xx.xx.xx.37 endpoint-port=16331
current-endpoint-address=xx.xx.xx.37 current-endpoint-port=16331
allowed-address=xx.xx.xx.120/29,xx.xx.xx.1/24,xx.xx.xx.0/23
persistent-keepalive=30s rx=2983.7KiB tx=3160.2KiB last-handshake=1m25s

1 interface=Management Dasta613
public-key="(hidden)"
endpoint-address=xx.xx.xx.37 endpoint-port=16332
current-endpoint-address=xx.xx.xx.37 current-endpoint-port=16332
allowed-address=xx.xx.xx.1/24 persistent-keepalive=30s rx=17.9MiB
tx=20.8MiB last-handshake=21s
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Issues with Wireguard.

Wed Sep 28, 2022 2:46 pm

Ok, so you're worried about those endpoints listed on Ubuntu with the not-random ports 1024 / 1025 that you did not set?
Do those peers have unique keys and allowed IPs? What port is set on the wg interfaces on those specific MikroTiks?
 
frika
just joined
Topic Author
Posts: 8
Joined: Tue Jan 18, 2022 12:16 pm

Re: Issues with Wireguard.  [SOLVED]

Wed Sep 28, 2022 3:28 pm

I found the problem... Since both tunnels are on the same Ubuntu machine with 1 IP and 1 MAC address, and some of the clients are behind NAT, Wireguard switches both of the tunnels from the designated listening port to a port dictated by the router with NAT (which can be caused by several events). The communication is OK until there is a break of electricity/internet/connection, at which point both of the tunnels try to establish a connection on the same port, which is impossible: one works out fine while the other is unable to create the tunnel since the port is already in use by a Wireguard tunnel.
Solution: either create an interface with a separate public IP and move one of the tunnels onto it, OR create a separate VM with its own IP etc. Or, if you have access to the device with NAT, set it up in such a way that this is not an issue.
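A small triage helper, added here as an example and not code from the thread, MikroTik or the WireGuard project: it parses `wg show` output in the format dumped above and flags, per peer, an endpoint port that differs from the server's listen port (a source port rewritten by a NAT, like the 1024/1025 entries), the same client address:port reported under more than one interface (the collision the topic author suspected), and peers with no handshake. The sample input is constructed, and the port check assumes the thread's convention that client and server use the same port per tunnel.

```python
from collections import defaultdict

# Constructed sample, abbreviated from the thread's anonymised `wg show` dump.
SAMPLE = """\
interface: wg0
  listening port: 16331

peer: peerB
  endpoint: 10.0.0.25:1025
  latest handshake: 2 minutes, 11 seconds ago

peer: peerC
  endpoint: 10.0.0.130:42639

interface: wgman
  listening port: 16332

peer: peerD
  endpoint: 10.0.0.25:1025
  latest handshake: 45 seconds ago
"""

def parse_wg_show(text):
    """Return {interface: {"port": int, "peers": [peer dicts]}} from `wg show` text."""
    ifaces, cur_if, cur_peer = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            cur_if = line.split(":", 1)[1].strip()
            ifaces[cur_if] = {"port": None, "peers": []}
        elif line.startswith("listening port:"):
            ifaces[cur_if]["port"] = int(line.split(":", 1)[1])
        elif line.startswith("peer:"):
            cur_peer = {"key": line.split(":", 1)[1].strip(), "handshake": False}
            ifaces[cur_if]["peers"].append(cur_peer)
        elif line.startswith("endpoint:"):  # host may be IPv4, [IPv6] or a name
            host, port = line.split(":", 1)[1].strip().rsplit(":", 1)
            cur_peer["host"], cur_peer["port"] = host, int(port)
        elif line.startswith("latest handshake:"):
            cur_peer["handshake"] = True
    return ifaces

def triage(ifaces):
    """Return (interface, subject, finding) tuples worth a second look."""
    findings, seen = [], defaultdict(list)  # seen: (host, port) -> interfaces
    for name, data in ifaces.items():
        for p in data["peers"]:
            if "port" not in p:  # peer has never sent us a packet
                findings.append((name, p["key"], "no endpoint"))
                continue
            # Assumption (thread convention): same port both ends, so a different source port was rewritten by a NAT.
            if p["port"] != data["port"]:
                findings.append((name, p["key"], "endpoint port translated"))
            if not p["handshake"]:
                findings.append((name, p["key"], "no handshake"))
            seen[(p["host"], p["port"])].append(name)
    for (host, port), names in seen.items():
        if len(names) > 1:
            findings.append(("*", f"{host}:{port}", "shared by " + ", ".join(names)))
    return findings
```

Feed it the real dump with `triage(parse_wg_show(open("wg-show.txt").read()))`; a peer flagged only as "endpoint port translated" but with a recent handshake is working normally through its NAT.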
 
frika
just joined
Topic Author
Posts: 8
Joined: Tue Jan 18, 2022 12:16 pm

Re: Issues with Wireguard.

Wed Sep 28, 2022 3:30 pm

> Ok, so you're worried about those endpoints listed on Ubuntu with the not-random ports 1024 / 1025 that you did not set?
> Do those peers have unique keys and allowed IPs? What port is set on the wg interfaces on those specific MikroTiks?

Thank you for your time and for taking an interest in my problem :)
I hope you have a good day/evening!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Issue with 2 Wireguard tunnels on one machine.

Wed Sep 28, 2022 4:08 pm

What you described should not happen, the problem must be somewhere else.
