I am trying to connect from my road-warrior client to the MikroTik and I get this error: "Sending initiation handshake to peer1 did not complete after 5 sec".
The MikroTik is not behind CGNAT. I also want to mention that I already have an L2TP/IPsec VPN server on the MikroTik and the road warriors are working perfectly with it. I want to switch from L2TP to WireGuard because it is easier to set up on mobile phones and devices in general.
My MikroTik config is below:
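# RouterOS export as posted, annotated on review. The only configuration change
# is the WireGuard peer allowed-address (see /interface wireguard peers).
/interface bridge
add admin-mac=DC:2C:6E:3B:C7:89 auto-mac=no comment=defconf name=bridge.LAN
# WireGuard listener. The client's [Peer] PublicKey must be THIS interface's
# public key (shown by `/interface wireguard print`), and the peer entry below
# must hold the public key derived from the client's PrivateKey. If either side
# is wrong the router silently ignores the initiation, which matches an
# unanswered handshake and a peer that never records a last-handshake.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.0.0.100-10.0.0.199
add name=vpn_pool ranges=10.10.10.2-10.10.10.11
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge.LAN lease-time=1w1d name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=10.10.10.1 name=vpn_profile \
remote-address=vpn_pool use-encryption=yes
/interface bridge port
add bridge=bridge.LAN comment=defconf interface=ether3
add bridge=bridge.LAN comment=defconf interface=ether4
add bridge=bridge.LAN comment=defconf interface=ether5
add bridge=bridge.LAN comment=defconf interface=ether6
add bridge=bridge.LAN comment=defconf interface=ether7
add bridge=bridge.LAN comment=defconf interface=ether8
add bridge=bridge.LAN comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn_profile enabled=yes use-ipsec=\
required
/interface list member
add comment=defconf interface=bridge.LAN list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
# wireguard1 in the LAN list: once connected, VPN clients get the same input
# chain access to the router as wired LAN hosts (DNS, management services).
# Intended for road warriors, but keep it in mind when adding peers.
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
# Road-warrior peer: allowed-address is the peer's tunnel address only.
# 10.0.0.0/24 was removed from this entry. On the router side allowed-address
# is cryptokey routing: listing the LAN here would accept packets from this
# peer carrying spoofed 10.0.0.x source addresses (and wireguard1 is in the LAN
# list, so nothing in the filter chains would stop them), and would steer any
# wireguard1-bound traffic for 10.0.0.0/24 to this single peer. The LAN prefix
# belongs in the client's AllowedIPs, not in the router's peer entry.
add allowed-address=172.16.10.3/32 interface=wireguard1 \
public-key="SNXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX6yTM="
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge.LAN network=10.0.0.0
add address=91.XXX.169.238/30 interface=ether1 network=91.XXX.169.236
# Router's own tunnel address; the client reaches it as 172.16.10.1/32.
add address=172.16.10.1/24 comment="WG VPN" interface=wireguard1 network=\
172.16.10.0
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# The port-scanner and SYN-flood rules below match protocol=tcp only, so they
# cannot interfere with the UDP WireGuard handshake.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port Scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=jump chain=input comment="SYN Flood INPUT" connection-state=new \
jump-target=syn-attack protocol=tcp tcp-flags=syn
# UDP 13231 is accepted here, ahead of the "drop all not coming from LAN"
# rule, so the handshake is not blocked by the input chain.
add action=accept chain=input comment="WG VPN Rule" dst-port=13231 protocol=\
udp
add action=accept chain=input comment="VPN Allow Rules" dst-port=1701 \
protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=input src-address-list="port scanners"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=jump chain=forward comment="SYN Flood FW" connection-state=new \
jump-target=syn-attack protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=syn-attack connection-state=new limit=400,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=syn-attack connection-state=new log=yes log-prefix=\
SYN-ATK protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=30000-35000 \
in-interface-list=WAN protocol=udp to-addresses=10.0.0.220 to-ports=\
30000-35000
add action=dst-nat chain=dstnat dst-port=5001 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.0.220 to-ports=5001
add action=dst-nat chain=dstnat dst-port=5090 in-interface-list=WAN protocol=\
tcp to-addresses=10.0.0.220 to-ports=5090
add action=dst-nat chain=dstnat dst-port=5090 in-interface-list=WAN protocol=\
udp to-addresses=10.0.0.220 to-ports=5090
/ip firewall raw
# Only UDP/53 from WAN is dropped in raw; UDP/13231 is untouched here.
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN log=yes \
log-prefix="WAN DNS" protocol=udp
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=91.XXX.169.237 routing-table=\
main suppress-hw-offload=no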
My client setup is below:
[Interface]
# Client tunnel address; must equal the allowed-address the router holds for this peer.
Address = 172.16.10.3/32
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# A fixed source port is optional for a road-warrior client; it is not needed for the handshake.
ListenPort = 13231

[Peer]
# Must be the router's wireguard1 interface public key (`/interface wireguard print`),
# not the key the router lists under its own peer entry for this client.
PublicKey = TgXXXXXXXXXXXXXXXXXXXXXXXXXXXXXmE=
Endpoint = 91.XXX.169.238:13231
# Router tunnel address plus the LAN behind it; the LAN prefix belongs here, on the client.
AllowedIPs = 172.16.10.1/32, 10.0.0.0/24
Also, on the MikroTik side, the peer entry for my client shows a last-handshake of 00:00:00.
Any ideas what is wrong?