Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Wireguard wants to keep the connection

Sun Mar 05, 2023 9:02 pm

Hello
After a few tries, I was finally able to set up a wireguard connection.
Everything works, unfortunately after disconnecting the router still wants to resume the connection. In the options I set the hold to 25 but it lasts all the time ... Below config:
/ip address
add address=192.168.2.1/24 comment=defconf interface=Home network=192.168.2.0
add address=192.168.4.1/24 interface=Tik network=192.168.4.0
add address=192.168.10.1/24 interface=Bridge-geust network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=ether1

/interface wireguard peers
add allowed-address=192.168.4.2/32 disabled=yes interface=Tik \

Log I get after disconnecting:
Retrying handshake with peer because we stopped hearing back after 15 seconds
Handshake for peer did not complete after 5 seconds, retryin......

I found similar messages - but for the case where connecting is impossible. Here I am connecting, but after disconnecting I get this message :|
e.g. - viewtopic.php?t=184821&sid=17fcd4140cae ... 496e4081d5
Regards ;)
Qba
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard wants to keep the connection

Sun Mar 05, 2023 9:32 pm

Wireguard always tries to connect outbound.
Keepalive only needs to be set on the devices acting as client.
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Sun Mar 05, 2023 11:23 pm

i.e. I understand that it will want to connect all the time and will generate this type of logs, unlike OpenVPN which disconnects and that's it? as the router itself doesn't try to make a callback?
I thought that after setting Keepalive after a given time, it stops calling the client :|
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 12:23 am

Nope, you simply do NOT use persistent keep alive settings on the ROUTER's (server for wireguard initial connection) peer entries.
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 8:41 am

Nope, you simply do NOT use persistent keep alive settings on the ROUTER's (server for wireguard initial connection) peer entries.
Honestly - I don't really understand ... Maybe it's a matter of technical complexity ... :( I also have 25sec set in the connection settings on my computer - if it's about it.
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 8:49 am

In Wireguard there are only peers.
But for sake of simplicity, let's assume you have a server and some clients.
On the server this keepalive is not needed. Only on the peers (clients) which are connecting TO the server.

So from your computer to that Mikrotik server, yes, there it is needed.
On your phone, yes.
On the Mikrotik itself (assuming your device acts as "server"), it's not needed.
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 9:23 am

Now I understand, thank You for translating into "normal language".
But back to the topic ... After creating clients, connecting and disconnecting, will the Mikrotik "call" the clients all the time? Do I understand correctly? Doesn't it significantly affect its work? Isn't that a threat in any way? If I want to have logs only from connections - allowed and rejected - do I have to create a proper rule for logs, otherwise it will write all of them like now?
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 9:31 am

Has nothing to do with Mikrotik
That's how Wireguard works.

You can easily test this:
-Set a wrong endpoint-IP/address in your wireguard settings on PC.
-Start Wireguard
-You will see the TX counter move up (nobody will answer but you will see it tries and tries and tries ...)
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 9:47 am

I understand ;) I mean similar logs as for example OpenVpn - this user logged in then, logged out then, and such and such a connection was rejected. Nothing else, by the way it came out to keep the connection, that's why I asked - I had no idea it worked like that.
Thanks for help and reply. ;)
Regards :)
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 2:29 pm

The Router does not call anyone, it's the clients that call the router, and that is to establish the tunnel connection. Once the tunnel is up traffic is two way. If there is no client user accessing the tunnel to do work, the client device keeps the tunnel active (open and available) by the persistent keep alive setting.
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 5:28 pm

thanks @anav for an even clearer explanation ;) then where, or in which place, do I turn off the callback? set keepalive on the tik to zero?
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 5:29 pm

Yes, that's also what I indicated.

ET phone Home.

Home does not phone ET :lol:
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard wants to keep the connection

Mon Mar 06, 2023 5:56 pm

thanks @anav for an even clearer explanation ;) then where, or in which place, do I turn off the callback? set keepalive on the tik to zero?
On the router you have two spots to set wireguard parameters.

1 - The INTERFACE itself
2 - Peer settings, where you identify the peers (where you put the public key from client devices etc). MAKE SURE HERE, you do NOT use any keep alive settings. In fact all you need here is
a. allowed IPs,
b. public key
c. interface name ( which you made at 1 )
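The split described in this post, as an added example that is not any poster's configuration: the router's peer entry carries only the three items listed above, while the keepalive lives in the client's own config. The public keys, the router's WAN address and the comment are placeholders; the interface name, listen port and tunnel subnet follow the values used elsewhere in the thread.

```routeros
# --- Router side (RouterOS), the "server" role in the thread's terms ---
# Added example, not the poster's export. Keys/addresses are placeholders.
/interface wireguard
add listen-port=53535 mtu=1420 name=wireguard1
/ip address
add address=192.168.4.1/24 interface=wireguard1 network=192.168.4.0
/interface wireguard peers
# Only allowed-address, public-key and interface: no endpoint-address,
# no endpoint-port and no persistent-keepalive on the router's peer entry,
# so the router has no reason of its own to initiate or retry handshakes.
add allowed-address=192.168.4.2/32 interface=wireguard1 \
    public-key="<CLIENT_PUBLIC_KEY>" comment="laptop"

# --- Client side (wg-quick style configuration on the PC) ---
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 192.168.4.2/32

[Peer]
PublicKey = <ROUTER_PUBLIC_KEY>
Endpoint = <ROUTER_WAN_IP_OR_DNS>:53535
AllowedIPs = 192.168.4.0/24
# Keepalive belongs here, on the side that dials out.
PersistentKeepalive = 25
```

Even with this layout the router still sends a handshake toward the last endpoint it learned if a LAN host sends traffic to 192.168.4.2 while the client is away; that is data-driven and stops once nothing is queued, unlike a keepalive, which would repeat forever.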
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Tue Mar 07, 2023 11:27 am

So what should the correct configuration look like?
The tik will check for 8 minutes if there is no connection, then the message:
"Zeroing out all keys for peer, since we haven't received a new one in 540 seconds"
and after another 20 tries it will give up?
"Handshake for peer did not complete after 20 attempts, giving up"
I ask because since I started the topic, I want to know how it should look properly, and I can't find it :|
 
holvoetn
Forum Guru
Posts: 5474
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard wants to keep the connection

Tue Mar 07, 2023 11:55 am

What I do:
- only look at peers status
- disable logging for wireguard (it has no added value if the connection works)
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Tue Mar 07, 2023 12:30 pm

Ok - I just need to look for how to create a rule that allows you to see logins from wireguard ;)
I already know everything - I guess :D
To close ;)
Regards
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard wants to keep the connection

Tue Mar 07, 2023 1:14 pm

The login is the initial handshake, you can see counters add by one when this happens.
So log that..........( aka the input chain firewall rule )
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Wed Mar 08, 2023 6:33 pm

@Anav I think I know what you mean ... but I don't know how to create it ... when I enable logs from the firewall, it floods so much that I can't find myself. With OVPN, the log itself is saved - user x comes in then, goes out then, and after problems .. and somehow I'm not doing well :|
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard wants to keep the connection

Thu Mar 09, 2023 2:01 am

post your config
/export file=anynameyouwish ( minus the router serial number and any public WANIP information )
 
Qbaakr
just joined
Topic Author
Posts: 11
Joined: Sun Mar 05, 2023 8:01 pm

Re: Wireguard wants to keep the connection

Thu Mar 09, 2023 10:41 pm

post your config
/export file=anynameyouwish ( minus the router serial number and any public WANIP information )
model = RBD52G-5HacD2HnD
# serial number =
/interface bridge
add name=Bridge-geust
add admin-mac=xXx auto-mac=no comment=defconf name=Home
/interface ethernet
set [ find default-name=ether1 ] comment=A
set [ find default-name=ether2 ] comment=B
set [ find default-name=ether3 ] comment=C
set [ find default-name=ether4 ] comment=D
/interface wireguard
add listen-port=53535 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile1 \
supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
"profile guest" supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=poland disabled=no distance=indoors frequency=2452 installation=\
indoor mode=ap-bridge name=2G security-profile=profile1 ssid=Dom \
station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-eeeC country=poland disabled=no distance=indoors frequency=\
5700 installation=indoor mode=ap-bridge name=5G security-profile=profile1 \
ssid=Dom-ac station-roaming=enabled wireless-protocol=802.11
add keepalive-frames=disabled mac-address=ZzZ master-interface=\
2G multicast-buffering=disabled name=Guest security-profile=\
"profile guest" ssid=Guest wds-cost-range=0 wds-default-cost=0 wps-mode=\
disabled
/ip pool
add name=dhcp ranges=192.168.2.2-192.168.2.40
add name=OpenVpnpool ranges=192.168.3.2-192.168.3.6
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes interface=Home lease-time=51w3d \
name=dhcp
add address-pool=dhcp_pool2 interface=Bridge-geust name=dhcp1
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.3.1 name=OpenVpn remote-address=\
OpenVpnpool use-encryption=required use-ipv6=no
/interface bridge port
add bridge=Home comment=defconf ingress-filtering=no interface=ether2
add bridge=Home comment=defconf ingress-filtering=no interface=ether3
add bridge=Home comment=defconf ingress-filtering=no interface=ether4
add bridge=Home comment=defconf ingress-filtering=no interface=ether5
add bridge=Home comment=defconf ingress-filtering=no interface=2G
add bridge=Home comment=defconf ingress-filtering=no interface=5G
add bridge=Bridge-geust interface=Guest
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=Home list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=Mikro-Server cipher=aes256-cbc default-profile=\
OpenVpn enabled=yes require-client-certificate=yes
/interface wireguard peers
add allowed-address=192.168.4.2/32 interface=wireguard1 public-key=\
"xyz"
/interface wireless access-list
add comment=Fone interface=5G mac-address=IiI
/ip address
add address=192.168.2.1/24 comment=defconf interface=Home network=192.168.2.0
add address=192.168.4.1/24 interface=wireguard1 network=192.168.4.0
add address=192.168.10.1/24 interface=Bridge-geust network=192.168.10.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=\
192.168.2.15,62.179.1.62,62.179.1.63 gateway=192.168.2.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=input comment="Open VPN" dst-port=1194,80,8291,21 \
protocol=tcp src-address=192.168.3.2-192.168.3.6 src-port=""
add action=accept chain=input comment=Wireguard dst-port=53535,80,8291,21 \
protocol=udp src-port=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input dst-port=1194 protocol=tcp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1 src-address=\
192.168.4.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=WwW
set ssh disabled=yes
set api disabled=yes
set winbox address=OoO
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ppp secret
add name=wWw profile=OpenVpn service=ovpn
add name=yYy profile=OpenVpn service=ovpn
/system clock
set time-zone-name=Europe/Warsaw
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
that's all
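As an added example that is not from the thread or any poster, one way to get OpenVPN-style "login" lines for WireGuard on the export above, following anav's suggestion of an input-chain log rule. It assumes the `listen-port=53535` and the accept rule with `comment=Wireguard` from this export, and that the default `info` logging rule that writes to memory is still in place.

```routeros
# Added example, not part of the posted export.
/ip firewall filter
# Log the first packet of each new UDP flow to the WireGuard port. For a
# client that has been silent longer than the UDP connection-tracking
# timeout this is its handshake initiation, i.e. the "login" anav refers to.
# place-before keeps the log rule ahead of the existing accept rule so the
# packet is still seen by it (action=log continues to the next rule).
add action=log chain=input comment="log WG handshake" connection-state=new \
    dst-port=53535 log-prefix="wg-handshake" protocol=udp \
    place-before=[find comment=Wireguard]

# Keep the firewall lines but silence the per-retry handshake chatter by
# excluding the wireguard topic from the default info rule (assumed to be
# the stock "info -> memory" rule; negated topics are written with "!").
/system logging
set [find topics=info] topics=info,!wireguard

# A logged UDP packet only proves that something reached the port; the
# peer's last-handshake value is what confirms the client authenticated.
/interface wireguard peers
print detail where interface=wireguard1
```

A client running with PersistentKeepalive never lets its flow go idle, so it is logged once at the first handshake and not again until it has actually been away; a rejected or unknown sender shows up as a `wg-handshake` line with no corresponding change in last-handshake.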
