Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Unable to set WG public key on CLI or WebFig

Thu Aug 12, 2021 11:19 pm

I'm having a problem where I need to add Wireguard peers that have the same public keys. WebFig and Winbox won't let me add it because there is already another peer with the same key, but it shouldn't matter. In the CLI, it just doesn't want to work at all, even when using a different key. What gives?
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 1:16 am

You can't have two peers with the same public key, by design. Wireguard simply doesn't do this. This is how Wireguard works, and has nothing to do with Mikrotik.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 3:11 am

You can't have two peers with the same public key, by design.
Then why isn't there a way to assign a peer to multiple interfaces? Each interface+peer combo would have a specific connection by design because the source port will be different for each. That's basic CCNA-level stuff!
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 5:28 am

I think we are talking about different things here - something isn't adding up. Let me see if I understood You:

Imagine You have one server "A" and two clients - "B" and "C".

1) You create a Wireguard interface on all machines.
2) On the clients You create one peer, and point it to the server. You put the server's public key on both clients peer configuration.
3) On the server You will create two peers: one for machine B and another for machine C. You can use one Wireguard interface for both, or create one interface for each. Your choice.
4) Still on the server, You will put the public key of each client on its respective peer config. The keys must be different.

I never tried to add the same peer on two different interfaces. BUT: Wireguard uses the keys as part of the routing decision. If You have the same public key on two different configs, how would it know where to route to?

Take a look at the reference:
https://www.wireguard.com/#cryptokey-routing
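A constructed model of the cryptokey routing the linked reference describes, added here as an example and not taken from any post or from RouterOS: one interface's peer table keyed by public key, egress by longest-prefix match over the peers' allowed-ips, and the ingress source check. The peer keys and addresses are placeholders.

```python
import ipaddress

class WireGuardInterface:
    """Toy model of one WireGuard interface's cryptokey routing table."""
    def __init__(self):
        self.peers = {}   # public key -> list of allowed-ips networks

    def add_peer(self, public_key, allowed_ips):
        # The peer table is keyed by the public key: the key IS the peer's
        # identity, so a second entry with the same key could not be told
        # apart when that key shows up in a handshake.
        if public_key in self.peers:
            raise ValueError(f"peer {public_key} already exists on this interface")
        self.peers[public_key] = [ipaddress.ip_network(n) for n in allowed_ips]

    def route_outbound(self, dst_ip):
        """Egress: longest-prefix match of dst over every peer's allowed-ips."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for key, nets in self.peers.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (key, net)
        return best[0] if best else None   # None: no peer owns it, packet dropped

    def accept_inbound(self, from_key, inner_src_ip):
        """Ingress: a decrypted packet from peer X is accepted only if its inner
        source address lies inside X's allowed-ips. This is what stops peer B
        from injecting packets that claim to come from peer C's address."""
        src = ipaddress.ip_address(inner_src_ip)
        return any(src in net for net in self.peers.get(from_key, []))

def build_server_from_thread():
    """Paternot's scenario: server A with peers B and C on one interface
    (constructed placeholder keys and tunnel addresses)."""
    wg = WireGuardInterface()
    wg.add_peer("PUBKEY_B_placeholder", ["10.0.0.2/32"])
    wg.add_peer("PUBKEY_C_placeholder", ["10.0.0.3/32", "192.168.50.0/24"])
    return wg
```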
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 5:53 am

All the Wireguard interfaces have different public keys and the server knows about these different public keys. Actually, this is because I'm using Mullvad VPN which uses Wireguard and allows up to 5 "clients" which is a code word for a unique private+public key combo. I want all 5 of these "clients" to connect to one of their servers using a different source port, and this means that it will technically work because all 5 connections can be differentiated. The problem is, to specify the server to connect to, I have to add a Wireguard peer which happens to be identical for all the interfaces. I already tried something similar where I have several actual client devices behind the NAT connecting to the same server, so it is actually possible just by changing the source port. The problem is, Mikrotik doesn't let you assign one peer profile to multiple interfaces and this setup doesn't work although in reality it can. It's known that the server will accept these multiple connections so it's on Mikrotik to add the functionality needed.
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 6:20 am

But would it work, if all connections were from a (say) Linux box? I'm still not sure that this specific setup would work with Wireguard - it would play merry hell with the routing.

Yes, five different clients, behind a router, should work ok. All five tunnels terminating on the same router? I'm not so sure about it... Did You read the link I sent? Wireguard uses the public key for more than authentication and cryptography.

To be honest, never tried it - I've never had to establish more than one connection to the same host, like You described.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 4:38 pm

If we think about the 5 clients behind the router simply as network connections, this abstracts away the fact that they're all different devices. This still leaves that each device has a unique private key which lets the server know which client is which even though they share the same IP. However, all of these clients share the same peer public key and endpoint. Now let's move all of these clients onto the router. Each WG interface in the router acts like an independent client because the source port will be different for each and each one still has a different private key. Each interface will still have the same peer public key and endpoint, the same as before, but if only Mikrotik allowed that. Therefore, the network setup to the server appears the exact same and it should be technically possible to have a multiple client setup on the router.
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 4:44 pm

No, it does not. Part of the routing decision, with Wireguard, uses the key. Did You read the link I sent? Did You test with a Linux client?

It is the only way to make sure if this is a Mikrotik limitation or a Wireguard one.

Go. Read. The. Link.
Do. The. Linux. Test.
 
Cablenut9
Long time Member
Topic Author
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 4:53 pm

Go. Read. The. Link.
I already did!
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Unable to set WG public key on CLI or WebFig

Fri Aug 13, 2021 5:17 pm

So You should see the potential problem.

Now it's time to test with a Linux client. This way we can rule out (or confirm) the Mikrotik limitation. Now is a good time to find problems with Mikrotik's Wireguard implementation: it's still considered beta.

But first... test with a Linux client. See if You can run the five Wireguard connections at the same time.
 
pvlcek
just joined
Posts: 4
Joined: Tue Dec 18, 2018 12:57 pm

Re: Unable to set WG public key on CLI or WebFig

Thu Jun 23, 2022 8:15 pm

Hi, I see this also as a problem. I had to replace my original Mikrotik device with a different one, and from that moment on I cannot connect to the peer. I would welcome it if there was an option to specify the public WG key of the original device. I know it; I have it exported successfully.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Unable to set WG public key on CLI or WebFig

Thu Jun 23, 2022 8:45 pm

It's not what this thread is about. The public key is derived from the private key. Set that one and you'll also have the original private one.
 
pvlcek
just joined
Posts: 4
Joined: Tue Dec 18, 2018 12:57 pm

Re: Unable to set WG public key on CLI or WebFig

Thu Jun 23, 2022 9:16 pm

It's not what this thread is about. The public key is derived from the private key. Set that one and you'll also have the original private one.
True. My bad, I thought that I'd had the private key imported successfully but instead the interface generated a random one. And since there are dots and you cannot see the actual key, I assumed it simply was not working right... Sorry for hijacking this thread a bit.
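Sob's point, that the public key is derived from the private key, can be checked offline before blaming the router. Added example, not from any post or from RouterOS: a pure-Python X25519 (RFC 7748) that turns a base64 WireGuard private key into its public key, using the RFC 7748 test vectors as known-good input; the conditional swap is an ordinary branch, so this is a diagnostic, not production cryptography.

```python
import base64
P = 2**255 - 19                      # Curve25519 field prime
BASE_POINT = bytes([9]) + bytes(31)  # u = 9, little-endian, 32 bytes

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    # RFC 7748 Montgomery ladder; the swap is a plain branch (not constant-time).
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64   # clamp the private scalar
    k = int.from_bytes(k, "little")
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = u * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_public_key(private_b64: str) -> str:
    """Base64 WireGuard private key -> base64 public key (X25519 of the base point)."""
    priv = base64.b64decode(private_b64)
    if len(priv) != 32:
        raise ValueError("WireGuard keys are exactly 32 bytes")
    return base64.b64encode(x25519(priv, BASE_POINT)).decode()

def key_pair_matches(private_b64: str, expected_public_b64: str) -> bool:
    # The check from the last two posts: does the key you think you imported
    # really produce the public key the other side has on file?
    return wg_public_key(private_b64) == expected_public_b64

# RFC 7748 section 6.1 vectors (known-good), re-encoded to base64 as WireGuard does.
_b64 = lambda h: base64.b64encode(bytes.fromhex(h)).decode()
ALICE_PRIV = _b64("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = _b64("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = _b64("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = _b64("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"

def rfc7748_selfcheck() -> bool:
    # Both derivations must match the RFC and both sides must agree on the secret.
    ab = x25519(base64.b64decode(ALICE_PRIV), base64.b64decode(BOB_PUB)).hex()
    ba = x25519(base64.b64decode(BOB_PRIV), base64.b64decode(ALICE_PUB)).hex()
    return key_pair_matches(ALICE_PRIV, ALICE_PUB) and key_pair_matches(BOB_PRIV, BOB_PUB) and ab == ba == SHARED
```

Run `key_pair_matches(<private key from your export>, <public key the peer has configured>)`; a False result means the interface is not using the key you believe it is.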
