Thank you for sharing information on your setup. Few questions:Here is an example of my settings for my iphone.........
I might be missing something, though my setup is identical to yours. If you see any difference, please pinpoint.I can only state what I have setup on my wireguard connections
The problem is that I do not see reason it does not work: packets arriving from Phone to MT and ... no reply provided by MT. And this black box keeps silence.It works just fine, its your setup that is not working either on the phone or on the MT itself.
Just to demonstrate that nothing is generated by WG server. And general question: why not?Why is the output chain used and especially for the UDP port.
Yes, my CCR WG server behind RB951 device, thus export file from Wireguard's won't help to understand network structure.OR IS IT behind another device???
From what I recall I have tried 0.0.0.0/0, and this does not help. Sorry I did not mentioned that.Clearly the WIREGUARD peer settings are missing the allowed address!!!
WG export won't help us, and for upstreaming RB951 I won't do that./export hide-sensitive file=anynameyouwish
You're coming here to ask for help and then dismissing the question for additional info which ultimately is only required to HELP YOU ?WG export won't help us, and for upstreaming RB951 I won't do that./export hide-sensitive file=anynameyouwish
The problem is clear: packets are entered into WG server, but no output generated by WG server: neither new packets in output chain nor errors in log.
That's totally wrong
This was helpful: after adding 0.0.0.0/0 into allowed addresses I am get error in the log. I still don't get why WG binds to 127.0.0.1.Clearly the WIREGUARD peer settings are missing the allowed address!!!
That's no problem: let all NEW traffic go to router.0.0.0.0/0 is only for a 'client' and consequently all of its traffic will then go through the WG interface to your router.
On your server/router you should not use 0.0.0.0/0. That should be the IP address of your 'other side'. From your screenshots above that should then be 192.168.90.3, the IP you assigned on your mobile device.
As it's disabled we can ignore it. Right?(1) The WG interface may or may not get an IP address (optional, works either way).
That's useful if you might have several WAN outputs (though not active simultaneously). In that case all rules and defaults are easier to apply to bridge rather than to each separate output.(2) Why did you put the WAN connection on a biridge, normally not required?
discover is only essential here. Rest can be deleted as it is not used.(3) I dont understand the very unusual non-standard use of interface list and interface members.
Thanks. May be will go this way later.(4)...
Tried this 192.168.90.3/32 as suggested by holvoetn above: server shuts up.(5)
This is the crucial part:Please draw a network diagram as your config on the MT device is very confusing and ALL WRONG, and a diagram will help clear up some unknowns!!
Why is the output chain used and especially for the UDP port.
Why is the MT device which is your wireguard server port forwarding the UDP port.
It should only be using the INPUT CHAIN ?????
OR IS IT behind another device???
Finally you didnt do a good job of comparing my setup with yours.
Clearly the WIREGUARD peer settings are missing the allowed address!!!
YOU NEED TO show your config as the pictures are not that helpful.
/export hide-sensitive file=anynameyouwish
Of course, there is nothing new in what you are saying.@anav Wireguard is quite fun to use. I tested it behind two nats (double natted) and I had a thing i did not understand.
I opened ports on both main routers that directed to the main wireguard peer behind the network.
Whatever peer that initiated the connection would use a random port (I am guessing it was masqueraded) to connect to the dst-nated port on the other network
The receiving peer will use the dst-nated port all the way thru to contact the initiating peer.
If the ip of either wan changes the internal listening port of the mikrotik's wireguard configuration of the device behind this ip change needs to be changed on the initiator or the masqueraded port path will fail? (this is my guess, it just won't connect as the target peer and router will not see any packets)
otherwise it just works, this is amazing! I am so glad it got added to routeros