Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Will NATted wireguard work?

Wed Oct 13, 2021 7:18 pm

I am trying to run a local WireGuard server on a Mikrotik, though its implementation (7.1rc4) does not respond to the Android WireGuard client implementation (1.0.20210926).
The configs of server and client are in the attachments. In simple words: Mikrotik WireGuard does not respond, though the IP routing configuration is correct and a simple ping does work (I cannot ping the phone's IP as the phone's ISP is NATted).
I suspect that Mikrotik is confused about where to send the WireGuard packets back and just silently drops them.
I wonder why: for me it's clear: send them back to where you got them from (same IP, src port). I also tried to remove the listening port in the WireGuard client; it does not help.
Are there any more logging filtering rules I can apply to see what's going on inside WG?
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Wed Oct 13, 2021 9:30 pm

It works just fine, it's your setup that is not working, either on the phone or on the MT itself.
Here is an example of my settings for my iphone.........

I can only state what I have setup on my wireguard connections................
On the Server Router.
a. listening port on input chain to allow initial connection traffic. (port 9213)
b. route to wg interface for any return traffic for peer originated outbound using the server router for internet ( automatically created if you give the wg interface an IP address).

For SERVER ROUTER Wireguard Settings
Name = wireguard-iphone,
Listen port =9213 (matches input chain rule)
Private key (not used externally)
Public key = xxxxx to be sent to Iphone.

For SERVER ROUTER Peer Settings
- Interface name = wireguard-iphone
- Public Key = yyyyy this is the public key received from the Iphone
- Endpoint = empty (as I have no idea what the IP address of my iPhone will be !! )
- Endpoint port = empty (not applicable)
- Allowed address = 10.10.10.2/32 (this is the IP address I will put on the wireguard settings on the phone).

Finally..........
For SMART PHONE Wireguard Settings
Public Key = yyyyy The public key provided TO the server router
Addresses = 10.10.10.2/32 The address assigned to the iphone for the wireguard traffic.

For SMART PHONE Peer Settings
Public Key = xxxxx The public key provided BY the server router.
Endpoint = IP CLOUDname:9213 the name of the server router appended with listening port. ( tells the smartphone where to make the initial connection)
Allowed IPs = 0.0.0.0/0 ( which basically lets any IP assigned to the smartphone be relevant either assigned by coffee shop wifi or cellular provider etc..)

NOTE: I use the dyndns service provided by MT to identify the endpoint on the smartphone.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
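The settings anav lists above, written out as a RouterOS 7 configuration script. This is an added example, not anav's own export or anything attached to this thread: the listen port 9213 and the phone address 10.10.10.2/32 come from the post, while the interface name, the 10.10.10.1/24 router-side tunnel address, the existence of a WAN interface list and the key placeholders are assumptions.

```routeros
# Added example, not a config from the thread. Keys are placeholders:
# generate a key pair on the router and one on the phone, exchange only the public halves.

/interface wireguard
add name=wireguard-iphone listen-port=9213 comment="server side, phone peer"

# Optional: an address on the tunnel interface. It also creates the connected
# route 10.10.10.0/24 -> wireguard-iphone that return traffic to the phone needs.
/ip address
add address=10.10.10.1/24 interface=wireguard-iphone

# endpoint-address / endpoint-port are left empty on purpose: the phone's public
# address is unknown in advance, the router learns it from the first valid handshake.
/interface wireguard peers
add interface=wireguard-iphone public-key="<IPHONE_PUBLIC_KEY>" \
    allowed-address=10.10.10.2/32 comment="iphone"

# Both rules belong above the default "drop everything else arriving on WAN" input rule.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=9213 in-interface-list=WAN \
    comment="WireGuard handshakes and data from the Internet"
add chain=input action=accept in-interface=wireguard-iphone \
    comment="phone talking to the router itself over the tunnel (DNS, WinBox)"

# Phone side (WireGuard app), for reference, matching the peer above:
#   Interface: PrivateKey=<phone private key>  Address=10.10.10.2/32  DNS=<optional>
#   Peer:      PublicKey=<ROUTER_PUBLIC_KEY>  Endpoint=<ipcloud-name>:9213  AllowedIPs=0.0.0.0/0
```

A quick check after applying this: `/interface wireguard peers print` shows a recent `last-handshake` for the phone peer once the phone has connected, and `/ip firewall filter print stats` shows the UDP 9213 input rule's counters increasing while the phone is trying to connect. A rising counter on the input rule with no handshake points at keys or allowed-address, a counter stuck at zero points at the path in front of the router.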
 
Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Wed Oct 13, 2021 11:35 pm

Here is an example of my settings for my iphone.........
Thank you for sharing information on your setup. A few questions:
1. Is your MT router server behind NAT or does it have a public IP address?
2. Is your iPhone behind NAT or does it have a public IP address?
3. Do you run 7.1.rc4?
In my case both are behind NAT (i.e. have gray IPs). The Mikrotik WireGuard server connection is done through port forwarding (i.e. UDP port 51820 is forwarded through the NATs to the destination MT device).
I can only state what I have setup on my wireguard connections
I might be missing something, though my setup is identical to yours. If you see any difference, please pinpoint it.
It works just fine, its your setup that is not working either on the phone or on the MT itself.
The problem is that I do not see the reason it does not work: packets arrive from the phone at the MT and ... no reply is provided by the MT. And this black box keeps silent.

Still have question:
Are there any more logging filtering rules I can apply to see what's going on inside WG?
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Thu Oct 14, 2021 12:36 am

Yes, in my case the main router is a CCR1009.
Correct I use port forwarding to send the listening udp port to the LANIP of the second router (on the main router LAN applicable subnet). This main router LANIP is thus the same as the WANIP of the secondary router. Thus the listening port traffic hits the WANPORT of the secondary wireguard router and I use the input chain rule to capture the connection.

In my case the endpoint setting on the smart phone could be the IPcloud of the CCR1009 (main router) or the IPcloud of the RB450G secondary wireguard router as both will return the public IP that is applicable (in this case the dynamic wan ip assigned to the ccr1009).

What do you mean by gray IPs? I think this is where the trouble may reside!!
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Thu Oct 14, 2021 12:42 am

Please draw a network diagram as your config on the MT device is very confusing and ALL WRONG, and a diagram will help clear up some unknowns!!

Why is the output chain used and especially for the UDP port.
Why is the MT device which is your wireguard server port forwarding the UDP port.
It should only be using the INPUT CHAIN ?????
OR IS IT behind another device???

Finally you didn't do a good job of comparing my setup with yours.
Clearly the WIREGUARD peer settings are missing the allowed address!!!

YOU NEED TO show your config as the pictures are not that helpful.
/export hide-sensitive file=anynameyouwish
 
Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Thu Oct 14, 2021 8:15 pm

Thank you for your reply.
Do you use RouterOS 7.1.rc4?
Have you tried to connect Android device to your WG server?
Why is the output chain used and especially for the UDP port.
Just to demonstrate that nothing is generated by WG server. And general question: why not?
OR IS IT behind another device???
Yes, my CCR WG server is behind an RB951 device, thus an export file from the WireGuard one won't help to understand the network structure.
(internet) - ISP-NAT - HOUSE_OWNER_NAT - RB951(VPN_WITH_PUBLIC_IP+PORT_FORWARDING_FOR_UDP_51820) - CCR(WG)
Clearly the WIREGUARD peer settings are missing the allowed address!!!
From what I recall I have tried 0.0.0.0/0, and this does not help. Sorry I did not mention that.
I will double check the allowed IPs, though I am away from the device. It will be a week later.
/export hide-sensitive file=anynameyouwish
WG export won't help us, and for upstreaming RB951 I won't do that.

The problem is clear: packets enter the WG server, but no output is generated by the WG server: neither new packets in the output chain nor errors in the log.
That's totally wrong
 
holvoetn
Member Candidate
Posts: 148
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Will NATted wireguard work?

Thu Oct 14, 2021 8:34 pm

/export hide-sensitive file=anynameyouwish
WG export won't help us, and for upstreaming RB951 I won't do that.

The problem is clear: packets are entered into WG server, but no output generated by WG server: neither new packets in output chain nor errors in log.
That's totally wrong
You're coming here to ask for help and then dismissing the question for additional info which ultimately is only required to HELP YOU ?
You don't want to be helped ?

Really, a simple drawing and please do export that config (hide-sensitive).

The WG interface is pretty simple. If packets are coming in but not going out, it does not know where they need to be sent.
The only way for anyone to know for sure, is to have a look at your config.
If you do not want to share that info, no problem. But then you can wait a long time for a solution if you do not find it yourself...
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Thu Oct 14, 2021 10:03 pm

As stated, this is a personal problem that you have, and is clearly no longer related to the wireguard or router settings.
Your stubborn head is the issue preventing success.
Good luck!
 
Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Fri Oct 22, 2021 3:39 pm

Clearly the WIREGUARD peer settings are missing the allowed address!!!
This was helpful: after adding 0.0.0.0/0 to the allowed addresses I get an error in the log. I still don't get why WG binds to 127.0.0.1.

Also please see the export in the attachment.
 
holvoetn
Member Candidate
Posts: 148
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Will NATted wireguard work?

Fri Oct 22, 2021 3:54 pm

From your screenshots in your very first post I see you did not specify an endpoint address nor port for the WG peer on "server".

I know there is still some discussion ongoing about the need for that but can you fill in IP of endpoint and the required port ?
The allowed address for the peer on server side, should be the endpoint address you assigned to your client. What address-range do you want to go back to that client ?
THAT's how it knows where to go back to if you have multiple peers on the same WG-interface.

0.0.0.0/0 is only for a 'client' and consequently all of its traffic will then go through the WG interface to your router.
On your server/router you should not use 0.0.0.0/0. That should be the IP address of your 'other side'. From your screenshots above that should then be 192.168.90.3, the IP you assigned on your mobile device.

Surely some of the more expert members may contradict me here (actually, I am sure they will :lol: ) but this is how I have set it up and it works reliably for my setup with 1 'server' and 5 'clients'.
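holvoetn's rule of one allowed address per peer, shown as an added RouterOS 7 example (not holvoetn's or anyone else's export from this thread). It goes a step beyond the single-phone case and puts several roaming clients on one interface, which is exactly where a shared 0.0.0.0/0 breaks. The interface name, the 192.168.90.0/24 tunnel subnet, the laptop and tablet peers and the key placeholders are assumptions; 192.168.90.3 is the phone address mentioned above.

```routeros
# Added example, not a config from the thread: one WireGuard interface, several NATted clients.

/interface wireguard
add name=wgHome listen-port=51820

# The router's own address inside the tunnel.
/ip address
add address=192.168.90.1/24 interface=wgHome

# allowed-address is WireGuard's cryptokey routing table, and it works in both directions:
#  - inbound:  a packet decrypted from this peer is accepted only if its source is in the list,
#  - outbound: a packet leaving via wgHome goes to the peer whose list contains its destination.
# Each client therefore gets the /32 it uses inside the tunnel, nothing more.
/interface wireguard peers
add interface=wgHome public-key="<PHONE_PUBLIC_KEY>" allowed-address=192.168.90.3/32 comment=phone
add interface=wgHome public-key="<LAPTOP_PUBLIC_KEY>" allowed-address=192.168.90.4/32 comment=laptop
add interface=wgHome public-key="<TABLET_PUBLIC_KEY>" allowed-address=192.168.90.5/32 comment=tablet

# No endpoint-address on the server side: the clients sit behind NAT with changing public
# addresses, and the router records each client's endpoint from its latest authenticated packet.

# Do not do this on the server. A prefix can belong to only one peer per interface, so with
# 0.0.0.0/0 on two peers at most one of them can ever receive return traffic:
#   add interface=wgHome public-key="<A>" allowed-address=0.0.0.0/0
#   add interface=wgHome public-key="<B>" allowed-address=0.0.0.0/0

# 0.0.0.0/0 belongs on the client, in its own peer entry that points at the router:
#   [Peer] PublicKey=<ROUTER_PUBLIC_KEY>  Endpoint=<ipcloud-name>:51820  AllowedIPs=0.0.0.0/0
```

If a client should also expose a LAN behind it (a site-to-site peer rather than a phone), that LAN's prefix is added to the same peer's allowed-address list, e.g. `allowed-address=192.168.90.4/32,10.20.0.0/24`, and a route for that prefix via wgHome is then created automatically on the router.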
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Fri Oct 22, 2021 4:00 pm

Hi there,
(1) The WG interface may or may not get an IP address (optional, works either way).
It does not need nor should get an IP pool, dhcp server etc.........
/ip pool
add name=dhcp ranges=192.168.89.2-192.168.89.254
add name=pool1 ranges=192.168.90.128/25
/ip dhcp-server
add address-pool=dhcp interface=brHome lease-time=1d name=dhcp1
add address-pool=pool1 disabled=yes interface=wgHome lease-time=23h name=wgDHCP


(2) Why did you put the WAN connection on a bridge, normally not required?
Perhaps there is something I don't understand.
Also don't get this -- at least never seen it used before??
/interface bridge host
add bridge=brInet interface=ether1 mac-address=AA:BB:CC:DD:EE:FF
/interface bridge port
add bridge=brInet ingress-filtering=no interface=ether1

(3) I don't understand the very unusual non-standard use of interface list and interface members.
What prompted you to do this ?? More specifically what was the point of the include all line???

/interface list
add name=WAN
add name=LAN
add include=all name=discover

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=brHome list=discover
add interface=brInet list=discover


(4) Where in heck did you get those firewall rules? They are not even close to correct for anything.
Better off putting the defaults back in and only making necessary changes!

(5) Let's look at the wireguard settings...... Assuming this is the SERVER router (where the peer clients reside).
First thing: for your android phone to work you need the IP address given to the android phone in the android phone's WG settings.
More specifically in the phone's OWN WG settings (not the phone peer settings).
So you need to put an address here on the phone that matches up with the allowed address on the router.
Let's say on the phone you use 10.0.30.2/32
Listen port not required
I put in DNS servers 1.1.1.1 and 9.9.9.9 as well, not sure what your phone has.
On the phone's peer settings this is where you put the endpoint of the router.
I use the IP Cloud address of my router for this
I don't use keep alive
It's in the peer settings you put allowed IPs 0.0.0.0/0 (because we don't know what public IP your phone will have when you connect).

So now looking below, in the red on your router is where you would put 10.0.30.2.
The other two lines, not sure what they are for but remove them for now as they don't seem to serve any purpose.

/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=Aurora interface=wgHome public-key="xxx="
add comment=RobotArms/W7 interface=wgHome public-key="yyy="
add comment=Motor endpoint-address=192.168.90.4 endpoint-port=51820 interface=wgHome public-key="zzz="
 
Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Fri Oct 22, 2021 5:11 pm

0.0.0.0/0 is only for a 'client' and consequently all of its traffic will then go through the WG interface to your router.
On your server/router you should not use 0.0.0.0/0. That should be the IP address of your 'other side'. From your screenshots above that should then be 192.168.90.3, the IP you assigned on your mobile device.
That's no problem: let all NEW traffic go to the router.
Tried to specify 192.168.90.3 on the MT in the peer "Allowed Addresses" field: the WireGuard server (Mikrotik) just shuts up, i.e. no responses are sent to 51820.
(1) The WG interface may or may not get an IP address (optional, works either way).
As it's disabled we can ignore it. Right?
(2) Why did you put the WAN connection on a biridge, normally not required?
That's useful if you might have several WAN outputs (though not active simultaneously). In that case all rules and defaults are easier to apply to the bridge rather than to each separate output.
(3) I dont understand the very unusual non-standard use of interface list and interface members.
Only discover is essential here. The rest can be deleted as it is not used.
(4)...
Thanks. Maybe I will go this way later.
(5)
Tried this 192.168.90.3/32 as suggested by holvoetn above: server shuts up.
 
Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Fri Oct 22, 2021 5:46 pm

Something is badly screwed up in the WG implementation here.

Endpoint == bindpoint?
Allowed addresses work only with 0.0.0.0/0.

Incorrect names in WinBox 3.31 x64. Which one do you use?
 
holvoetn
Member Candidate
Posts: 148
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Will NATted wireguard work?

Fri Oct 22, 2021 6:08 pm

Assuming you're talking about a smartphone as remote client, this is what I have:

Endpoint: Internal IP address of the client device since the external IP makes no sense, it's dynamic. In my case 10.255.255.6
Endpoint port: the UDP port your interface listens on, but it is open for discussion whether this is needed or not.
Allowed address: in my case only routing back to smartphone what comes from smartphone. So I filled there 10.255.255.6/32

PS How do I attach pictures in this place ??
 
Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Fri Oct 22, 2021 6:19 pm

Below "Submit" button there are two tabs: "Options" and "Attachments"
 
holvoetn
Member Candidate
Posts: 148
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Will NATted wireguard work?

Fri Oct 22, 2021 6:32 pm

Sweet ! Totally overlooked that section.
 
Borizo
newbie
Topic Author
Posts: 33
Joined: Thu Oct 28, 2010 4:38 pm

Re: Will NATted wireguard work?

Sat Oct 23, 2021 9:17 am

Thus my verdict:
The WireGuard implementation in Mikrotik RouterOS 7.1rc4 incorrectly binds to the output interface and replies to peers (i.e. client connections).
Actually it does not know where to bind and binds to 127.0.0.1.
Below is a demonstrating example from post #9.
 
holvoetn
Member Candidate
Posts: 148
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Will NATted wireguard work?

Sat Oct 23, 2021 10:10 am

I dare to say that conclusion is pretty premature.
Some important info is missing which you are not showing and unless I missed it, you have not provided that information, not even after having been requested to do so multiple times.

It was requested first here by anav:
Please draw a network diagram as your config on the MT device is very confusing and ALL WRONG, and a diagram will help clear up some unknowns!!

Why is the output chain used and especially for the UDP port.
Why is the MT device which is your wireguard server port forwarding the UDP port.
It should only be using the INPUT CHAIN ?????
OR IS IT behind another device???

Finally you didnt do a good job of comparing my setup with yours.
Clearly the WIREGUARD peer settings are missing the allowed address!!!

YOU NEED TO show your config as the pictures are not that helpful.
/export hide-sensitive file=anynameyouwish
This is the crucial part:
/export hide-sensitive file=anynameyouwish

Look at it from another angle:
Your setup does not work. That's clear.
Others chiming in here HAVE a working setup (even multiple).
Wouldn't it be smart then to first make sure you ALSO have a working setup before jumping to (incomplete) conclusions ?
Then you can tinker further with the settings as you will have a base to compare with.
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Sat Oct 23, 2021 4:08 pm

I've already pointed out what information needs to be put in both the router and the smartphone,
I've also pointed out issues with your config.
Not much more one can do, until you decide you want to learn MT and not be so stubborn.
Wireguard works great.
 
kryztoval
just joined
Posts: 5
Joined: Tue Sep 07, 2021 10:46 pm

Re: Will NATted wireguard work?

Tue Oct 26, 2021 2:38 am

@anav Wireguard is quite fun to use. I tested it behind two NATs (double natted) and I had a thing I did not understand.
I opened ports on both main routers that directed to the main wireguard peer behind the network.

Whatever peer initiated the connection would use a random port (I am guessing it was masqueraded) to connect to the dst-nated port on the other network.
The receiving peer will use the dst-nated port all the way through to contact the initiating peer.

If the ip of either wan changes the internal listening port of the mikrotik's wireguard configuration of the device behind this ip change needs to be changed on the initiator or the masqueraded port path will fail? (this is my guess, it just won't connect as the target peer and router will not see any packets)

otherwise it just works, this is amazing! I am so glad it got added to routeros
 
anav
Forum Guru
Posts: 8827
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Will NATted wireguard work?

Tue Oct 26, 2021 4:27 am

@anav Wireguard is quite fun to use. I tested it behind two nats (double natted) and I had a thing i did not understand.
I opened ports on both main routers that directed to the main wireguard peer behind the network.

Whatever peer that initiated the connection would use a random port (I am guessing it was masqueraded) to connect to the dst-nated port on the other network
The receiving peer will use the dst-nated port all the way thru to contact the initiating peer.

If the ip of either wan changes the internal listening port of the mikrotik's wireguard configuration of the device behind this ip change needs to be changed on the initiator or the masqueraded port path will fail? (this is my guess, it just won't connect as the target peer and router will not see any packets)

otherwise it just works, this is amazing! I am so glad it got added to routeros
Of course, there is nothing new in what you are saying.
The peer client end has to know which WANIP to send the initial request to.
That is why using an MT wireguard server is handy because one can use the available IP cloud:port# as the address.
Otherwise one would have to get a dyndns name setup for the WANIP (unless it was a static Wanip).

It doesnt matter how many routers are behind the router with the most outward facing connection aka the public IP.
That router needs to port forward the listening port to the second router and the second router to the third etc.
The last router takes the port and uses it as INPUT CHAIN RULE to the router itself.

There is no random assignment of listening port however.
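The chain anav describes here and in the earlier CCR1009/RB450G post (outermost router forwards the listen port inward, the innermost router accepts it in its input chain), as an added RouterOS 7 example that is not anav's or the original poster's export. The listen port 9213 is anav's; the outer router's WAN interface list, the inner router's address 192.168.88.2 on the outer LAN and the interface name are assumptions. Each additional router in the middle repeats the outer router's two rules, pointing at the next hop inward.

```routeros
# Added example, not a config from the thread.

# --- Outer router: holds the public IP (or the address the ISP forwards to) ---
/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-port=9213 in-interface-list=WAN \
    to-addresses=192.168.88.2 to-ports=9213 comment="WireGuard -> inner router"
# The forward chain must also let the translated packets through; matching on
# connection-nat-state keeps the rule tied to that dst-nat entry only.
/ip firewall filter
add chain=forward action=accept protocol=udp dst-port=9213 dst-address=192.168.88.2 \
    connection-nat-state=dstnat comment="forwarded WireGuard port"

# --- Inner router: runs WireGuard; its WAN side is 192.168.88.2 on the outer router's LAN ---
/interface wireguard
add name=wg-home listen-port=9213
# The port arrives addressed to this router itself, so it is an INPUT rule here, not dst-nat.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=9213 comment="WireGuard listen port"
```

Replies leave the inner router from source port 9213 and follow the existing NAT state on the outer router back to the client, so nothing needs to be forwarded in the other direction. Counters on the dst-nat rule and on the inner input rule tell you how far inbound packets get: if the dst-nat counter stays at zero the packets are not reaching the outer router at all, which is the case to rule out first when an ISP-side NAT sits in front of it.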
