bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

WireGuard MT-Server/Android-Client

Thu Nov 18, 2021 9:19 pm

I am running RouterOS Development 7.1rc6.

My RB4011 router is the "WG server" and Android mobile phones (circa 20+) will be the "WG clients" connecting to the server
to get access (some will have access to LAN IPs 192.168.88.1/24 on that router, and RB4011 WAN as VPN access/connectivity for every client connected).

RB4011 router "WG server" has WAN public IPv4 address on "ether1" and bridge is LAN with ether2-10 + sfp-sfpplus1 on 192.168.88.1/24 [10-254]
range with various servers connected. No IPv6 connectivity yet from my ISP :(


I have accepted default "Firewall" config when setting up the router.
/ip firewall filter export
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
And here are the default settings for NAT:
/ip firewall nat export
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

I have used the following settings, some of it borrowed from (connecting 2 sites via WG)
https://help.mikrotik.com/docs/display/ROS/WireGuard
/interface wireguard add listen-port=13231 name=wireguard1
/interface wireguard print
public-key="SERVER-PUB-KEY="
Or use WinBox -> Wireguard - Public key: "SERVER-PUB-KEY="


Then installed the WireGuard app on Android
https://f-droid.org/en/packages/com.wireguard.android/

- Create from scratch -
-- Interface
--- Name: WG-VPN
--- Private key: ->/-> "generate"
--- Public key: (automatically generated in previous step - "PUB-KEY-ANDROID=" )
--- Addresses: 10.1.101.1/24
--- DNS servers: 1.0.0.1

- Add Peer -
-- Peer
--- Public key: "SERVER-PUB-KEY="
--- Pre-shared key: none
--- Persistent keepalive: none
--- Endpoint: RB4011-WAN-IP:13231
--- Allowed IPs: 0.0.0.0/0

Here are the rest of the commands to set up the WireGuard client:
/interface wireguard peers add allowed-address=10.1.101.0/24 endpoint-port=13231 interface=wireguard1 public-key="PUB-KEY-ANDROID="
/ip address add address=10.255.255.1/30 interface=wireguard1
/ip route add dst-address=10.1.101.0/24 gateway=wireguard1
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp
Up to here, the VPN side is working, but is there an easier way of creating the clients or the "*.conf" files for Wireguard Clients?

I quite like the web generator for Cloudflare WARP clients:
https://github.com/maple3142/cf-warp

Or the simple wireguard vpn user management script for IPv4/6
https://github.com/tmiklas/wg_config
that can easily re-generate in shell the QR code:
qrencode -t ansiutf8 < ~/wg_config/users/alice/client.conf


But what is not working is access to LAN IPs 192.168.88.1/24 [10-254] while connected.
I have tried accessing the MikroTik web page 192.168.88.1 and nothing, tried using the Android MikroTik app - (DISCOVERED) and nothing :(
Any help would be greatly appreciated.
 
hazyd
just joined
Posts: 13
Joined: Fri Aug 14, 2009 6:55 am

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 3:02 am

I am guessing that you didn't add the interface to the LAN interface list, so the firewall is blocking it.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 3:25 am

First comment, you should upgrade to the stable 7.1.1 version.

The single android device should have an IP in this format I think?
-- Addresses: 10.1.101.2/32 (single IP) ?? The rest of the client looked fine.......


As for the RB4011 server
FROM:
/interface wireguard peers add allowed-address=10.1.101.0/24 endpoint-port=13231 interface=wireguard1 public-key="PUB-KEY-ANDROID="
/ip address add address=10.255.255.1/30 interface=wireguard1
/ip route add dst-address=10.1.101.0/24 gateway=wireguard1
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp


TO
/interface wireguard peers add allowed-address=10.1.101.2/32 endpoint-port=13231 interface=wireguard1 public-key="PUB-KEY-ANDROID="
/ip address add address=10.1.101.1/24 network=10.1.101.0 interface=wireguard1
/ip route add dst-address=10.1.101.0/24 gateway=wireguard1 (not required since you have the IP address above !!!
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp { good although you could be more accurate and state in-interface-list=WAN }

If you didn't use a firewall address list, the IP routes would not be created dynamically and you would need the dst-route.
dst-address=10.1.101.2/32 gwy=wireguard interface

If you are going to have multiple single android devices and various IPs, then ensure you use single IPs within the subnet described by the IP address and you are good to go.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 8:55 am

I am guessing that you didn't add the interface to the LAN interface list, so the firewall is blocking it.
Although you could do this I've made the choice not to do it like that.
I've created separate interface-lists WG-ZONE and ZT-ZONE for WireGuard & ZeroTier types of traffic and placed the "wireguard1" and "zerotier1" interfaces in them.
I do not consider incoming packets from these places/zones as "LAN" in terms of "security zone/level/trust" and it's clearer in the policies like that.
Sure, you need to pay a bit more attention when making rules to make sure you allow traffic to/from these zones.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 1:50 pm

Not a bad idea there jvan, it certainly is a viable option.
If it's just me, the admin, I don't care so much.
However if it's a bunch of others, different scenario, LAN interface is still not that evil,
if you have a separate interface for management and if you have drop all rules in your config.
Either way I agree in principle that you should have control over where and when the traffic is allowed.
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 3:52 pm

First comment, you should upgrade to the stable 7.1.1 version.

The single android device should have an IP in this format I think?
-- Addresses: 10.1.101.2/32 (single IP) ?? The rest of the client looked fine.......


TO
/interface wireguard peers add allowed-address=10.1.101.2/32 endpoint-port=13231 interface=wireguard1 public-key="PUB-KEY-ANDROID="
/ip address add address=10.1.101.1/24 network=10.1.101.0 interface=wireguard1
/ip route add dst-address=10.1.101.0/24 gateway=wireguard1 (not required since you have the IP address above !!!
/ip firewall filter add action=accept chain=input dst-port=13231 protocol=udp { good although you could be more accurate and state in-interface-list=WAN }

If you didn't use a firewall address list, the IP routes would not be created dynamically and you would need the dst-route.
dst-address=10.1.101.2/32 gwy=wireguard interface

If you are going to have multiple single android devices and various IPs, then ensure you use single IPs within the subnet described by the IP address and you are good to go.

Sure, I am already on 7.1.1 but back in November when I posted it was still 7.1rc6 :)

Yes, you are right, my mistake :( amended: That should be 10.1.101.1/32 for the first client?
/interface wireguard peers print
/interface wireguard peers edit number=0 allowed-address
10.1.101.1/32
Ctrl+o=save&quit

My Android Client has Interface - Address 10.1.101.1/32



/ip address print
/ip address disable numbers=1
/ip address add address=10.1.101.1/24 network=10.1.101.0 interface=wireguard1 #should that not be 10.1.101.0/24?
/ip address print
Flags: X, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE

# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.88.1/24 192.168.88.0 bridge
1 X 10.255.255.1/30 10.255.255.0 wireguard1
2 D xxx.xxx.xxx.xxx/26 xxx.xxx.xxx.xxx ether1
3 10.1.101.1/24 10.1.101.0 wireguard1




/ip firewall filter print
ip firewall filter edit number=7 value-name=in-interface-list
WAN
Ctrl+o=save&quit

/ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 xxx.xxx.xxx.xxx 1
DAc 10.1.101.0/24 wireguard1 0
DAc xxx.xxx.xxx.xxx/26 ether1 0
DAc 192.168.88.0/24 bridge 0


But now the tunnel does not work at all :( Oops.
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 3:54 pm

I am guessing that you didn't add the interface to the LAN interface list, so the firewall is blocking it.
Although you could do this I've made the choice not to do it like that.
I've created separate interface-lists WG-ZONE and ZT-ZONE for WireGuard & ZeroTier types of traffic and placed the "wireguard1" and "zerotier1" interfaces in them.
I do not consider incoming packets from these places/zones as "LAN" in terms of "security zone/level/trust" and it's clearer in the policies like that.
Sure, you need to pay a bit more attention when making rules to make sure you allow traffic to/from these zones.
Could you please post your full wg set-up for those who are not proficient in the art of networking pls?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 3:55 pm

I would not use .1 but start with 10.1.101.2/32 as I indicated.

Will look at the config now.
I don't understand where this line is coming from.
1 X 10.255.255.1/30 10.255.255.0 wireguard1 ??

Best to post your config
/export hide-sensitive file=anynameyouwish
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 4:11 pm

I am guessing that you didn't add the interface to the LAN interface list, so the firewall is blocking it.
/interface list member add interface=wireguard1 list=LAN

Looks right?
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 4:13 pm

I would not use .1 but start with 10.1.101.2/32 as I indicated.

Will look at the config now.
I don't understand where this line is coming from.
1 X 10.255.255.1/30 10.255.255.0 wireguard1 ??

Best to post your config
/export hide-sensitive file=anynameyouwish
Networking is not something I enjoy :(
It was trial and error from setup here:
https://help.mikrotik.com/docs/display/ROS/WireGuard
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 4:34 pm

I have edited the config to remove some more unimportant info ....
# jan/07/2022 15:14:04 by RouterOS 7.1.1
# software id = 3HDX-880N
#
# model = RB4011iGS+5HacQ2HnD
# serial number = AAAAAAAAAAAAAAA
/interface bridge add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge

/interface wireless 
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment="Wireless 5 GHz chip model: QCA9984 " country=\
    "xxxxxxxxxxxx" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge secondary-frequency=auto ssid=XXXXXX \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="xxxxxxxxxxxx" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=xxxxxx wireless-protocol=802.11

/interface wireless manual-tx-power-table set wlan1 comment="Wireless 5 GHz chip model: QCA9984 "
/interface wireless nstreme set wlan1 comment="Wireless 5 GHz chip model: QCA9984 "

/interface wireguard add comment=WIREGUARD listen-port=13231 mtu=1420 name=wireguard1


/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface lte apn
set [ find default=yes ] ip-type=ipv4

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik

/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d

/ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add address-pool=dhcp interface=bridge name=defconf

/port
set 0 name=serial0
set 1 name=serial1

/routing bgp template
set default as=65530 disabled=no name=default output.network=bgp-networks

/routing table
add fib name=""

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2

/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set max-neighbor-entries=8192

/ipv6 settings set max-neighbor-entries=8192

/interface detect-internet set detect-interface-list=all

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN

/interface wireguard peers
add allowed-address=10.1.101.1/32 endpoint-port=13231 interface=wireguard1 \
    public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.255.255.1/30 disabled=yes interface=wireguard1 network=10.255.255.0
add address=10.1.101.1/24 interface=wireguard1 network=10.1.101.0

/ip dhcp-client add comment=defconf interface=ether1

/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns set servers=1.1.1.1,1.0.0.1
/ip dns static add address=192.168.88.1 comment=defconf name=router.lan


/ip firewall address-list
add address=xxx.xxx.xxx.xxx/26 comment="xxxxxxxx" list=allowed-in
add address=13.230.0.0/15 comment=AMAZON-NRT list=block-in

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    "" log=yes src-address-list=block-in
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    protocol=icmp src-address-list=allowed-in
add action=accept chain=input comment="accept SSH / IP addrs" dst-port=22 \
    log=yes protocol=tcp src-address-list=allowed-in
add action=accept chain=input comment="defconf: accept WinBox / IP addrs" \
    dst-port=8291 log=yes protocol=tcp src-address=xxx.xxx.xxx.xxx/28
add action=accept chain=input comment=WIREGUARD dst-port=13231 \
    in-interface-list=WAN log=yes protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward disabled=yes src-address=10.1.101.0/24
add action=accept chain=forward disabled=yes dst-address=10.1.101.0/24
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat 
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip service set www-ssl disabled=no
/ip ssh set host-key-size=8192 strong-crypto=yes
/ip upnp set enabled=yes

/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external

/system clock set time-zone-name=Europe/xxxxxxx

/system identity set name=RB4011iGS+5HacQ2HnD

/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive

/system ntp client set enabled=yes
/system ntp client servers
add address=xx.pool.ntp.org
add address=0.xx.pool.ntp.org
add address=1.xx.pool.ntp.org
add address=2.xx.pool.ntp.org
add address=3.xx.pool.ntp.org

/system resource irq rps set sfp-sfpplus1 disabled=no

/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 4:51 pm

I would not use .1 but start with 10.1.101.2/32 as I indicated.

Will look at the config now.
I don't understand where this line is coming from.
1 X 10.255.255.1/30 10.255.255.0 wireguard1 ??

Best to post your config
/export hide-sensitive file=anynameyouwish
#wg peers
As recommended, clients will start with xxx.xxx.xxx.2/32
/interface wireguard peers print
/interface wireguard peers edit number=0 allowed-address
10.1.101.2/32
Ctrl+o=save&quit
My Android Client has Interface - Address 10.1.101.1/32

#IP address
/ip address print
/ip address disable numbers=1
/ip address add address=10.1.101.1/24 network=10.1.101.0 interface=wireguard1 #should that not be 10.1.101.0/24?
/ip address print
Flags: X, D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE

# ADDRESS NETWORK INTERFACE
;;; defconf
0 192.168.88.1/24 192.168.88.0 bridge
1 X 10.255.255.1/30 10.255.255.0 wireguard1
2 D xxx.xxx.xxx.xxx/26 xxx.xxx.xxx.xxx ether1
3 10.1.101.1/24 10.1.101.0 wireguard1


#Added in-interface-list as WAN
/ip firewall filter print
ip firewall filter edit number=7 value-name=in-interface-list
WAN
Ctrl+o=save&quit


#IP route check
/ip route print
Flags: D - DYNAMIC; A - ACTIVE; c, d, y - COPY
Columns: DST-ADDRESS, GATEWAY, DISTANCE

DST-ADDRESS GATEWAY DISTANCE
DAd 0.0.0.0/0 xxx.xxx.xxx.xxx 1
DAc 10.1.101.0/24 wireguard1 0
DAc xxx.xxx.xxx.xxx/26 ether1 0
DAc 192.168.88.0/24 bridge 0


#Adding WG to LAN interfaces
/interface list member print
/interface list member add interface=wireguard1 list=LAN
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 4:57 pm

Euh, don't think this is going to work :

/interface wireguard peers
add allowed-address=10.1.101.1/32 endpoint-port=13231 interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="


/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.255.255.1/30 disabled=yes interface=wireguard1 network=10.255.255.0 (what is this doing here ??)
add address=10.1.101.1/24 interface=wireguard1 network=10.1.101.0


So take *.1 or *.254 for the actual IP address on the MikroTik/Gateway and start handing out IPs for the peers from *.2 or something.

My config :
/interface wireguard peers
add allowed-address=192.168.1.1/32 interface=wireguard1 public-key=***************************************

/ip address
add address=192.168.1.254/24 comment=WG-L3 interface=wireguard1 network=192.168.1.0
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 5:13 pm

add address=10.255.255.1/30 disabled=yes interface=wireguard1 network=10.255.255.0 (what is this doing here ??)
It was trial and error from setup here:
https://help.mikrotik.com/docs/display/ROS/WireGuard
Networking is not my cup of tea .. :(
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 5:15 pm

add address=10.255.255.1/30 disabled=yes interface=wireguard1 network=10.255.255.0 (what is this doing here ??)
It was trial and error from setup here:
https://help.mikrotik.com/docs/display/ROS/WireGuard
Networking is not my cup of tea .. :(
Well it is "disabled" so not really interfering, but you better cleanup this stuff anyway.
 
bourneagainsh
Frequent Visitor
Topic Author
Posts: 65
Joined: Thu May 21, 2020 7:41 pm

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 5:20 pm

Euh, don't think this is going to work :

/interface wireguard peers
add allowed-address=10.1.101.1/32 endpoint-port=13231 interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.1.101.1/24 interface=wireguard1 network=10.1.101.0

So take *.1 or *.254 for the actual IP address on the MikroTik/Gateway and start handing out IPs for the peers from *.2 or something.
Maybe I've got my wires crossed; you say start from xx.x.xxx.2/32, so that's my (1st) client and would be:
/interface wireguard peers add allowed-address=10.1.101.2/32 endpoint-port=13231 interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address add address=10.1.101.2/24 interface=wireguard1 network=10.1.101.0

And if I wanted to add another (2nd) client I would do:
/interface wireguard peers add allowed-address=10.1.101.3/32 endpoint-port=13231 interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/ip address add address=10.1.101.3/24 interface=wireguard1 network=10.1.101.0

And so on, right?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 5:31 pm

There are 2 aspects of a WireGuard setup: the MikroTik "side" and each peer.

The command below glues an IP address on the MikroTik for the WireGuard "endpoint".
This is only 1-time config! Not to be repeated for each peer or something.

/ip address
add address=10.1.101.1/24 interface=wireguard1 network=10.1.101.0

...then the 2nd config is indeed for EACH peer (=client) and so on.

/interface wireguard peers
add allowed-address=10.1.101.2/32 endpoint-port=13231 interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
/interface wireguard peers
add allowed-address=10.1.101.3/32 endpoint-port=13231 interface=wireguard1 \
public-key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="


Look at this like a wheel with spokes. The central part is "common" for each of the spokes (=peers) and you put 1 IP on there within a certain range.
Then each of the peers/spokes gets an IP address out of the same range, but of course not the same as the one you assigned on the MikroTik.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard MT-Server/Android-Client

Fri Jan 07, 2022 6:54 pm

As to your question correct!!
To state Jvan's post in another way:

Each android client should have a single different IP address (starting with .2 etc.) in its main wireguard interface settings.
Each android peer should be reflected in the Wireguard Server Peer settings, with that unique IP and of course unique public IP address (from the android device).
The IP address you have in the Server Router will provide all the dynamic routing (back from LAN queries, back from Internet queries) for all the Android connections (as they are all on the same network).
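The hub-and-spokes plan the last few posts settle on (one /24 on the router, a single /32 per Android peer starting from .2), and the "easier way of creating the clients" the original post asked for, as an added worked example in Python. This is not code from the thread, the MikroTik docs or the wg_config script linked above. The subnet 10.1.101.0/24, LAN 192.168.88.0/24, port 13231 and DNS 1.0.0.1 are the thread's values; the endpoint and every key are placeholders, since the router's key comes from /interface wireguard print and each peer's key pair from the Android app. It emits the one-time router commands, the per-peer "peers add" line, and the matching client .conf, and validate_peers flags the two mistakes seen earlier in the thread: a peer allowed-address equal to the router's own .1, and a /24 where a /32 belongs.

```python
"""Address plan and config generator for a RouterOS WireGuard hub with many
Android peers. Added example, not code from the thread or MikroTik. Subnet,
port and DNS mirror the thread; endpoint and all keys are placeholders."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Hub:
    subnet: ipaddress.IPv4Network   # configured ONCE on the router (a /24 here)
    lan: ipaddress.IPv4Network      # the LAN the peers should be able to reach
    endpoint: str                   # router WAN address or DNS name (placeholder)
    listen_port: int                # UDP port the router listens on
    public_key: str                 # router key from /interface wireguard print
    dns: str                        # DNS server pushed to the clients

    @property
    def address(self) -> ipaddress.IPv4Address:
        """The router takes the first host of the subnet (.1)."""
        return self.subnet.network_address + 1


def peer_address(hub: Hub, index: int) -> ipaddress.IPv4Address:
    """Peer 1 -> .2, peer 2 -> .3, ... so a peer never reuses the router's .1."""
    if index < 1:
        raise ValueError("peer index starts at 1")
    addr = hub.subnet.network_address + 1 + index
    if addr >= hub.subnet.broadcast_address:   # .255 on a /24 is not usable
        raise ValueError(f"{hub.subnet} fits only {hub.subnet.num_addresses - 3} peers")
    return addr


def hub_config(hub: Hub, iface: str = "wireguard1") -> list[str]:
    """One-time RouterOS commands for the hub side; run once, not per peer."""
    return [
        f"/interface wireguard add listen-port={hub.listen_port} name={iface}",
        f"/ip address add address={hub.address}/{hub.subnet.prefixlen} "
        f"interface={iface} network={hub.subnet.network_address}",
        f"/ip firewall filter add action=accept chain=input comment=WIREGUARD "
        f"dst-port={hub.listen_port} in-interface-list=WAN protocol=udp",
        # lets peers reach the router itself (input chain), as the thread settled on
        f"/interface list member add interface={iface} list=LAN",
    ]


def peer_router_command(hub: Hub, index: int, peer_public_key: str,
                        iface: str = "wireguard1") -> str:
    """Per-peer RouterOS command: one /32 allowed-address plus the peer's public key."""
    return (f"/interface wireguard peers add allowed-address={peer_address(hub, index)}/32 "
            f"interface={iface} public-key=\"{peer_public_key}\"")


def peer_client_conf(hub: Hub, index: int, peer_private_key: str,
                     full_tunnel: bool = True) -> str:
    """Client side of the same peer, in the wg-quick format the Android app imports.
    full_tunnel=True sends everything through the router (AllowedIPs 0.0.0.0/0)."""
    allowed = "0.0.0.0/0" if full_tunnel else f"{hub.lan}, {hub.subnet}"
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {peer_private_key}",
        f"Address = {peer_address(hub, index)}/32",
        f"DNS = {hub.dns}",
        "",
        "[Peer]",
        f"PublicKey = {hub.public_key}",
        f"Endpoint = {hub.endpoint}:{hub.listen_port}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",
    ])


def validate_peers(hub: Hub, allowed_addresses: list[str]) -> list[str]:
    """Check existing peer allowed-address values against the hub's address plan.
    Returns one message per problem; an empty list means the plan is consistent."""
    problems: list[str] = []
    seen: set[ipaddress.IPv4Address] = set()
    for entry in allowed_addresses:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not a valid IPv4 prefix")
            continue
        if net.prefixlen != 32:
            problems.append(f"{entry}: a single client needs a /32, not a /{net.prefixlen}")
            continue
        addr = net.network_address
        if addr not in hub.subnet:
            problems.append(f"{entry}: outside the hub subnet {hub.subnet}")
        elif addr == hub.address:
            problems.append(f"{entry}: collides with the router's own address {hub.address}")
        if addr in seen:
            problems.append(f"{entry}: already used by another peer")
        seen.add(addr)
    return problems


# Constructed values mirroring the thread; endpoint and keys are placeholders.
EXAMPLE_HUB = Hub(subnet=ipaddress.ip_network("10.1.101.0/24"),
                  lan=ipaddress.ip_network("192.168.88.0/24"),
                  endpoint="RB4011-WAN-IP", listen_port=13231,
                  public_key="SERVER-PUB-KEY=", dns="1.0.0.1")

if __name__ == "__main__":
    print("\n".join(hub_config(EXAMPLE_HUB)))
    print(peer_router_command(EXAMPLE_HUB, 1, "PUB-KEY-ANDROID-1="))
    print(peer_client_conf(EXAMPLE_HUB, 1, "PRIV-KEY-ANDROID-1="))
    print(validate_peers(EXAMPLE_HUB, ["10.1.101.1/32", "10.1.101.0/24"]))
```

Pipe the client conf through qrencode (as the original post does with wg_config) to import it into the Android app. The last line of hub_config puts wireguard1 into the LAN list, which is what makes the default "drop all not coming from LAN" input rule let the peers reach 192.168.88.1 itself; if you prefer jvanhambelgium's separate WG-ZONE list, swap that line for a member add into that list and write explicit input and forward rules for the zone.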
