pawlisko
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Oct 17, 2020 5:12 am

WireGuard on 7.1 - issue with the number of WG interfaces

Sun Dec 05, 2021 5:38 pm

Hi all,

Current working config. MT with multiple IKEv2 tunnels to different VPN providers, splits are working based on IP ranges. On RaspberryPI working WG server in roadwarrior mode.

Just upgraded to 7.1

I was able to move the WG server from RPI to MT, it works (interface name wg0 on MT). So I can eliminate RPI - awesome, but... I have an issue with moving IKEv2 tunnels to WG. I am creating a new WireGuard interface, let's call it wg1 - entering the private key, port information. The new interface appears in the list. Going to IP addresses - entering IP information, trying to assign this address to the proper interface, but wg1 does not appear on the dropdown list - Issue #1. Furthermore, during WireGuard peer creation, I can't select wg1 as the correct interface - Issue #2.

Tried this via CLI - same result.

Is it me, or is there an issue with the software? Or maybe 7.1 does not have a proper WG client...
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Sun Dec 05, 2021 8:32 pm

Hi pawlisko.
See my post here, viewtopic.php?t=174417#p859788
Why, you ask? Because in my iteration on an earlier version of ROS7 beta, even though I could, I did NOT use IP addresses for my WG interfaces.
Therefore it can be done. The biggest difference is that dynamically the router does not then create the necessary IP routes for the interface and it has to be done manually.
We should be able to get you up and running!!
 
pawlisko
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Oct 17, 2020 5:12 am

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Mon Dec 06, 2021 4:21 am

Hi anav,

Thanks for the info - today I've spent an entire day experimenting. What was weird was that all the aforementioned issues disappeared after reboot. Which is strange, but who am I to judge.

There is a bug though - the WG instance becomes useless after a change of port. The only remedy is to delete the affected instance and set it up from the beginning. Nothing else helps (reboot, turning on/off; changing keys is not even possible).

If you could point me to another issue I have - I would like to use my MT as a WG client to another site. Typical VPN client, where MT initiates connection - HOW TO?
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Mon Dec 06, 2021 7:11 am

Export config please (/export hide-sensitive file=anynameyouwish).

There used to be a bug where the interface sometimes did not come up on its own.
When it happened, you had to disable the peer and enable it again. Something which was easily solved using a netwatch script.
But I think that was solved some versions ago (7.1rc5 for sure still had this problem).

So there might be something else (or it's not solved at all).
Only way to tell is to have a look at your config.
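The netwatch workaround mentioned in this reply, written out as an added example (this is not holvoetn's script, and nothing in the thread shows the original). It assumes a local WireGuard interface named wg-client and a remote tunnel address of 10.200.0.1; both are placeholders. The watcher pings the far end of the tunnel and, on loss, disables and re-enables the peer, which forces a fresh handshake:

```routeros
# Added example: netwatch-driven self-heal for a WireGuard peer that stops passing traffic.
# Interface name, tunnel address, interval and timeout are assumptions, not values from the thread.
/tool/netwatch
add host=10.200.0.1 interval=1m timeout=3s comment="bounce wg-client peer when tunnel is silent" \
    down-script="/interface/wireguard/peers/disable [find interface=wg-client]; :delay 2s; /interface/wireguard/peers/enable [find interface=wg-client]; :log warning \"wg-client peer bounced by netwatch\""
```

The log line is there on purpose: if the peer is being bounced every minute, that is a sign the underlying problem (wrong endpoint, key mismatch, blocked UDP port) has not gone away, and the log is where you will see it.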
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Mon Dec 06, 2021 7:12 am

@pawlisko: Weird issues you're having.
I've just changed the listen port of the wg interface 3 times, it works just fine.
Can you provide steps that can reproduce your issue?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Mon Dec 06, 2021 4:41 pm

Sure thing, is your MT the primary router behind the ISP modem or is it behind another router?

Client actions:

WIREGUARD INTERFACE
1. give name to interface: let's say wg-client
2. add the listen port that will be open on the server side, let's say 6767
3. Public Key (auto generated and what needs to be given to the admin on the Server side)

PEER INTERFACE
1. interface name: Interface name of the server side wireguard interface
2. public Key: The key provided to the client admin from the wireguard server admin
3. Endpoint: This is the WANIP associated with the wireguard server, typically if the server is also an MT device I use the IP Cloud name of the MT server device.
4. Allowed Addresses: I put 0.0.0.0/0, basically I want my client users to be able to access any IP on the internet through the wireguard server device (isp connection).
5. Persistent Keep alive: set to something nominal like 30sec...

Client Router Settings:

We have to ensure we are able to send the correct client router users through the wg-tunnel and that is done through IP Routing.
Typically we have......
dst-address=0.0.0.0/0 gateway=ISP gateway IP (all users subnets 192.168.0.x / 192.168.5.x / 192.168.10.x - vlans 10, 50, 100 respectively)

Let's say you want all vlan100 users to access the internet through the tunnel.........

Then add
/ip route
dst-address=0.0.0.0/0 gateway=ISP gateway IP
dst-address=0.0.0.0/0 gateway=wg-client routing-table=USEWG

/routing rule
add action=lookup-only-in-table disabled=no src-address=192.168.10.0/24 table=USEWG
or
add action=lookup-only-in-table disabled=no interface=vlan100 table=table-poker
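The whole client-side procedure from the post above, put together as one RouterOS 7 configuration. This is an added example, not anav's own export: the interface name wg-client, table name USEWG and vlan100 / 192.168.10.0/24 come from the post, while the tunnel address 10.200.0.2/24, the remote tunnel address, the endpoint hostname vpn.example.net, the port 6767 and the key placeholder are assumptions. Two things the post does not spell out are included because they bite in practice: in RouterOS 7 the routing table must be created under /routing/table before a route can reference it, and the peer entry is attached to the router's own wg-client interface while its public-key is the server's key.

```routeros
# Added example (not from the thread): MikroTik as a WireGuard client that initiates the
# tunnel and sends one VLAN through it. Names, keys, addresses and ports are placeholders.

# 1. Local WireGuard interface. With no private-key given, RouterOS generates the key pair;
#    the resulting public-key is what you hand to the server admin.
/interface/wireguard
add name=wg-client listen-port=6767 mtu=1420

# 2. Tunnel address assigned to this client by the server admin (assumed value).
/ip/address
add address=10.200.0.2/24 interface=wg-client

# 3. The peer is the remote server. interface= is the LOCAL wg-client interface;
#    public-key= is the SERVER's key. allowed-address=0.0.0.0/0 lets any destination be
#    sent through (and accepted from) this peer, which is what a full-tunnel client needs.
/interface/wireguard/peers
add interface=wg-client public-key="SERVER_PUBLIC_KEY_BASE64_PLACEHOLDER" \
    endpoint-address=vpn.example.net endpoint-port=6767 \
    allowed-address=0.0.0.0/0 persistent-keepalive=30s

# 4. Routing table for tunnel users; must exist (with fib) before routes reference it.
/routing/table
add name=USEWG fib

# 5. Default route inside USEWG only. The main table keeps the ISP default route.
/ip/route
add dst-address=0.0.0.0/0 gateway=wg-client routing-table=USEWG comment="vlan100 via WG"

# 6. Policy rules, first match wins. Keep LAN-to-LAN traffic local, then force vlan100
#    to look up ONLY in USEWG: with no fallback to the main table, vlan100 cannot quietly
#    leak to the ISP if the tunnel route is ever missing.
/routing/rule
add action=lookup dst-address=192.168.0.0/16 table=main comment="local subnets stay local"
add action=lookup-only-in-table src-address=192.168.10.0/24 table=USEWG

# 7. Source-NAT vlan100 behind the tunnel address so the server can route replies back
#    without needing a route for 192.168.10.0/24 on its side.
/ip/firewall/nat
add chain=srcnat out-interface=wg-client action=masquerade comment="vlan100 into WG"
```

To confirm the tunnel is up, check /interface/wireguard/peers for a recent last-handshake and non-zero rx/tx counters, and use /ip/route/check or a ping with src-address set to a vlan100 host address to see which gateway the policy rule actually selects.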
 
pawlisko
Frequent Visitor
Topic Author
Posts: 54
Joined: Sat Oct 17, 2020 5:12 am

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Tue Dec 07, 2021 2:08 am

@holvoetn

My config is a bit large - 1.5MB, I have about 27k lines of code of different IP lists as I use this for routing through different IKEv2 tunnels (it is country-specific). I am using HE.net for IPv6 traffic as my ISP is not providing IPv6 addresses; HE.net also provides me with a dynamic A-address for the router (there is a script running when WAN is down to update the IP as needed) as my IPv4 addressing is dynamic. I use CISCO WLC with WAPs. Two switches with LACP from MT, just in case anything goes south. I have not yet been able to create VLANs, which is next on my list - basically 2 VLANs - Main Network and Guest.

Still I need to sanitize config as it has too much information about different e-mail I am using, certain IP addresses, etc.

@anav
Is it possible to use lists instead of IP addresses for src and dst in routing? Should I add IP address? Also any chance for dedicated DNS per tunnel?
