MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Wireguard Site-to-Site

Tue Jan 25, 2022 5:08 pm

Hey Guys,

I am not able to get a WireGuard VPN running.

I followed this in my test scenario without any success:
https://help.mikrotik.com/docs/display/ROS/WireGuard

I don't understand it; there's no logging, no traffic, no errors, nothing. Just two peers not even trying to talk to each other.

Is there any switch to turn on?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 5:11 pm

 
erlinden
Forum Guru
Posts: 1959
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 5:20 pm

Did you change the IP addresses from the example?
Can you share your config: /export hide-sensitive file=anynameyoulike
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 5:25 pm

> Did you change the IP addresses from the example?
> Can you share your config: /export hide-sensitive file=anynameyoulike

There it is. I just tried it without an allowed address and with 0.0.0.0/0 because I just wanted to see something happen. The local gateway is behind triple NAT, so the IP doesn't matter.

# jan/25/2022 15:22:46 by RouterOS 7.1.1
# software id =
#
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1_WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
set slot1 disabled=no
set slot1-part1 disabled=no
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/interface list member
add interface=ether1_WAN list=WAN
/interface wireguard peers
add allowed-address=192.168.88.0/24 endpoint-port=13231 interface=wireguard1 \
public-key="tEO6OXhdlSvVUTumRFve6uZKufPGWC4GJeA0M8hCxgA="
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1_WAN
/ip firewall filter
add action=accept chain=input comment="established, related" \
connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="WinBox, SSH ACCEPT" dst-port=8291,22 \
protocol=tcp
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="established, related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop not DSTNATED" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,8291 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=\
22,8291 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22,8291 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22,8291 \
protocol=tcp src-address-list=ssh_stage1
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=\
22,8291 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22,8291 \
protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=CHR
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 7:09 pm

Well, let's start with the basics.
As far as I can tell you only have one device involved, so either you are creating a tunnel to a more intelligent alien civilization, or we are missing critical information. ;-)

Seriously, there are two likely possibilities.
a. There is a Device 2: location, relationship, config??
OR
b. Third-party VPN vendor??
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 7:12 pm

> Well, let's start with the basics.
> As far as I can tell you only have one device involved, so either you are creating a tunnel to a more intelligent alien civilization, or we are missing critical information. ;-)
>
> Seriously, there are two likely possibilities.
> a. There is a Device 2: location, relationship, config??
> OR
> b. Third-party VPN vendor??

Like I said, this is my cloud router; the RB3011 is behind triple NAT and has the cloud router as endpoint. I can give the cloud router xyz.notexist as endpoint, but for what?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 7:22 pm

> there's no logging, no traffic, no errors, nothing. Just two peers not even trying to talk to each other.
> Is there any switch to turn on?

You have posted an export of just one peer; what's the second one, another CHR or something completely different?

Second, did you try to ping via the tunnel? WireGuard doesn't initiate the session until it gets a payload packet to transport, or unless you set persistent-keepalive on the /interface/wireguard/peers row to something other than 0.
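As an added example (not from the original thread or the MikroTik documentation), here is the two-sided configuration the reply above implies: the CHR is the side that listens, the RB3011 behind NAT is the side that must initiate, and persistent-keepalive keeps the NAT mapping alive so the CHR can still reach the RB3011 once the first handshake has been done. The tunnel addresses 10.255.0.0/30, the hostname chr.example.com, and the RB3011 LAN 192.168.88.0/24 are assumptions; the key values are placeholders to be copied from `/interface/wireguard print` on the opposite router.

```routeros
# ===== CHR / Location B (public IP, listens on UDP 13231) =====
# Assumed: this side has no LAN of its own, only the tunnel address.
/interface/wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/ip/address
add address=10.255.0.1/30 interface=wireguard1 comment="tunnel address, CHR end"
/interface/wireguard/peers
# No endpoint-address here: the RB3011 sits behind NAT and must call us.
# allowed-address is both the ACL for what this peer may send and the
# cryptokey-routing table for what we send back to it.
add interface=wireguard1 public-key="REPLACE_WITH_RB3011_PUBLIC_KEY" \
    allowed-address=10.255.0.2/32,192.168.88.0/24 \
    comment="RB3011 at Location A (behind triple NAT)"
/ip/route
add dst-address=192.168.88.0/24 gateway=10.255.0.2 comment="LAN behind the RB3011"
# The CHR already accepts udp/13231 on the input chain (see the export
# above); without that rule the handshake from the RB3011 is dropped.

# ===== RB3011 / Location A (behind triple NAT, initiates) =====
/interface/wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/ip/address
add address=10.255.0.2/30 interface=wireguard1 comment="tunnel address, RB3011 end"
/interface/wireguard/peers
# endpoint-address + persistent-keepalive: the RB3011 opens the UDP flow
# outward and refreshes it every 25 s so the NAT devices keep the mapping.
add interface=wireguard1 public-key="REPLACE_WITH_CHR_PUBLIC_KEY" \
    endpoint-address=chr.example.com endpoint-port=13231 \
    allowed-address=10.255.0.1/32 persistent-keepalive=25s \
    comment="CHR at Location B"
# No input rule is needed on this side: the flow is outbound-initiated and
# the replies match the existing established,related accept rule.

# ===== Verifying from the RB3011 =====
# The first payload packet triggers the handshake; with keepalive set it
# happens on its own, otherwise a ping is enough.
/ping 10.255.0.1 count=3
# last-handshake, rx and tx must be non-zero once the tunnel is up.
/interface/wireguard/peers print detail
# If last-handshake stays empty, watch the wire on the CHR side:
/tool/sniffer quick port=13231
```

The important asymmetry is that only the NAT'd side carries endpoint-address and persistent-keepalive; the CHR learns the RB3011's current public address and port from the first authenticated packet, and the keepalive is what prevents that mapping from expiring during idle periods.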
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 7:34 pm

> there's no logging, no traffic, no errors, nothing. Just two peers not even trying to talk to each other.
> Is there any switch to turn on?
>
> You have posted an export of just one peer; what's the second one, another CHR or something completely different?
>
> Second, did you try to ping via the tunnel? WireGuard doesn't initiate the session until it gets a payload packet to transport, or unless you set persistent-keepalive on the /interface/wireguard/peers row to something other than 0.

The second peer is an RB3011 behind triple NAT; yes, I didn't post the config.

I didn't know that payload is needed, so there is no handshake and no logging before there is an attempt. OK, I just thought there would be some logging and connection initialization.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 7:35 pm

Slowly you are revealing the facts...........
Suggest reading this ............
viewtopic.php?p=908118#p908118

1. Server device CHR (for initial connection)
2. Client device RB3011 (for initial connection, due to being behind triple NAT)

What do you wish to accomplish?
A. Have a CHR subnet go out the RB3011 internet through the WireGuard tunnel?
B. Want to be able to configure the CHR from the RB3011 admin PC, through the WireGuard tunnel?
C. etc.......

EDIT:
Okay, I see you have no user requirements at the moment, just playing with settings.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 8:01 pm

Oh guys, close it.

Facepalm... I forgot to add an IP for the WireGuard interfaces.

But at last, I will try to explain what I have to do, with my bad English.

Location A: has 2 WANs, DSL and LTE, and offers some web services for the coworkers. If the DSL goes down and the LTE goes online, the services aren't available from outside because of double NAT inside the LTE network. So I want to route this through an "always-on gateway", AKA an Azure cloud instance, AKA Location B.

So LocA has a WireGuard tunnel to LocB, and the coworkers ask LocB's IP/DNS, which reconnects them through the VPN to LocA.

So my tunnel actually goes up after I added IPs to the interfaces; routing and firewall are set up.
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 8:05 pm

> Slowly you are revealing the facts...........
> Suggest reading this ............
> viewtopic.php?p=908118#p908118
>
> 1. Server device CHR (for initial connection)
> 2. Client device RB3011 (for initial connection, due to being behind triple NAT)
>
> What do you wish to accomplish?
> A. Have a CHR subnet go out the RB3011 internet through the WireGuard tunnel?
> B. Want to be able to configure the CHR from the RB3011 admin PC, through the WireGuard tunnel?
> C. etc.......
>
> EDIT:
> Okay, I see you have no user requirements at the moment, just playing with settings.

Yes, in fact just playing, because with IPIP I did this without problems.

The picture on help.mikrotik.com didn't show the IP addresses of the WireGuard interfaces :D
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 8:20 pm

To assign an address to a Wireguard interface is just one of possible ways to tell RouterOS that that interface is a gateway to some subnet.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 8:32 pm

> The picture on help.mikrotik.com didn't show the IP addresses of the WireGuard interfaces :D

To be honest, I have successfully configured, with Sindy's astute and accurate help, my 'live' WireGuard connections without an IP address attached to the WireGuard interfaces. I have not yet found a compelling reason to do so.
With the proper WireGuard settings themselves, I have found, thus far, that I can direct traffic flow with appropriate IP routes and firewall rules (both input and forward chain). Another useful functionality is provided by the fact that the WireGuard interface can be an interface list member (but not a bridge member).
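As an added example (not from the thread), the address-free variant the post above describes, shown for the RB3011 side: the route points at the interface name instead of a next-hop address, and the tunnel is placed in an interface list so the firewall can refer to it. The remote subnet 10.10.10.0/24, the hostname chr.example.com, the bridge name `bridge`, and the LAN 192.168.88.0/24 are assumptions; the key is a placeholder.

```routeros
# ===== RB3011, no /ip/address on wireguard1 =====
/interface/wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/interface/wireguard/peers
# allowed-address still has to list everything we expect to receive from
# the CHR side, because WireGuard drops decrypted packets whose source is
# not covered by it, regardless of what the routing table says.
add interface=wireguard1 public-key="REPLACE_WITH_CHR_PUBLIC_KEY" \
    endpoint-address=chr.example.com endpoint-port=13231 \
    allowed-address=10.10.10.0/24 persistent-keepalive=25s \
    comment="CHR at Location B"

# With no next-hop address on the tunnel, the interface itself is the gateway.
/ip/route
add dst-address=10.10.10.0/24 gateway=wireguard1 comment="Location B via WireGuard"

# Interface list membership lets the firewall treat the tunnel like any
# other interface (anav's point: list member yes, bridge port no).
/interface/list
add name=VPN
/interface/list/member
add interface=wireguard1 list=VPN
/ip/firewall/filter
# forward chain: Location B may reach the LAN behind this router
add chain=forward action=accept in-interface-list=VPN out-interface=bridge \
    dst-address=192.168.88.0/24 comment="LocB -> LocA LAN over WireGuard"
# input chain: management of this router from Location B, tunnel only
add chain=input action=accept in-interface-list=VPN protocol=tcp \
    dst-port=8291,22 comment="WinBox/SSH from LocB through the tunnel"

# Caveat for traffic the router itself originates: with no address on
# wireguard1, pick the source explicitly, and make sure that source is
# inside the allowed-address the CHR has configured for this peer.
/ping 10.10.10.1 src-address=192.168.88.1 count=3
```

Transit traffic from the LAN works the same way in both variants, since its source addresses come from the LAN anyway. The address-free form mainly changes what the router uses when it talks through the tunnel itself, which is why the ping above pins src-address rather than letting the router choose one.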
 
MrHae
Frequent Visitor
Topic Author
Posts: 62
Joined: Wed May 26, 2021 7:40 pm

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 8:58 pm

I tried routing directly onto the interfaces, but this didn't work.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Site-to-Site

Tue Jan 25, 2022 9:10 pm

So I can understand better.
1- Location A, acts as the client device for initial connection, to Location B, because when the Primary WAN goes down, the Secondary WAN provides a private IP with no method of forwarding a port to your Mikrotik Router.
2 - Location B not understood.
What is the relationship between co-workers and Location B?
Are the co-workers actually more affiliated with Location A, aka they use Location A web servers.
If so, what do they use Location B for?

Assuming this Location B is the CHR of what you speak?
Where is the config for this device?

How do co-workers access location B?
