WireGuard DualWan

vadimkara (Topic Author), Fri Aug 05, 2022 12:00 pm

I have 2 offices:
The first office has 2 ISPs (isp1, isp2).
The second has 1 ISP (isp3).
I configured WireGuard between isp2 and isp3, because isp1 has no connection to isp3. In office 1 all traffic is properly marked for dual WAN. I get this error: "wireguard1 Handshake for peer did not complete after 5 seconds", because the inbound connection is on isp2 but the outbound one leaves from isp1 (main route). What should I do?
 
anav, Fri Aug 05, 2022 1:32 pm

Provide network diagrams so we understand what devices are involved, what's connected to which ports and, importantly, which subnets go where.
Provide the two configs (/export); just make sure you put fake numbers for the ISP WAN IP, gateway IP, etc.
 
holvoetn, Fri Aug 05, 2022 1:40 pm

That or stir the pot and watch the tea leaves, I suppose ?
 
vadimkara (Topic Author), Fri Aug 05, 2022 2:00 pm

Network diagram (posted as an attachment, not reproduced here)
 
vadimkara (Topic Author), Fri Aug 05, 2022 2:06 pm

Office1

/interface/wireguard print
Flags: X - disabled; R - running
 0  R name="wireguard1" mtu=1420 listen-port=13231 private-key="***" public-key="***"
 
/interface/wireguard/peers print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-ADDRESS, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE   PUBLIC-KEY                                    ENDPOINT-ADDRESS  ENDPOINT-PORT  ALLOWED-ADDRESS
0 wireguard1  ********************************************  192.168.22.1              55555  0.0.0.0/0      
                                                                                             ::/0           


add action=accept chain=input comment="Allow UDP 55555 Wireguard" dst-port=\
    55555 log=yes log-prefix=Wireguard protocol=udp

/ip/address> print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS             NETWORK        INTERFACE
;;; defconf
0   192.168.4.254/24    192.168.4.0    bridge
1 D 192.168.20.1/24     192.168.20.0   ether5(WAN)
2 D 192.168.21.1/24     192.168.21.0   ether4(WAN)
3   192.168.100.5/31    192.168.100.4  wireguard1

Office2


/interface/wireguard print
Flags: X - disabled; R - running
 0  R name="wireguard1" mtu=1420 listen-port=13231 private-key="***" public-key="***"
 
/interface/wireguard/peers print
Columns: INTERFACE, PUBLIC-KEY, ENDPOINT-ADDRESS, ENDPOINT-PORT, ALLOWED-ADDRESS
# INTERFACE   PUBLIC-KEY                                    ENDPOINT-ADDRESS  ENDPOINT-PORT  ALLOWED-ADDRESS
0 wireguard1  ********************************************  192.168.21.1              55555  0.0.0.0/0      
                                                                                             ::/0           

add action=accept chain=input comment="Allow UDP 55555 Wireguard" dst-port=\
    55555 log=yes log-prefix=Wireguard protocol=udp

/ip/address> print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS             NETWORK        INTERFACE
;;; defconf
0   192.168.90.254/24   192.168.90.0   bridge
1 D 192.168.22.1/24     192.168.22.0   ether5(WAN)
2   192.168.100.5/31    192.168.100.4  wireguard1

holvoetn, Fri Aug 05, 2022 2:12 pm

That's only a partial config.

From the terminal:
/export file=anynameyouwish
Review the export for remaining sensitive info (serial numbers, public IP, keys, ...) and post it between [code] tags.
Do this for each of the devices.
 
BrateloSlava, Fri Aug 05, 2022 2:34 pm

Am I understanding your settings correctly?

1. Office 1 has two internet connections. They are configured as a primary and a backup. Office 2 has one internet connection.

2. The main internet connection in Office 1 is not, for some reason, able to establish a VPN connection to Office 2.

3. You are trying to set up a VPN connection between the backup connection of Office 1 and Office 2.

As far as I understand, nothing works for you, because the packets leave through the main connection. And it is expected that they will leave through the backup channel. Therefore, I would like to look at the rules by which you provide switching between the main and backup channels in Office 1.

anav, Fri Aug 05, 2022 2:34 pm

And for BOTH devices!
 
vadimkara (Topic Author), Fri Aug 05, 2022 4:03 pm

BrateloSlava wrote:
Am I understanding your settings correctly?

1. Office 1 has two internet connections. They are configured as a primary and a backup. Office 2 has one internet connection.

2. The main internet connection in Office 1 is not, for some reason, able to establish a VPN connection to Office 2.

3. You are trying to set up a VPN connection between the backup connection of Office 1 and Office 2.

As far as I understand, nothing works for you, because the packets leave through the main connection. And it is expected that they will leave through the backup channel. Therefore, I would like to look at the rules by which you provide switching between the main and backup channels in Office 1.

Yes, correct. No switching, only distance in routes: 1 for main, 2 for backup.
/ip route
add check-gateway=ping comment="Policy Based Dctel" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=dctel pref-src="" routing-table=DCTel \
    scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Policy Based Infocom" disabled=no distance=1 \
    dst-address=0.0.0.0/0 gateway=infocom pref-src="" routing-table=\
    Infocom scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Main route" disabled=no distance=1 dst-address=\
    0.0.0.0/0 gateway=Infocom pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Backup route" disabled=no distance=2 \
    dst-address=0.0.0.0/0 gateway=dctel pref-src=0.0.0.0 routing-table=\
    main scope=30 suppress-hw-offload=no target-scope=10

and packet marking
/ip firewall mangle
add action=mark-connection chain=prerouting comment=Infocom connection-mark=\
    no-mark in-interface=ether1-vib-Infocom new-connection-mark=Infocom-conn \
    passthrough=no
add action=mark-connection chain=prerouting comment=Dctel connection-mark=\
    no-mark in-interface=ether2-vib-DCTel new-connection-mark=Dctel-conn \
    passthrough=no
add action=mark-routing chain=prerouting comment=Infocom-forward \
    connection-mark=Infocom-conn dst-address-type=!local in-interface-list=!WAN \
    new-routing-mark=Infocom passthrough=no
add action=mark-routing chain=prerouting comment=Dctel-forward connection-mark=\
    Dctel-conn dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
    DCTel passthrough=no
add action=mark-routing chain=output comment=Infocom-out connection-mark=\
    Infocom-conn dst-address-type=!local new-routing-mark=Infocom passthrough=\
    no
add action=mark-routing chain=output comment=Dctel-out connection-mark=\
    Dctel-conn dst-address-type=!local new-routing-mark=DCTel passthrough=no

BrateloSlava, Fri Aug 05, 2022 5:47 pm

For a correct configuration, it is necessary to block the possibility of building the tunnel from any interface other than "your" interface. About the routes: try changing them like this example:
/ip route add check-gateway=ping disabled=no distance=50 dst-address=0.0.0.0/0 gateway=IP_of_GW1 routing-table=route-WAN-1
/ip route add check-gateway=ping disabled=no distance=50 dst-address=0.0.0.0/0 gateway=IP_of_GW2 routing-table=route-WAN-2
/ip route add check-gateway=ping disabled=no distance=70 dst-address=0.0.0.0/0 gateway=IP_of_GW1
/ip route add check-gateway=ping disabled=no distance=71 dst-address=0.0.0.0/0 gateway=IP_of_GW2

/routing rule add action=lookup-only-in-table disabled=no src-address=Your_IP_ISP1 table=route-WAN-1
/routing rule add action=lookup-only-in-table disabled=no src-address=Your_IP_ISP2 table=route-WAN-2
/routing rule add action=lookup-only-in-table disabled=no dst-address=172.22.2.128/25(Your_LAN_Space) table=main
 
vadimkara (Topic Author), Fri Aug 05, 2022 5:52 pm

BrateloSlava wrote:
For a correct configuration, it is necessary to block the possibility of building the tunnel from any interface other than "your" interface. About the routes: try changing them like this example:
/ip route add check-gateway=ping disabled=no distance=50 dst-address=0.0.0.0/0 gateway=IP_of_GW1 routing-table=route-WAN-1
/ip route add check-gateway=ping disabled=no distance=50 dst-address=0.0.0.0/0 gateway=IP_of_GW2 routing-table=route-WAN-2
/ip route add check-gateway=ping disabled=no distance=70 dst-address=0.0.0.0/0 gateway=IP_of_GW1
/ip route add check-gateway=ping disabled=no distance=71 dst-address=0.0.0.0/0 gateway=IP_of_GW2

/routing rule add action=lookup-only-in-table disabled=no src-address=Your_IP_ISP1 table=route-WAN-1
/routing rule add action=lookup-only-in-table disabled=no src-address=Your_IP_ISP2 table=route-WAN-2
/routing rule add action=lookup-only-in-table disabled=no dst-address=172.22.2.128/25(Your_LAN_Space) table=main

I didn't understand one part: why do I need to change the distance of the routes? (Changed it, but it didn't help.)
After adding the routing rules the handshake error disappeared, but there is no ping, not even between the point-to-point WireGuard addresses 192.168.100.4 and 192.168.100.5.
 
anav, Fri Aug 05, 2022 7:06 pm

BrateloSlava, HINT: You are NOT helping by interjecting before the necessary information to give an informed response is available. The OP needs to provide more information, as already requested, to get to a satisfactory resolution of the problem. There are a few here who can play the mind-reader game and take shortcuts (sob, mkx, sindy), but otherwise it is not usually successful and is irritating for those of us asking for the information. The OP was sidetracked and has yet to provide the requested information, hopefully soon coming. :-)

Not to say your advice is not sound or useful, but usually there is more to the story, which can only be sussed out with more context and information.
Often there is a lot the OP leaves out that is necessary to the puzzle.

By the way, I didn't read your question nor his response; it's noise, since I don't understand
a. the network structure (what devices are attached, where the internet comes from, what goes out on the ports). A network diagram helps immensely here.
b. the configuration, which fills in the rest of the gaps (the bridge/VLANs/subnets, the firewall rules, the routing, etc. and how they interact).
c. the requirements of the network in terms of use cases:
what the user(s)/device(s) should be able to do and not do... this pushes the config design.
 
vadimkara (Topic Author), Fri Aug 05, 2022 8:47 pm

Export config (posted as an attachment, not reproduced here)
 
anav, Fri Aug 05, 2022 9:50 pm

I am confused: why do you have both office routers accepting WireGuard traffic on the input chain?
For the purposes of the initial handshake, one needs to be the server with an input chain rule; the other has no input chain rule (not both on the same port, that's for sure).

Typically the device with the static IP is the better one to choose as the server.

So which is which??? A better diagram would have shown this!
 
vadimkara (Topic Author), Fri Aug 05, 2022 10:29 pm

anav wrote:
I am confused: why do you have both office routers accepting WireGuard traffic on the input chain?
For the purposes of the initial handshake, one needs to be the server with an input chain rule; the other has no input chain rule (not both on the same port, that's for sure).

Typically the device with the static IP is the better one to choose as the server.

So which is which??? A better diagram would have shown this!

From the official MikroTik help page on site-to-site WireGuard:
https://help.mikrotik.com/docs/display/ROS/WireGuard

Peer configuration
Peer configuration defines who can use the WireGuard interface and what kind of traffic can be sent over it. To identify the remote peer, its public key must be specified together with the created WireGuard interface.

Office1

/interface/wireguard/peers
add allowed-address=10.1.101.0/24 endpoint-address=192.168.80.1 endpoint-port=13231 interface=wireguard1 \
public-key="v/oIzPyFm1FPHrqhytZgsKjU7mUToQHLrW+Tb5e601M="
Office2

/interface/wireguard/peers
add allowed-address=10.1.202.0/24 endpoint-address=192.168.90.1 endpoint-port=13231 interface=wireguard1 \
public-key="u7gYAg5tkioJDcm3hyS7pm79eADKPs/ZUGON6/fF3iI="

All ISPs have static IPs. But I tried all ways (site to site, server and client); the result is the same.

anav, Fri Aug 05, 2022 10:31 pm

MT documentation aside... I asked a specific question, regarding who is connecting first...

holvoetn, Fri Aug 05, 2022 10:32 pm

Nothing wrong with both accepting traffic.
To say it differently, it doesn't break anything.
 
vadimkara (Topic Author), Fri Aug 05, 2022 10:32 pm

anav wrote:
I really don't care what MT documentation says... I asked a specific question. Perhaps someone else can help you out.

I tried all variants; the result is the same: no ping from the local subnets or from router to router.
 
chechito, Fri Aug 05, 2022 10:57 pm

Most dual-WAN configurations forget to take proper care of incoming connections for each WAN.

As a result, an incoming connection on the secondary WAN ends up being replied to via the primary WAN, and/or handled by the secondary routing table, which lacks some routes.
 
anav, Fri Aug 05, 2022 11:09 pm

I understand that; the question was which one was going to connect to the other to establish the tunnel initially. After that it matters little, as the tunnel is always up and is bi-directional.
In any case I would at least use different ports, so I would understand from the logs or whatever who connected to whom, etc.
Such as: routerA, listening port 15000 with an input chain rule for the same, and routerB, listening port 25000 with an input chain rule for the same.
I concur that either one can be the client or the server in the setup (as it's a peer-to-peer network), but being clear or delineating the two just seems logical to me.
Plus, if both can act as servers, then it's easy to distinguish which one is set up for road-warrior or home clients to access, for example... if that is desired.
Personal preference...

To the problem at hand: we will never sort out the issue, because I don't think it's WireGuard related; I think it's all the other garbage that is probably interfering.
The config is overly complex and full of what I would avoid. The mangling and routes are tricky, and the firewall rules are all over the place and mostly missing in the forward chain.

vadimkara (Topic Author), Fri Aug 05, 2022 11:09 pm

chechito wrote:
Most dual-WAN configurations forget to take proper care of incoming connections for each WAN.

As a result, an incoming connection on the secondary WAN ends up being replied to via the primary WAN, and/or handled by the secondary routing table, which lacks some routes.

All traffic is marked properly; all VPNs (IPsec, PPP) work fine. Only WireGuard has this problem.
 
anav, Fri Aug 05, 2022 11:11 pm

Hmmm, that's good to know. I will keep looking. I wonder if adding the WireGuard interfaces to the WAN interface list may be an issue...?
 
vadimkara (Topic Author), Fri Aug 05, 2022 11:22 pm

anav wrote:
Hmmm, that's good to know. I will keep looking. I wonder if adding the WireGuard interfaces to the WAN interface list may be an issue...?

Tried this already; it didn't help.
 
anav, Fri Aug 05, 2022 11:36 pm

Edit: NM, other than to say that, based on the next post, my request to know which is initiating and which is receiving the first handshake is indeed germane!

sindy, Fri Aug 05, 2022 11:46 pm

chechito wrote:
Most dual-WAN configurations forget to take proper care of incoming connections for each WAN.

As a result, an incoming connection on the secondary WAN ends up being replied to via the primary WAN, and/or handled by the secondary routing table, which lacks some routes.

vadimkara wrote:
All traffic is marked properly; all VPNs (IPsec, PPP) work fine. Only WireGuard has this problem.

In the configuration export of the dual-WAN router, I can see the connection-mark is assigned only in prerouting. So if it is this router that sends the first ever packet of the Wireguard transport connection, it sends it using routing table main. Could it be the case? What does /ip/firewall/connection/print detail where src-address~":55555" or dst-address~":55555" show on this router while the connection attempt is ongoing?
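To make the three diagnoses in this thread checkable offline (BrateloSlava's src-address routing rules, chechito's point about replies to connections that arrive on the secondary WAN, and sindy's observation that the connection mark is assigned only in prerouting), here is an added Python model. It is not RouterOS code and is not from any poster; it replays the Office 1 routes and mangle rules the OP exported for three packets: a handshake packet that Office 1 generates itself, the same packet once src-address lookup-only-in-table rules exist, and the reply to a handshake that Office 2 initiated. Assumptions: 192.168.21.1 (ether4 in the address print) is the DCTel uplink, which is what Office 2's endpoint-address implies; the interface names are the ones used in the mangle rules; both gateways are treated as up.

```python
"""Offline model of the Office 1 (dual-WAN) router's routing decision for the
WireGuard transport packets discussed in this thread.  Constructed example,
not RouterOS code: it replays the OP's routes, mangle rules and (optionally)
src-address routing rules, falling back to the main table when neither a rule
nor a routing mark selects a table."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Routes from the OP's /ip route export: table -> [(distance, gateway)].
# The lowest distance wins; check-gateway is ignored (both uplinks assumed up).
ROUTES = {
    "main":    [(1, "Infocom"), (2, "dctel")],
    "Infocom": [(1, "Infocom")],
    "DCTel":   [(1, "dctel")],
}

# WAN interface -> (WAN address, connection mark, routing mark), from the OP's
# mangle rules and /ip address print.  ASSUMPTION: 192.168.21.1 is the DCTel
# uplink, because Office 2 points its peer endpoint at that address.
WAN = {
    "ether1-vib-Infocom": ("192.168.20.1", "Infocom-conn", "Infocom"),
    "ether2-vib-DCTel":   ("192.168.21.1", "Dctel-conn",   "DCTel"),
}

OFFICE2_ENDPOINT = "192.168.22.1"   # Office 2 WAN address from its /ip address print


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: Optional[str] = None     # None: generated by the router itself
    connection_mark: Optional[str] = None  # inherited from the conntrack entry
    routing_mark: Optional[str] = None


def mangle_prerouting(pkt: Packet) -> Optional[str]:
    """OP's prerouting mark-connection rules: a packet arriving on a WAN
    interface stamps that WAN's mark on its conntrack entry.  Router-generated
    packets never traverse prerouting, so they never reach this function."""
    if pkt.in_interface in WAN:
        return WAN[pkt.in_interface][1]
    return None


def mangle_output(pkt: Packet) -> Packet:
    """OP's output-chain mark-routing rules: the routing mark follows the
    connection mark.  A brand-new router-originated connection carries no
    connection mark yet, so routing_mark stays None."""
    for _addr, cmark, rmark in WAN.values():
        if pkt.connection_mark == cmark:
            pkt.routing_mark = rmark
    return pkt


def choose_gateway(pkt: Packet, routing_rules=()) -> str:
    """Route lookup.  routing_rules holds (src-prefix, table) pairs modelling
    '/routing rule add src-address=... action=lookup-only-in-table table=...'.
    The scenarios below never combine a matching rule with a routing mark, so
    the relative order of the two checks does not affect the result."""
    for src_prefix, table in routing_rules:
        if ip_address(pkt.src) in ip_network(src_prefix):
            return min(ROUTES[table])[1]
    table = pkt.routing_mark or "main"
    return min(ROUTES[table])[1]


# BrateloSlava's suggestion, written with the OP's table names.
SRC_ADDRESS_RULES = (("192.168.21.1/32", "DCTel"), ("192.168.20.1/32", "Infocom"))


def handshake_initiated_here(rules=()) -> str:
    """Office 1 sends the first handshake packet itself from its DCTel address."""
    pkt = Packet(src="192.168.21.1", dst=OFFICE2_ENDPOINT)
    return choose_gateway(mangle_output(pkt), rules)


def reply_to_inbound_handshake() -> str:
    """Office 2 initiates: its packet arrives on the DCTel uplink, prerouting
    marks the connection, and the reply inherits the mark in the output chain."""
    inbound = Packet(src=OFFICE2_ENDPOINT, dst="192.168.21.1",
                     in_interface="ether2-vib-DCTel")
    reply = Packet(src="192.168.21.1", dst=OFFICE2_ENDPOINT,
                   connection_mark=mangle_prerouting(inbound))
    return choose_gateway(mangle_output(reply))


if __name__ == "__main__":
    print("Office 1 initiates, OP config:      ", handshake_initiated_here())
    print("Office 1 initiates, src-addr rules: ", handshake_initiated_here(SRC_ADDRESS_RULES))
    print("Office 2 initiates, OP config:      ", reply_to_inbound_handshake())
```

Running it gives Infocom for the router-initiated handshake under the OP's config (a packet sourced from the DCTel address leaves through the main-table gateway, so the peer never sees a handshake from the endpoint it expects), dctel once the src-address rules are in place, and dctel for the reply when Office 2 initiates. That is also why anav's question about who initiates matters with this config: the side that only answers routes its replies through prerouting-marked state and is fine, while the side that generates the first packet locally is not.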
 
vadimkara (Topic Author), Sat Aug 06, 2022 8:06 am

vadimkara wrote:
All traffic is marked properly; all VPNs (IPsec, PPP) work fine. Only WireGuard has this problem.

sindy wrote:
In the configuration export of the dual-WAN router, I can see the connection-mark is assigned only in prerouting. So if it is this router that sends the first ever packet of the Wireguard transport connection, it sends it using routing table main. Could it be the case? What does /ip/firewall/connection/print detail where src-address~":55555" or dst-address~":55555" show on this router while the connection attempt is ongoing?

BrateloSlava already mentioned this; the routing rules fixed this issue, the handshake succeeds but there is no ping.
 
vadimkara (Topic Author), Sat Aug 06, 2022 8:57 am

Problem solved: the mask on both sides must be /30, not /31.
 
anav, Sat Aug 06, 2022 1:57 pm

Thanks for letting us know. I was going to suggest using /24 for both WG IP addresses at each device, as there is no harm, no foul in doing so and it works every time, and then just use firewall rules to limit to IPs etc. as necessary.
