Community discussions

MikroTik App
  4. RouterOS
  5. General

Wireguard interface with multiple peers  [SOLVED]

Post Reply
 
sobercouncil
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2022 1:30 pm

Wireguard interface with multiple peers

Tue Nov 01, 2022 7:17 pm

I've seen other discussions about this, but not clear if a change is intended, or if I'll need to use a dedicated Wireguard interface for each peer:
Code: Select all
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1

/interface wireguard peers
add allowed-address=192.168.0.2/32 comment=peerA endpoint-address="" interface=wireguard1 public-key="{uniquestringA}"
add allowed-address=192.168.0.3/32 comment=peerB endpoint-address="" interface=wireguard1 public-key="{uniquestringB}"

add address=192.168.0.1/24 interface=wireguard1 network=192.168.0.0

#        routerboard: yes
#         board-name: RB1100AHx4 Dude Edition
#              model: RB1100Dx4
#           revision: r2
# 
#             channel: stable
#   installed-version: 7.5
Kind regards.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard interface with multiple peers

Tue Nov 01, 2022 9:42 pm

So far so good.
What are the user requirements (both local users and remote users).
Top
 
sobercouncil
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2022 1:30 pm

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 12:46 pm

Hi Anav,

Thank you for your reply.

The peers (peerA and peerB - Windows clients) need to speak to the subnets which sit behind the Mikrotik peer (in the below example - 172.16.0.0/16), e.g.:

Image

This works perfectly for peerA, but peerB is unable to initiate a handshake with the Mikrotik (pcap shows the request reaching the Mikrotik, but it does not reply).

I've seen this thread, where I can see that it should be possible to have multiple peers on a single WG interface.

Wireguard client config:
Code: Select all
[Interface]
PrivateKey = {local_privatekey}
Address = 192.168.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = {Mikrotik_publickey}
AllowedIPs = 192.168.0.0/24, 172.16.0.0/19
Endpoint = 64.12.12.9:13231
PersistentKeepalive = 10
Kind regards.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 1:21 pm

Yes it should work looking at your information.
Please post full config on router.
/export file=anynameyouwish ( minus serial number and any public WANIP info )

Also ensure that Client B, gets the same public IP from the router that client A received, but the router gets Client Bs public IP and set on the router peer B settings.

Is there some firewall or other setting on peer B windows blocking ??
Top
 
sobercouncil
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2022 1:30 pm

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 3:24 pm

Hi Anav,

Please see attached config.

Also ensure that Client B, gets the same public IP from the router that client A received, but the router gets Client Bs public IP and set on the router peer B settings.

Checked and confirmed to be unique.

Is there some firewall or other setting on peer B windows blocking ??

I don't believe so, pcap shows the handshake reaching the Mikrotik public IP from peerB's public IP, but no reply from the Mikrotik:

Image

With peerA, I can see full handshake exchange - as you'd expect.

Kind regards.
You do not have the required permissions to view the files attached to this post.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 4:40 pm

(1) Is this an internet facing router? If so you are in serious deficiency of firewall rules and is really a security risk.

(2) Is this a cloud router, I dont understand your setup at all, need network diagram?

(3) What is the LAN, I see ether1 is disabled so thats not useful. I see bonded ether9 and ether10
and the vlans part of the bonding, so is that your WAN and if so, how does that work?? Is it one WAN, two wans, very confusing overall.

Nothing here to say why A works and B does not.
Top
 
sobercouncil
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2022 1:30 pm

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 5:27 pm

Hi Anav,

(1) Is this an internet facing router? If so you are in serious deficiency of firewall rules and is really a security risk.
(2) Is this a cloud router, I dont understand your setup at all, need network diagram?

Many thanks for considering this.

The router has access to WAN via one of the VLANs on the bonding interface. The router is essentially an endpoint connected to a pair of TOR switches. WAN connectivity is handled by a cluster of (different) routers. Firewalling is done closer to server cluster by dedicated equipment/systems. Traffic can pass through this router, but there is a deny all rule for input traffic.

(3) What is the LAN, I see ether1 is disabled so thats not useful. I see bonded ether9 and ether10
and the vlans part of the bonding, so is that your WAN and if so, how does that work?? Is it one WAN, two wans, very confusing overall.

One VLAN for (essentially) WAN, one VLAN for management LAN.

Nothing here to say why A works and B does not.

Yes, very strange that the router doesn't respond to the handshake. The public IP of peerB is reachable from the Mikrotik.

Many thanks for your time.
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 6:23 pm

I didn't check details, but make sure that you have correct keys for peerB. In case there would be some mixup, WG would simply ignore request from, as it would see it, unknown peer.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 7:05 pm

Sob see post #4!
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard interface with multiple peers

Wed Nov 02, 2022 7:25 pm

I'm not sure what you're trying to say there.
Top
 
sobercouncil
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2022 1:30 pm

Re: Wireguard interface with multiple peers  [SOLVED]

Thu Nov 03, 2022 2:07 pm

Hi both,

Many thanks for looking into this for me.

I found the solution in this thread. The issue is with the endpoint being set as a blank value in the peer config - "endpoint-address" should be entirely absent if it isn't specified (peerA below is correct, peerB is incorrect):
Code: Select all
add allowed-address=192.168.0.2/32 comment=peerA interface=wireguard1 \
    public-key="peerA_publickey"
add allowed-address=192.168.0.3/32 comment=peerB endpoint-address="" interface=\
    wireguard1 public-key="peerB_publickey"
When I sent the initial config, it was after recreating the nodes entirely, so seems I accidentally fixed the issue for PeerA (for a second time). Just an unfortunate coincidence.

Kind regards.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard interface with multiple peers

Thu Nov 03, 2022 2:29 pm

Sober, much thanks for the feedback. I do now recall reading that thread but not paying enough attention to it.
I will add it to my wireguard article.

To be clear, this only happens if you have entered in an endpoint address but then removed it.
Not quite clear on how this happens?
Top
 
sobercouncil
just joined
Topic Author
Posts: 9
Joined: Thu Aug 25, 2022 1:30 pm

Re: Wireguard interface with multiple peers

Thu Nov 03, 2022 6:00 pm

Hi Anav,

Via the WI, you need to collapse the "Endpoint" field and then click "OK" - not ["Apply" + "OK"] - which seems to commit the empty dropdown. Weirdly, if you return to the peer after committing the config successfully, the empty dropdown will be present again, but not present in the export:

Image
Code: Select all
add comment=test1 endpoint-address="" interface=wireguard1 public-key="sgfTz8xpzywdpRvjpeOmBtfQk63pbp3lcNCmKm6GYBk="
add comment=test2 endpoint-address="" interface=wireguard1 public-key="mBmVaeZMhb2ERRZgMn4chRdftAtEysNi4vhX+RxzsEo="
add comment=test3 interface=wireguard1 public-key="rw1TUYHIvayb2ovlhmFZ9m03FUSQt2g39tk0fjnIgRU="
add comment=test4 endpoint-address="" interface=wireguard1 public-key="2713AH/C6kmL5AFq90yOJ+CkQMKlGSBnmQ1NP67NNAg="
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Wireguard interface with multiple peers

Thu Nov 03, 2022 6:04 pm

Must be a webconfig anomaly!!
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard interface with multiple peers

Sat Nov 05, 2022 2:48 am

It's interesting, I would have expected that if blank address should have any effect, if would be the same as any wrong address. Which would be something you may not even notice, because WG is very keen on roaming, so even if you set peer's address to any wrong address, first packet from peer will update current-endpoint-address and it will work just fine:
Code: Select all
[sob@CHR5] /interface/wireguard/peers> print detail 
Flags: X - disabled 
 0   interface=wireguard1 public-key="xxx" endpoint-address=240.240.240.240 
     endpoint-port=0 current-endpoint-address=192.168.80.10 current-endpoint-port=64191 allowed-address=192.168.44.10/32 
     rx=6.2KiB tx=6.4KiB last-handshake=1s
But blank endpoint-address really does block it completely.
Top
Post Reply

Who is online

Users browsing this forum: Ahrefs [Bot] and 135 guests
  4. RouterOS
  5. General