andreyakifev
just joined
Topic Author
Posts: 1
Joined: Tue Dec 03, 2019 6:54 am

Mikrotik wireguard issues

Fri Dec 30, 2022 9:51 am

Hello.

I have 2 Mikrotiks:
1. hap ac2, installed in my home. Wireguard server.
2. mAP Lite, my road warrior router. Wireguard client.

When I go somewhere I take my road warrior with me and forward all my traffic to my home router via wireguard VPN.
But sometimes it cannot complete wireguard handshake with my home router.

For instance, I arrive at the hotel and turn on my mAP Lite. After that I try to ping something using wireguard interface:
ping address=8.8.8.8 interface=WgHome
And it is not successful.
But if I try to ping something using WAN interface, it is successful.
I think sometimes(!) my mAP Lite is not able to complete wireguard handshake.

But finally, I connect my laptop to the hotel wifi and make a direct wireguard connection from my laptop to my home router (using another peer record) without any problems. Then I just go to my home mikrotik and try to disable-enable wireguard peer which is used by my mAP Lite. Usually it fixes my problem and I have my mAP Lite completed handshake and working VPN.

But what is the problem exactly? My laptop never has any problems with wireguard connection and I don’t need to do any extra activities.

My mAP Lite wireguard configuration:
/interface wireguard
add disabled=yes listen-port=13232 mtu=1420 name=AnotherWG
add listen-port=13231 mtu=1420 name=WgHome
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="My home" endpoint-address=hidden endpoint-port=14142 interface=WgHome persistent-keepalive=10s public-key="hidden"
add allowed-address=0.0.0.0/0 comment="Another peer" disabled=yes endpoint-address=hidden endpoint-port=12330 interface=AnotherWg persistent-keepalive=10s public-key="hidden"
My hap ac2 configuration:
/interface wireguard
add comment="Wireguard connection to Frankfurt" listen-port=13231 mtu=1420 name=Frankfurt
add comment="Selectel wg" listen-port=13232 mtu=1420 name=Selectel
add comment="Wireguard for home" listen-port=14142 mtu=1420 name=WgServer
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="For work" endpoint-address=hidden endpoint-port=51820 interface=Frankfurt public-key="hidden"
add allowed-address=172.17.100.0/24,172.17.9.0/24,10.255.148.0/24 comment="For work" endpoint-address=hidden endpoint-port=51820 interface=Selectel persistent-keepalive=10s public-key="hidden"
add allowed-address=192.168.100.11/32 comment=MBP interface=WgServer persistent-keepalive=10s public-key="hidden"
add allowed-address=192.168.100.10/32 comment="For my friend1" interface=WgServer persistent-keepalive=10s public-key="hidden"
add allowed-address=192.168.100.12/32 comment="For my friend2" interface=WgServer persistent-keepalive=10s public-key="hidden"
add allowed-address=192.168.100.13/32 comment="For my friend3" interface=WgServer public-key="hidden"
add allowed-address=192.168.100.14/32 comment="For my friend4" interface=WgServer persistent-keepalive=10s public-key="hidden"
add allowed-address=192.168.100.15/32 comment="mAP Lite" interface=WgServer persistent-keepalive=10s public-key="hidden"
As you can see, on my mAP Lite I have one disabled wireguard connection and peer.
On my hap ac2 I have a lot of peers and two connections. mAP Lite connects to WgServer interface and is known as the peer with comment "mAP Lite".
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Mikrotik wireguard issues

Mon Jan 02, 2023 4:27 am

Two things..........
a. you don't need the maplite as you have discovered for wireguard connection, for example I use my iphone from anywhere to make a tunnel and then use my iphone app to access the router like winbox.

b. why use the maplite then ??????

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In any case let's check your settings to ensure it's not a wireguard related issue!!
I will assume you already have two different wireguard IPs, one for the maplite and one for the laptop itself, and I will throw in a third for an iphone LOL.

HAPAC2

Okay so you have three different wireguard tunnels.
Your work one I don't get, are you using the work tunnel to access the internet at the remote end ( hapac client to work wireguard router )?

In any case will try to focus on home one........
Kewl, you have many peers, friends, etc, your laptop is mbp.....

WHERE IS THE REST OF YOUR CONFIG.
I CANT WORK WITH NOTHING.

Why do people ask for help when they seem to obviously think they know everything - like what to show or not show...........
Solve it yourself OR

Provide the full configs of both devices. ( please )
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
 
holvoetn
Forum Guru
Posts: 5478
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Mikrotik wireguard issues

Mon Jan 02, 2023 10:54 am

Map lite as road warrior yet being able to also setup the WG interface using laptop or phone is a strange setup, true :lol:

Config is not complete, as requested please provide more info.

When this happens and you disable/enable the WG peer on mAP Lite site, does it start to work then ?
Could be a problem with DNS resolve upon startup of map Lite.
Known problem with Mikrotik implementation of wireguard interface: upon startup of interface it only tries to resolve the name of the other end ONCE, if it fails, it stops and doesn't retry. You can circumvent this problem with a small script and/or netwatch to toggle the WG peer on mAP Lite side.
And I catalogue this as a bug since this is something which should be handled by surrounding application, not by user (e.g. Win client simply does not allow to start up the interface if DNS resolution is not working, that's how it should be).
 
WinOS
just joined
Posts: 3
Joined: Mon Jan 02, 2023 10:42 am

Re: Mikrotik wireguard issues

Mon Jan 02, 2023 11:41 am

Map lite as road warrior yet being able to also setup the WG interface using laptop or phone is a strange setup, true :lol:
Some devices can't run WG because of policy or it's not supported.
 
Newbienoob
just joined
Posts: 9
Joined: Thu Jan 05, 2023 6:37 pm

Re: Mikrotik wireguard issues

Thu Jan 05, 2023 8:52 pm

...

When I go somewhere I take my road warrior with me and forward all my traffic to my home router via wireguard VPN.
But sometimes it cannot complete wireguard handshake with my home router.

For instance, I arrive at the hotel and turn on my mAP Lite. After that I try to ping something using wireguard interface:
ping address=8.8.8.8 interface=WgHome
And it is not successful.
But if I try to ping something using WAN interface, it is successful.
I think sometimes(!) my mAP Lite is not able to complete wireguard handshake.
...
Hello, I have the same issue.
What I am actually doing is re-enabling the default gateway 0.0.0.0/0 to the ethernet port that I am connecting to the hotel and then toggle the WG Tunnel.
I think it should be done automatically every 10 seconds but I don't have much knowledge.
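
The workaround holvoetn describes (a small script that toggles the WG peer on the mAP Lite side) and the automatic toggling Newbienoob asks for, as an added example that is not part of any post in this thread. The interface name WgHome and the peer comment "My home" come from the posted mAP Lite configuration; the script name wg-home-watchdog, the 3m threshold, the 2s delay and the 1m scheduler interval are assumptions.

```routeros
# Added example (not from the thread): WireGuard peer watchdog for the mAP Lite.
# Save as a script named wg-home-watchdog (hypothetical name), then schedule it:
#   /system scheduler add name=wg-home-watchdog interval=1m on-event=wg-home-watchdog
#
# A healthy peer with persistent-keepalive renews its handshake roughly every
# two minutes, so a last-handshake older than 3m (assumed threshold) is stale.
:local staleAfter 3m

# Select the enabled peer by the names used in the posted mAP Lite config.
:foreach p in=[/interface wireguard peers find where interface="WgHome" comment="My home" disabled=no] do={
    :local hs [/interface wireguard peers get $p last-handshake]

    # last-handshake is empty until the first handshake has completed,
    # which is the state described after powering up at the hotel.
    :if (([:len [:tostr $hs]] = 0) or ($hs > $staleAfter)) do={
        :log warning "WgHome: no recent handshake, toggling peer"

        # Disable/enable makes RouterOS set the peer up again, including the
        # one-time resolution of endpoint-address mentioned in the thread.
        /interface wireguard peers disable $p
        :delay 2s
        /interface wireguard peers enable $p
    } else={
        :log debug "WgHome: handshake is recent, nothing to do"
    }
}
```

The script only acts when the handshake is missing or stale, so a working tunnel is never interrupted by the scheduler.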
