neeeo
just joined
Topic Author
Posts: 2
Joined: Sat Feb 04, 2023 12:21 pm

Wireguard only works from wg-interface-ip

Sat Feb 04, 2023 1:00 pm

Hi together,

I am trying to set up a WireGuard connection to another location (with the help of WireGuard UI).
If I try to connect from a local config (on my computer, not the router) I can connect and it works well.

Now I set up WireGuard on my MikroTik (with interface IP 18.1.1.6/30) and on the other location with 18.1.1.5/30.
2_wg_server_ip_routeros.png
This is my wg-server-config:
5_wg_server_wg1_config.png
This is my peer config:
1_wg_server_config_routeros.png
I set up the route for the wg net (18.1.1.4/30 and the network of the other location) with the wg1 interface on my mikrotik.
3_wg_routes_wg_interface.png
So I set up a few firewall rules to allow the wg1 interface to connect into my RouterOS and the same for connections out of my RouterOS.
4_wg1_fw_rules.png
If I now try to ping the other location, I can only do it WITHOUT the advanced settings (so from my mikrotik-wg-server-ip): - it works
6_mikrotik_wg_ping_from_wg_if_ip_to_other_location_wg_ip.png
I can also ping the other location's LAN, or the devices in it:
7_mikrotik_wg_ping_from_wg_if_ip_to_other_location_lan_ip.png
If I enter a local LAN IP under ADVANCED on my side and try to ping the other location's wg-tunnel-ip, I only get timeouts:
8_ping_from_local_lan_to_other_location_tunnel_ip.png
Even if I try to ping the other location's LAN with a local IP out of my LAN under ADVANCED:
9_ping_from_local_lan_to_other_location_lan_ip.png

If I do that with WireGuard installed locally on my PC and the same tunnel settings, I can reach the other location's LAN.
So I tried for 3 weeks to figure it out but I'm not getting a solution :(

Is there someone here who can help me?
Thanks really a lot and have a nice day :)
 
neeeo
just joined
Topic Author
Posts: 2
Joined: Sat Feb 04, 2023 12:21 pm

Re: Wireguard only works from wg-interface-ip

Fri Feb 10, 2023 11:13 pm

Does someone have an idea? :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard only works from wg-interface-ip

Fri Feb 10, 2023 11:19 pm

Yes.

First, diagrams are less helpful than a full config
/export file=anynameyouwish ( minus router serial number and any public WANIP information or keys etc.)

1. Confirm the MT device acts as the client for the handshake, it would appear so.
2. What is at the other end of the tunnel, another MT acting as server? Third party VPN provider?
3. If not a 3rd party VPN, do you have access/control over the config at the other end?

If MT, would need to see config as well.
If not MT, would need to see the wireguard settings regardless of type of server at other end.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Wireguard only works from wg-interface-ip

Fri Feb 10, 2023 11:45 pm

Hiding critical parts? What's secret about some private IP address used, except that it is imperative these ranges are 100% correct?!

Export configs and hide only sensitive private information, but not the config details around WireGuard IP and routes.
 
aoakeley
Member Candidate
Posts: 170
Joined: Mon May 21, 2012 11:45 am

Re: Wireguard only works from wg-interface-ip

Sun Feb 12, 2023 12:14 pm

I set up the route for the wg net (18.1.1.4/30 and the network of the other location) with the wg1 interface on my mikrotik.
3_wg_routes_wg_interface.png
Your route for the remote 192.168 subnet is wrong. Use the remote WireGuard IP Address not the interface wg1 for the route destination.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Wireguard only works from wg-interface-ip

Sun Feb 12, 2023 3:09 pm

That's not it. You can use IP address as gateway, but WG doesn't really care, it decides itself where to send packets, based on peers' allowed-address.

E.g. if you'd have WG interface with 10.0.0.1/24 and two peers:

- peer1, allowed addresses 10.0.0.2, 192.168.2.0/24
- peer2, allowed addresses 10.0.0.3, 192.168.3.0/24

and you'd add route to 192.168.2.0/24 with (wrong) gateway 10.0.0.3 (address belongs to peer2), packets to 192.168.2.x would still go correctly to peer1.
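
The peer selection described in the post above, as an added Python sketch that is not part of the original post and is not RouterOS or WireGuard code. The peer table is constructed from the post's example; the function names and the `route_gateway` parameter are hypothetical. It also goes beyond the post by modelling WireGuard's receive-side check, where a decrypted packet is kept only if its source address falls inside the sending peer's allowed addresses.

```python
import ipaddress

# Constructed peer table, taken from the example in the post above.
PEERS = {
    "peer1": ["10.0.0.2/32", "192.168.2.0/24"],
    "peer2": ["10.0.0.3/32", "192.168.3.0/24"],
}


def best_match(addr, peers):
    """Return (peer, network) for the longest allowed-address prefix
    that contains addr, or (None, None) when no peer claims it."""
    ip = ipaddress.ip_address(addr)
    best_peer, best_net = None, None
    for name, prefixes in peers.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_peer, best_net = name, net
    return best_peer, best_net


def select_peer_for_tx(dst, peers=PEERS, route_gateway=None):
    """Outbound: the peer is chosen from the destination address alone.
    route_gateway (hypothetical) is accepted only to show it plays no
    part once the routing table has handed the packet to the interface."""
    return best_match(dst, peers)[0]


def accept_rx(from_peer, src, peers=PEERS):
    """Inbound: after decryption the inner source address must map back
    to the peer that sent the packet, otherwise the packet is dropped."""
    return best_match(src, peers)[0] == from_peer


if __name__ == "__main__":
    # The "wrong" gateway from the post does not change the outcome.
    print(select_peer_for_tx("192.168.2.10", route_gateway="10.0.0.3"))
    # A source address outside every allowed-address list is rejected.
    print(accept_rx("peer1", "172.16.0.1"))
```

When one end of a tunnel answers pings sourced from the tunnel address but not from a LAN address, the allowed-address lists on both peers are the first thing to compare against the source and destination of the failing packet.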
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard only works from wg-interface-ip

Sun Feb 12, 2023 3:24 pm

It's very unclear what you are trying to do because you mix up config with requirements.

1. Provide a network diagram.
2. Clearly state in the diagram which device is client and which is server for the initial handshake.
3. What is at the other end...

Then the requirements (without mention of the config)
a. identify what users/groups of users do you have including the admin
b. identify what traffic should they be able to accomplish

Then provide the config at both ends
