 
ambor
just joined
Topic Author
Posts: 6
Joined: Sat May 13, 2023 2:35 pm

Wireguard peer Rx/Tx/Last Handshake stats not updating

Tue May 30, 2023 6:52 am

I have 3 peers configured and all working correctly. One is for a MacBook, one an iPhone and one a Windows box. The Windows box is running the official WireGuard client. Everything works fine, but the Rx, Tx and Last Handshake stats don't update; they just always show 0.

In the WireGuard tab there is Rx/Tx data being shown.

The three Peers are all set up exactly the same with just the Allowed address and public key being different.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Tue May 30, 2023 12:09 pm

Please be a bit more specific about where the problem you are describing is.
On client devices or on the router?
If it's on client devices (which I assume) and it works as you say, how do you know it works? Can you access resources 'on the other side'?
E.g. from your Windows PC or MacBook, ping the router using its WG address?

On my Windows laptop (and Android devices) using the official wireguard client, counters only show zero when there is no connection.
Otherwise they move just fine.
And be aware the TX counter will normally always move. Wireguard always tries to connect.
 
ambor
just joined
Topic Author
Posts: 6
Joined: Sat May 13, 2023 2:35 pm

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Wed May 31, 2023 2:19 pm

This is on the Mikrotik Router using Winbox. (Mikrotik model RB750Gr3, Firmware 7.9)

In Winbox I click WireGuard then when the window opens I click on the Peers tab. There are 4 peers and all show Rx/Tx activity except the one in question. Even though the peer is operating normally (and traffic is visible in Torch and elsewhere) the statistics on that Peers tab don't move. They are stuck at 0 B Rx and 0 B Tx.

Each peer has its own unique Public Key and Allowed Address (10.x.x.x/32) and there is no Preshared Key configured.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Wed May 31, 2023 2:52 pm

Then we need to take a look at your config, as well as the config of the peer device on the other side.
Export show-sensitive file=anynameyouwish
Place in between [ ] code quotes, easier for reading, remove wan ip and serial number as well as public key (but change it to KEY1, KEY2, ... so we know something is there).
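
The masking steps asked for in the post above (serial number, WAN IP, public keys renamed KEY1, KEY2, ...), as an added Python example that is not part of the original thread or any MikroTik tool; it also blanks the secrets that `show-sensitive` writes into the export. The function name, the `REMOVED` and `WAN_IPn` placeholders and the sample export are constructed for illustration.

```python
import re

# Secret-bearing properties that "export show-sensitive" includes in clear text.
SECRET_KEYS = ("private-key", "preshared-key", "ipsec-secret", "password")
# RouterOS wraps long lines with a trailing backslash plus indentation.
CONTINUATION = re.compile(r"\\\r?\n\s*")
# A property value: either a quoted string or a bare token.
VALUE = r'("(?:[^"\\]|\\.)*"|\S+)'


def sanitize_export(text, wan_ips=()):
    """Return (sanitized_text, key_map) for a RouterOS export (hypothetical helper)."""
    text = CONTINUATION.sub("", text)  # join wrapped lines so values match whole
    key_map = {}

    def mask_pubkey(match):
        raw = match.group(1).strip('"')
        # The same key always gets the same label, so duplicates stay visible.
        label = key_map.setdefault(raw, f"KEY{len(key_map) + 1}")
        return f'public-key="{label}"'

    text = re.sub(r"\bpublic-key=" + VALUE, mask_pubkey, text)
    for key in SECRET_KEYS:
        text = re.sub(rf"\b{key}=" + VALUE, f'{key}="REMOVED"', text)
    text = re.sub(r"^(# serial number = ).*$", r"\1REMOVED", text, flags=re.M)
    for n, ip in enumerate(wan_ips, 1):
        # Lookarounds stop 203.0.113.7 from matching inside 203.0.113.77.
        text = re.sub(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", f"WAN_IP{n}", text)
    return text, key_map


# Constructed sample export; every key, password and address is made up.
SAMPLE = r'''# serial number = ABC123CONSTRUCTED
/interface wireguard
add listen-port=13232 name=wg-demo private-key=\
    "cHJpdmF0ZS1rZXktY29uc3RydWN0ZWQtc2FtcGxlLTAwMDE="
/interface wireguard peers
add allowed-address=10.7.0.2/32 interface=wg-demo public-key=\
    "cGVlci1vbmUtY29uc3RydWN0ZWQ="
add allowed-address=10.7.0.4/32 interface=wg-demo public-key=\
    "cGVlci10d28tY29uc3RydWN0ZWQ="
/ip address
add address=203.0.113.7/24 interface=ether1
/ppp secret
add name=demo password=hunter2-constructed service=l2tp
'''

if __name__ == "__main__":
    print(sanitize_export(SAMPLE, wan_ips=["203.0.113.7"])[0])
```

The returned `key_map` stays on your machine; only the sanitized text is meant for posting.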
 
ambor
just joined
Topic Author
Posts: 6
Joined: Sat May 13, 2023 2:35 pm

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Thu Jun 01, 2023 6:29 am

Here is the masked router config:
# jun/01/2023 09:42:27 by RouterOS 7.9.1
# software id = TYAU-C7QY
#
# model = RB750Gr3
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=18:FD:74:xx:xx:xx auto-mac=no name="br07"
add admin-mac=18:FD:74:xx:xx:xx auto-mac=no name="br88"
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name="eth1"
set [ find default-name=ether2 ] name="eth2"
set [ find default-name=ether3 ] name="eth3"
set [ find default-name=ether4 ] name="eth4"
set [ find default-name=ether5 ] name="eth5"
/interface pppoe-server
add name=pppoe-auxx service=pppoexx user=auxxudmp
/interface wireguard
add listen-port=13231 mtu=1420 name=wg-xxxxxx-xx-xx-xxx private-key=\
    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
add listen-port=13232 mtu=1420 name=wg-rfa private-key=\
    "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy="
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha256
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=pool88 ranges=192.168.88.10-192.168.88.254
add name=pool07 ranges=192.168.7.10-192.168.7.254
add name=pool00 ranges=129.129.129.129
/ip dhcp-server
add address-pool=pool88 interface="br88" name=dhcp88
add address-pool=pool07 interface="br07" name=dhcp07
/ipv6 dhcp-server
add address-pool="ABB IPv6" interface="br07" name=dhcpv6-07
add address-pool="ABB IPv6" interface="br88" name=dhcpv6-88
/port
set 0 name=serial0
/ppp profile
add dhcpv6-pd-pool="ABB IPv6" dns-server=1.1.1.1,8.8.8.8 \
    local-address=10.0.33.4 name=pppoexx remote-address=129.129.129.129 \
    remote-ipv6-prefix-pool="ABB IPv6" use-ipv6=default
add bridge="br07" dhcpv6-pd-pool="ABB IPv6" local-address=10.0.7.7 \
    name=l2tp-rfa remote-address=pool07 remote-ipv6-prefix-pool="ABB IPv6"
/routing table
add disabled=no fib name=vpn-us-ca
/interface bridge port
add bridge="br88" interface="eth2"
add bridge="br07" fast-leave=yes interface="eth4"
add bridge="br88" interface="eth5"
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set default-profile=l2tp-rfa enabled=yes ipsec-secret=\
    zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz use-ipsec=required
/interface list member
add interface="br88" list=LAN
add interface="eth3" list=LAN
add interface="br07" list=LAN
add interface="eth1" list=WAN
add interface=pppoe-auxx list=LAN
add interface=wg-rfa list=LAN
/interface pppoe-server server
add authentication=pap default-profile=pppoexx disabled=no interface=\
    "eth3" one-session-per-host=yes service-name=pppoexx
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=146.145.133.143 endpoint-port=\
    51820 interface=wg-xxxxxx-xx-xx-xxx persistent-keepalive=25s public-key=\
    "qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq="
add allowed-address=10.7.0.2/32,2222:2222:2222:22::2/128 comment=aaaaa \
    interface=wg-rfa public-key=\
    "rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr="
add allowed-address=10.7.0.3/32,2222:2222:2222:22::3/128 comment="iPhone" \
    interface=wg-rfa public-key=\
    "ssssssssssssssssssssssssssssssssssssssssssss="
add allowed-address=10.7.0.4/32,2222:2222:2222:77::4/128 comment=\
    "(Lucy)" interface=wg-rfa public-key=\
    "tttttttttttttttttttttttttttttttttttttttttttt="
/ip address
add address=192.168.88.1/24 comment=Mikrotik interface="br88" \
    network=192.168.88.0
add address=192.168.7.1/24 comment=RFA interface="br07" network=\
    192.168.7.0
add address=10.2.0.2/30 interface=wg-xxxxxx-xx-xx-xxx network=10.2.0.0
add address=10.7.0.1/24 interface=wg-rfa network=10.7.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface="eth1"
/ip dhcp-server network
add address=192.168.7.0/24 comment=RFA dns-server=192.168.7.1 gateway=\
    192.168.7.1
add address=192.168.88.0/24 comment=Mikrotik dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=104.49.59.2 list=Banned
add address=64.62.197.234 list=Banned
add address=94.102.61.29 list=Banned
add address=184.105.139.107 list=Banned
add address=146.88.240.4 list=Banned
/ip firewall filter
add action=drop chain=input comment="Drop banned hosts" src-address-list=\
    Banned
add action=accept chain=input comment="allow Wireguard" dst-port=13232 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" \
    in-interface="eth1" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,1701,4500/udp)" \
    dst-port=500,1701,4500 in-interface="eth1 - WAN ABB" protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes routing-mark=main
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=SiriusXM \
    new-routing-mark=vpn-us-ca passthrough=no
add action=change-mss chain=postrouting new-mss=clamp-to-pmtu out-interface=\
    wg-xxxxxxx-xx-xx-xxx protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN src-address=!222.222.222.222
add action=masquerade chain=srcnat out-interface=wg-xxxxxx-xx-xx-xxx \
    routing-mark=vpn-us-ca src-address-list=""
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" \
    routing-table=vpn-xx-xx scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src=\
    "" routing-table=vpn-xx-xx scope=30 suppress-hw-offload=no
add disabled=no dst-address=146.145.133.143/32 gateway=203.203.203.203 \
    routing-table=vpn-xx-xx suppress-hw-offload=no
/ipv6 route
add disabled=no distance=1 dst-address=2222:2222:2222:22::/64 gateway=\
    pppoe-auxx routing-table=main scope=30 target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24,192.168.33.0/24 port=2233
set www-ssl address=192.168.88.0/24,192.168.33.0/24 \
    certificate=hex.xxxx.pem disabled=no tls-version=only-1.2
set api disabled=yes
set winbox address=192.168.88.0/24,192.168.33.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=::7 from-pool="ABB IPv6" interface="br07" no-dad=yes
add address=::8 from-pool="ABB IPv6" interface="br88"
/ipv6 dhcp-client
add add-default-route=yes interface="eth1" pool-name="ABB IPv6" \
    request=address,prefix use-interface-duid=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall nat
add action=accept chain=srcnat src-address=fe80::8/128
add action=accept chain=srcnat src-address=fe80::aaaa:bbbb:dddd:eeee/128
/ipv6 nd
set [ find default=yes ] other-configuration=yes
/ppp secret
add local-address=10.0.33.4 name=xxxxxxxx password=xxxxxxxxxxxxx \
    profile=pppoexx remote-address=222.222.22.222 service=pppoe
add name=rfa password=xxxxxxxxxxxxxxxxx profile=l2tp-rfa \
    service=l2tp
/system clock
set time-zone-name=Australia/Sydney
/system leds
add interface="eth1" leds=user-led type=interface-activity
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.au.pool.ntp.org
add address=1.au.pool.ntp.org
add address=2.au.pool.ntp.org
add address=3.au.pool.ntp.org
add address=pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface=pppoe-auxx

And then on the client (peer) this is the config. The problematic one is with address 10.7.0.4/32... but the others 10.7.0.2/32 and 10.7.0.3/32 are fine.

Image
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Sun Jun 04, 2023 4:59 pm

"The Windows box is running the official Wireguard client."
Just wondering, since I saw another related post today and I'd like to remove any doubt:
what is official client for you?
From Microsoft Store or Wireguard website?
In the post I refer to, that user initially used the MS version and couldn't get it working.
After downloading the Wireguard client directly from the website, it worked straight away.
Personally I would find this very unlikely (and I still think some config issue was hidden) but never say never ...
 
ambor
just joined
Topic Author
Posts: 6
Joined: Sat May 13, 2023 2:35 pm

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Mon Jun 05, 2023 7:34 am

"what is official client for you ?"
Downloaded from this link: https://download.wireguard.com/windows- ... taller.exe

It's so strange that it all works fine (as in, the end user has no problem), but just that the stats aren't updating only on that Peer tab.
 
bort900
just joined
Posts: 1
Joined: Mon May 15, 2023 9:47 pm

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Mon Jun 12, 2023 10:59 pm

I also am seeing this issue.

I thought I was having other issues because I was not seeing the last handshake or the tx/rx stats increasing...

After 30 mins of troubleshooting, I looked at my remote end (Ubuntu) and it was showing a handshake! I sent a ping from my MikroTik and it worked!

It's just troubling that I can't depend on the stats to determine if the handshake has occurred or not...

Couple things to note.
1. This is on ROS 7.9.2
2. There are multiple WG interfaces
3. Issue was NOT present on ROS 7.4.1

Thanks!
 
wisi
just joined
Posts: 1
Joined: Tue Jul 18, 2023 10:55 pm

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Tue Jul 18, 2023 11:09 pm

I can confirm.
I have multiple WireGuard peers.
1 main router: CRS305-1G-4S+ running 7.9 (stable)
8 sub routers: hAP ac^2 running 7.10.2 (stable)
Also a few other clients like laptop, phone, ... In total 12 peers on 2 WireGuard "hosts".
Everything is up and running. Everything works. On the "client" side I have all statistics like it should.
But the main side doesn't want to update the stats of 2 of those hAP routers. Just the same 2. Reboots don't help.
 
lgraf
just joined
Posts: 1
Joined: Sun Nov 12, 2023 12:26 pm

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

Sun Nov 12, 2023 12:30 pm

I can confirm this behaviour. I have two working peers on one WireGuard interface, but statistics for one peer are missing (never updated).
Last edited by lgraf on Sun Nov 12, 2023 1:31 pm, edited 1 time in total.
