camulodunum
just joined
Topic Author
Posts: 9
Joined: Sat May 27, 2023 3:34 am

Wireguard configured but not handshake

Wed May 31, 2023 2:35 pm

Hi.

Yesterday I tried to configure the WireGuard interface on a MikroTik router.

From my point of view everything is set up fine, but there is no handshake, so I must be doing something wrong.

If someone can spot where, it will be appreciated.

Here's the WireGuard interface config:
Image


Here's the IP range assigned to the interface:
Image


Here's the peer config on the server:

Image

And here's the config on the client:

Image

P.S.: oh, and I forgot: I have a firewall rule with the WireGuard port forwarded to the router's local IP.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake

Wed May 31, 2023 2:37 pm

Would need to see the full MT config to assess properly:
/export file=anynameyouwish (minus router serial#, public WAN IP information, keys etc.)

So far nothing stands out, but ensure you have a persistent keep alive setting on your MT client device.
 
camulodunum
just joined
Topic Author
Posts: 9
Joined: Sat May 27, 2023 3:34 am

Re: Wireguard configured but not handshake

Wed May 31, 2023 2:39 pm

Would need to see the full MT config to assess properly:
/export file=anynameyouwish (minus router serial#, public WAN IP information, keys etc.)

So far nothing stands out, but ensure you have a persistent keep alive setting on your MT client device.
Tried that before (putting persistentkeepalive 10 in both the router and client config) but it didn't change anything.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake

Wed May 31, 2023 4:07 pm

Why would you put it on the router????
Provide information, if you need assistance
 
camulodunum
just joined
Topic Author
Posts: 9
Joined: Sat May 27, 2023 3:34 am

Re: Wireguard configured but not handshake

Wed May 31, 2023 5:14 pm

removed code
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake  [SOLVED]

Wed May 31, 2023 6:11 pm

This is the main error I see --> You do not use NAT rules for WireGuard.
WireGuard is a service on the ROUTER itself, which means you need to do this in the INPUT CHAIN rules.

Delete this rule............. why did you think you were port forwarding?? (port forwarding is when you want external users to access your servers on the LAN)
#rule to open udp port for mikrotik wireguard
add action=dst-nat chain=dstnat dst-port=13231 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.88.1 to-ports=13231

Add...........
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input dst-port=13231 protocol=udp comment="wireguard handshake"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
 
camulodunum
just joined
Topic Author
Posts: 9
Joined: Sat May 27, 2023 3:34 am

Re: Wireguard configured but not handshake

Wed May 31, 2023 8:01 pm

This is the main error I see --> You do not use NAT rules for WireGuard.
WireGuard is a service on the ROUTER itself, which means you need to do this in the INPUT CHAIN rules.

Delete this rule............. why did you think you were port forwarding?? (port forwarding is when you want external users to access your servers on the LAN)
#rule to open udp port for mikrotik wireguard
add action=dst-nat chain=dstnat dst-port=13231 in-interface=pppoe-out1 \
    protocol=udp to-addresses=192.168.88.1 to-ports=13231

Add...........
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input dst-port=13231 protocol=udp comment="wireguard handshake"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
OK so, as I understand, the firewall filter is for filtering packets that go directly to the router itself, and the NAT is just for packets that go to devices inside the network.

Thanks for the help and explanation. :D

P.S.: added the new rule but it doesn't seem to work, still waiting on the handshake.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake

Wed May 31, 2023 8:06 pm

Not quite......
Input chain is for traffic TO the router (think router services, VPN, DNS, NTP, WinBox etc.).

Forward chain is for traffic THRU the router: WAN to LAN, LAN to WAN, LAN to LAN.

NAT is part of the firewall and is used to delineate source NAT rules AND destination NAT rules (of which port forwarding is a subset).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake

Wed May 31, 2023 8:10 pm

You need to post your new updated config; I only go by evidence, not hearsay. '=)
 
camulodunum
just joined
Topic Author
Posts: 9
Joined: Sat May 27, 2023 3:34 am

Re: Wireguard configured but not handshake

Wed May 31, 2023 8:14 pm

removed code
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake

Wed May 31, 2023 8:19 pm

Look at POST #6.
I clearly highlighted IN BLUE the input chain rule you needed to add to allow an external device to reach the router on the port and start the handshake......

You also failed to remove this rule in your NAT, which I clearly said to remove.
/ip firewall nat
add action=accept chain=input comment="wireguard handshake" dst-port=13231 \
    in-interface=pppoe-out1 protocol=udp

Since you appear not to want to cooperate, l8r. Gluck!
 
camulodunum
just joined
Topic Author
Posts: 9
Joined: Sat May 27, 2023 3:34 am

Re: Wireguard configured but not handshake

Wed May 31, 2023 9:55 pm

Solution found:

It is just as was explained in post #6; just keep in mind that if you add the rule with the MikroTik terminal, that will drop the rule to the bottom, and it needs to be before the "defconf: drop all not coming from LAN" rule, since in MikroTik the rule order gives preference, so the router will always follow the uppermost rule.

Thanks for all the help anav, and sorry for not being a good listener.
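The fix from post #6 together with the ordering caveat from the solution post, as an added example that is not from the thread: it removes the mistaken dst-nat rule, inserts the input-chain accept rule directly above the default drop with `place-before` so it is not appended at the bottom, and prints the chain so the order can be verified. It assumes the default-config comment text and UDP port 13231 shown in the thread.

```routeros
# Remove the dst-nat rule that was mistakenly used to "open" the WireGuard port.
# WireGuard terminates on the router itself, so the dstnat chain never applies to it.
/ip firewall nat remove [find chain=dstnat protocol=udp dst-port=13231]

# Add the input-chain accept rule and place it directly above the default
# "drop all not coming from LAN" rule. Adding it without place-before appends
# it after that drop, where it never matches and the handshake still fails.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    comment="wireguard handshake" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]

# Verify the order: the accept rule must be listed before the drop rule.
/ip firewall filter print where chain=input

# Confirm the result: last-handshake for the peer should now update.
/interface wireguard peers print
```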
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake

Thu Jun 01, 2023 1:20 am

No worries, glad you got it fixed.
A trick many use is to find where in the order one wants to put a rule in WinBox,
and then copy the rule at that spot, change the settings, make a suitable comment, apply and save, and the new rule is right where you want it.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Wireguard configured but not handshake

Thu Jun 01, 2023 1:51 am

camulodunum, apparently you posted the config in post 5 and again in post 10, but then deleted it. Why? It makes it very hard for anyone else to follow this thread. Remember, many of the people who read any particular thread are trying to learn. When critical parts of the thread are deleted, it makes it hard to follow, and damn near impossible to learn from others.
Assuming you sanitized your posted config to prevent sensitive information from being made public, there is little to be gained by deleting it.
 
camulodunum
just joined
Topic Author
Posts: 9
Joined: Sat May 27, 2023 3:34 am

Re: Wireguard configured but not handshake

Thu Jun 01, 2023 8:23 am

camulodunum, apparently you posted the config in post 5 and again in post 10, but then deleted it. Why? It makes it very hard for anyone else to follow this thread. Remember, many of the people who read any particular thread are trying to learn. When critical parts of the thread are deleted, it makes it hard to follow, and damn near impossible to learn from others.
Assuming you sanitized your posted config to prevent sensitive information from being made public, there is little to be gained by deleting it.
I just don't feel comfortable with having all my router's config exposed on an internet forum.

For the sake of other people learning, I can post what the problem was, the part of the configuration where it was, and how to solve it. But I don't think having all my config exposed makes any sense.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard configured but not handshake

Thu Jun 01, 2023 2:06 pm

Your caution is natural and not a bad thing, but nothing can be gleaned from the configs you posted, don't worry. Your choice to post or not post or to delete is up to you.......
 
HighTechLab
just joined
Posts: 5
Joined: Wed Mar 15, 2023 4:42 am
Location: Las Vegas

Re: Wireguard configured but not handshake

Sun Feb 25, 2024 8:06 pm

add action=accept chain=input dst-port=13231 protocol=udp comment="wireguard handshake"
Thank you, this solved my "no handshake" issue.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard configured but not handshake

Sun Feb 25, 2024 8:46 pm

@hightechlab, no worries, the important thing is not to just copy a rule, stick it in and move on!!

The key is understanding that the handshake is TO the router. Such traffic is handled in the input chain.
