I am struggling to configure Wireguard on my home network, and was hoping to get a second (or multiple) set of eyes on the config.
Basic topology:
- Home network with a physical MikroTik router running RouterOS 7.14.1 and RouterBOARD firmware 7.14.1
- Test client 1 running on HP ChromeBook (ChromeOS) using the Android Wireguard client
- Test client 2 running latest Android on a Pixel 7 phone
Issue:
Upon attempting to connect to the router via WG, the client logs "Sending Handshake initiation" over and over. There is no connectivity from the client to the home network or the internet, either via hostname or IP address (e.g. I can't reach 192.168.x.x or run `dig @8.8.8.8`). Packet monitoring and inspection is difficult on a ChromeBook at best, but I did manage to get a few packet captures that Wireshark shows are essentially the same thing: a repeated Handshake message to the public IP of my home router.
I've been up, down, and sideways through this forum and others and am unable to resolve the issue. So I'm reaching out for help...
RouterOS Config:
# 2024-03-17 15:31:54 by RouterOS 7.14.1
# software id = **ELIDED**
#
# model = RB750Gr3
# serial number =
#
# NOTE(review): lines marked NOTE(review) are annotations added while reviewing
# this export; the configuration statements themselves are unchanged.
/interface bridge
add admin-mac=**ELIDED** auto-mac=no comment=defconf name=bridge \
port-cost-mode=short
/interface wireguard
add comment="WG Home Network" listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# NOTE(review): wireguard1 is a member of LAN, so the defconf input rule
# "drop all not coming from LAN" never applies to tunnel traffic: any peer that
# completes a handshake can reach every service the router itself listens on.
add interface=wireguard1 list=LAN
/interface ovpn-server server
# NOTE(review): a second VPN server (OVPN) is enabled with sha1 / aes256-cbc,
# both legacy choices; if it is not in use, disabling it removes a service.
set auth=sha1 certificate=server cipher=aes256-cbc enabled=yes \
require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
# NOTE(review): allowed-address is both the set of source addresses the router
# accepts from this peer and the destinations it sends into the tunnel to it;
# 0.0.0.0/0 lets the peer use any source address. The client's own tunnel
# address (192.168.40.5/32 in the posted client config) is the expected value.
# NOTE(review): an initiation that is resent forever and never answered is most
# often a key mismatch: public-key here must be the ChromeBook's public key and
# the client's [Peer] PublicKey must be wireguard1's public key. Both are
# elided, so this cannot be checked from the export.
add allowed-address=0.0.0.0/0 client-endpoint=me.example.com \
comment=ChromeBook interface=wireguard1 public-key=**ELIDED**
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=192.168.40.1/24 comment=wireguard1 interface=wireguard1 network=\
192.168.40.0
/ip cloud
# NOTE(review): the client's Endpoint is a hostname. Confirm it resolves to the
# address ether1 currently holds and that this address is a public one (not a
# carrier-NAT address from the dhcp-client); otherwise initiations never reach
# the router, and the logged "wg" filter rule below will show no entries.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.20 mac-address=**ELIDED** server=defconf
add address=192.168.88.10 mac-address=**ELIDED** server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=**ELIDED** gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=**ELIDED**
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): the next five rules admit IPsec NAT-T, IKE, L2TP, PPTP and SSTP
# from every interface, WAN included, and all precede the WAN drop. Only the
# services actually in use should stay open; PPTP in particular relies on weak
# authentication (MS-CHAPv2) and is not recommended for remote access.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# NOTE(review): the next two rules are identical (udp/13231, log prefix "wg"),
# so the second can never match. Because they log, the "wg" prefix doubles as
# an arrival check: no such log entries while the client keeps retrying means
# the initiations are not reaching ether1 at all.
add action=accept chain=input comment="allow wireguard" dst-port=13231 log=\
yes log-prefix=wg protocol=udp
add action=accept chain=input comment="allow wireguard Handshake" dst-port=\
13231 log=yes log-prefix=wg protocol=udp
# NOTE(review): accepts (and logs) everything from the tunnel to the router
# itself; with wireguard1 already in LAN this is what grants tunnel peers the
# same access to the router as wired LAN hosts.
add action=accept chain=input comment="allow wireguard to other networks" \
in-interface=wireguard1 log=yes log-prefix=wg
# NOTE(review): the wireguard forward rules here and further down are disabled,
# but the forward chain ends without a terminating drop for non-WAN sources, so
# tunnel->LAN and tunnel->WAN forwarding is allowed anyway once the handshake
# works. Presumably intended while troubleshooting - confirm.
add action=accept chain=forward comment="allow wireguard to LAN" disabled=yes \
in-interface=wireguard1 out-interface-list=LAN
add action=accept chain=forward comment="allow wireguard to WAN" disabled=yes \
in-interface=wireguard1 out-interface-list=WAN
# NOTE(review): ICMP is accepted here and again by the defconf ICMP rule below,
# so the later "reject icmp from WAN" rule is unreachable.
add action=accept chain=input comment="Allow ICMP ping" protocol=icmp
# NOTE(review): SSH on 22221 is accepted from any interface and this rule
# precedes the WAN drop, so the router's SSH is reachable from the Internet.
# If WAN access is not required, add in-interface-list=LAN (the tunnel is in
# LAN); otherwise a src-address restriction limits exposure.
add action=accept chain=input comment="Allow SSH" dst-port=22221 protocol=tcp
add action=accept chain=input comment="Allow all internal DNS" dst-port=53 \
protocol=udp src-address=192.168.0.0/16
add action=accept chain=forward comment="fwd LAN to WG" disabled=yes \
dst-address=192.168.40.0/24 src-address=192.168.88.0/24
# NOTE(review): dst-address-list="" is an empty leftover matcher on a disabled
# rule; harmless, but worth clearing if the rule is re-enabled.
add action=accept chain=forward comment="fwd WG to LAN" disabled=yes \
dst-address=192.168.88.0/24 dst-address-list="" src-address=\
192.168.40.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NOTE(review): unreachable - ICMP was already accepted twice earlier in the
# input chain.
add action=reject chain=input in-interface-list=WAN protocol=icmp \
reject-with=icmp-network-unreachable
# NOTE(review): udp/4443 is dst-nat'd to 192.168.88.10 in the nat section;
# the forwarded flow traverses the forward chain, not input, so this input
# accept only matters if the router itself listens on 4443. Likely a leftover
# from troubleshooting - confirm before keeping it.
add action=accept chain=input dst-port=4443 in-interface-list=WAN protocol=\
udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=32400 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat dst-port=4443 in-interface-list=WAN protocol=\
udp to-addresses=192.168.88.10 to-ports=4443
# NOTE(review): 192.168.89.0/24 is the ppp profile's local-address range, not
# the wireguard subnet (192.168.40.0/24); the comment refers to the PPP VPNs.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=dst-nat chain=dstnat dst-port=9098 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.10
add action=dst-nat chain=dstnat dst-port=9099 in-interface=ether1 protocol=\
tcp to-addresses=192.168.88.10
# NOTE(review): unlike the other dst-nat rules this one has no in-interface
# restriction, so tcp/2222 arriving on any interface (WAN included) is forwarded
# to ssh on 192.168.88.10. Once the tunnel works, reaching that host through
# WireGuard avoids exposing its ssh port to the Internet at all.
add action=dst-nat chain=dstnat dst-port=2222 protocol=tcp to-addresses=\
192.168.88.10 to-ports=22
# NOTE(review): ether1 is the WAN list member, so this duplicates the defconf
# masquerade above; harmless but removable.
add action=masquerade chain=srcnat comment="masq. wireguard" out-interface=\
ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
# NOTE(review): presumably 22221, matching the "Allow SSH" filter rule - confirm.
set ssh port=xxxxx
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set enabled=yes interfaces=wireguard1
/ip upnp
# NOTE(review): UPnP with ether1 as the external interface lets any LAN host
# open inbound port-forwards on the WAN side without further review; disable
# it if no LAN device actually needs it.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
add interface=ether2 type=internal
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*2
/ppp secret
add name=vpn
add name=client profile=*1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=wireguard1 name=wg1-out
add interface=bridge name=wg1-in traffic=received
Client (Peer) Config (ChromeBook)
[Interface]
# NOTE(review): a fixed ListenPort is optional for a client that only initiates;
# left unset, the OS picks an ephemeral port.
ListenPort = 51820
PrivateKey = xxx
# NOTE(review): the router-side peer entry's allowed-address should be this /32
# (it is currently 0.0.0.0/0 in the posted RouterOS export).
Address = 192.168.40.5/32
# NOTE(review): no DNS= line; with the full tunnel below, name resolution still
# goes to whatever resolver the client already had, now routed through the
# tunnel. DNS = 192.168.40.1 would use the router, whose filter accepts DNS
# from 192.168.0.0/16.
[Peer]
# NOTE(review): this must be the public key of the router's wireguard1
# interface, not of the peer entry; a wrong key is one common cause of the
# endless "Sending handshake initiation" seen here. Value is elided, so it
# cannot be checked.
PublicKey = **ELIDED**
# NOTE(review): full tunnel. ::/0 is included although the router has IPv6
# disabled and this interface has no IPv6 address, so IPv6 traffic is swallowed
# by the tunnel rather than bypassing it - presumably intended.
AllowedIPs = 0.0.0.0/0, ::/0
# NOTE(review): port matches the router's listen-port 13231; confirm the
# hostname resolves to the router's current public address.
Endpoint = me.example.com:13231
Packet Capture:
Note that the RouterOS config still contains some cruft left behind by earlier troubleshooting steps, but I believe I have disabled all (or most) of it and am back to a stripped-down config.
Any thoughts, comments, or inspiration would certainly be appreciated!
Thanks,
Jason