Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

WireGuard VPN - Handshake error

Sat Oct 15, 2022 8:25 am

Good day everyone!

I am using an RB4011+RM router and am having a problem connecting to my WireGuard through the static IP of my ISP.
I use the road-warrior default configuration, and I tried to connect from my ANDROID using the static IP of my ISP as the endpoint in the Android config, but there is a HANDSHAKE ERROR returning "did not complete after 5 seconds".
I can connect to my WireGuard inside my network through Wi-Fi, but on my Android's mobile data carrier I can't connect and get that handshake error.
As I check in the firewall it's hitting this rule, but it looks like it's not returning the handshake connection:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp place-before=1
I also added a rule to accept UDP traffic in srcnat and one to accept forward traffic in the firewall, but no luck: I'm still getting errors, and those firewall rules I added are not being hit.


I don't know what I missed; I hope someone can guide me and help me troubleshoot. :>
 
pulegium
just joined
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Re: WireGuard VPN - Handshake error

Sat Oct 15, 2022 10:04 am

Hi,

Funny, that. I'm having exactly the same problem. I followed https://help.mikrotik.com/docs/display/ROS/WireGuard to the letter.

WG interface set up, peer added, firewall rules as well (for local access I just added wg interface to LAN group).

I'm stuck right at the beginning, client (iphone wg app) attempts connection, but never gets to complete the handshake.

I can see the accept rule being hit, packet counters going up with every handshake packet, but that's it.

I enabled wireguard logging on the router and the only message I'm seeing is:
input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 42:8f:9d:7f:a1:67, proto UDP, A.A.A.A:4780->X.X.X.X:13231, len 176
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard VPN - Handshake error

Sat Oct 15, 2022 10:21 am

@pulegium
Best to start your own thread. It is not always certain the issue is related.
Post the link here so we can find you.

Both:
Post the full config of your MikroTik as well as the settings of the client device for the WireGuard part.
terminal: /export file=<anynameyouwish>
Review the export for public info (serial number, public IP, private/public keys, ...; put something in place so we know it is there but we cannot see what it was), then post it between [code] tags.
It can also help to have a small drawing of your network indicating how the router is connected to your ISP modem, other devices in between, ... (a piece of paper and pencil is good enough)
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: WireGuard VPN - Handshake error

Sat Oct 15, 2022 11:41 am

Hi @holvoetn, here's my config
# oct/15/2022 16:21:08 by RouterOS 7.5
# model = RB4011iGS+
/interface bridge
add admin-mac=08:55:31:40:3D:0C auto-mac=no comment="defconf Converge" name=\
    88bridge
add comment="defconf New Lan" name=172bridge
add comment=":defconf PLDT" name=178bridge
add comment="defconf Server Network" name=sapnetwork_bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ConvergeBiz
set [ find default-name=ether2 ] arp=disabled
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=\
    ether2 keepalive-timeout=30 name=PLDTEnterprise user=IMAXS213
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=WIFI name=WIFI
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
add add-arp=yes interface=88bridge lease-time=52w1d name=defconfHOME
add add-arp=yes interface=178bridge lease-time=52w1d name=defconENT
add add-arp=yes interface=sapnetwork_bridge lease-time=52w1d name=defonserver
/ip pool
add name=home-dhcp ranges=192.168.88.20-192.168.88.254
add name=enterprise-dhcp ranges=192.168.178.10-192.168.178.254
add name=newlan ranges=172.16.0.20-172.16.1.254
/ip dhcp-server
add add-arp=yes address-pool=newlan disabled=yes interface=172bridge \
    lease-time=52w1d name=defconNewlan
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=yes name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add fib name=88_Subnet
add fib name=178_Subnet
add fib name=172_Subnet
add fib name=LAN1_TO_WAN1
add fib name=LAN2_TO_WAN2
add disabled=no fib name=use-WG
add disabled=no fib name=wg-iterf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=88bridge comment=defconf88 ingress-filtering=no interface=ether4
add bridge=sapnetwork_bridge comment="defconf Server Network" \
    ingress-filtering=no interface=ether10
add bridge=88bridge ingress-filtering=no interface=ether5
add bridge=178bridge comment=defconf178 ingress-filtering=no interface=ether6
add bridge=178bridge ingress-filtering=no interface=ether7
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=88bridge list=LAN
add comment=defconf interface=ether1-ConvergeBiz list=WAN
add interface=ether2 list=WAN
add interface=178bridge list=LAN
add interface=PLDTEnterprise list=WAN
add interface=172bridge list=LAN
add interface=sapnetwork_bridge list=LAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
    "TEST"
/ip address
add address=192.168.88.1/24 comment=defconf interface=88bridge network=\
    192.168.88.0
add address=192.168.178.1/24 interface=178bridge network=192.168.178.0
add address=192.168.0.1/24 comment=defconf interface=sapnetwork_bridge \
    network=192.168.0.0
add address=172.16.0.1/23 interface=172bridge network=172.16.0.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add comment=defconf interface=ether1-ConvergeBiz use-peer-dns=no
add add-default-route=no comment="defconf FOR CONVERGE" disabled=yes \
    interface=ether3 use-peer-dns=no
/ip dhcp-server network
add address=172.16.0.0/23 dns-server=172.16.0.1 gateway=172.16.0.1
add address=192.168.0.0/24 dns-server=192.168.0.2 gateway=192.168.0.1 \
    netmask=24
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.178.0/24 dns-server=192.168.178.1 gateway=192.168.178.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.116 name=SAPSERVER ttl=1d5s
add address=192.168.0.117 name=HOSTSERVER ttl=1d5s
add address=192.168.178.122 name=SALESSERVER ttl=1d5s
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
    192.168.100.0/24
add action=accept chain=input comment="allow WireGuard" dst-port=51820 log=\
    yes log-prefix=accepted_wg_con protocol=udp
add action=reject chain=forward comment="blck facebook" disabled=yes \
    layer7-protocol=block_facebook log-prefix=Block protocol=tcp reject-with=\
    tcp-reset src-address-list=!fb_aclist
add action=accept chain=forward comment="ALLOW PORT FORWARDING WEBSERVER" \
    connection-nat-state=dstnat disabled=yes dst-address=192.168.178.122 \
    dst-port=9991 in-interface=PLDTEnterprise protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=NotLAN
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment=\
    "defconf:FastTrack accept established,related Priority Sites" \
    connection-mark=priority-conn connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=88bridge log-prefix=!public_from_LAN \
    out-interface=!88bridge
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=178bridge log-prefix=!public_from_LAN \
    out-interface=!178bridge
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=sapnetwork_bridge log-prefix=\
    !public_from_LAN out-interface=!sapnetwork_bridge
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv4
add action=accept chain=icmp comment="echo reply" disabled=yes icmp-options=\
    0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=yes \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=yes \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" disabled=yes icmp-options=3:4 \
    protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=yes \
    icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=yes \
    icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" disabled=yes \
    icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=yes
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
    address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
    address-list-timeout=10m chain=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s \
    protocol=tcp tcp-flags=syn,ack
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "browsing-con for Priority websites " connection-bytes=0-1000000 \
    disabled=yes dst-address-list=Priority dst-port=80,443 \
    new-connection-mark=priority-conn passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="Priority TCP Pckt" \
    connection-mark=priority-conn disabled=yes new-packet-mark=priority_pckt \
    passthrough=no
add action=mark-connection chain=prerouting comment="ZOOM TCP" disabled=yes \
    dst-address-list=zoom_ip dst-port=80,443,8801,8802,5091 \
    new-connection-mark=tcp_zoom passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment="ZoomTCP Pckt" \
    connection-mark=tcp_zoom disabled=yes new-packet-mark=zoom_pckt \
    passthrough=no
add action=mark-connection chain=prerouting comment="ZOOM UDP" disabled=yes \
    dst-address-list=zoom_ip dst-port=3478,3479,8801-8810,20000-64000 \
    new-connection-mark=udp_zoom passthrough=yes protocol=udp
add action=mark-packet chain=prerouting comment="ZoomUDP Pckt" \
    connection-mark=udp_zoom disabled=yes new-packet-mark=zoom_pckt \
    passthrough=no
add action=mark-routing chain=prerouting comment="LAN1 TO WAN 1" disabled=yes \
    new-routing-mark=LAN1_TO_WAN1 passthrough=yes src-address-list=\
    "88 Network"
add action=mark-routing chain=prerouting comment="LAN2 TO WAN 2" disabled=yes \
    new-routing-mark=LAN2_TO_WAN2 passthrough=yes src-address-list=\
    "178 Network"
/ip firewall nat
add action=accept chain=srcnat disabled=yes out-interface=PLDTEnterprise \
    src-address=192.168.100.1
add action=masquerade chain=srcnat comment="defconf: All masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    disabled=yes dst-address=255.255.255.255 dst-port=67 in-interface-list=\
    LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4 log-prefix=badipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=192.168.88.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=\
    192.168.178.0/24 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
add action=drop chain=prerouting comment="Defconf: dropping ddos attacker" \
    dst-address-list=ddos-target src-address-list=ddos-attackers
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip route
add comment=CONVERGE disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    192.168.1.254 pref-src="" routing-table=88_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="PLDT ENTERPRISE" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=PLDTEnterprise pref-src="" routing-table=178_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="REROUTE 88" disabled=yes distance=1 dst-address=0.0.0.0/0 \
    gateway=PLDTEnterprise pref-src="" routing-table=88_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="NEW LAN NETWORK" disabled=yes dst-address=0.0.0.0/0 gateway=\
    PLDTEnterprise routing-table=172_Subnet
add comment="REROUTE 178" disabled=yes distance=1 dst-address=0.0.0.0/0 \
    gateway=192.168.1.254 pref-src="" routing-table=178_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=USE-WG disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    PLDTEnterprise pref-src="" routing-table=use-WG scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=89
set ssh disabled=yes
set www-ssl disabled=no port=449
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ip traffic-flow
set active-flow-timeout=5m interfaces=88bridge
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup-only-in-table comment=88_Subnet disabled=no src-address=\
    192.168.88.0/24 table=88_Subnet
add action=lookup-only-in-table comment=178_Subnet disabled=no src-address=\
    192.168.178.0/24 table=178_Subnet
add action=lookup-only-in-table disabled=no src-address=172.16.0.0/23 table=\
    172_Subnet
add action=lookup-only-in-table disabled=no src-address=192.168.100.2/32 \
    table=use-WG
add action=lookup-only-in-table disabled=no src-address=192.168.100.1/24 \
    table=wg-iterf
/system clock
set time-zone-name=Asia/Manila
/system clock manual
set dst-delta=+08:00 dst-end="jan/01/2029 00:00:00" dst-start=\
    "jan/01/2022 00:00:00" time-zone=+08:00
/system identity
set name=Graphic
/system resource irq rps
set sfp-sfpplus1 disabled=no
/system scheduler
add name=Reboot on-event="system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=sep/10/2022 start-time=08:00:00
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.88.0/24 interface=88bridge store-on-disk=no
add allow-address=192.168.178.0/24 interface=178bridge store-on-disk=no
add interface=PLDTEnterprise store-on-disk=no
add interface=ether1-ConvergeBiz store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard VPN - Handshake error

Sat Oct 15, 2022 11:57 am

Config of the client device as well, please.

Just to confirm (since it is not visible):
- The public key of the INTERFACE is what is used as the public key for the peer in the WG app of the client. Yes/no?
- The public key of the client (at the top of the WG app) is what is used as the public key on the peer side of the MikroTik. Yes/no?
But since it works internally, I assume those are OK.

- You ARE sure that port is reachable from outside on your MikroTik? Nothing on the ISP side which could block that? No port forwarding needed?
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: WireGuard VPN - Handshake error

Sat Oct 15, 2022 12:22 pm

Config of the client device as well, please.

Just to confirm (since it is not visible):
- The public key of the INTERFACE is what is used as the public key for the peer in the WG app of the client. Yes/no?
- The public key of the client (at the top of the WG app) is what is used as the public key on the peer side of the MikroTik. Yes/no?
But since it works internally, I assume those are OK.

- You ARE sure that port is reachable from outside on your MikroTik? Nothing on the ISP side which could block that? No port forwarding needed?


Mikrotik Peer Config
/interface wireguard peers
add allowed-address=192.168.100.2/32 interface=wireguard1 public-key=\
    "m41ebBaNxzC3NPDdiYVcwU5gxC/+Z9lJRUpOdWuXdEE="

My Android WG Config
[Interface]
Address = 192.168.100.2/32
DNS = 8.8.8.8
ListenPort = 51820
MTU = 1420
PrivateKey = 

[Peer]
AllowedIPs = 0.0.0.0/0, 192.168.100.2/32
Endpoint = MyISPStaticIP:51820
PersistentKeepalive = 40
PublicKey = UngymIi8GRngu2a1F+yy+V04RGp8Rj2r7lo3pupvZFk=


Yes, those you mention are right in my config. As I said, I can connect to WG if I'm using the internal network through my Wi-Fi, with the WG interface IP 192.168.100.1 as the endpoint in the config,
but over the external connection (mobile data) I can't connect if I use MyISPStaticIP as the endpoint in the Android config.
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: WireGuard VPN - Handshake error

Sat Oct 15, 2022 1:38 pm

I am not seeing anything obvious right now ...

If you go to IP / Cloud, does it correspond to the static IP you are expecting ?
 
anav
Forum Guru
Posts: 14483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard VPN - Handshake error

Sat Oct 15, 2022 5:46 pm

I am confused about your WAN setup.

(1) (A) First you have a PPPoE setup, which is where normally DHCP is done when connecting to the ISP
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=\
ether2 keepalive-timeout=30 name=PLDTEnterprise user=IMAXS213


(B) Then you have entries in IP DHCP Client?

(C) To top it off, you reference two different ether ports in this setting??
/ip dhcp-client
add comment=defconf interface=ether1-ConvergeBiz use-peer-dns=no
add add-default-route=no comment="defconf FOR CONVERGE" disabled=yes \
interface=ether3 use-peer-dns=no

(3) WireGuard peer settings seem okay (as per holvoetn, ensuring keys match up properly)

(4) Slight mod to one of the firewall rules (the firewall rules setup is a farce, bloated and unnecessarily complex, but that's just my opinion)
From:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24 in-interface=wireguard1

(5) I would add two firewall rules to ensure you are allowing traffic as required... (if your intent was to reach subnets behind the router) and the internet!!
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN
add chain=forward action=accept in-interface=wireguard1 out-interface-list=WAN


(6) What is with the accept rule in the masquerade rules...........?????
Fix it; the first rule should either be:
add action=masquerade chain=srcnat disabled=yes out-interface=PLDTEnterprise \
src-address=192.168.100.0/24

OR
add action=masquerade chain=srcnat disabled=yes out-interface=PLDTEnterprise \
in-interface=wireguard1


However, in this case there is no need for a masquerade rule for WireGuard clients, as the default masquerade source NAT rule will handle your client-to-WAN traffic from WireGuard.
Thus REMOVE this poorly configured rule......
add action=accept chain=srcnat disabled=yes out-interface=PLDTEnterprise \
src-address=192.168.100.1



(7) What is the purpose of this rule??
add comment=USE-WG disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PLDTEnterprise pref-src="" routing-table=use-WG scope=30 \
suppress-hw-offload=no target-scope=10

Are you telling me you have subnet users that will go out your Android phone for internet????

(8) Similarly, what the heck is the purpose of this routing rule.......
add action=lookup-only-in-table disabled=no src-address=192.168.100.1/24 \
table=wg-iterf


First of all, there is no route I could see for the routing rule of wg-iterf ???????????????

Secondly, why would you need to control traffic coming out of the WireGuard tunnel? It's already tied to a specific interface, and you can visit your LAN subnets or go out to the local internet without issue.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: WireGuard VPN - Handshake error

Tue Oct 18, 2022 7:12 am

I am confused about your WAN setup.

(1) (A) First you have a PPPoE setup, which is where normally DHCP is done when connecting to the ISP
/interface pppoe-client
add allow=chap,mschap1,mschap2 dial-on-demand=yes disabled=no interface=\
ether2 keepalive-timeout=30 name=PLDTEnterprise user=IMAXS213


(B) Then you have entries in IP DHCP Client?

(C) To top it off, you reference two different ether ports in this setting??
/ip dhcp-client
add comment=defconf interface=ether1-ConvergeBiz use-peer-dns=no
add add-default-route=no comment="defconf FOR CONVERGE" disabled=yes \
interface=ether3 use-peer-dns=no

(3) WireGuard peer settings seem okay (as per holvoetn, ensuring keys match up properly)

(4) Slight mod to one of the firewall rules (the firewall rules setup is a farce, bloated and unnecessarily complex, but that's just my opinion)
From:
/ip firewall filter
add action=accept chain=input comment="allow WireGuard traffic" src-address=\
192.168.100.0/24 in-interface=wireguard1

(5) I would add two firewall rules to ensure you are allowing traffic as required... (if your intent was to reach subnets behind the router) and the internet!!
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN
add chain=forward action=accept in-interface=wireguard1 out-interface-list=WAN


(6) What is with the accept rule in the masquerade rules...........?????
Fix it; the first rule should either be:
add action=masquerade chain=srcnat disabled=yes out-interface=PLDTEnterprise \
src-address=192.168.100.0/24

OR
add action=masquerade chain=srcnat disabled=yes out-interface=PLDTEnterprise \
in-interface=wireguard1


However, in this case there is no need for a masquerade rule for WireGuard clients, as the default masquerade source NAT rule will handle your client-to-WAN traffic from WireGuard.
Thus REMOVE this poorly configured rule......
add action=accept chain=srcnat disabled=yes out-interface=PLDTEnterprise \
src-address=192.168.100.1



(7) What is the purpose of this rule??
add comment=USE-WG disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
PLDTEnterprise pref-src="" routing-table=use-WG scope=30 \
suppress-hw-offload=no target-scope=10

Are you telling me you have subnet users that will go out your Android phone for internet????

(8) Similarly, what the heck is the purpose of this routing rule.......
add action=lookup-only-in-table disabled=no src-address=192.168.100.1/24 \
table=wg-iterf


First of all, there is no route I could see for the routing rule of wg-iterf ???????????????

Secondly, why would you need to control traffic coming out of the WireGuard tunnel? It's already tied to a specific interface, and you can visit your LAN subnets or go out to the local internet without issue.
I have two WANs: ether1 is currently behind the CGNAT of the ISP router, and ether2 (PLDT, via PPPoE) is the one with the static IP...
Sorry for some out-of-this-world configuration that came from experimenting. Thank you, I'll take your corrections/advice. I'll give feedback after some workloads get done.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: WireGuard VPN - Handshake error

Tue Oct 18, 2022 11:19 am

I am not seeing anything obvious right now ...

If you go to IP / Cloud, does it correspond to the static IP you are expecting ?

The public IP I get in IP/Cloud is from my ISP 1, which is behind NAT, so the remote connection won't work via ISP1. I just want to use the public static IP of ISP2, which is what I want to make work.
 
Eduardo25
newbie
Topic Author
Posts: 26
Joined: Fri Mar 12, 2021 11:49 pm

Re: WireGuard VPN - Handshake error  [SOLVED]

Mon Oct 24, 2022 9:29 am

@holvoetn @anav

I just solved my problem by removing the IP routes of WAN 1 and adding the default routes of my WAN 2,
add dst-address=0.0.0.0/0 gateway=PLDTEnterprise routing-table=main
which has the static IP. Now I can connect using mobile data when connecting to the static WAN IP.

I usually use routing rules to separate the two subnets to each ISP; the reason I put in general routes is that the device (router) itself won't get internet otherwise.
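The whole diagnosis in this thread can be read straight out of an /export: whether the input chain accepts UDP on the port the WireGuard interface actually listens on (the first post's rule used 13231 while the export shows 51820), whether the main routing table has an enabled default route (the router's own handshake reply is routed with it unless a routing rule says otherwise, which is consistent with the one-line route that solved the problem), and whether a stray action=accept sits in srcnat, which exempts matching packets from the masquerade rule rather than allowing anything, as anav pointed out. As an added example, not code from this thread or from MikroTik, here is a Python checker that parses the export's backslash line-continuation format and reports those three findings. The excerpt it runs on is constructed from rules posted above and is not the full export; treating a route with no routing-table= as belonging to main is an assumption of mine.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the export posted in this thread (not the full export).
SAMPLE_EXPORT = r"""
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=51820 log=\
    yes log-prefix=accepted_wg_con protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=NotLAN
/ip firewall nat
add action=accept chain=srcnat disabled=yes out-interface=PLDTEnterprise \
    src-address=192.168.100.1
add action=masquerade chain=srcnat comment="defconf: All masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="PLDT ENTERPRISE" disabled=no distance=1 dst-address=0.0.0.0/0 \
    gateway=PLDTEnterprise pref-src="" routing-table=178_Subnet scope=30 \
    suppress-hw-offload=no target-scope=10
"""

# Same excerpt plus the one route the solved post added.
FIXED_EXPORT = SAMPLE_EXPORT + (
    "add dst-address=0.0.0.0/0 gateway=PLDTEnterprise routing-table=main\n")

# key=value pairs; values may be double-quoted (comments with spaces) or empty.
_KV = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')


def parse_export(text):
    """Parse RouterOS /export text into {section: [entry, ...]}.

    Lines ending in a backslash continue on the next line (the export wraps
    at 80 columns, sometimes in the middle of a token), so they are joined
    first with the continuation's leading whitespace removed.
    """
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    sections, current = defaultdict(list), None
    for line in joined:
        if line.startswith("/"):          # section header such as "/ip route"
            current = line
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            entry = {"_cmd": line.split(" ", 1)[0]}
            for key, val in _KV.findall(line):
                entry[key] = val[1:-1] if val.startswith('"') else val
            sections[current].append(entry)
    return sections


def _enabled(entry):
    return entry.get("disabled", "no") != "yes"


def check_wireguard(text):
    """Return human-readable findings for the handshake-relevant parts of an export."""
    s = parse_export(text)
    findings = []
    wg_ifaces = [e for e in s.get("/interface wireguard", []) if e["_cmd"] == "add"]
    if not wg_ifaces:
        return ["no WireGuard interface defined"]
    udp_in = [e for e in s.get("/ip firewall filter", [])
              if e.get("chain") == "input" and e.get("action") == "accept"
              and e.get("protocol") == "udp" and _enabled(e)]
    for iface in wg_ifaces:
        name, port = iface.get("name", "?"), iface.get("listen-port")
        if not any(e.get("dst-port") == port for e in udp_in):
            findings.append(f"{name}: no enabled input accept rule for udp/{port}")
        for e in udp_in:   # the first post's rule allowed 13231 while listening on 51820
            if e.get("dst-port") != port and "wireguard" in e.get("comment", "").lower():
                findings.append(f"{name}: rule '{e['comment']}' allows udp/{e['dst-port']} "
                                f"but the interface listens on udp/{port}")
    # The router's own handshake reply is routed with the main table unless a
    # routing rule says otherwise; with no default route there it never leaves.
    # Assumption: a route without routing-table= belongs to main.
    if not any(e.get("dst-address") == "0.0.0.0/0" and _enabled(e)
               and e.get("routing-table", "main") == "main"
               for e in s.get("/ip route", [])):
        findings.append("no enabled default route in routing table 'main'")
    # action=accept in srcnat stops NAT processing for matching packets, so it
    # exempts them from the masquerade rule rather than allowing anything.
    for e in s.get("/ip firewall nat", []):
        if e.get("chain") == "srcnat" and e.get("action") == "accept":
            state = "enabled" if _enabled(e) else "disabled"
            findings.append(f"srcnat accept rule ({state}, src {e.get('src-address', 'any')}) "
                            "exempts traffic from masquerade; the default masquerade "
                            "rule already covers WireGuard clients")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_EXPORT), ("after fix", FIXED_EXPORT)):
        print(f"== {label} ==")
        for f in check_wireguard(text) or ["no findings"]:
            print(" -", f)
```

Run it against a real export by reading the file into check_wireguard(); the "as posted" run reports the missing main-table default route and the srcnat accept, while the "after fix" run only reports the srcnat accept, matching the order in which the thread resolved things.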
