pulegium
just joined
Topic Author
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 10:15 am

Hi,

Trying to set up Wireguard access from my phone, and followed the instructions here: https://help.mikrotik.com/docs/display/ROS/WireGuard

iOS wg client stuck in a loop sending handshakes. On the router side, I can see packets hitting the input accept firewall rule, but nothing else happens. Wireguard peers show 0 traffic, and no handshake time.

As a first step I'd like to see just handshake completing, will worry about local access or going out to the internet next.

Logs show (where y.y.y.y is the external IP):

wgfw input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac xx:xx:xx:xx:xx:xx, proto UDP, x.x.x.x:3095->y.y.y.y:13231, len 176

router config:

# oct/16/2022 07:36:16 by RouterOS 7.5
# software id = VC32-0YFP
#
# model = RB5009UG+S+
# serial number = XXX
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no igmp-snooping=yes \
    multicast-querier=yes name=bridge protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="PPP uplink"
set [ find default-name=ether2 ] comment=wired
set [ find default-name=ether3 ] comment=wifi
set [ find default-name=ether4 ] comment=services
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=\
    disabled name=pppoe-out1 use-peer-dns=yes user=xxx
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment="wired - clients" interface=bridge name=vlan10 vlan-id=10
add comment="wifi - clients" interface=bridge name=vlan11 vlan-id=11
add comment="wifi - guest" interface=bridge name=vlan12 vlan-id=12
add comment=jail interface=bridge name=vlan13 vlan-id=13
add comment=service interface=bridge name=vlan14 vlan-id=14
add comment="podman containers" interface=bridge name=vlan15 vlan-id=15
add comment=management interface=bridge name=vlan99 vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=wired-clients ranges=10.4.10.100-10.4.10.250
add name=wifi-clients ranges=10.4.11.100-10.4.11.250
add name=management ranges=10.4.99.100-10.4.99.250
add name=wifi-guest ranges=10.4.12.100-10.4.12.250
add name=services ranges=10.4.14.100-10.4.14.250
add name=podman ranges=10.4.15.10-10.4.15.30
add name=jail ranges=10.4.13.100-10.4.13.250
/ip dhcp-server
add address-pool=wired-clients interface=vlan10 lease-time=3h name=\
    wired-clients
add address-pool=wifi-clients interface=vlan11 lease-time=23h59m59s name=\
    wifi-clients
add address-pool=management interface=vlan99 name=management
add address-pool=wifi-guest interface=vlan12 lease-time=3h name=wifi-guest
add address-pool=services interface=vlan14 lease-time=3h name=services
add address-pool=podman interface=vlan15 lease-time=12h name=podman
add address-pool=jail interface=vlan13 lease-time=3h name=jail
/interface bridge port
add bridge=bridge comment="wired clients" frame-types=admit-only-vlan-tagged \
    interface=ether2
add bridge=bridge comment=wifi frame-types=admit-only-vlan-tagged interface=\
    ether3
add bridge=bridge comment=management frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=99
add bridge=bridge comment=services frame-types=admit-only-vlan-tagged \
    interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="wired clients" tagged=bridge,ether2,ether3 \
    vlan-ids=10
add bridge=bridge comment="wifi clients" tagged=ether3,ether2,bridge \
    vlan-ids=11
add bridge=bridge comment=management tagged=ether2,bridge untagged=ether8 \
    vlan-ids=99
add bridge=bridge comment="wifi guest" tagged=ether3,bridge,ether2 vlan-ids=\
    12
add bridge=bridge comment=services tagged=ether4,bridge vlan-ids=14
add bridge=bridge comment="podman containers" tagged=bridge,ether4 vlan-ids=\
    15
add bridge=bridge comment=jail tagged=ether4,bridge vlan-ids=13
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan11 list=LAN
add interface=vlan99 list=LAN
add interface=vlan14 list=LAN
add disabled=yes interface=vlan12 list=LAN
add disabled=yes interface=vlan13 list=LAN
add interface=vlan15 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=xxx endpoint-address="" interface=\
    wireguard1 public-key="bMZ<...>"
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.4.10.1/24 comment="wired - clients" interface=vlan10 network=\
    10.4.10.0
add address=10.4.11.1/24 comment="wifi - clients" interface=vlan11 network=\
    10.4.11.0
add address=10.4.99.1/24 comment=management interface=vlan99 network=\
    10.4.99.0
add address=10.4.12.1/24 comment="wifi - guest" interface=vlan12 network=\
    10.4.12.0
add address=10.4.13.1/24 comment=jail interface=vlan13 network=10.4.13.0
add address=10.4.14.1/24 comment=services interface=vlan14 network=10.4.14.0
add address=10.4.15.1/24 comment="podman containers" interface=vlan15 \
    network=10.4.15.0
add address=10.4.200.1/24 interface=wireguard1 network=10.4.200.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.4.10.0/24 dns-server=10.4.15.33 domain=some.domain gateway=\
    10.4.10.1 netmask=24
add address=10.4.11.0/24 dns-server=10.4.15.33 domain=some.domain gateway=\
    10.4.11.1 netmask=24
add address=10.4.12.0/24 dns-server=1.1.1.1 gateway=10.4.12.1 netmask=24
add address=10.4.13.0/24 dns-server=10.4.15.33 domain=some.domain gateway=\
    10.4.13.1 netmask=24
add address=10.4.14.0/24 dns-server=1.1.1.1 gateway=10.4.14.1 netmask=24
add address=10.4.15.0/24 dns-server=1.1.1.1 gateway=10.4.15.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=wireguard dst-port=13231 log=yes \
    log-prefix=wgfw protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input port=25565 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=FW_
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=25565 protocol=tcp to-addresses=\
    10.4.15.43 to-ports=25565
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system logging
add prefix=wg topics=wireguard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

iOS client config:

[Interface]
PrivateKey = GKc<...>
Address = 10.4.200.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = 50j<...>
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:13231
PersistentKeepalive = 5

Thank you!!
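The log line in the post already carries one useful fact: RouterOS prints the IP total length, and 176 = 20 (IPv4 header) + 8 (UDP header) + 148 bytes, which is exactly the size of a WireGuard handshake-initiation message, so the phone's first packet is reaching the router intact. The following Python is an added example, not code from the thread or from MikroTik: it reads firewall log lines of the form shown above (constructed sample lines with documentation-range addresses), maps each packet length to the WireGuard message type it can only be, and reports whether the peer is stuck re-sending initiations. It assumes IPv4 without options and the fixed message sizes from the WireGuard protocol definition.

```python
import re
from collections import Counter

# Constructed sample: three RouterOS firewall log lines in the form the first post shows,
# with documentation-range addresses in place of the redacted x.x.x.x / y.y.y.y.
SAMPLE_LOG = """\
wgfw input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.5:3095->198.51.100.9:13231, len 176
wgfw input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.5:3095->198.51.100.9:13231, len 176
wgfw input: in:pppoe-out1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.5:3095->198.51.100.9:13231, len 176
"""

IPV4_HEADER = 20  # assumption: IPv4 without options; "len" in the log is the IP total length
UDP_HEADER = 8
# Fixed-size WireGuard messages, in UDP payload bytes (from the protocol definition).
FIXED_SIZES = {148: "handshake-initiation", 92: "handshake-response", 64: "cookie-reply"}

LOG_RE = re.compile(
    r"proto UDP, (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)"
)


def classify(ip_total_length):
    """Map a logged packet length to the WireGuard message type it can be."""
    payload = ip_total_length - IPV4_HEADER - UDP_HEADER
    if payload in FIXED_SIZES:  # checked first, so a 64-byte payload reads as cookie-reply
        return FIXED_SIZES[payload]
    # Transport data: 16-byte header, plaintext padded to a multiple of 16, 16-byte auth tag.
    # So at least 32 bytes (a keepalive) and always a multiple of 16.
    if payload >= 32 and payload % 16 == 0:
        return "transport-data"
    return "not-wireguard"


def parse_log(text):
    """Extract src, dst and message kind from each log line carrying a UDP 5-tuple."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"src": f"{m['src']}:{m['sport']}",
                           "dst": f"{m['dst']}:{m['dport']}",
                           "kind": classify(int(m["length"]))})
    return events


def diagnose(text):
    """Summarise what the input-chain log shows about the tunnel state.

    Only inbound packets traverse the input chain, so the router's own handshake
    responses never appear here; what is visible is whether the initiator keeps retrying."""
    counts = Counter(e["kind"] for e in parse_log(text))
    if not counts:
        status = "no-wireguard-traffic-logged"
    elif counts["transport-data"]:
        status = "tunnel-carrying-data"
    elif counts["handshake-initiation"] > 1:
        # repeated initiations and never any data: no usable response went back to the peer
        status = "stuck-in-handshake"
    else:
        status = "handshake-in-progress"
    return counts, status


if __name__ == "__main__":
    counts, status = diagnose(SAMPLE_LOG)
    print(dict(counts), status)
```

Run against a longer capture of the `wgfw` log, "stuck-in-handshake" with no transport-data narrows the fault to what happens after the firewall accept: key pairing, allowed-address, or the interface itself, rather than the path from the phone to the router.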
 
jvanhambelgium
Forum Veteran
Posts: 858
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 10:57 am

/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=xxx endpoint-address="" interface=\
wireguard1 public-key="bMZ<...>"

The allowed-address field on the Mikrotik must not be 0.0.0.0/0 but the remote peer IP!
Also... the public key does not match? The key "bMZ<...>" must be on your Android device in the config section in the public field?
On the "peer" definition on your Android phone, the remote peer "public key" must match this? This must be "bMZ<...>"
You might want to test without the "persistentkeepalives".

[Peer]
PublicKey = 50j<...>
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:13231
PersistentKeepalive = 5


As a reference, my config (I use it almost daily and it has worked since day 1 across dozens of RouterOS versions):

/interface wireguard
add comment="WireGuard Network" disabled=no listen-port=13231 mtu=1320 name=wireguard1
/interface wireguard peers
add allowed-address=192.168.1.1/32 comment=GalaxyS21 disabled=no endpoint-address="" endpoint-port=0 interface=wireguard1 public-key="ea<...>"

0 R ;;; WireGuard Network
name="wireguard1" mtu=1320 listen-port=13231 private-key="..." public-key="KH<..>"


...then the Android app:

[Interface]
PublicKey = ea<...>
Address = 192.168.1.1/32
DNS = 1.1.1.1

[Peer]
PublicKey = KH<...>
AllowedIPs = 0.0.0.0/0
Endpoint = x.x.x.x:13231
(no preshared keys or persistent keepalives used)
 
pulegium
just joined
Topic Author
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 1:41 pm

On mikrotik I did try allowed-address 10.4.200.2/32, though same thing - no handshake.

Re keys, I think they are ok?

Mikrotik public key is "50j<...>". On the phone side, the peer is mikrotik, and so the peer's public key is "50j<...>"

Similarly, phone's public key is "bMZ<...>", so on Mikrotik side, peer (phone) public key is "bMZ<...>".

Unless I'm misunderstanding something in how wireguard auth should work?...
 
jvanhambelgium
Forum Veteran
Posts: 858
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 2:14 pm

Hmm, then I guess I've missed something and interpreted your config wrong. Indeed it should just be (only) that

On the phone the peer points to the public-key of the MT-device. On MT-device "peer" subconfig, the public key should match the "interface" section on the phone.
You are sure no hidden spaces crept into the config on your phone? Did you import a config-file or push in the key manually?
Did you configure on Mikrotik in WINBOX or CLI? (e.g. adding the peer etc.) Should not matter but...

Did you check more in-depth logging? There is a "topic" wireguard that you can enable in the logging on the Mikrotik side. Does that add anything useful to the logging output?
On my RouterOS release, there is not that much logging; just when the peer is gone (after I disconnect WG on my phone) I see some messages that the peer could not be reached, re-trying etc., etc., but nothing more fancy in the way of useful logging...
 
holvoetn
Forum Guru
Posts: 1826
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 2:18 pm

On Mikrotik, allowed address should only be the peer IP, if that's all that needs to be connected.
If you're connecting different LANs with their own subnets, that's something else.

Just to be sure...
- Public key of INTERFACE for Mikrotik is what is used as public key for peer in wg app of client. yes/no?
- public key of client (on top of the wg app) is what is used as public key on PEER side of mikrotik. yes/no?
 
anav
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 2:27 pm

Can you ping the public IP of the MT router from the remote device?
Wireguard peer has to be, as JV stated, the peer address.

On the peer put for DNS 10.4.200.1
 
pulegium
just joined
Topic Author
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 8:40 pm

> Can you ping the public IP of the MT router from the remote device?
Can't really ping from the phone (not sure how?). But I can see the input firewall rule counter increasing when I start the WG client on the phone (i.e. every second, when the phone attempts to initiate the handshake, I see the counter increase by 1 on MT. When I stop the client, the counter stops).
> Wireguard peer has to be, as JV stated, the peer address.
> On the peer put for DNS 10.4.200.1
OK, fixed that too now.
> Just to be sure...
> - Public key of INTERFACE for Mikrotik is what is used as public key for peer in wg app of client. yes/no?
> - public key of client (on top of the wg app) is what is used as public key on PEER side of mikrotik. yes/no?
Yes to both.

on MT:
- interface public key: 50j<...>
- peer public key: bMZ<...>

on iOS:
- interface public key (top entry): bMZ<...>
- peer public key: 50j<...>
> You are sure no hidden spaces crept into the config on your phone? Did you import a config-file or push in the key manually?
> Did you configure on Mikrotik in WINBOX or CLI? (e.g. adding the peer etc.) Should not matter but...
Emailed the keys between my workstation that I use to configure MT and the phone. Then copy-pasted. They look ok, tried multiple times. I'm not using any fancy clients, so it shouldn't be converting to utf8.
I configured using the web UI (don't have a Windows machine), though CLI "print" commands show the same output as expected/described in the manual.
> Did you check more in-depth logging? There is a "topic" wireguard that you can enable in the logging on the Mikrotik side. Does that add anything useful to the logging output?
> On my RouterOS release, there is not that much logging; just when the peer is gone (after I disconnect WG on my phone) I see some messages that the peer could not be reached, re-trying etc., etc., but nothing more fancy in the way of useful logging...
Not seeing anything in the logs, except that firewall message. It's almost like the packet hits MT, is accepted by the firewall, but then never reaches the WG interface. Counters on the wg interface never increase. I know WG is an L3 interface, but aren't some routing rules required to "move" traffic from the ppp interface to the wg interface? I mean, what happens (or should happen) when a WG UDP packet hits the external interface (PPP in this instance)? It hits the firewall, is matched against the input chain rule, which says it's ok, accept. And then what?

WG interface is configured to listen on 13231, does that mean it listens on all interfaces on MT?
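The pairing rules the replies spell out (the phone's [Peer] names the router's interface key, the router's peer entry names the phone's interface key, allowed-address covers the phone's tunnel address and is not 0.0.0.0/0 for a single road-warrior peer, Endpoint port equals listen-port) can be checked mechanically before touching the router again. The Python below is an added example, not code from the thread or from RouterOS: it parses a wg-quick style file and a RouterOS export fragment in the backslash-continued form shown in the thread, reports each rule, and checks that every key is well-formed (44 characters of standard base64 decoding to 32 bytes; '+' and '/' are legal characters, a stray space or a dropped character is not). The keys and addresses in it are constructed placeholders, and the router's interface public key is passed in separately because the export shown in the thread does not contain it (it comes from `/interface/wireguard print`).

```python
import base64
import binascii
import ipaddress
import re

# Constructed sample data: base64 encodings of constant 32-byte strings stand in for the
# real keys, which the thread redacts as "50j<...>" and "bMZ<...>".
PHONE_PRIV = base64.b64encode(bytes([3] * 32)).decode()  # [Interface] PrivateKey on the phone
PHONE_PUB = base64.b64encode(bytes([1] * 32)).decode()   # shown at the top of the phone's WG app
ROUTER_PUB = base64.b64encode(bytes([2] * 32)).decode()  # from "/interface/wireguard print"

PHONE_CONF = f"""\
[Interface]
PrivateKey = {PHONE_PRIV}
Address = 10.4.200.2/32
DNS = 10.4.200.1

[Peer]
PublicKey = {ROUTER_PUB}
AllowedIPs = 0.0.0.0/0
Endpoint = 198.51.100.9:13231
"""

# Relevant fragment of a RouterOS export, with the exporter's backslash line continuations.
ROS_EXPORT = f"""\
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.4.200.2/32 endpoint-address="" \\
    interface=wireguard1 public-key=\\
    "{PHONE_PUB}"
"""


def key_is_well_formed(key):
    """A WireGuard key is 32 bytes in standard base64: 44 characters, '+' and '/' allowed."""
    try:
        return len(key) == 44 and len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def parse_wg_quick(text):
    """Parse the [Interface]/[Peer] INI-style file the phone apps use (single peer)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def parse_routeros_export(text):
    """Collect 'add k=v ...' entries under each '/path' section of a RouterOS export."""
    joined, pending = [], ""
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if pending:
            raw = raw.lstrip()  # continuation lines are indented by the exporter
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        joined.append(pending + raw)
        pending = ""
    result, section = {}, None
    for line in joined:
        if line.startswith("/"):
            section = line.strip()
            result.setdefault(section, [])
        elif section and line.startswith("add "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line[4:])
            result[section].append({k: v.strip('"') for k, v in pairs})
    return result


def cross_check(phone_conf, phone_pub, ros_export, router_pub):
    """Return {rule: bool} for the pairing rules discussed in the thread."""
    phone = parse_wg_quick(phone_conf)
    ros = parse_routeros_export(ros_export)
    iface = ros["/interface wireguard"][0]
    peer = ros["/interface wireguard peers"][0]
    phone_addr = ipaddress.ip_interface(phone["Interface"]["Address"]).ip
    allowed = [ipaddress.ip_network(a) for a in peer["allowed-address"].split(",")]
    endpoint_port = int(phone["Peer"]["Endpoint"].rsplit(":", 1)[1])
    return {
        "all_keys_well_formed": all(key_is_well_formed(k) for k in
                                    (phone_pub, router_pub, peer["public-key"], phone["Peer"]["PublicKey"])),
        # the phone's [Peer] must carry the router's *interface* key ...
        "phone_peer_key_is_router_interface_key": phone["Peer"]["PublicKey"] == router_pub,
        # ... and the router's peer entry must carry the phone's *interface* key
        "router_peer_key_is_phone_interface_key": peer["public-key"] == phone_pub,
        "phone_address_within_allowed_address": any(phone_addr in net for net in allowed),
        "allowed_address_is_not_default_route": all(net.prefixlen > 0 for net in allowed),
        "endpoint_port_matches_listen_port": endpoint_port == int(iface["listen-port"]),
    }


if __name__ == "__main__":
    for rule, ok in cross_check(PHONE_CONF, PHONE_PUB, ROS_EXPORT, ROUTER_PUB).items():
        print(f"{'ok ' if ok else 'BAD'} {rule}")
```

Swapping the two public keys, which is the mistake the replies keep circling, flips both key checks to BAD; a key pasted with a trailing space or a missing character fails the well-formedness check, so the two most common copy-and-paste errors are caught without any guessing about invisible characters.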
 
anav
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 9:24 pm

Post the config on both again so we are talking about the latest config please.
 
jvanhambelgium
Forum Veteran
Posts: 858
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Wireguard - clients cannot complete handshake

Sun Oct 16, 2022 9:28 pm

Like in your config, the INPUT chain must have 1 rule to allow UDP/xxxxx (whatever you run WG on) on the WAN interface.
Now it all depends on the config, but my FORWARD chain also has 2 rules to allow traffic FROM/TO the "peers" (e.g. a peer that needs to connect to my Plex server on the LAN etc.)
I do NOT have my wireguard1 interface mapped on "LAN".

But even without these rules I would think you should be able to establish the connection, and various "drops" would become visible in the logs if your peer wants to reach some internal resource and is not allowed (of course IF you log it...)
 
anav
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - clients cannot complete handshake

Mon Oct 17, 2022 12:37 am

> add interface=wireguard1 list=LAN
Yeah, his rules should suffice for connectivity... makes no sense...
For example, all but LAN should be blocked to the router via the input chain.
All traffic on the forward chain is allowed except WAN not NATted.
 
pulegium
just joined
Topic Author
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Re: Wireguard - clients cannot complete handshake

Tue Oct 18, 2022 7:10 pm

Hi, below is current configuration, updated as per above.

Client:

[Interface]
PrivateKey = GKc<...>
Address = 10.4.200.2/32
DNS = 10.4.200.1

[Peer]
PublicKey = 50j<...>
AllowedIPs = 0.0.0.0/0
Endpoint = <external ip>:13231

MT config

# oct/18/2022 16:55:18 by RouterOS 7.5
# software id = VC32-0YFP
#
# model = RB5009UG+S+
# serial number = <...>
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no igmp-snooping=yes \
    multicast-querier=yes name=bridge protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="PPP uplink"
set [ find default-name=ether2 ] comment=wired
set [ find default-name=ether3 ] comment=wifi
set [ find default-name=ether4 ] comment=services
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=\
    disabled name=pppoe-out1 use-peer-dns=yes user=<...>
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add comment="wired - clients" interface=bridge name=vlan10 vlan-id=10
add comment="wifi - clients" interface=bridge name=vlan11 vlan-id=11
add comment="wifi - guest" interface=bridge name=vlan12 vlan-id=12
add comment=jail interface=bridge name=vlan13 vlan-id=13
add comment=service interface=bridge name=vlan14 vlan-id=14
add comment="podman containers" interface=bridge name=vlan15 vlan-id=15
add comment=management interface=bridge name=vlan99 vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=wired-clients ranges=10.4.10.100-10.4.10.250
add name=wifi-clients ranges=10.4.11.100-10.4.11.250
add name=management ranges=10.4.99.100-10.4.99.250
add name=wifi-guest ranges=10.4.12.100-10.4.12.250
add name=services ranges=10.4.14.100-10.4.14.250
add name=podman ranges=10.4.15.10-10.4.15.30
add name=jail ranges=10.4.13.100-10.4.13.250
/ip dhcp-server
add address-pool=wired-clients interface=vlan10 lease-time=3h name=\
    wired-clients
add address-pool=wifi-clients interface=vlan11 lease-time=23h59m59s name=\
    wifi-clients
add address-pool=management interface=vlan99 name=management
add address-pool=wifi-guest interface=vlan12 lease-time=3h name=wifi-guest
add address-pool=services interface=vlan14 lease-time=3h name=services
add address-pool=podman interface=vlan15 lease-time=12h name=podman
add address-pool=jail interface=vlan13 lease-time=3h name=jail
/interface bridge port
add bridge=bridge comment="wired clients" frame-types=admit-only-vlan-tagged \
    interface=ether2
add bridge=bridge comment=wifi frame-types=admit-only-vlan-tagged interface=\
    ether3
add bridge=bridge comment=management frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=99
add bridge=bridge comment=services frame-types=admit-only-vlan-tagged \
    interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment="wired clients" tagged=bridge,ether2,ether3 \
    vlan-ids=10
add bridge=bridge comment="wifi clients" tagged=ether3,ether2,bridge \
    vlan-ids=11
add bridge=bridge comment=management tagged=ether2,bridge untagged=ether8 \
    vlan-ids=99
add bridge=bridge comment="wifi guest" tagged=ether3,bridge,ether2 vlan-ids=\
    12
add bridge=bridge comment=services tagged=ether4,bridge vlan-ids=14
add bridge=bridge comment="podman containers" tagged=bridge,ether4 vlan-ids=\
    15
add bridge=bridge comment=jail tagged=ether4,bridge vlan-ids=13
/interface list member
add interface=bridge list=LAN
add interface=pppoe-out1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan11 list=LAN
add interface=vlan99 list=LAN
add interface=vlan14 list=LAN
add disabled=yes interface=vlan12 list=LAN
add disabled=yes interface=vlan13 list=LAN
add interface=vlan15 list=LAN
add interface=wireguard1 list=LAN
/interface wireguard peers
add allowed-address=10.4.200.2/32 endpoint-address="" \
    interface=wireguard1 public-key=\
    "bMZ<...>"
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=10.4.10.1/24 comment="wired - clients" interface=vlan10 network=\
    10.4.10.0
add address=10.4.11.1/24 comment="wifi - clients" interface=vlan11 network=\
    10.4.11.0
add address=10.4.99.1/24 comment=management interface=vlan99 network=\
    10.4.99.0
add address=10.4.12.1/24 comment="wifi - guest" interface=vlan12 network=\
    10.4.12.0
add address=10.4.13.1/24 comment=jail interface=vlan13 network=10.4.13.0
add address=10.4.14.1/24 comment=services interface=vlan14 network=10.4.14.0
add address=10.4.15.1/24 comment="podman containers" interface=vlan15 \
    network=10.4.15.0
add address=10.4.200.1/24 interface=wireguard1 network=10.4.200.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.4.10.0/24 dns-server=10.4.15.33 domain=some.domain gateway=\
    10.4.10.1 netmask=24
add address=10.4.11.0/24 dns-server=10.4.15.33 domain=some.domain gateway=\
    10.4.11.1 netmask=24
add address=10.4.12.0/24 dns-server=1.1.1.1 gateway=10.4.12.1 netmask=24
add address=10.4.13.0/24 dns-server=10.4.15.33 domain=some.domain gateway=\
    10.4.13.1 netmask=24
add address=10.4.14.0/24 dns-server=1.1.1.1 gateway=10.4.14.1 netmask=24
add address=10.4.15.0/24 dns-server=1.1.1.1 gateway=10.4.15.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=wireguard dst-port=13231 log=yes \
    log-prefix=wgfw protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input port=25565 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=FW_
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=25565 protocol=tcp to-addresses=\
    10.4.15.43 to-ports=25565
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system logging
add prefix=wg topics=wireguard
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I'm totally out of ideas what to try...
 
anav
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - clients cannot complete handshake

Tue Oct 18, 2022 7:32 pm

Me too, I see nothing wrong with your selection for wireguard. The only difference on my iPhone is I use DNS settings of 1.1.1.1,9.9.9.9

The one error I see is this...

add action=accept chain=input port=25565 protocol=tcp
add action=dst-nat chain=dstnat dst-port=25565 protocol=tcp to-addresses=\
    10.4.15.43 to-ports=25565

Dst-NAT takes precedence, so that input chain rule is useless, besides the fact that it has no business being there.

So the question is why doesn't the handshake complete.
I'm assuming the input chain rule counts one on the attempt, aka it receives traffic but the tunnel never connects???
 
anav
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - clients cannot complete handshake

Tue Oct 18, 2022 7:39 pm

Just for giggles and testing, add three rules.

add chain=input action=accept in-interface=wireguard1 (before the last rule in the IN chain)
add chain=forward action=accept in-interface=wireguard1 out-interface-list=WAN (before the last rule in the FW chain)
add chain=forward action=accept in-interface=wireguard1 out-interface-list=LAN (before the last rule in the FW chain)

If that doesn't work, suggest reload with version 7.6 firmware and put the config back in...
 
holvoetn
Forum Guru
Posts: 1826
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard - clients cannot complete handshake  [SOLVED]

Tue Oct 18, 2022 7:59 pm

Maybe time to netinstall and then import config again

Not the first who has solved an issue this way.
 
pulegium
just joined
Topic Author
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Re: Wireguard - clients cannot complete handshake

Tue Oct 18, 2022 11:06 pm

> I'm assuming the input chain rule counts one on the attempt, aka it receives traffic but the tunnel never connects???
Looks like it... Hitting the 13231 accept rule, and disappearing into the ether...
> Just for giggles and testing, add three rules.
OK, just tried that. Same. And none of them are being hit.
> If that doesn't work, suggest reload with version 7.6 firmware and put the config back in...
> Maybe time to netinstall and then import config again
Oh man... was fearing this. And btw, I did try a reboot, also, no joy.
 
pulegium
just joined
Topic Author
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Re: Wireguard - clients cannot complete handshake

Tue Oct 18, 2022 11:15 pm

Did an upgrade to 7.6, same. Is an upgrade massively different from a complete reinstall (netboot?)
 
anav
Forum Guru
Posts: 14423
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard - clients cannot complete handshake

Tue Oct 18, 2022 11:51 pm

Well, try wireguard with 7.6 and if that is still not working then perhaps netinstall may be in order... In other words, the config inherited some issue and it's being kept and hidden.
Could happen I suppose if you used any beta firmwares along the way.
 
holvoetn
Forum Guru
Posts: 1826
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wireguard - clients cannot complete handshake

Wed Oct 19, 2022 12:27 am

> Did an upgrade to 7.6, same. Is an upgrade massively different from a complete reinstall (netboot?)
Netinstall is really starting from a pristine clean system, no leftovers from previous versions.
 
pulegium
just joined
Topic Author
Posts: 22
Joined: Wed Feb 02, 2022 11:07 pm

Re: Wireguard - clients cannot complete handshake

Fri Dec 30, 2022 1:10 pm

Sorry for no updates, but arranging for a maintenance window is much harder at home than anywhere else :)

Anyway, problem solved:
* complete reinstall (netinstall)
* reapply same config (I just exported existing and gave that as a script parameter to netinstall)
* still not working
* deleted wg interface/peer
* deleted wg config on my phone
* created new wg config on both ends
* everything's working!

I did regenerate keys on the phone a few times to make sure the key is only the [a-zA-Z0-9] set of chars; not sure if relevant, but I wanted to avoid '/', etc. just to be sure. Not going to experiment to find out if that's really a problem, but it's something I've done as part of the reconfig.

Thanks everyone for your help!!
