Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

wireguard on android

Tue Oct 04, 2022 4:35 pm

Hello my friends! So has anyone tried to use WireGuard on an Android phone, and did the connection work properly?
This is my configuration both in the MikroTik and on my phone, and until now I don't have a connection.
Side Note 1: I previously set up WireGuard on my PC and the connection works normally.
Side Note 2: In the endpoint section I put my public IP address.
Side Note 3: I set up a firewall rule in my MikroTik router for this connection as follows:
chain: input
protocol: UDP
dst-port: 47222
action: accept
 
jvanhambelgium
Forum Veteran
Posts: 860
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: wireguard on android

Tue Oct 04, 2022 4:49 pm

Works fine here.
In your screenshots I see counters on both Rx/Tx and "last handshake" values, so it seems a connection WAS established.
I would think THE CONNECTION itself is working, but perhaps DNS is not working?

What do you mean "I don't have a connection" ?
 
erlinden
Forum Guru
Posts: 1290
Joined: Wed Jun 12, 2013 1:59 pm

Re: wireguard on android

Tue Oct 04, 2022 4:53 pm

Difference I see when I look at my settings in Android (and please provide /wireguard export excluding the keys):

MTU left auto
Persistent keepalive left empty

What you can do (besides above):
Check if the firewall filter rule is hit
Check if the peer shows on the router
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Tue Oct 04, 2022 5:16 pm

Works fine here.
In your screenshots I see counters on both Rx/Tx and "last handshake" values, so it seems a connection WAS established.
I would think THE CONNECTION itself is working, but perhaps DNS is not working?

What do you mean "I don't have a connection" ?
Yes, I noticed that, but the connection does not exist; every minute I get 2 KiB, give or take. I compared those values with my PC, which already has an active WireGuard, and there is a big difference in the values.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Tue Oct 04, 2022 5:23 pm

Difference I see when I look at my settings in Android (and please provide /wireguard export excluding the keys):

MTU left auto
Persistent keepalive left empty

What you can do (besides above):
Check if the firewall filter rule is hit
Check if the peer shows on the router
I tried your settings but still no connection.
So what about the allowed address, is 0.0.0.0/0 good?
On my Windows machine's WireGuard I remember that when I changed the allowed address from 0.0.0.0/0 to 172.16.0.1/24 (which represents my LAN address) the connection became active. But in my Android scenario I can't change the allowed address to anything with /24, I don't know why! So any suggestions?
 
jvanhambelgium
Forum Veteran
Posts: 860
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: wireguard on android

Tue Oct 04, 2022 5:26 pm

0.0.0.0/0 is fine, I also have it on my Android phone (meaning everything is pushed through the tunnel).
But remember, make sure your Mikrotik is then configured correctly to allow this WireGuard client to make DNS lookups, and make sure it has NAT config to access the internet if the range of the WireGuard peer is different from your Mikrotik LAN/bridge range, etc.

Meaning, putting 0.0.0.0/0 has consequences! If you only put something like 192.168.0.0/16 then nothing destined for the "Internet" is going to the central Mikrotik! Only packets with destinations in 192.168.0.0/16.

I don't use any keepalives on my phone config, that field is empty.
Last edited by jvanhambelgium on Tue Oct 04, 2022 7:49 pm, edited 1 time in total.
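The two posts above (the question about 172.16.0.1/24 versus 0.0.0.0/0, and the answer that 0.0.0.0/0 pushes everything through the tunnel) come down to WireGuard's cryptokey routing: on the client, AllowedIPs is the list of destination prefixes sent into the tunnel, chosen by longest-prefix match. The Python model below is an added example written for this thread, not code from the original posts or from the WireGuard project; the peer names, prefixes and destinations in it are constructed.

```python
"""Added example, not code from this thread or from the WireGuard project:
a small model of WireGuard's cryptokey routing, to show what the AllowedIPs
field on the phone decides (the 0.0.0.0/0 vs 172.16.0.1/24 question above).

On the client, AllowedIPs lists the destination prefixes that are sent into
the tunnel (and the only source prefixes accepted back from that peer).
Peer names, prefixes and destinations below are constructed for the example.
"""
import ipaddress


def parse_allowed_ips(spec):
    """Turn a comma-separated AllowedIPs string into network objects.

    strict=False clears host bits, so '172.16.0.1/24' becomes the prefix
    172.16.0.0/24: AllowedIPs entries are prefixes, not host addresses.
    """
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def normalize_allowed_ips(spec):
    """Canonical AllowedIPs string with host bits cleared."""
    return ",".join(str(net) for net in parse_allowed_ips(spec))


def select_peer(peers, dst):
    """Longest-prefix match across every peer's AllowedIPs.

    peers: {peer_name: allowed_ips_spec}. Returns the peer whose AllowedIPs
    best match dst, or None when no prefix matches (the packet stays off the
    tunnel and uses the phone's own uplink).
    """
    address = ipaddress.ip_address(dst)
    best_peer, best_len = None, -1
    for name, spec in peers.items():
        for net in parse_allowed_ips(spec):
            if address in net and net.prefixlen > best_len:
                best_peer, best_len = name, net.prefixlen
    return best_peer


def route_table(peers, destinations):
    """Map each destination to the peer it is tunnelled to (None = direct)."""
    return {dst: select_peer(peers, dst) for dst in destinations}


# Constructed phone configurations: one full-tunnel, one LAN-only.
FULL_TUNNEL = {"mikrotik": "0.0.0.0/0"}
LAN_ONLY = {"mikrotik": "192.168.0.0/16"}
DESTINATIONS = ["192.168.1.1", "192.168.50.1", "8.8.8.8"]

if __name__ == "__main__":
    print("172.16.0.1/24 is really", normalize_allowed_ips("172.16.0.1/24"))
    for label, peers in (("full tunnel", FULL_TUNNEL), ("LAN only", LAN_ONLY)):
        print(label, route_table(peers, DESTINATIONS))
```

With 0.0.0.0/0 every destination, DNS and Internet alike, is handed to the router, which is why the router then needs an input rule for DNS from the tunnel and NAT/forward rules for Internet traffic; with a LAN-only prefix, Internet traffic never reaches the router at all, and a DNS server outside that prefix is unreachable through the tunnel.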
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: wireguard on android

Tue Oct 04, 2022 6:49 pm

As indicated above (and verified on my setup):
Leave MTU on auto
No persistent keepalive
0.0.0.0/0 is perfectly fine
The fact that you see TX/RX moving on that peer means there is a handshake, so both peers see each other.

Is 192.168.2.2 your local DNS server? Have you already tried replacing it with the more common (and evil :lol:) Google DNS 8.8.8.8 (just to rule out that problem)?

Then I am more interested in the complete config on your MT device (mask sensitive info like serial number, keys, etc.):
terminal: /export show-sensitive file=<anynameyouwish>

And post it here between [code] tags.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Tue Oct 04, 2022 7:14 pm

Complete config is needed for sure. /export (minus serial number and any public WAN IP info as well).

Two comments:
First, try using 192.168.50.1 as the DNS server on the Android client; the rest looks fine.
Second, what the config will show is the firewall rules on the MT device, which may not be set up right.

The return route from the client will be auto-created at the MT, so that's not an issue.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Tue Oct 04, 2022 7:58 pm

So this is my MT configuration. I tried all this stuff, but until now it seems that there is no traffic between my Android device and my MikroTik router.
Side Note: when I turn the WireGuard tunnel on my Android on, I lose the internet connection, as you see in the screen below.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Tue Oct 04, 2022 8:30 pm

(1) Why the duplicate pool?
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.200
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.200
add name=dhcp_pool3 ranges=192.168.1.100-192.168.1.150
add name=l2tp ranges=192.168.100.1-192.168.100.200


(2) What is the purpose of this rule.........??
add action=passthrough chain=forward

It's best practice to put all rules in one chain together so they are easy to read and less prone to error.

(3) Wouldn't hurt to add a forward chain rule
add chain=forward action=accept in-interface=wireguard2 out-interface=ether1
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Tue Oct 04, 2022 8:40 pm

(1) Why the duplicate pool?
/ip pool
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.200
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.200
add name=dhcp_pool3 ranges=192.168.1.100-192.168.1.150
add name=l2tp ranges=192.168.100.1-192.168.100.200


(2) What is the purpose of this rule.........??
add action=passthrough chain=forward

It's best practice to put all rules in one chain together so they are easy to read and less prone to error.

(3) Wouldn't hurt to add a forward chain rule
add chain=forward action=accept in-interface=wireguard2 out-interface=ether1
1- The duplicate pool is for testing purposes, so nothing significant.
2- Most of the firewall rules that you see here are from the MikroTik default firewall rules, so this passthrough is one of them; really I don't know what the purpose of this rule is.
3- Yes, I added this rule but still no connection.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Tue Oct 04, 2022 9:13 pm

Not that it probably makes a difference but the MTU on the android does not match the setting on the MT device.
Other than that I don't see the issue in plain sight.
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: wireguard on android

Tue Oct 04, 2022 9:18 pm

What interface list does wireguard belong to?
I was looking for the drop rule to see if it is allowed to pass, but those firewall rules are a bit too messy for my liking... especially when reading that config on a phone screen.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Tue Oct 04, 2022 9:36 pm

It does not, but the forward chain rules are basically non-existent and thus everything is allowed (poor setup).

I concur; if it was my MT, I would remove all the ddos and other crappy rules and firewall address lists, and go with a modern clean set of firewall rules.......

/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="android handshake" dst-port=47222 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward comment="allow wg to internet" in-interface=wireguard out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: wireguard on android

Tue Oct 04, 2022 9:41 pm

In your example wireguard interface also needs to be added to LAN list or you will not be able to access the router nor forward traffic.
Correct ?
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Tue Oct 04, 2022 9:58 pm

Nope, I did not presume a LAN list since the fellow seems to avoid lists, as you can see I added a wg to internet forward rule, but I concur one small change to what I have would be needed.
I suppose one should change all WAN interface-list entries to interface=ether1 as well..............

{Input Chain}
add action=accept chain=input comment="android handshake" dst-port=47222 protocol=udp
add action=accept chain=input in-interface=wireguard comment="android dns udp" dst-port=53 protocol=udp
add action=accept chain=input in-interface=wireguard comment="android dns tcp" dst-port=53 protocol=tcp

{forward chain}
add action=accept chain=forward comment="allow wg to internet" in-interface=wireguard out-interface=ether1

I do agree that if he used lists, then
/interface list member
add interface=wireguard2 list=LAN

would simplify matters such that the three rules I created would not be required and would be covered by the already existing two rules.
{Input Chain}
add action=accept chain=input comment="android handshake" dst-port=47222 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface=ether1
Last edited by anav on Sat Jan 14, 2023 5:51 pm, edited 1 time in total.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Wed Oct 05, 2022 5:04 am

Not that it probably makes a difference but the MTU on the android does not match the setting on the MT device.
Other than that I don't see the issue in plain sight.
The MTU on the client side must be lower than on the server side in order for this connection to work! However, I tried a lot of different values, but to no avail.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Wed Oct 05, 2022 5:09 am

Nope, I did not presume a LAN list since the fellow seems to avoid lists, as you can see I added a wg to internet forward rule, but I concur one small change to what I have would be needed.
I suppose one should change all WAN interface-list entries to interface=ether1 as well..............

{Input Chain}
add action=accept chain=input comment="android handshake" dst-port=47222 protocol=udp
add action=accept chain=input comment="android dns udp" dst-port=53 protocol=udp
add action=accept chain=input comment="android dns tcp" dst-port=53 protocol=tcp

{forward chain}
add action=accept chain=forward comment="allow wg to internet" in-interface=wireguard out-interface=ether1

I do agree that if he used lists, then
/interface list member
add interface=wireguard2 list=LAN

would simplify matters such that the three rules I created would not be required and would be covered by the already existing two rules.
{Input Chain}
add action=accept chain=input comment="android handshake" dst-port=47222 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface=ether1
I disabled my rules and put in your rules, and now I am locked out of the MikroTik, so your rules kicked me out; now I have to go back to my office to disable the rule. My WireGuard tunnel that was already active on my Windows machine is now inactive, and also I can't reach my MikroTik via its public IP...
Last edited by Techsystem on Wed Oct 05, 2022 7:43 am, edited 2 times in total.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Wed Oct 05, 2022 5:14 am

So this is my last config.
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Wed Oct 05, 2022 11:12 am

You are missing the interface list and interface list members in your config........ otherwise you would not have been locked out.
If I had known you were going to get rid of all your rules I would have provided additional info.
 
holvoetn
Forum Guru
Posts: 1831
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: wireguard on android

Wed Oct 05, 2022 12:20 pm

... and the reason why I made my remark about those lists...
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Wed Oct 05, 2022 2:31 pm

Yup, concur. One shouldn't make changes unless:
a. one understands what each line does,
b. one understands that the config is the sum of its parts and interrelated.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Thu Oct 06, 2022 7:27 pm

0.0.0.0/0 is fine, I also have it on my Android phone (meaning everything is pushed through the tunnel).
But remember, make sure your Mikrotik is then configured correctly to allow this WireGuard client to make DNS lookups, and make sure it has NAT config to access the internet if the range of the WireGuard peer is different from your Mikrotik LAN/bridge range, etc.

Meaning, putting 0.0.0.0/0 has consequences! If you only put something like 192.168.0.0/16 then nothing destined for the "Internet" is going to the central Mikrotik! Only packets with destinations in 192.168.0.0/16.

I don't use any keepalives on my phone config, that field is empty.
Hello Mr jvanhambelgium!
So clearly enough it seems that I have a DNS problem in my config and I don't know on which side. So please can you clarify more what you mean by this sentence: "make sure your Mikrotik is configured correctly then to allow this Wireguard-client to make DNS-lookups"?
How can I enable this DNS lookup on my MikroTik device?
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Thu Oct 06, 2022 7:30 pm

You are missing the interface list and interface list members in your config........ otherwise you would not have been locked out.
If I had known you were going to get rid of all your rules I would have provided additional info.
Hello Mr anav... so the connection is active again. If you want to add any info or advice, I am listening. Go ahead.
 
jvanhambelgium
Forum Veteran
Posts: 860
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: wireguard on android

Thu Oct 06, 2022 8:14 pm

Hello Mr jvanhambelgium!
So clearly enough it seems that I have a DNS problem in my config and I don't know on which side. So please can you clarify more what you mean by this sentence: "make sure your Mikrotik is configured correctly then to allow this Wireguard-client to make DNS-lookups"?
How can I enable this DNS lookup on my MikroTik device?
Remember that once packets exit the "wireguard" interface there is the aspect of firewalling!
So in your WireGuard config you provide 192.168.1.1 to the client as the DNS to use. Fine, no problem with that.
Now, ARE the packets from the WireGuard client ALLOWED to talk to 192.168.1.1?

TEST1: Set up/activate your WireGuard on Android and use the "ping" tool. Can you ping 192.168.1.1?!

192.168.1.1 = your "LAN", and your WireGuard is not part of that, so you cannot just assume you can reach any network destination.

What are your current firewall rules for the input/forward chains?
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Thu Oct 06, 2022 8:16 pm

Yes post COMPLETE config
/export (minus serial number and any public WANIP info)
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Thu Oct 06, 2022 8:30 pm

Hello Mr jvanhambelgium!
So clearly enough it seems that I have a DNS problem in my config and I don't know on which side. So please can you clarify more what you mean by this sentence: "make sure your Mikrotik is configured correctly then to allow this Wireguard-client to make DNS-lookups"?
How can I enable this DNS lookup on my MikroTik device?
Remember that once packets exit the "wireguard" interface there is the aspect of firewalling!
So in your WireGuard config you provide 192.168.1.1 to the client as the DNS to use. Fine, no problem with that.
Now, ARE the packets from the WireGuard client ALLOWED to talk to 192.168.1.1?

TEST1: Set up/activate your WireGuard on Android and use the "ping" tool. Can you ping 192.168.1.1?!

192.168.1.1 = your "LAN", and your WireGuard is not part of that, so you cannot just assume you can reach any network destination.

What are your current firewall rules for the input/forward chains?
No, I can't ping 192.168.1.1.
So these are my firewall rules:
/ip firewall filter
add action=accept chain=forward in-interface=wireguard2 out-interface=ether1
add action=accept chain=input comment="allow WireGuard" dst-port=47333 \
protocol=udp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment=l2tp-ipsec in-interface=ether1 protocol=\
ipsec-esp
add action=accept chain=input comment=ipsec in-interface=ether1 protocol=\
ipsec-ah
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input connection-state=invalid

Also, maybe this can make more sense for you.
Last edited by Techsystem on Thu Oct 06, 2022 8:47 pm, edited 1 time in total.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Thu Oct 06, 2022 8:35 pm

Yes post COMPLETE config
/export (minus serial number and any public WANIP info)
This is my complete config.
 
jvanhambelgium
Forum Veteran
Posts: 860
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: wireguard on android

Thu Oct 06, 2022 9:01 pm

add action=accept chain=forward in-interface=wireguard2 out-interface=ether1

What is this supposed to do? Adapt this rule; remove the "out-interface" criterion to start.
You have a generic "masquerading" rule that will NAT everything going out via "ether1", so I don't understand why the above rule is needed.
Did this rule ever have any hits?

Now, on the DNS part => 192.168.1.1 = the Mikrotik "interface" itself (on which you want DNS resolving).
Hence you must have on your INPUT chain a rule allowing that! Try to add the first rule below, allowing traffic from the wireguard2 interface to "hit" your Mikrotik interface(s)
(fine-tuning can be done later, first get it working)

/ip firewall filter
add action=accept chain=input in-interface=wireguard2
add action=accept chain=input comment="allow WireGuard" dst-port=47333 protocol=udp
add action=accept chain=input comment="allow WireGuard" dst-port=13231 protocol=udp
add action=accept chain=input comment=l2tp-ipsec in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment=ipsec in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input connection-state=invalid

Retest that ping?
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Thu Oct 06, 2022 9:06 pm

Your firewall rules are practically non-existent and thus SHOULD pass everything through. This is a blind, terrible approach.

The better approach is to use the default rule set with drop rules at the end of both the input chain and the forward chain. In that regard you know exactly what is allowed and everything else is dropped.
Much clearer and cleaner. (aka get rid of the disorganized noise you have)

BUT FIRST!!!! you need to add the interface list and interface list members so the rules can be properly applied.
Add these rules......
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=LTE name*** list=WAN ( whatever the interface name is that gets the WANIP, sometimes its just ether1 )
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=WLAN1 list=LAN

Now for the firewall default rules that you should be using, and below that the rules you should add!!!!
/ip firewall filter
{Input Chain}
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else" *****
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
.....................

In your case I would add the following rules to the input chain:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input comment="allow WireGuard" dst-port=13231 \
protocol=udp
add action=accept chain=input comment="allow WireGuard" dst-port=47333 \
protocol=udp
add action=accept chain=input comment=l2tp-ipsec in-interface=ether1 \
protocol=ipsec-esp
add action=accept chain=input comment=ipsec in-interface=ether1 protocol=\
ipsec-ah
add action=accept chain=input in-interface=wireguard2 comment="allow admin to config router"

add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"


AND
In your case I would add the following rules to the forward chain, just before the last drop-all rule.......

add chain=forward action=accept in-interface=wireguard2 out-interface-list=LAN comment="wg to LAN traffic"
add chain=forward action=accept in-interface=wireguard2 out-interface-list=WAN comment="wg to internet"

add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
Last edited by anav on Thu Oct 06, 2022 9:12 pm, edited 3 times in total.
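The rule set above, holvoetn's and anav's earlier exchange about putting wireguard2 in the LAN list, the lockout that followed when the OP applied list-based rules without defining the lists, and jvanhambelgium's point that the phone's DNS query must be allowed on the input chain all depend on the same two facts: RouterOS filter rules are first-match within a chain, and an `in-interface-list`/`out-interface-list` matcher with no list members matches nothing. The Python block below is an added example written for this thread, not code from the posts or from MikroTik; it is a simplified model (rules tried top to bottom, accept/drop terminate, fasttrack-connection and passthrough continue, unmatched packets accepted by default) and only models the matchers it uses. The rule text is adapted from anav's post; the packets, interface names and list contents are constructed.

```python
"""Added example, not code from this thread or from MikroTik: a first-match
model of a RouterOS /ip firewall filter chain, showing why the phone's DNS
query needs an input-chain rule for wireguard2 and why list-based rules drop
everything (the lockout above) when the interface lists have no members.

Model assumptions (simplified, not guaranteed to match RouterOS exactly):
rules are tried top to bottom within a chain; accept/drop terminate;
fasttrack-connection and passthrough continue; a packet matching no rule is
accepted (RouterOS default). Packets and list contents are constructed.
"""
import shlex

TERMINATING = {"accept", "drop"}
NON_TERMINATING = {"fasttrack-connection", "passthrough"}
MATCHERS = {"in-interface", "out-interface", "in-interface-list",
            "out-interface-list", "protocol", "dst-port", "dst-address",
            "connection-state", "connection-nat-state"}


def parse_rules(text):
    """Parse 'add key=value ...' lines (export style, backslash continuations)."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue  # menu path lines and blanks
        rule = {}
        for token in shlex.split(line)[1:]:  # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        unknown = set(rule) - MATCHERS - {"action", "chain", "comment"}
        if unknown:
            raise ValueError(f"matcher not modelled: {sorted(unknown)}")
        rules.append(rule)
    return rules


def matches(rule, pkt, lists):
    """True when every matcher in the rule holds for the packet."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        if key == "in-interface":
            ok = pkt["in_interface"] == want
        elif key == "out-interface":
            ok = pkt["out_interface"] == want
        elif key == "in-interface-list":  # an empty list matches nothing
            ok = pkt["in_interface"] in lists.get(want, set())
        elif key == "out-interface-list":
            ok = pkt["out_interface"] in lists.get(want, set())
        elif key == "protocol":
            ok = pkt["protocol"] == want
        elif key == "dst-port":
            ok = str(pkt["dst_port"]) == want
        elif key == "dst-address":
            ok = pkt["dst_address"] == want
        elif key == "connection-state":
            ok = pkt["connection_state"] in want.split(",")
        else:  # connection-nat-state
            ok = pkt["connection_nat_state"] == want
        if not ok:
            return False
    return True


def evaluate(rules, pkt, lists):
    """Return (verdict, comment of the deciding rule) for one packet."""
    for rule in rules:
        if rule["chain"] != pkt["chain"] or not matches(rule, pkt, lists):
            continue
        if rule["action"] in TERMINATING:
            return rule["action"], rule.get("comment", "<no comment>")
        if rule["action"] not in NON_TERMINATING:
            raise ValueError(f"action not modelled: {rule['action']}")
    return "accept", "no rule matched (default policy)"


def pkt(chain, in_if, proto, dport, out_if=None, dst=None, state="new"):
    """A constructed packet as the model sees it (first packet of a flow)."""
    return {"chain": chain, "in_interface": in_if, "out_interface": out_if,
            "protocol": proto, "dst_port": dport, "dst_address": dst,
            "connection_state": state, "connection_nat_state": None}


# Rule text adapted from anav's post above (input and forward chains).
RULES = parse_rules("""
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow WireGuard" dst-port=47333 protocol=udp
add action=accept chain=input comment="allow admin to config router" in-interface=wireguard2
add action=accept chain=input comment="LAN to router" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to LAN traffic" in-interface=wireguard2 out-interface-list=LAN
add action=accept chain=forward comment="wg to internet" in-interface=wireguard2 out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
""")

# Interface lists as anav described them, and the empty lists the OP had.
LISTS_FILLED = {"WAN": {"ether1"}, "LAN": {"ether2", "ether3", "ether4", "WLAN1"}}
LISTS_EMPTY = {"WAN": set(), "LAN": set()}

CASES = {
    "phone DNS query to router": pkt("input", "wireguard2", "udp", 53),
    "WireGuard handshake on WAN": pkt("input", "ether1", "udp", 47333),
    "unsolicited winbox from WAN": pkt("input", "ether1", "tcp", 8291),
    "admin winbox from LAN port": pkt("input", "ether2", "tcp", 8291),
    "phone browsing via router": pkt("forward", "wireguard2", "tcp", 443, out_if="ether1"),
}


def verdicts(lists):
    """Verdict per case for a given set of interface lists."""
    return {name: evaluate(RULES, p, lists)[0] for name, p in CASES.items()}


if __name__ == "__main__":
    for label, lists in (("lists filled", LISTS_FILLED), ("lists empty", LISTS_EMPTY)):
        print(label)
        for name, p in CASES.items():
            print("  %-28s -> %s (%s)" % ((name,) + evaluate(RULES, p, lists)))
```

Run it and compare the two tables: with the lists filled, the phone's DNS query, the handshake, the admin's Winbox session from a LAN port and the phone's browsing are all accepted, while an unsolicited connection from the WAN side to the management port falls through to "drop all else". With the lists empty, the rules that never reference a list (handshake, `in-interface=wireguard2`) still work, but the admin on ether2 and the phone's forwarded traffic hit the final drop rules, which is exactly the lockout the OP described.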
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Thu Oct 06, 2022 9:09 pm

Concur with the previous poster, the forward chain rule you have for wireguard to ether1 is useless.

You will note that I have added the proper input chain rule above, which you were trying to construct, so that the admin can access the router for configuration purposes.
Also CHANGE, in the ANDROID settings, the DNS server to 192.168.50.1.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Fri Oct 07, 2022 11:39 am

Hello my friends! So to everyone who shared their advice or opinion in this discussion, I want to say I am very thankful to you!
I didn't solve the problem yet. I realised that the problem is on my Android device: when I create a WireGuard interface on other devices with the same router and configuration, the connection works very well. So now I have to find out what the problem with my device is, not with my MikroTik router.
Very thankful!
 
anav
Forum Guru
Posts: 14471
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: wireguard on android

Fri Oct 07, 2022 12:58 pm

Ensure you let us know what the issue is when you find it please.
 
Techsystem
Member Candidate
Topic Author
Posts: 219
Joined: Tue Dec 21, 2021 5:12 am

Re: wireguard on android

Fri Oct 07, 2022 12:59 pm

Ensure you let us know what the issue is when you find it please.
I will, Mr anav!
 
satman1w
Member Candidate
Posts: 253
Joined: Mon Oct 02, 2006 11:47 am

Re: wireguard on android

Sat Jan 14, 2023 5:48 pm

Ensure you let us know what the issue is when you find it please.
I will, Mr anav!
Hi, did you make any progress?
