TIL #4 - Mikrotik WireGuard VPN stops working
WireGuard, why hast thou forsaken me?
I'd had an issue with my self-hosted VPN for a few days now; more to the point, it had just stopped working.
I run a WireGuard VPN through my MikroTik router, and it was surprisingly easy to configure, which is not something MikroTik products are known for. I was suspicious, and it turns out I had every reason to be.
Troubleshooting
I like to work my way from the outside in when dealing with problems; I find that it really helps with pinpointing the exact issue (for me, anyway).
I started with the connection itself on my phone. Checking the logs, everything was working: Connection established. Moving on.
The next step is the firewall settings. With MikroTik, it’s always the firewall. Or DNS. That’s the other culprit usually.
Looking at the interface packet statistics, it was clear that something was wrong there: no TX packets, just RX.
Of course I had not touched the config in a while (that needs some preparation: full moon, blood of a black rooster, candles, etc.), so I looked at the official documentation for configuring WireGuard in RoadWarrior mode. Going over the settings I came across the firewall config and remembered that I had not created a firewall rule for the traffic but had instead added the wg1 interface to the LAN interface list.
Let’s check this out…
[user@router] > /interface/list/member/pr
Flags: D - DYNAMIC
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
;;; Wireguard interface added manually
2 LAN wg1
;;; WAN detected
3 D WAN veth1
;;; WAN detected
4 D WAN wg1
And of course the wg1 interface is also in the WAN interface list. “Detected” my ass…
Removing the interface from the WAN interface list fixed the issue. While I was at it, I also removed the veth1 interface (used for the Pi-hole container running on the router) from the WAN list and added it to the LAN list, just to be sure.
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
;;; Wireguard interface added manually
2 LAN wg1
;;; VETH1 interface added manually
3 LAN veth1
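As an added example (not code from the original post), here is a small Python script that parses the text printed by /interface/list/member/print and flags any interface that is a member of more than one list, which is exactly how wg1 ended up in both LAN and WAN above. The two listings from this post are embedded as constructed sample input; the parser, the Member record, find_conflicts and report are my own names, not anything RouterOS provides.

```python
"""Flag interfaces that appear in more than one RouterOS interface list.

Added example, not code from the original post. It parses the text printed by
`/interface/list/member/print` (the two listings below are copied from the post
and embedded as constructed sample input) and reports every interface that is a
member of two different lists. Names such as Member and find_conflicts are my own.
"""
import re
from dataclasses import dataclass

# Listing from the post before the fix: wg1 is in LAN (manual) and WAN (dynamic).
BROKEN = """\
[user@router] > /interface/list/member/pr
Flags: D - DYNAMIC
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
;;; Wireguard interface added manually
2 LAN wg1
;;; WAN detected
3 D WAN veth1
;;; WAN detected
4 D WAN wg1
"""

# Listing from the post after the fix: every interface is in exactly one list.
FIXED = """\
Columns: LIST, INTERFACE
# LIST INTERFACE
;;; defconf
0 LAN bridge
;;; defconf
1 WAN ether1
;;; Wireguard interface added manually
2 LAN wg1
;;; VETH1 interface added manually
3 LAN veth1
"""


@dataclass(frozen=True)
class Member:
    index: int
    list_name: str
    interface: str
    dynamic: bool   # True for rows carrying the D flag (added by RouterOS, not by hand)
    comment: str    # the preceding ';;;' comment line, if any


# "<index> [D] <LIST> <INTERFACE>": the row shape of the print output above
ROW = re.compile(r"^(\d+)\s+(?:(D)\s+)?(\S+)\s+(\S+)$")


def parse_members(text: str) -> list[Member]:
    """Turn the print output into Member records, attaching ';;;' comments to the next row."""
    members: list[Member] = []
    pending_comment = ""
    for raw in text.splitlines():
        line = raw.strip()
        # the prompt, the Flags/Columns headers and the '#' column header carry no data
        if not line or line.startswith(("[", "Flags:", "Columns:", "#")):
            continue
        if line.startswith(";;;"):
            pending_comment = line[3:].strip()
            continue
        match = ROW.match(line)
        if match is None:
            raise ValueError(f"unrecognised line in member listing: {line!r}")
        index, flag, list_name, interface = match.groups()
        members.append(Member(int(index), list_name, interface, flag == "D", pending_comment))
        pending_comment = ""
    return members


def find_conflicts(members: list[Member]) -> dict[str, list[Member]]:
    """Return {interface: memberships} for interfaces that sit in more than one list."""
    by_interface: dict[str, list[Member]] = {}
    for member in members:
        by_interface.setdefault(member.interface, []).append(member)
    return {
        interface: rows
        for interface, rows in by_interface.items()
        if len({row.list_name for row in rows}) > 1
    }


def report(text: str) -> list[str]:
    """One human-readable line per conflicting interface; an empty list means all clear."""
    lines = []
    for interface, rows in sorted(find_conflicts(parse_members(text)).items()):
        detail = ", ".join(
            f"{row.list_name}{' (dynamic: ' + row.comment + ')' if row.dynamic else ''}"
            for row in sorted(rows, key=lambda r: r.index)
        )
        lines.append(f"{interface}: in {detail}")
    return lines


if __name__ == "__main__":
    for label, listing in (("before fix", BROKEN), ("after fix", FIXED)):
        print(f"{label}: {report(listing) or ['no interface is in more than one list']}")
```

Running it reports "wg1: in LAN, WAN (dynamic: WAN detected)" for the first listing and nothing for the second. The dynamic flag is kept in the output on purpose: a D entry is one the router added on its own, so it is the first thing to look at when an interface you placed in LAN by hand also shows up in WAN. From my own RouterOS experience rather than anything the post states, such "WAN detected" members are produced by the detect-internet feature, which is where I would start when looking for the automatic detection the conclusion wants to turn off.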
Conclusion
A quick search did not come up with anything, but in the future I'd like to find a way to disable the automatic detection of interfaces. Network equipment should not try to guess what I wanted to do with my interfaces. It's interesting, because up until now my impression was that MikroTik gives you full control over everything, and when you break something the thing just sits there mocking you. Perhaps that's not enough for the AI anymore, and they've decided to actively screw us over.
If any of the future robot overlords read this; I FOR ONE, WELCOME OUR AI OVERLORDS!