On Wed Jan 13, 2021 at 9:14 PM CET, Posegga, Joachim wrote:
> I am trying to connect multiple wireguard clients behind the same
> NAT-Gateway to a Mikrotik server with a public IP. I am not yet sure
> where exactly the problem is, but it seems that only one client at a
> time can establish a tunnel.
I don't know much about Mikrotik, but my guess is that it's not randomizing source ports for packets egressing the NAT. If that's the case, since WireGuard uses the same port for both source and destination, and since your clients are all connecting to the same server (and thus port), then your NAT can't demux incoming packets, and it just sends them all to the same client. (It probably picks the first one that sends egress packets, until it hits some inactivity time-out.)

You should look into your Mikrotik configuration, looking for a flag to enable source address randomization in NAT (it's sometimes called "masquerading").

Riccardo
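The demultiplexing problem described in the reply above can be shown with a small model of a NAT mapping table. The following is an added example and is not code from the thread, from WireGuard, or from Mikrotik; the NAT class, the IP addresses (documentation ranges) and the "first mapping wins on collision" rule are all constructed for the illustration, the last one mirroring the guess in the reply about the first client that sends egress packets. Two peers behind one NAT both use UDP source port 51820 and both talk to the same server endpoint; with the original source port preserved the server's replies all land on one peer, while with source-port translation each reply reaches the peer that sent the matching handshake.

```python
"""Toy NAT model (constructed for this example; not Mikrotik or WireGuard code).

Shows why a NAT that keeps the original UDP source port cannot demultiplex
replies for two WireGuard peers that both use port 51820 towards the same
server, and why rewriting (randomizing) the source port fixes it.
"""
import random
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)
Flow = Tuple[Endpoint, Endpoint]    # (internal source, remote destination)


class Nat:
    def __init__(self, public_ip: str, translate_ports: bool, seed: int = 1) -> None:
        self.public_ip = public_ip
        self.translate_ports = translate_ports
        self.rng = random.Random(seed)
        self.out: Dict[Flow, int] = {}                         # flow -> external port
        self.back: Dict[Tuple[int, Endpoint], Endpoint] = {}   # (ext port, remote) -> internal source

    def egress(self, src: Endpoint, dst: Endpoint) -> int:
        """Translate an outbound packet and return the external source port used."""
        flow = (src, dst)
        if flow in self.out:
            return self.out[flow]
        if self.translate_ports:
            # Pick a fresh external port, avoiding one already mapped for this remote.
            ext = self.rng.randrange(1024, 65536)
            while (ext, dst) in self.back:
                ext = self.rng.randrange(1024, 65536)
        else:
            ext = src[1]  # keep the original source port: both peers present 51820
        self.out[flow] = ext
        # Assumption of the model: the first mapping for (ext port, remote) wins and a later
        # colliding flow does not displace it, matching the "first client that sends egress
        # packets" guess in the reply above.
        self.back.setdefault((ext, dst), src)
        return ext

    def ingress(self, remote: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Deliver an inbound packet addressed to (public_ip, ext_port) from `remote`."""
        return self.back.get((ext_port, remote))


# Constructed addresses from the documentation ranges (RFC 5737).
SERVER: Endpoint = ("203.0.113.5", 51820)
CLIENTS = [("10.0.0.2", 51820), ("10.0.0.3", 51820)]   # both on WireGuard's default port


def simulate(translate_ports: bool) -> Dict[str, Optional[str]]:
    """For each client IP, return the internal IP that actually receives the server's reply."""
    nat = Nat("198.51.100.1", translate_ports)
    received: Dict[str, Optional[str]] = {}
    for client in CLIENTS:
        ext = nat.egress(client, SERVER)     # handshake initiation leaves the NAT
        dest = nat.ingress(SERVER, ext)      # server answers to (public_ip, ext)
        received[client[0]] = dest[0] if dest else None
    return received


if __name__ == "__main__":
    print("source port preserved:", simulate(False))   # second client's reply goes to the first
    print("source port translated:", simulate(True))   # each client gets its own reply
```

Running it prints that with the source port preserved both replies are delivered to 10.0.0.2, whereas with port translation each client receives its own; the real NAT additionally ages mappings out after an inactivity timeout, which the model omits and which is why the "winning" client can change over time.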
