On 14-01-2021 18:09, Riccardo Paolo Bestetti wrote:
On Wed Jan 13, 2021 at 9:14 PM CET, Posegga, Joachim wrote:
I am trying to connect multiple wireguard clients behind the same
NAT-Gateway to a Mikrotik server with a public IP. I am not yet sure
where exactly the problem is, but it seems that only one client at a
time can establish a tunnel.
I don't know much about Mikrotik, but my guess is that it's not
randomizing source ports for packets egressing the NAT.
If that's the case, since WireGuard uses the same port for both source
and destination, and since your clients are all connecting to the same
server (and thus port), then your NAT can't demux incoming packets, and
it just sends them all to the same client. (It probably picks the first
one that sends egress packets, until it hits some inactivity time-out).
WireGuard doesn't have to use the same local port for all clients. In
fact, if you don't give a ListenPort explicitly, an ephemeral port is
assigned. This could theoretically still conflict between clients on
different machines, but it is unlikely to happen in practice.
If NAT is broken, it should be fixed anyway, but letting WireGuard use
ephemeral ports would also likely solve the problem in practice.
Kind regards,
Maarten
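A small simulation of the demultiplexing problem discussed in this thread, added here as an illustration and not code from any of the posters: it models a NAT that keeps the client's source port and never resolves clashes against a NAT that allocates a free external port, and shows which clients the server can reply to. All addresses, ports and client names are constructed sample values.

```python
from dataclasses import dataclass, field

SERVER = ("203.0.113.10", 51820)  # constructed: public WireGuard server endpoint
PUBLIC_IP = "198.51.100.7"        # constructed: the NAT gateway's public address


@dataclass
class Nat:
    """Minimal UDP NAT: table maps external port -> (internal ip, internal port)."""
    port_preserving_only: bool      # True: reuse the client's port, never resolve clashes
    table: dict = field(default_factory=dict)

    def egress(self, src):
        """Client endpoint src sends to the server; returns the external port used."""
        for ext_port, inner in self.table.items():
            if inner == src:            # existing mapping for this client
                return ext_port
        ext_port = src[1]               # preferred: keep the source port unchanged
        if ext_port in self.table:
            if self.port_preserving_only:
                return ext_port         # clash: the first client keeps the mapping
            while ext_port in self.table:
                ext_port += 1           # correct NAT: pick a free external port
        self.table[ext_port] = src
        return ext_port

    def ingress(self, ext_port):
        """A server reply to PUBLIC_IP:ext_port is delivered to this internal endpoint."""
        return self.table.get(ext_port)


def reachable_clients(nat, clients):
    """Every client sends a handshake; return the set the server can reply to."""
    delivered = set()
    for client in clients:
        ext_port = nat.egress(client)
        delivered.add(nat.ingress(ext_port))
    return delivered & set(clients)


# Constructed clients behind the same NAT gateway
SAME_PORT = [("10.0.0.2", 51820), ("10.0.0.3", 51820)]   # both set ListenPort = 51820
EPHEMERAL = [("10.0.0.2", 40123), ("10.0.0.3", 52831)]   # no ListenPort: distinct ports

if __name__ == "__main__":
    print(reachable_clients(Nat(True), SAME_PORT))   # only 10.0.0.2 gets replies
    print(reachable_clients(Nat(True), EPHEMERAL))   # both reachable
    print(reachable_clients(Nat(False), SAME_PORT))  # both reachable
```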