Thanks to all who responded. The setup is hard to debug, since the clients 
behind NAT are on the other side of the globe and I am configuring and 
debugging via Layer 8 ;-).

Meanwhile I created the client configurations and configured the Mikrotik 
server from scratch again; it now provides a separate WireGuard interface for 
each client; each client now uses a different target port on the server. I have 
some doubts if this really addresses the source of the problem, and it is 
certainly not very elegant, but it does the trick for now. The Mikrotik 
implementation is still a beta, so you cannot expect a stable server.

Best,
        Joachim.

-----Original Message-----
From: Riccardo Paolo Bestetti [mailto:p...@bestov.io] 
Sent: Friday, 15 January, 2021 16:22
To: Maarten de Vries; Posegga, Joachim; wireguard@lists.zx2c4.com
Subject: Re: Multiple Clients behind NAT

On Fri Jan 15, 2021 at 3:21 PM CET, Maarten de Vries wrote:
> WireGuard doesn't have to use the same local port for all clients. In
> fact, if you don't give a ListenPort explicitly, an ephemeral port is
> assigned. This could theoretically still conflict between clients on
This is correct. I mistakenly thought that, by default, WireGuard used
the target port as a source port as well (when available). Ephemeral
makes more sense & is also what really happens.

So yes, Joachim should both fix the NAT and drop ListenPort from his
clients.

Riccardo
