Multiple Clients behind NAT

Riccardo Paolo Bestetti pbl at bestov.io
Thu Jan 14 17:09:37 UTC 2021


On Wed Jan 13, 2021 at 9:14 PM CET, Posegga, Joachim wrote:
> I am trying to connect multiple wireguard clients behind the same
> NAT-Gateway to a Mikrotik server with a public IP. I am not yet sure
> where exactly the problem is, but it seems that only one client at a
> time can establish a tunnel.

I don't know much about Mikrotik, but my guess is that it's not
randomizing source ports for packets egressing the NAT.

If that's the case, since WireGuard uses the same port for both source
and destination, and since your clients are all connecting to the same
server (and thus port), then your NAT can't demux incoming packets, and
it just sends them all to the same client. (It probably picks the first
one that sends egress packets, until it hits some inactivity time-out).

You should look into your Mikrotik configuration, looking for a flag to
enable source address randomization in NAT (it's sometimes called
"masquerading").

Riccardo
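
Added example, not part of the original message: a toy Python model of the source-NAT translation table, showing the collision the reply hypothesizes when two inside clients use the same source port toward the same server, and how remapping the external port restores demultiplexing. All addresses, the `Nat` class and its `remap_ports` switch are constructed for illustration (this is not MikroTik or WireGuard code), it assumes both clients bind local port 51820, and timeouts are not modelled.

```python
"""Toy source-NAT model (constructed; not MikroTik or WireGuard code)."""
from itertools import count

PUBLIC_IP = "203.0.113.1"          # constructed NAT public address
SERVER = ("198.51.100.7", 51820)   # constructed WireGuard server endpoint


class Nat:
    def __init__(self, remap_ports):
        self.remap_ports = remap_ports
        self.out = {}    # (client, server) -> external source port
        self.back = {}   # (external port, server) -> inside client
        self._next = count(40000)  # candidate external ports when remapping

    def egress(self, client, server=SERVER):
        """Translate an outbound packet; return its external (ip, port)."""
        key = (client, server)
        if key not in self.out:
            port = client[1]
            if self.remap_ports:
                # pick an external port not already in use toward this server
                while (port, server) in self.back:
                    port = next(self._next)
            # port-preserving mode: the first flow keeps the reverse mapping
            self.back.setdefault((port, server), client)
            self.out[key] = port
        return (PUBLIC_IP, self.out[key])

    def ingress(self, ext_port, server=SERVER):
        """Return the inside client a reply from the server is delivered to."""
        return self.back.get((ext_port, server))


def replies_reach(remap_ports, clients):
    """Each client sends one packet; map client -> who receives its reply."""
    nat = Nat(remap_ports)
    seen = [nat.egress(c) for c in clients]
    return {c: nat.ingress(ext[1]) for c, ext in zip(clients, seen)}


# Two constructed inside clients using the same source port.
CLIENTS = [("192.168.1.10", 51820), ("192.168.1.11", 51820)]

if __name__ == "__main__":
    for mode in (False, True):
        print("remap_ports =", mode)
        for client, receiver in replies_reach(mode, CLIENTS).items():
            print("  reply for", client, "delivered to", receiver)
```

With `remap_ports=False` both flows leave as the same external 5-tuple, so every reply lands on the first client; with `remap_ports=True` the server sees two distinct endpoints and each reply returns to its sender.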


