🔧 About Wireguard and MikroTik

Wireguard network: 10.11.18.0/30 allow to set exactly two IP addresses, if you have more routers you will need a larger range.

	Site 1 (Router 1)	Site 2 (Router 2)
Wireguard IP	`10.11.18.1/30`	`10.11.18.2/30`
Reouter IP	`192.168.8.1/24`	`172.17.17.1/24`
Network	`192.168.8.0/24`	`172.17.17.0/24`

Router 1 (a.k.a. Server)

Addresses configuration

IP Address: 192.168.8.1/24
Network: 192.168.8.0/24
WG Address: 10.11.18.1/30

1/ip address
2add address=192.168.8.1/24 comment="Router 1's home network" interface=\
3    bridge-local network=192.168.8.0
4add address=10.11.18.1/30 interface=WG01 network=10.11.18.0

WireGuard interface

1/interface wireguard
2add listen-port=13251 mtu=1420 name=WG01 private-key=\
3    "<--private-key-is-generated-while-creating-interface-->"

Wireguard peer configuration

allowed-address: put there addresses of networks/devices that should be accessed trough VPN tunnel

1/interface wireguard peers
2add allowed-address=10.11.18.2/30,172.17.17.0/24 interface=WG01 public-key=\
3    "<--put-here-public-key-from-Router-2's-WG-interface-->"

Routing

Destination address: network behind router 2 172.17.17.0/24
Gateway: WireGuard IP address from router 2 10.11.18.2

1/ip route
2add comment="Routing to Router 2's network" disabled=no distance=1 dst-address=172.17.17.0/24 \
3    gateway=10.11.18.2 pref-src="" routing-table=main scope=30 \
4    suppress-hw-offload=no target-scope=10

Router 2 (a.k.a. Client)

Addresses configuration

IP Address: 172.17.17.1/24
Network: 172.17.17.0/24
WG Address: 10.11.18.2/30

1/ip address
2add address=172.17.17.1/24 comment="Router 2's home network" interface=br1 network=\
3    172.17.17.0
4add address=10.11.18.2/30 interface=WG01 network=10.11.18.0

WireGuard Interface

1/interface wireguard
2add listen-port=13251 mtu=1420 name=WG01 private-key=\
3    "<--private-key-is-generated-while-creating-interface-->"

WireGuard peer configuration

persistent-keepalive : It must be set for at least 10 seconds, otherwise the router will not dial the connection.

1/interface wireguard peers
2add allowed-address=192.168.8.0/24,10.11.18.0/30 endpoint-address=\
3    mipapredajna.dyndns.org endpoint-port=13251 interface=WG01 \
4    persistent-keepalive=10s public-key=\
5    "<--put-here-public-key-from-Router-1's-WG-interface-->"

Routing

Destination address: network behind router 1 192.168.8.0/24
Gateway: WireGuard IP address from router 1 10.11.18.1

1/ip route
2add comment="Routing to Router 1's network"
3    disabled=no distance=1 dst-address=192.168.8.0/24 gateway=10.11.18.1 \
4    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
5    target-scope=10

Summary

WG Interfaces generating their own keys while configuring interface
Put public key of Router 1’s WG interface to peer configuration on Router 2 and vice versa
On Router 1 add router to Router 2’s network and as gateway use Router 2’s WG IP address and vice versa (on Router 2, Router 1’s network and as gateway use Router 1’s WG IP address)

#Administering #Tutorial