Wireguard Android to OS - connects but no access to LAN

I have the setup from the diagram below. WireGuard between the two sites connects and works well. I am trying to dial into this setup from my Android phone using the same WG interface.
The phone connects OK and gets 192.168.46.3, but cannot access any hosts on either LAN.

I tried changing allowed-addresses to 0.0.0.0/0 but that doesn't work either.

I don't see any drops in the firewall rules during tests. NAT config is not yet familiar to me.

Any idea how to fix my dial-in from mobile?


*EDIT: Solved in the replies below.
Home Network v2.1-Page-3.jpg

/ip firewall nat add chain=srcnat src-address=192.168.46.0/24 action=masquerade

Your diagram is almost clear.
It seems to indicate that both routers don't have direct access to a public IP but the upstream router can forward ports to either one???

Not stated but assumed is that WireGuard M is the server for the handshake.
Don't understand the config presented, for example subnets on allowed IPs that are not router M, so that's weird, and then some allowed addresses that don't make sense.


Need both complete configs to assess properly, but I see lots of errors:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys etc.)

Only this line doesn't seem to work.


Correct. Both sites' upstream WAN routers forward ports to my routers' WAN.


Both routers point to each other's public IP:13231 since both sites have this port forwarded to MK. So I'm not sure which is to be considered "server".


192.168.100.1 is the SiteM upstream [ISP] router I can access. I allowed it so I can access the ISP router from SiteM while being in SiteD.
192.168.46.0/28 is the range for the WG peers. Not sure if it is necessary to "allow" the peer's own WG address.


Updated the diagram a bit and attached the configs.
configM.rsc (6.47 KB)
configD.rsc (7.64 KB)

You have to decide for the peer-to-peer connection which side is going to initiate the handshake (client) and which is going to receive the handshake (server).
Only the server needs an input chain rule, for example.
How you handle Allowed IPs is very much driven by this initial relationship.

Thanks for your input.

The WG between sites works well: it connects, and all LANs are accessible. From site D I can access everything in site M, including the ISP router from site M.

My issue is with the Mobile-to-SiteD WireGuard setup. Obviously here only RouterD has a static public IP; the mobile's is dynamic, assigned by the operator. The handshake is OK, then the keepalive is sent to the mobile.

Solved the mobile phone part, with some insights from HERE.

In MikroTik, the mobile phone peer config "Allowed Address" should be the assigned WG IP for this phone. By default it is ::/0. Since it's a terminal, I made it /32.

Now my laptop as a WG client has a routing issue. Ping from the WG laptop to both LAN networks is OK, but no other traffic seems to work.
I'll troubleshoot it myself first. Is it better to open a new topic for laptop WG access [symptoms are the same: WG connects OK but no traffic]?

Thank you for your support!
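The "Allowed Address" fix above works because WireGuard has no separate routing table or ACL for the tunnel: each peer's allowed addresses select the peer for outgoing packets (longest prefix wins) and also act as the source filter for incoming packets. The model below is an added example written for this thread, not MikroTik's or WireGuard's own code. It shows what happens with the default ::/0, with a catch-all 0.0.0.0/0, and with the /32 that solved it; the peer names, the site M LAN prefix 192.168.10.0/24 and the site M tunnel address 192.168.46.1 are constructed, while 192.168.46.3 is the phone address from the thread.

```python
"""Model of WireGuard's cryptokey routing (added example, not project code).

Outbound: the destination address is matched against every peer's allowed
addresses and the longest matching prefix selects the peer.
Inbound: a decrypted packet is accepted only if its inner source address is
inside the sending peer's allowed addresses; otherwise it is silently dropped.
"""
import ipaddress
from typing import Optional


class Peer:
    def __init__(self, name: str, allowed: list[str]) -> None:
        self.name = name
        self.allowed = [ipaddress.ip_network(a, strict=False) for a in allowed]


class CryptokeyTable:
    """Longest-prefix match over the allowed addresses of all peers."""

    def __init__(self, peers: list[Peer]) -> None:
        self.peers = peers

    def peer_for_destination(self, dst: str) -> Optional[str]:
        """Peer that will receive a packet for dst, or None if no peer claims it."""
        addr = ipaddress.ip_address(dst)
        best_name, best_len = None, -1
        for peer in self.peers:
            for net in peer.allowed:
                if net.version == addr.version and addr in net and net.prefixlen > best_len:
                    best_name, best_len = peer.name, net.prefixlen
        return best_name

    def accept_inbound(self, peer_name: str, src: str) -> bool:
        """Source-address check applied after decryption of a packet from peer_name."""
        addr = ipaddress.ip_address(src)
        for peer in self.peers:
            if peer.name == peer_name:
                return any(net.version == addr.version and addr in net for net in peer.allowed)
        return False


def build_table(phone_allowed: list[str]) -> CryptokeyTable:
    """Router D's peer list: the site-to-site peer (constructed addresses)
    plus the phone, whose allowed addresses are the setting under test."""
    return CryptokeyTable([
        Peer("siteM", ["192.168.10.0/24", "192.168.46.1/32"]),  # constructed
        Peer("phone", phone_allowed),
    ])


if __name__ == "__main__":
    for label, allowed in (("default ::/0", ["::/0"]),
                           ("catch-all 0.0.0.0/0", ["0.0.0.0/0"]),
                           ("terminal /32", ["192.168.46.3/32"])):
        table = build_table(allowed)
        print(label,
              "inbound from phone accepted:", table.accept_inbound("phone", "192.168.46.3"),
              "| reply to phone goes to:", table.peer_for_destination("192.168.46.3"),
              "| 203.0.113.10 goes to:", table.peer_for_destination("203.0.113.10"))
```

With ::/0 the phone's IPv4 packets are dropped on arrival and there is no peer for the reply, so the tunnel is up but carries nothing. With 0.0.0.0/0 the phone works, but the router would also hand every destination no other peer claims (here the constructed public address 203.0.113.10) to the phone. The /32 accepts exactly the phone's own address and nothing else.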

Solved the laptop issue by lowering the WireGuard interfaces' MTU to 1280 from 1420.

Before that, the laptop could successfully connect to WG and ping to the LANs was OK, but no web page from the LAN could open.
Another issue was the upload speed between sites: M-to-D ~300 Mbps, D-to-M ~5 kbps.

MTU 1280 solved both problems.
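The "ping works, web pages don't" symptom is the classic sign of an encapsulation size problem: a small ICMP echo still fits the underlay path after WireGuard adds its headers, a full-size TCP segment does not. The calculator below is an added example for this thread, not MikroTik's or WireGuard's code; it applies WireGuard's per-packet overhead (outer IP + UDP + 32-byte data header, inner packet padded to a multiple of 16 bytes but never beyond the interface MTU). The 1400-byte path MTU used in the demo is a constructed value, since the thread does not state the real one.

```python
"""WireGuard encapsulation overhead (added example, not project code).

Overhead per packet: outer IP header (20 bytes IPv4, 40 IPv6) + UDP (8)
+ WireGuard data message header (32: type/reserved 4, receiver index 4,
counter 8, Poly1305 tag 16).  The inner packet is zero-padded to a multiple
of 16 bytes, capped at the interface MTU as the reference implementation does.
"""

WG_DATA_HEADER = 32
UDP_HEADER = 8
IPV4_HEADER = 20
IPV6_HEADER = 40
PAD_MULTIPLE = 16


def padded_len(inner_len: int, iface_mtu: int) -> int:
    """Pad to a multiple of 16, but never past the interface MTU."""
    aligned = -(-inner_len // PAD_MULTIPLE) * PAD_MULTIPLE
    return min(aligned, iface_mtu)


def encapsulated_size(inner_len: int, iface_mtu: int, outer_ipv6: bool = False) -> int:
    """Size of the outer IP packet carrying one inner packet."""
    outer_ip = IPV6_HEADER if outer_ipv6 else IPV4_HEADER
    return padded_len(inner_len, iface_mtu) + WG_DATA_HEADER + UDP_HEADER + outer_ip


def fits_path(inner_len: int, iface_mtu: int, path_mtu: int, outer_ipv6: bool = False) -> bool:
    """True if the encapsulated packet crosses the underlay without fragmentation."""
    return encapsulated_size(inner_len, iface_mtu, outer_ipv6) <= path_mtu


def report(iface_mtu: int, path_mtu: int) -> dict:
    """Compare a default ping (84 bytes: IPv4 + ICMP + 56-byte payload)
    with a full-size segment that fills the interface MTU."""
    ping = 84
    full = iface_mtu
    return {
        "ping_fits": fits_path(ping, iface_mtu, path_mtu),
        "full_segment_fits": fits_path(full, iface_mtu, path_mtu),
        "full_segment_size": encapsulated_size(full, iface_mtu),
    }


if __name__ == "__main__":
    for mtu in (1420, 1280):
        print(f"interface MTU {mtu}:", report(mtu, path_mtu=1400))  # 1400 is constructed
```

At the default 1420 the full-size segment becomes a 1480-byte UDP packet over IPv4 (exactly 1500 over IPv6, which is why 1420 is the default), so any underlay path with a smaller MTU drops or fragments it while the 156-byte ping sails through. Dropping the interface MTU to 1280 leaves headroom for the overhead on such a path.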