cesco78
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 6:44 pm

Wireguard between routers

Sat Mar 09, 2024 12:58 pm

Hi all!
I have 2 routers, a 5009 and an RB750.

The 5009 is at home and it has a public IP.
The RB750 is remote, behind a router, and its WAN address is a private LAN IP of a friend of mine.

I would like the RB750 to connect to the 5009 at home, so that from home I can reach the NAS that is on the RB750 LAN.
I would use Wireguard, but I found only guides where both routers have a public IP or port forwarding, and I cannot do that.

Is there a way to do it? Or is it better to use SSL OVPN (I tried, months ago, going crazy with certificates)?

Thanks!

anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard between routers

Sat Mar 09, 2024 2:35 pm

 
cesco78
just joined
Topic Author
Posts: 10
Joined: Sat Mar 05, 2016 6:44 pm

Re: Wireguard between routers

Sat Mar 09, 2024 4:27 pm

Thank you a lot!
But in the guide it seems that each router needs to have a public address (or a port forwarding from a public IP).
I do not know the remote router's public address, so I cannot create
/interface/wireguard/peers
add allowed-address=10.1.101.0/24 endpoint-address=REMOTE PUBLIC endpoint-port=13231 interface=wireguard1 \
public-key="v/oIzPyFm1FPHrqhytZgsKjU7mUToQHLrW+Tb5e601M="

anav
Forum Guru
Posts: 19403
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard between routers

Sat Mar 09, 2024 4:52 pm

Incorrect!
Only the peer that is acting as server for the handshake has to have a reachable public IP in the standard wireguard setup.
(Note: with the new wg BTH functionality available on most MT routers, one need not have any reachable IPs.)

So the Remote Device should have allowed IPs like so.
/interface/wireguard/peers
add allowed-address=10.1.101.0/24 endpoint-address=SERVER-PEER-ADDRESS endpoint-port=13231 interface=wireguardR2 \
persistent-keep-alive=35s public-key="++++++="

The Local Device MAIN router (acting as server for the handshake):
/interface/wireguard/peers
add allowed-address=10.1.101.2/32 interface=wireguardR1 \
public-key="++++++++" comment=remote-mt-router
add allowed-address=10.1.101.3/32 interface=wireguardR1 \
public-key="++++++++" comment=remote-admin-laptop
etc..

Note1: I like to have different Wireguard interface names at the different routers so I know which config I am working on...

Note2: At the remote router, if you wish to visit subnets at the main router you need to add those subnets to allowed addresses, and the same applies if those subnets need to visit the remote router subnets.

Note3: If the remote router needs to use the internet of the main router, then a single entry of 0.0.0.0/0 for allowed IPs suffices for all entries.

Note4: I added a road warrior, which would typically use 0.0.0.0/0 for allowed IPs on the remote device when connecting to the Main Router.
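The asymmetry in the answer above (the NAT'd router dials out with an endpoint and a keepalive; the public router lists one endpoint-less /32 per peer) is easy to get backwards. The following is an added example, not MikroTik code or anything the poster wrote: a small Python checker that parses RouterOS `/interface/wireguard/peers` `add` lines and flags the common mistakes for this topology. The keys, the documentation address 203.0.113.10 standing in for the home router's public IP, and the sample configs are all constructed for the example.

```python
"""Sanity-check RouterOS WireGuard peer entries for the one-sided NAT
topology from the thread above.  Added example, not MikroTik code: the
checker and the sample configs are constructed for illustration."""
import base64
import ipaddress
import shlex


def parse_peers(text):
    """Turn '/interface/wireguard/peers' 'add ...' lines into dicts.
    RouterOS joins lines ending in a backslash; so do we."""
    peers = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("add "):
            # shlex strips the quotes around public-key="..." values;
            # partition on the first '=' keeps the '=' padding of the key
            peers.append(dict(tok.partition("=")[::2]
                              for tok in shlex.split(line[4:])))
    return peers


def key_is_valid(key):
    """A WireGuard public key is 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:
        return False


def keepalive_seconds(value):
    """'35s' -> 35; missing or unparsable -> 0."""
    digits = value.rstrip("s")
    return int(digits) if digits.isdigit() else 0


def check_nat_side(peer):
    """The router behind NAT must dial out and keep the mapping alive,
    since nobody can dial in to it."""
    problems = []
    if not peer.get("endpoint-address"):
        problems.append("no endpoint-address: the NAT'd router must dial the public peer")
    if not peer.get("endpoint-port"):
        problems.append("no endpoint-port")
    if keepalive_seconds(peer.get("persistent-keep-alive", "")) == 0:
        problems.append("no persistent-keep-alive: the NAT mapping expires between "
                        "handshakes and the public side loses its path back")
    if not key_is_valid(peer.get("public-key", "")):
        problems.append("public-key is not a 32-byte base64 key")
    return problems


def check_public_side(peers):
    """The router with the public IP lists one entry per remote peer: no
    endpoint (it cannot reach them), a valid key, and allowed-addresses that
    do not overlap, because WireGuard selects the peer by allowed-address."""
    problems = []
    seen = []  # (peer name, network) pairs already claimed
    for peer in peers:
        name = peer.get("comment", "<no comment>")
        if peer.get("endpoint-address"):
            problems.append(f"{name}: endpoint-address set, but this side cannot reach a NAT'd peer")
        if not key_is_valid(peer.get("public-key", "")):
            problems.append(f"{name}: public-key is not a 32-byte base64 key")
        for cidr in peer.get("allowed-address", "").split(","):
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            for other_name, other in seen:
                if net.overlaps(other):
                    problems.append(f"{name}: allowed-address {net} overlaps {other} of {other_name}")
            seen.append((name, net))
    return problems


# Constructed sample keys: 32 bytes each, base64-encoded like a real key.
KEY_MAIN = base64.b64encode(bytes([1]) * 32).decode()
KEY_REMOTE = base64.b64encode(bytes([2]) * 32).decode()
KEY_LAPTOP = base64.b64encode(bytes([3]) * 32).decode()

# Peer entry on the remote RB750 (behind the friend's NAT).  203.0.113.10 is a
# documentation address standing in for the home router's public IP.
REMOTE_CONFIG = f"""/interface/wireguard/peers
add allowed-address=10.1.101.0/24 endpoint-address=203.0.113.10 endpoint-port=13231 \\
    interface=wireguardR2 persistent-keep-alive=35s public-key="{KEY_MAIN}"
"""
# Same entry with the keepalive forgotten: the tunnel works until the NAT forgets it.
REMOTE_CONFIG_NO_KEEPALIVE = REMOTE_CONFIG.replace("persistent-keep-alive=35s ", "")

# Peer entries on the home 5009 (public IP): one /32 per remote peer, no endpoint.
MAIN_CONFIG = f"""/interface/wireguard/peers
add allowed-address=10.1.101.2/32 interface=wireguardR1 public-key="{KEY_REMOTE}" comment=remote-mt-router
add allowed-address=10.1.101.3/32 interface=wireguardR1 public-key="{KEY_LAPTOP}" comment=remote-admin-laptop
"""
# The mistake from the question: giving the public side an endpoint for the NAT'd router.
MAIN_CONFIG_BAD = MAIN_CONFIG.replace(
    "comment=remote-mt-router", "endpoint-address=192.168.1.50 comment=remote-mt-router")

if __name__ == "__main__":
    print("remote ok:", check_nat_side(parse_peers(REMOTE_CONFIG)[0]))
    print("remote no keepalive:", check_nat_side(parse_peers(REMOTE_CONFIG_NO_KEEPALIVE)[0]))
    print("main ok:", check_public_side(parse_peers(MAIN_CONFIG)))
    print("main bad:", check_public_side(parse_peers(MAIN_CONFIG_BAD)))
```

The overlap check matters once Note2 and Note3 come into play: if two entries on the public router both claim the same subnet (or one claims 0.0.0.0/0), WireGuard silently routes that traffic to whichever peer was listed last, which looks like a dead tunnel rather than a misconfiguration.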
