l2sverige
just joined
Topic Author
Posts: 16
Joined: Tue Oct 26, 2021 8:40 am

Wireguard router clients

Wed Feb 28, 2024 7:40 pm

Hi!

I have a MikroTik router as an L2TP server with a public static IP, and have some customers' MikroTik routers connected as clients. Then I have my computer connected over WireGuard to that MikroTik server.

All PPPs are masqueraded, so I have full access to the client routers when I'm connected over WireGuard.

NOW I want to migrate all my L2TP clients to WG clients. I don't want any routed traffic, just a connection so I can get to the router through Winbox. All of these clients are behind NAT.

Can someone here help me with an example of the WG config for this?

Best regards
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard router clients

Wed Feb 28, 2024 9:47 pm

Are you saying you wish to connect all the clients' routers to your MT server router via WG?
Are they all MT routers?

Not much different from a road-warrior setup.
No input chain rule (no handshake on the client router).
Still need an IP address.
Still need allowed IPs (not 0.0.0.0/0, likely, but something like 192.168.10.0/24,SubnetA,SubnetB).

Meaning, each client should have the WireGuard subnet as an allowed IP and then any subnets that
a. local users need to visit at any of the other routers, including the MT server router subnets
b. external users' subnets that need to visit the local client router subnets.

AND IP routes to cover off all the subnetA, subnetB traffic, pointing to the WireGuard interface, table main.
Relevant forward firewall rules as well, of course, for LAN traffic.
Relevant input chain rule, if you, the admin, need to access the client router for config purposes.
 
l2sverige
just joined
Topic Author
Posts: 16
Joined: Tue Oct 26, 2021 8:40 am

Re: Wireguard router clients

Wed Feb 28, 2024 9:59 pm

Are you saying you wish to connect all the clients' routers to your MT server router via WG?
Are they all MT routers?
yes :)

No easy setup, though :lol: But I have to give it a try. L2TP is very much easier, just masquerade the connection 8)
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: Wireguard router clients

Thu Feb 29, 2024 12:03 am

It's not hard, as you already have a WireGuard interface.
Just assign each router a WireGuard IP.

On the main router
add a line for allowed IPs to each router.

allowed-address=ipaddressRouterClient1/32,subnetC,subnetD... interface=wireguard public-key=xxxxxxx
(either local users going to a remote subnet, OR remote subnets coming into the main router)

allowed-address=ipaddressRouterClient2/32,subnetF,subnetG... interface=wireguard public-key=xxxxxxx

Applicable routes for any applicable subnets, table main, based on the above allowed addresses (remember they are not local, so you have to tell the MAIN router about them).
Applicable firewall rules:
- to allow traffic from other routers to your subnets, as picky as you need to be
- to allow traffic from local subnets into the tunnel to reach other router subnets
- ONE KEY RELAY RULE
add chain=forward action=accept in-interface=wireguard out-interface=wireguard

Ex. This will allow any subnet from router 1 to reach the MAIN server router and reach router 6.
Traffic from subnet A needs to reach subnet M.
You have two routes existing:
add dst-address=subnetA gateway=wireguard table=main
add dst-address=subnetM gateway=wireguard table=main

So the router knows where to send originating and return traffic!!
The relay firewall rule allows the traffic to hit MAIN from Router 1 and then re-enter the tunnel headed for Router 6.
It's peer to peer!!
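A concrete RouterOS 7 configuration for the setup described in the two posts above, written as an added example rather than taken from the thread: the hub (the MikroTik server with the public static IP), one customer router behind NAT, and the admin laptop as a third peer. The management subnet 10.255.0.0/24, the hub address 203.0.113.10, listen port 13231, interface name wg-mgmt and all key values are assumptions to be replaced. Two details not spelled out in the thread are included: persistent-keepalive on the NATed client (so the hub can still reach it after the NAT mapping would otherwise expire), and a /32 allowed-address per customer peer on the hub (so one customer router cannot send traffic with another site's tunnel address). Since the original poster wants management access only, the customer router accepts nothing from the tunnel except Winbox from the management subnet, and no forward or NAT rules exist for it.

```routeros
# ===== Hub: MikroTik server with the public static IP =====
# Added example, not from the thread. Subnet, port, names and keys are assumed.
# Omitting private-key makes RouterOS generate a key pair; read the public key
# back with /interface/wireguard/print and paste it into each client config.
/interface/wireguard/add name=wg-mgmt listen-port=13231 comment="management hub"
/ip/address/add address=10.255.0.1/24 interface=wg-mgmt

# One peer per customer router, allowed-address limited to that router's /32.
/interface/wireguard/peers/add interface=wg-mgmt public-key="<customer1-public-key>" \
    allowed-address=10.255.0.11/32 comment="customer 1"
/interface/wireguard/peers/add interface=wg-mgmt public-key="<customer2-public-key>" \
    allowed-address=10.255.0.12/32 comment="customer 2"
# The admin laptop is just another peer; its own client must list 10.255.0.0/24
# in its AllowedIPs so replies from customer routers are accepted.
/interface/wireguard/peers/add interface=wg-mgmt public-key="<admin-laptop-public-key>" \
    allowed-address=10.255.0.100/32 comment="admin laptop"

# Input chain: handshakes from the NATed clients and the laptop must reach the
# listen port. All accept rules below must sit above any existing generic drop
# (use place-before=<rule number> when adding to a live firewall).
/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard handshakes"

# Forward chain: the relay rule from the post, narrowed to the admin. Return
# traffic from a customer router is covered by the established/related rule,
# and a final drop stops customer sites from reaching each other via the hub.
/ip/firewall/filter/add chain=forward action=accept connection-state=established,related \
    comment="replies for existing connections"
/ip/firewall/filter/add chain=forward action=accept in-interface=wg-mgmt out-interface=wg-mgmt \
    src-address=10.255.0.100/32 comment="admin laptop -> hub -> customer router"
/ip/firewall/filter/add chain=forward action=drop in-interface=wg-mgmt out-interface=wg-mgmt \
    comment="no site-to-site through the hub"

# ===== Customer router 1: behind NAT, management access only =====
/interface/wireguard/add name=wg-mgmt comment="management tunnel to hub"
/ip/address/add address=10.255.0.11/24 interface=wg-mgmt
# The client initiates, so no input rule for handshakes is needed here.
# allowed-address is the whole management subnet: packets relayed by the hub
# arrive with the laptop's source address and must pass the cryptokey check.
# persistent-keepalive keeps the NAT mapping open so the hub can reach us later.
/interface/wireguard/peers/add interface=wg-mgmt public-key="<hub-public-key>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=10.255.0.0/24 persistent-keepalive=25s comment="hub"
# Winbox (TCP 8291) from the management subnet only; everything else from the
# tunnel is dropped. No forward rule and no NAT: nothing is routed through here.
/ip/firewall/filter/add chain=input action=accept in-interface=wg-mgmt \
    src-address=10.255.0.0/24 protocol=tcp dst-port=8291 comment="Winbox via tunnel"
/ip/firewall/filter/add chain=input action=drop in-interface=wg-mgmt \
    comment="drop other tunnel input"
```

After both sides are configured, `/interface/wireguard/peers/print` on the hub should show a recent `last-handshake` for each customer as soon as its keepalive fires; from the laptop, Winbox to 10.255.0.11 then traverses laptop -> hub -> customer without any masquerade. The connected routes created by the /24 addresses on wg-mgmt are the only routes needed for this management-only design; the per-customer LAN subnets and the extra routes discussed in the post come into play only if you later decide to route LAN traffic as well, and then the customer router's forward chain needs rules of its own.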
 
l2sverige
just joined
Topic Author
Posts: 16
Joined: Tue Oct 26, 2021 8:40 am

Re: Wireguard router clients

Thu Feb 29, 2024 5:25 pm

very carefully described :) I will give it a try then ...Big thanks!
