2x MikroTik U009 and WG VPN

Hello, MikroTik experts! I am working on setting up a network that includes two MikroTik L009 routers (office and lab), a MikroTik cAP ac access point (on the office router), and a WireGuard VPN server running on a VPS. The goal is to achieve seamless connectivity, with separate networks that still have some privileged connectivity between the two networks, and to allow remote access to the network. Since I don't have a public IP but have a VPS with a public IP, I installed a WireGuard VPN server on that. Below is my network overview, configuration details, and the issues I need help resolving.

Network Overview:
• Devices:
o office Router: MikroTik L009 (IP: 192.168.10.1/24)
o lab Router: MikroTik L009 (IP: 192.168.20.1/24)
o WireGuard VPN Server: VPS with a public IP.

• Goals:
o Configure both routers to have separate networks (192.168.10.0/24 and 192.168.20.0/24) and allow a few users to communicate between the office and lab networks.
o Enable access to both networks through WireGuard VPN which is installed on VPS server with public IP.
Network Diagram: as attached in photo

WireGuard VPN (VPS):
o VPS (VPN Server) Address = 10.0.0.1/24
o teo_office Router: 10.0.0.2/24
o teo_lab Router: 10.0.0.3/24

Can anyone have a look and help me configure the setup?
network_infrastructure.jpg

I am confused.
It would appear that the two L009 devices are physically connected already??
There is no requirement I can see for them to see each other over wireguard???

Your explanation is weak. Of course you have a public IP, there is no way to reach VPS without one!!!
The public IP may only be available on the single upstream ISP router and thus the need to obtain a VPS wireguard connection.

Question:

  1. confirm two routers are connected by cable.
  2. confirm you want lab device to act as a router and not a switch
  3. confirm you do or do not want to access the internet from either router via the VPS???
  4. confirm you want the admin or remote external users to be able to access any LAN on either router via wireguard.

Note: Router to Router LAN traffic should be accomplished by forward chain and input chain firewall rules as required, and some static routes on either side as well.
There is no requirement to attempt to connect the LANs over wireguard VPS.

If I was setting up the network, I would use VLANs to separate my office and lab, and the second lab L009 would simply act as a switch.
However, it would appear you want it as a router for specific reasons, and that's fine.
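
Added example, not part of either post: a wg-quick configuration for the VPS hub using the tunnel and LAN addresses from the question, with forwarding limited so that a remote admin can reach both LANs while the office and lab do not reach each other through the tunnel. The listen port, the admin peer at 10.0.0.10 and all key placeholders are assumptions.

```ini
# /etc/wireguard/wg0.conf on the VPS (constructed example)
# The VPS must also forward IPv4: sysctl net.ipv4.ip_forward=1

[Interface]
Address = 10.0.0.1/24
# Assumed port; open it (UDP) in the VPS provider firewall.
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

# Peer-to-peer traffic through the hub: allow replies, allow the admin
# peer to start connections, drop everything else between peers.
PostUp = iptables -A FORWARD -i %i -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o %i -s 10.0.0.10/32 -j ACCEPT
PostUp = iptables -A FORWARD -i %i -o %i -j DROP
PostDown = iptables -D FORWARD -i %i -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -s 10.0.0.10/32 -j ACCEPT
PostDown = iptables -D FORWARD -i %i -o %i -j DROP

# teo_office router. AllowedIPs is both the route and the source filter:
# only packets from these ranges are accepted from this peer.
[Peer]
PublicKey = <TEO_OFFICE_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 192.168.10.0/24

# teo_lab router
[Peer]
PublicKey = <TEO_LAB_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32, 192.168.20.0/24

# Remote admin device (hypothetical peer, address assumed)
[Peer]
PublicKey = <ADMIN_PUBLIC_KEY>
AllowedIPs = 10.0.0.10/32

# No Endpoint lines: the routers and the admin sit behind NAT, so they
# initiate to the VPS and should set a persistent keepalive on their side.
```

Each router still needs its own forward-chain rule accepting traffic from 10.0.0.10 arriving on its WireGuard interface; the hub rules only control what crosses the VPS.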