Asking for help: Setting Up a Multi-Site in-house Wireguard network

Hello there. I’ve been using Mikrotiks for about seven years now, but in some ways I’m still a noob. I’ve got a bit of a problem. I have my own home-based business home office with a couple of NAS machines and servers, and I also serve as the (volunteer) “IT guy” for my church, which has its own NAS and DNS server. Lately I’ve brought my parents’ Internet service under the umbrella, allowing them to access some of the saved media on my servers, and it was working fine up until a couple of months ago.

I looked into why I couldn’t access my WebDAV server from their home, and found that I couldn’t even ping it from there… Traceroute showed that it went one hop and disappeared. I called my ISP (T-Mobile) to inquire and complain, and after about 50 minutes of fiddlefarting around the tech rep informed me that they had a bad transponder on one of the 5G towers which served my home, and that it had gone out two months ago… about the same time I started having problems. I asked when they were going to get around to repairing it and he said, “Some day.”

The thing is that since the towers are just a few miles apart they do not route traffic between them over the Internet; if it doesn’t get through on T-Mobile it doesn’t get through. I asked what I might do to restore connectivity until “some day,” and he suggested that I set up a VPN through a third-party server. When it comes to VPN, I’m a noob. So I’m asking for help.

I pay extra to T-Mobile for routable static IP addresses at both my home office and at Mom & Dad’s place. The church is on a /29 static IP block from AT&T. I’m also paying for a DigitalOcean droplet VPS which I’m not really using right now. I use Mikrotik routers everywhere (except DigitalOcean, obviously); an RB4011 at my home office, a hAP-ac2 for my parents, and an RB3011 at the church. I also have my own domain name; more than one, actually. So I should have options. Ideally I’d like to be able to access all of the equipment at all of these sites through a WireGuard VPN for the purposes of configuration and updates with Ansible or similar. But I know not what I do. So I’m asking for someone(s) to help me through this. Thanks.
[attached diagram: WireguardNet.drawio(1).png]

No worries, you are in good shape.
I would probably use the most stable internet connection (with a public IP) as the main Wireguard server.
Assuming it’s your VPS, since normally there is built-in redundancy available 24/7 and usually decent enough throughput.

So I am talking about putting a licensed CHR on the VPS.

The CHR becomes the central peer where all others connect to.
With proper firewall rules, and ip routes, we can connect all sites via the VPS site.

In the very odd case where for some reason the VPS is not available, I would set up a secondary wireguard at the home site as a backup.
It would be live but idling, except I can see you may end up using that to remote connect to home directly while away…

VPS SETUP basic:
/interface wireguard
add listen-port=52344 mtu=1420 name=wgServer

/interface wireguard peers
add allowed-address=172.16.0.2/32 interface=wgServer comment="admin remote laptop" public-key="<laptop public key>"
add allowed-address=172.16.0.3/32 interface=wgServer comment="admin remote smartphone/tablet" public-key="<phone/tablet public key>"
add allowed-address=172.16.0.4/32,subnetA,subnetB interface=wgServer comment="admin HOME" public-key="<HOME router public key>"
add allowed-address=172.16.0.5/32,subnetC interface=wgServer comment="parents" public-key="<PARENTS router public key>"
add allowed-address=172.16.0.6/32,subnetD,subnetE interface=wgServer comment="Church" public-key="<CHURCH router public key>"

add allowed-address=172.16.0.7/32 interface=wgServer comment="church person access to something?" public-key="<church user public key>"
add allowed-address=172.16.0.8/32 interface=wgServer comment="parent access to something?" public-key="<parent user public key>"

/ip route
add dst-address=subnetA gateway=wgServer routing-table=main
add dst-address=subnetB gateway=wgServer routing-table=main
add dst-address=subnetC gateway=wgServer routing-table=main
add dst-address=subnetD gateway=wgServer routing-table=main
add dst-address=subnetE gateway=wgServer routing-table=main

/ip address
add address=172.16.0.1/24 interface=wgServer network=172.16.0.0

/ip firewall filter
add chain=input action=accept comment="wireguard handshake" dst-port=52344 protocol=udp
add chain=input action=accept comment="admin access only" src-address-list=TRUSTED
# key rule in forward chain: lets site-to-site traffic hairpin through the hub
add chain=forward action=accept comment="server relay" in-interface=wgServer out-interface=wgServer

/ip firewall address-list
# static DHCP leases where applicable
add address=subnetA-address/32 list=TRUSTED comment="admin home remote desktop wired"
add address=subnetA-address/32 list=TRUSTED comment="admin home remote device WIFI"
add address=subnetC-address/32 list=TRUSTED comment="admin remote device while at parents house network"
add address=subnetD-address/32 list=TRUSTED comment="admin remote device while using church network"
add address=172.16.0.2-172.16.0.3 list=TRUSTED comment="remote admin access while away"

/interface list member
add interface=wgServer list=LAN



HOME basic setup:

/interface wireguard
add listen-port=13331 mtu=1420 name=wgVPS
add listen-port=45679 mtu=1420 name=wgHome-Backup

/interface wireguard peers
add allowed-address=172.16.0.0/24,subnetC,subnetD,subnetE interface=wgVPS comment="access to all sites" public-key="<VPS public key>" endpoint-address=VPS-endpoint endpoint-port=52344 persistent-keepalive=45s

# backup tunnel peers (the home router is the hub for these)
add allowed-address=10.10.20.2/32 interface=wgHome-Backup comment="admin remote laptop" public-key="<laptop public key>"
add allowed-address=10.10.20.3/32 interface=wgHome-Backup comment="admin remote smartphone/tablet" public-key="<phone/tablet public key>"
add allowed-address=10.10.20.4/32,subnetC interface=wgHome-Backup comment="parents" public-key="<PARENTS router public key>"
add allowed-address=10.10.20.5/32,subnetD,subnetE interface=wgHome-Backup comment="church" public-key="<CHURCH router public key>"

add allowed-address=10.10.20.6/32 interface=wgHome-Backup comment="church person access to something?" public-key="<church user public key>"
add allowed-address=10.10.20.7/32 interface=wgHome-Backup comment="parent access to something?" public-key="<parent user public key>"

/ip address
add address=172.16.0.4/24 interface=wgVPS network=172.16.0.0
add address=10.10.20.1/24 interface=wgHome-Backup network=10.10.20.0

/ip firewall filter
add chain=input action=accept comment="wireguard handshake" dst-port=45679 protocol=udp
add chain=input action=accept comment="admin access only" src-address-list=TRUSTED
# key rule in forward chain
add chain=forward action=accept comment="server relay" in-interface=wgHome-Backup out-interface=wgHome-Backup

/ip firewall address-list
# static DHCP leases where applicable
add address=subnetA-address/32 list=TRUSTED comment="admin local desktop wired"
add address=subnetA-address/32 list=TRUSTED comment="admin local device WIFI"
add address=subnetC-address/32 list=TRUSTED comment="admin remote device while at parents house network"
add address=subnetD-address/32 list=TRUSTED comment="admin remote device while using church network"
add address=172.16.0.2-172.16.0.3 list=TRUSTED comment="remote admin wg access while away"
add address=10.10.20.2-10.10.20.3 list=TRUSTED comment="backup remote admin wg access while away"

/ip route
# recursive routes: the site prefixes stay active only while the VPS hub (172.16.0.1) answers ping
add check-gateway=ping dst-address=subnetC gateway=172.16.0.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping dst-address=subnetD gateway=172.16.0.1 routing-table=main scope=10 target-scope=12
add check-gateway=ping dst-address=subnetE gateway=172.16.0.1 routing-table=main scope=10 target-scope=12
add dst-address=172.16.0.1/32 gateway=wgVPS routing-table=main scope=10 target-scope=11

# fallback via the backup tunnel; distance=2 so these only win once the VPS routes go inactive
add distance=2 dst-address=subnetC gateway=wgHome-Backup routing-table=main
add distance=2 dst-address=subnetD gateway=wgHome-Backup routing-table=main
add distance=2 dst-address=subnetE gateway=wgHome-Backup routing-table=main

PARENTS basic setup:

/interface wireguard
add listen-port=13131 mtu=1420 name=wgParents
add listen-port=13232 mtu=1420 name=wgBackup

/interface wireguard peers
add allowed-address=172.16.0.0/24,subnetA interface=wgParents comment="access to Home via VPS" public-key="<VPS public key>" endpoint-address=VPS-endpoint endpoint-port=52344 persistent-keepalive=45s
# backup tunnel straight to the home router
add allowed-address=10.10.20.0/24,subnetA interface=wgBackup comment="access to Home direct" public-key="<HOME router backup public key>" endpoint-address=HOME-endpoint endpoint-port=45679 persistent-keepalive=35s

/ip address
add address=172.16.0.5/24 interface=wgParents network=172.16.0.0
add address=10.10.20.4/24 interface=wgBackup network=10.10.20.0

/ip firewall filter
add chain=input action=accept comment="admin access only" src-address-list=TRUSTED

/ip firewall address-list
# static DHCP leases where applicable
add address=subnetA-address/32 list=TRUSTED comment="admin remote desktop wired"
add address=subnetA-address/32 list=TRUSTED comment="admin remote device WIFI"
add address=subnetC-address/32 list=TRUSTED comment="admin local device while at parents house network"
add address=subnetD-address/32 list=TRUSTED comment="admin remote device while using church network"
add address=172.16.0.2-172.16.0.3 list=TRUSTED comment="remote admin wg access while away"
add address=10.10.20.2-10.10.20.3 list=TRUSTED comment="backup remote admin wg access while away"

/ip route
# recursive route: subnetA via the VPS hub stays active only while 172.16.0.1 answers ping
add check-gateway=ping dst-address=subnetA gateway=172.16.0.1 routing-table=main scope=10 target-scope=12
add dst-address=172.16.0.1/32 gateway=wgParents routing-table=main scope=10 target-scope=11
add distance=2 dst-address=subnetA gateway=wgBackup routing-table=main

Now the firewall rules get as intricate as you need them.
The admin list can be used in the forward chain to allow admin to all resources on each router as applicable.
One may have to add the individual wireguard remote users (church rep, parent access) to servers etc…
These are separate firewall rules denoting exactly who and exactly to where at the receiving router.
On the originating router it is easiest to simply allow the applicable subnets to enter the tunnel…
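A small consistency check for a hub peer list in the layout above, written in Python as an added example (not from the thread or Anav's script). It assumes RFC 1918 prefixes in place of the subnetA..E placeholders and deliberately lists one prefix under two peers: allowed-address is WireGuard's own routing table, so a prefix can belong to only one peer, and every site prefix a spoke lists also needs a matching /ip route on the hub.

```python
import ipaddress
import shlex

# Constructed sample peers in the thread's hub layout; the thread's subnetA..E
# placeholders are replaced here with assumed RFC 1918 prefixes, and one
# prefix (192.168.10.0/24) is deliberately listed twice to trip the check.
HUB_PEERS = """
add allowed-address=172.16.0.2/32 interface=wgServer comment="admin remote laptop" public-key="KEY2"
add allowed-address=172.16.0.4/32,192.168.10.0/24,192.168.11.0/24 interface=wgServer comment="admin HOME" public-key="KEY4"
add allowed-address=172.16.0.5/32,192.168.20.0/24 interface=wgServer comment="parents" public-key="KEY5"
add allowed-address=172.16.0.6/32,192.168.30.0/24,192.168.10.0/24 interface=wgServer comment="Church" public-key="KEY6"
"""
HUB_ROUTES = {"192.168.10.0/24", "192.168.11.0/24", "192.168.20.0/24"}  # assumed /ip route dst-address values on the hub

def parse_peers(script: str) -> list[dict]:
    # each RouterOS `add key=value ...` line becomes a dict; shlex keeps quoted comments whole
    peers = []
    for line in script.strip().splitlines():
        parts = shlex.split(line)
        if not parts or parts[0] != "add":
            continue
        kv = dict(p.split("=", 1) for p in parts[1:])
        kv["allowed"] = [ipaddress.ip_network(a) for a in kv["allowed-address"].split(",")]
        peers.append(kv)
    return peers

def overlapping_allowed(peers: list[dict]) -> list[tuple[str, str, str]]:
    # cryptokey routing maps each prefix to exactly one peer; a prefix listed
    # under two peers is silently taken by whichever peer was configured last
    hits = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            for na in a["allowed"]:
                for nb in b["allowed"]:
                    if na.overlaps(nb):
                        hits.append((a["comment"], b["comment"], str(max(na, nb, key=lambda n: n.prefixlen))))
    return hits

def missing_hub_routes(peers: list[dict], routes: set[str], tunnel: str = "172.16.0.0/24") -> list[str]:
    # every site prefix a spoke lists must also have an /ip route on the hub
    # pointing into wgServer, or the hub cannot relay traffic toward that site
    tun = ipaddress.ip_network(tunnel)
    need = {str(n) for p in peers for n in p["allowed"] if not n.subnet_of(tun)}
    return sorted(need - routes)

if __name__ == "__main__":
    peers = parse_peers(HUB_PEERS)
    print("overlaps:", overlapping_allowed(peers))
    print("routes missing on hub:", missing_hub_routes(peers, HUB_ROUTES))
```

Paste the real peer lines from the hub into HUB_PEERS and its route destinations into HUB_ROUTES; the two functions return nothing when the hub is consistent.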

Sorry @Anav, but for this topology, I’d definitely go with the free version of ZeroTier for an easy setup and administration, without needing a central VPS/CHR or anything like that.

ZeroTier also makes it much easier to add mobile devices like phones and laptops, and it handles CG-NAT really well.

The web-based admin tool (ZeroTier Central) is also super easy for managing all networks and devices.

@Larsa, I appreciate your input. However, I’ve already made the decision to go with Mikrotik for my networking hardware (or most of it…I do have a couple of secondhand Netvanta PoE switches), and I like the idea of minimizing the number of fingers in my networking pie. Besides, $45 for a Level 1 Cloud Hosted Router (I had to look it up…) license won’t break me, and 1 Gbps throughput is more than I can use even with everything rocking and rolling. Apparently I even get 60 days as a trial before I have to pay the CHR license; my ISP might fix their little problem by then.

@Anav, thanks ever so much for the detailed walk-through and script. I’m planning to work on setting it up; I’ve marked your solution as accepted but I know that there are always snags in implementation so I ask those of you who read this to bear with me if/when I go back to the well.

Yes, but until I actually use ZeroTier, I will be unfamiliar with its application and nuances.
No worries, ehbowen. Anav 1, Larsa 0 :wink:

Yep, back for more help.

I’ve spent the past two hours trying to generate a base64 certificate suitable for Wireguard using XCA on my Linux desktop and the CHR certificate tools. I wanted to sign the Mikrotik certificate with my own personal CA on XCA. That’s done, I think…but now I can’t come up with a way to convert that to base64 for Wireguard. Remedial instruction is welcomed at this point.

Normally Wireguard uses a private key and public key, where the public key is not wrapped in a certificate.

Assuming a client/server type configuration.

If the clients have a peer (the only one in client/server) with the server’s public key, it will trust and can connect to the server with the corresponding private key.
If the server has a peer with the client’s public key, it will trust and allow a connection from a client with the corresponding private key.

Keys can be generated at both ends, and the public keys transferred via email/similar and still have a secure connection.
Creating a new wireguard interface on the Mikrotik will cause the creation of a private/public key pair for the interface.
Or you can generate one via other means.
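To make the key-versus-certificate point concrete, an added Python example (not from the thread) that computes a WireGuard public key from a private key the way `wg pubkey` and RouterOS do, with X25519 from RFC 7748 implemented inline so it runs offline. It also derives the shared secret from each side's own private key plus the other side's public key, which is why only the base64 public keys need to travel by e-mail.

```python
import base64
import os

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for the Montgomery curve

def _clamp(priv: bytes) -> int:
    # RFC 7748 clamping; a WireGuard private key is 32 random bytes clamped this way
    b = bytearray(priv)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def _ladder(k: int, u: int) -> int:
    # Montgomery ladder from RFC 7748 section 5 (illustrative, not constant-time)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P

def public_key_bytes(priv: bytes) -> bytes:
    # public = private * base point (u = 9); this is what `wg pubkey` computes
    return _ladder(_clamp(priv), 9).to_bytes(32, "little")

def shared_secret(priv: bytes, peer_pub: bytes) -> bytes:
    # both ends get the same value from their own private key and the other
    # side's public key, so only the public halves ever need to be e-mailed
    u = int.from_bytes(peer_pub, "little") & ((1 << 255) - 1)
    return _ladder(_clamp(priv), u).to_bytes(32, "little")

def generate_keypair_b64() -> tuple[str, str]:
    # same 32-byte/base64 encoding that `wg genkey` and RouterOS use
    priv = os.urandom(32)
    return base64.b64encode(priv).decode(), base64.b64encode(public_key_bytes(priv)).decode()

def public_from_private_b64(priv_b64: str) -> str:
    # recovers the public-key= value a peer entry needs from a base64 private key
    return base64.b64encode(public_key_bytes(base64.b64decode(priv_b64))).decode()
```

The 44-character base64 string from generate_keypair_b64 (or from the router's own interface) is what goes into public-key= on the other side; no CA or certificate is involved.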

Honestly, there were a few key reasons why I recommended ZeroTier in this case:

  1. First off, ZeroTier would significantly reduce the complexity of your network and make managing it much easier, cutting down on all the “fingers in the networking pie.”
  2. It’s also a built-in feature in the Mikrotik routers you’re using.
  3. Plus, it’s completely free for up to 10 subnets. No need to deal with VPS monthly fees or an extra CHR license for administration.

That said, I’m sure @Anav and others in the forum will help you set up a VPS with CHR and mesh routing across your subnets. Good luck!

I tend to agree with Larsa, here.

There is a saying “If the only thing you have is a hammer, you tend to see every problem as a nail”

You need multiple solutions in your toolbox.
And for this setup, it looks like a perfect ZT match.
Quick setup and very scalable up to 10 subnets for free.

Wireguard will also work, it definitely will !
But maintenance and expansion might be a bit more challenging.

No argument from me vis-a-vis using ZeroTier…
Basically all connect to a Cloudflare VPS in a way.

Would just like to add that Wireguard doesn’t really use certificates; it does add a pre-shared key if you want extra security.