Connectivity to customers' MikroTiks via WireGuard. Good idea?

Hello to all,

I am looking for an easy and user-friendly support, resp. connectivity, to my customers' MikroTiks.

To set up a 'WG site-to-site' connectivity from mine to all customers' MikroTiks would be an idea (the connection would not always be active, only in case of a support issue).

How are you supporting all your MTs? L2TP?

Tx

Korg

Of course the WG tunnels would always be active.
Your work or home router would serve as the server for the handshake and all the client devices would have persistent keepalive set.
You don't even need a separate WireGuard interface for all your devices either.
You can separate them by IP address…

add address=172.168.0.1/24 interface=WireguardControl network=172.168.0.0
add address=172.168.1.1/24 interface=WireguardControl network=172.168.1.0
add address=172.168.2.1/24 interface=WireguardControl network=172.168.2.0


add address=172.168.n.1/24 interface=WireguardControl network=172.168.n.0

Much easier IMHO as you only need to produce one Public KEY to put on all the devices!
Easy for firewall rules too.

  • single input chain rule for all handshakes !! for port 14678 for example…
  • one forward chain rule for you as admin to enter tunnel
    add chain=forward action=accept in-interface=TRUSTED src-address-list=Authorized out-interface=WireguardControl
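An added worked example of the layout this reply describes (example configuration written for this page, not code from the post or from MikroTik): one WireGuard interface on the support hub, one /24 per customer on that interface, one peer per customer, and the two firewall rules. The interface name WireguardControl, the port 14678, the 172.168.n.0/24 addressing and the Authorized address list come from the post; the customer LAN subnets, the hub's LAN interface ether2, the admin workstation address, the hostname hub.example.net and the key placeholders are assumptions. Note that 172.168.0.0/16 is not RFC 1918 space (only 172.16.0.0/12 is), so for production pick a block you never need to reach on the Internet.

```routeros
# Added example: one WireGuard interface on the support hub serving several
# customer routers. Addresses, names and keys are assumed placeholders.

# --- on the support hub ---
/interface wireguard
add name=WireguardControl listen-port=14678
# (private-key is generated when omitted; /interface wireguard print shows the public key)

# One hub address per customer /24, all on the same interface.
/ip address
add address=172.168.0.1/24 interface=WireguardControl network=172.168.0.0
add address=172.168.1.1/24 interface=WireguardControl network=172.168.1.0

# One peer per customer. allowed-address = that customer's tunnel address plus
# its LAN, so cryptokey routing sends traffic for that LAN to the right peer.
# No endpoint-address here: the customer routers initiate and keep the tunnel up.
/interface wireguard peers
add interface=WireguardControl public-key="<CUSTOMER0_PUBLIC_KEY>" \
    allowed-address=172.168.0.2/32,192.168.0.0/24 comment="customer0"
add interface=WireguardControl public-key="<CUSTOMER1_PUBLIC_KEY>" \
    allowed-address=172.168.1.2/32,192.168.1.0/24 comment="customer1"

# Routes to the customer LANs (assumed non-overlapping) over the tunnel.
/ip route
add dst-address=192.168.0.0/24 gateway=WireguardControl comment="customer0 LAN"
add dst-address=192.168.1.0/24 gateway=WireguardControl comment="customer1 LAN"

# Masquerade admin traffic to the hub's tunnel address, so each customer only
# has to allow a single source (172.168.n.1) through its peer.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=WireguardControl

# Firewall: one input rule for all handshakes, one forward rule for the admin,
# and nothing else gets into the customer tunnels.
/ip firewall address-list
add list=Authorized address=192.168.88.10 comment="admin workstation (assumed)"
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=14678 comment="WG handshakes"
add chain=forward action=accept in-interface=ether2 src-address-list=Authorized \
    out-interface=WireguardControl comment="admin into customer tunnels"
add chain=forward action=drop out-interface=WireguardControl \
    comment="nobody else into the tunnels"

# --- on each customer router (customer0 shown) ---
/interface wireguard
add name=wg-support listen-port=14678
/ip address
add address=172.168.0.2/24 interface=wg-support network=172.168.0.0
# Only the hub's tunnel address is accepted from this peer; cryptokey routing
# drops any other source. The keepalive keeps the NAT mapping open.
/interface wireguard peers
add interface=wg-support public-key="<HUB_PUBLIC_KEY>" \
    endpoint-address=hub.example.net endpoint-port=14678 \
    allowed-address=172.168.0.1/32 persistent-keepalive=25s comment="support hub"
/ip firewall filter
add chain=input action=accept in-interface=wg-support src-address=172.168.0.1 \
    comment="management from the support hub only"
```

The hub needs a reachable address or DDNS name and an open UDP port; the customer routers need neither, because with persistent-keepalive they initiate and the hub learns each endpoint from the handshake. The scheme relies on customer LANs not overlapping; where two customers both use the same LAN range, that customer's LAN has to be NATed behind its tunnel address instead of listed in allowed-address.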

This is my test setup. It is just a simple setup with two goals:

  • get the WG connectivity running between spine and leaf1 and between spine and leaf2, not between leaf1 and leaf2.
  • get the correct IP address on the VPCs on leaf1 and leaf2.

[diagram: 2024-04-02_12h56_03.png]
IP addresses:

spine 10.10.100.0/24
leaf1 10.20.100.0/24
leaf2 10.30.100.0/24

WG connectivity is working as it is supposed to, but what I am experiencing is that the VPCs on leaf1 and leaf2, when doing DHCP, do NOT GET the IP address of the leaf itself (10.20.100.x and 10.30.100.x respectively) but the IP address of the spine! Again, no 'nuclear physics' MikroTik setup, pretty simple. Where am I making the error?

Here is the spine code

# apr/02/2024 10:53:30 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.10.100.1-10.10.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.135 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd"
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.138 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd="
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.136 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "sdfdsfsdfsd="
/ip address
add address=10.10.100.254/24 interface=bridge1 network=10.10.100.0
add address=172.16.0.100/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.10.100.0/24 gateway=10.10.100.254
/ip firewall filter
add action=accept chain=input disabled=yes dst-port=13299 protocol=udp \
    src-port=""
/ip route
add comment="Connection to xy" disabled=no distance=1 dst-address=\
    10.20.100.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment="connection to zy" disabled=no distance=1 dst-address=\
    10.30.100.0/24 gateway=wireguard1 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no dst-address=10.40.100.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system identity
set name="MT SPINE WG"
/system note
set show-at-login=no

Here is a leaf1 code

# apr/02/2024 10:53:44 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.20.100.1-10.20.100.253
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=192.168.216.137 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "papapapaapa"
/ip address
add address=10.20.100.254/24 interface=bridge1 network=10.20.100.0
add address=172.16.0.200/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.20.100.0/24 gateway=10.20.100.254
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=tcp
/ip route
add disabled=no distance=1 dst-address=10.10.100.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system identity
set name="MT Leaf1 WG"
/system note
set show-at-login=no

and a leaf2 code

# apr/02/2024 10:53:56 by RouterOS 7.9.1
# software id = 
#
/interface bridge
add name=bridge1
/interface wireguard
add listen-port=13299 mtu=1420 name=wireguard1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=10.30.100.1-10.30.100.253
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1 
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=10.10.100.254 endpoint-port=\
    13299 interface=wireguard1 public-key=\
    "bkakakakakaa"
/ip address
add address=10.30.100.254/24 interface=bridge1 network=10.30.100.0
add address=172.16.0.110/24 interface=wireguard1 network=172.16.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=10.30.100.0/24 gateway=10.30.100.254
/ip firewall filter
add action=accept chain=input dst-port=13299 protocol=udp
/ip route
add disabled=no dst-address=10.10.100.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/system identity
set name="MT Leaf2 WG"
/system note
set show-at-login=no

??? There is no DHCP in WireGuard; it's not a regular type of subnet, it's really an IP address and an interface.

(1) Allowed IPs on spine are incorrect,
a. you need to put the actual IP assigned to the leaf peer ( and any remote subnets local users are visiting, or any remote subnets visiting your local subnets)
b. you don't put endpoint address or port

(2) Allowed IPs on leaf1 & 2… missing persistent keep alive setting

(3) Allowed IPs on leaf2, incorrect, the endpoint address you put is not based on the spine public IP address ???

Just use ZeroTier + RoMON, it is much simpler, and use routing if you need to reach the LAN subnet; just my 0.2$

  1. So I should take ether2 out of the DHCP server? And put the IP of leaf1 (and 2 and 3) in the WG setup, something like this?

/interface wireguard peers
add allowed-address=10.20.100.0/24 endpoint-address=192.168.216.135 (or if the public ip address is dynamic, i put here cloud dns address?) endpoint-port=13299 interface=wireguard1
add allowed-address=10.30.100.0/24 endpoint-address=192.168.216.137 (or if the public ip address is dynamic, i put here cloud dns address?) endpoint-port=13299 interface=wireguard1
add allowed-address=10.40.100.0/24 endpoint-address=192.168.216.138 (or if the public ip address is dynamic, i put here cloud dns address?) endpoint-port=13299 interface=wireguard1

/interface bridge port
add bridge=bridge1 disabled=yes interface=ether2
add bridge=bridge1 disabled=yes interface=ether3
add bridge=bridge1 disabled=yes interface=ether4

  2.
/interface wireguard peers
add allowed-address=10.10.100.0/24 endpoint-address=192.168.216.137 endpoint-port=13299 interface=wireguard1

  3. Then, which value/IP address should be there instead of the public IP address? The IP of the spine (10.10.100.254)?

you mean… you have a ‘ready to go’ solution?

ZeroTier is easier to set up, but even if idle, ZeroTier does use more bandwidth than WG. Plus, as more routers are connected to the same ZT network, even more bandwidth is used to maintain the bridge/paths. And the ZeroTier built into MikroTik does not support ZeroTier's “low bandwidth mode”. If it's a fiber line, it wouldn't be an issue. But on DSL or a similar slower upstream, ZT's overhead can be noticeable.

While with WG… if there is no traffic flowing between the peers (e.g. you're not connected to the customer router), traffic should be pretty minimal since it's just WG heartbeat messages between the peers.

Tx Amm0.. I am using 4G connectivity, as fiber for me, resp. for the town where I'm living, is like a far-away future!

So, ZeroTier is no option for me :frowning:

tx anyway

In my opinion, WireGuard is far easier to set up and far more efficient to run when KISS is applied… but if you are a Rocket Scientist then ZeroTier is your cup of tea. :slight_smile:

KISS?

We initially started using WireGuard but as we scaled up it became unmanageable (a real pain in the neck to be honest) to administer so we’ve completely transitioned to ZeroTier for OOB administration. Also, the overhead for path search traffic is negligible, even in 4G. ZeroTier is extremely easy to get started with and manage, as are most other similar SD-WAN solutions.

Once you've experienced the benefits of SD-WAN, you'll never want to go back to the hassle of manually managing static VPN links. This is especially true as your network grows and becomes more complex.

EDIT:
KISS = acronym “keep it simple” = ZeroTier ;- )

:smiley:
I guess that you have not tried the PRO WIREGUARD MANAGEMENT solution from someone that you respect highly ???
KISS = acronym “keep it simple” = for PRO’s only :smiley:
only when scaling becomes an issue with WireGuard

It’s kinda “pick your poison” situation if you ask me. All involve some complexity. :wink:. Plus you need ARM-based routers for ZT, which can be a big blocker to using ZeroTier…

Pure WG on MikroTik would be fine if you have some fixed IP at a logical “hub” (yes, they're all peers, but…). More just a fair amount of manual config between the subnets/routing/firewall/etc. If pretty familiar with RouterOS's firewall, totally manageable. More when you multiply by # of routers, it gets complex to maintain routes/rules everywhere manually, and more config, more potential troubles. Certainly stuff like Tailscale, headscale, ProCustodibus, etc. can help fill in those gaps. Just none are integrated into RouterOS.

While I do think ZT uses slightly more bandwidth than WG, it's likely not significant on a decent 4G link for half a dozen sites. One note here with 4G LTE is that it's often CGNAT. And ZT does deal with NAT hole punching (and prefers IPv6 automatically to tunnel Layer 2 ZT traffic). So if Site1 needs to talk to Site2, both on 4G with CGNAT, ZT would allow that, while WG won't. Or if the 4G connection has IPv6, it uses that to tunnel, while your traffic/network can still be IPv4-only if you want.

ZT can also distribute routes from the controller that get dynamically added to RouterOS. This can be useful since the routes could be whatever, including WG paths if you wanted. Now using both WG and ZT, kinda violates KISS. :wink:

You all be missing the point…
Zerotier, besides the limitation to ARM devices, is forcing the OP to be dependent upon THIRD PARTY.
WireGuard is direct and thus more secure and independent → and ZT may conflict with Company Policy…

I mean its unlikely that cloudflare is going to read your traffic, but then again Google had Incognito browsing LOL…

Mozerd, how easy is it to integrate PRO WG MGMT with MT devices?? Does it run on windows PC?

By “THIRD PARTY,” I presume you mean third-party “cloud services.” Most SD-WAN solutions offer both cloud-based services and on-premises support. If you prefer, Mikrotik ZeroTier includes an on-premises controller that makes you independent of third-party cloud services.

However, bear in mind that the major strength of SD-WAN is simplified operations. This becomes especially important when your network grows and becomes more complex. WireGuard is simply a tunneling protocol, nothing else.

how many aliases do you have anav? :smiley:

The Pro Custodibus agent won’t run on MikroTik’s RouterOS … would be very nice if it did :sunglasses: … so if a MikroTik Router is used as a WireGuard hub, Pro Custodibus isn’t a good fit.
Pro Custodibus would be a better fit if one had vanilla Linux servers inside (or outside) the MikroTik network that one used as hubs for WireGuard access – like if you had a fileshare or custom application that a bunch of users connected to directly from their devices through WireGuard then that would work.

Your Security point is a very good one …

All these points are fair.

But the diagram here shows 4 routers. In total, it’s ~5-10 lines of config per router for “pure” WG… That seems manageable & I’d listen to @anav on config.

It’s when these change a lot or you have dozens of routers, then something outside of Mikrotik is often needed.

Ok…

so according to @anav, spine should be

/interface wireguard peers
add allowed-address=10.20.100.0/24,10.30.100.0/24,‘whatever remote ip of the peer the spine should connect to’ endpoint-address=public ip address resp. dyndns(cloud) address of the leaf(s) endpoint-port=13299 interface=wireguard1

and on the leaf side(s)

/interface wireguard peers
add allowed-address=‘ip address of the wireguard interface of the spine’ endpoint-address=dyndns address of the spine endpoint-port=13299 interface=wireguard1 persistent-keepalive=25s

are these settings now correct?
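An added worked example for this page (not a post from the thread and not the OP's or anav's code) that applies the three points from the earlier diagnosis, and the proposal just above, to the spine and leaf1 exports posted in the thread: on the spine, one peer per leaf whose allowed-address is that leaf's tunnel address plus its LAN and no endpoint; on the leaf, the spine's reachable address as endpoint, the spine's tunnel address and LAN as allowed-address, and persistent-keepalive. Tunnel addresses, LAN subnets, the port 13299, the MTU and the spine's lab address 192.168.216.137 are taken from the exports (leaf1's existing endpoint); the keys are placeholders, and leaf2 follows the same pattern with 172.16.0.110 and 10.30.100.0/24.

```routeros
# Added example: spine and leaf1 peer definitions following points (1)-(3).
# Addresses and subnets come from the thread's exports; keys are placeholders.

# --- spine (hub) ---
/interface wireguard
add name=wireguard1 listen-port=13299 mtu=1420
/ip address
add address=172.16.0.100/24 interface=wireguard1 network=172.16.0.0
# (1) one peer per leaf; allowed-address = that leaf's tunnel address plus its LAN.
#     No endpoint-address/port: the leaves initiate, and the spine learns each
#     leaf's endpoint from the handshake. Two peers with 0.0.0.0/0 would collide,
#     because only one peer can own a given allowed prefix.
/interface wireguard peers
add interface=wireguard1 public-key="<LEAF1_PUBLIC_KEY>" \
    allowed-address=172.16.0.200/32,10.20.100.0/24 comment="leaf1"
add interface=wireguard1 public-key="<LEAF2_PUBLIC_KEY>" \
    allowed-address=172.16.0.110/32,10.30.100.0/24 comment="leaf2"
/ip route
add dst-address=10.20.100.0/24 gateway=wireguard1 comment="leaf1 LAN"
add dst-address=10.30.100.0/24 gateway=wireguard1 comment="leaf2 LAN"
# The export had this rule disabled; the hub must accept UDP (not TCP) on the port.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13299 comment="WG handshakes"

# --- leaf1 (leaf2 identical with 172.16.0.110/24 and 10.30.100.0/24) ---
/interface wireguard
add name=wireguard1 listen-port=13299 mtu=1420
/ip address
add address=172.16.0.200/24 interface=wireguard1 network=172.16.0.0
# (3) endpoint = the spine's reachable address (192.168.216.137 in this lab; a
#     public IP or DDNS name in production), never the spine's LAN address.
# (2) persistent-keepalive keeps the NAT mapping open so the spine stays reachable.
#     allowed-address = spine tunnel address plus spine LAN, nothing wider.
/interface wireguard peers
add interface=wireguard1 public-key="<SPINE_PUBLIC_KEY>" \
    endpoint-address=192.168.216.137 endpoint-port=13299 \
    allowed-address=172.16.0.100/32,10.10.100.0/24 \
    persistent-keepalive=25s comment="spine"
/ip route
add dst-address=10.10.100.0/24 gateway=wireguard1 comment="spine LAN"
# No input rule is needed on a leaf that initiates; if one is kept it must be UDP.
```

To verify, run `/interface wireguard peers print` on the spine: each leaf peer should show a recent last-handshake and a current-endpoint-address learned from the leaf, and `/ping 172.16.0.200` from the spine should answer. The DHCP symptom from the first post is unrelated to these peer settings, since, as the reply above says, there is no DHCP inside a WireGuard tunnel; leases from the spine can only reach the leaf VPCs over a layer-2 path between the bridges.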