Instructions for configuring the WireGuard interface on two routers to combine two Offices into a single network

Kranker · June 28, 2023, 8:58am

WireGuard appeared in the seventh firmware !!
Oh miracle,
but where can I find the WireGuard setting, at least for two networks? Below I wrote how to quickly and easily connect two offices to a peer-to-peer network.
OFFICE-1 LAN=192.168.2.0/24
OFFICE-2 LAN=192.168.0.0/24
inet_ip_OFFICE- White IP address

# The WireGuard interfaces must be configured on both sites to allow automatic key generation.
# 
# \\--The command to be executed on both routers:
# 
/interface wireguard
add listen-port=13232 name=WireGuardTunel
/interface list member
add interface=WireGuardTunel list=LAN
#Or just add the WireGuard interface to the list of "LAN" interfaces.
# 
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13232 protocol=udp place-before=1
# To allow remote devices to connect to RouterOS services (for example, query DNS),
# allow the WireGuard subnet in the input chain.
# ***
# Both private and public keys must now be visible when printing interface details to allow sharing.
# No private key will ever be needed on the remote device - hence the name private.
# 
# OFFICE-1
/interface/wireguard print
Flags: X - disabled; R - running 0  R name="WireGuardTunel" mtu=1420 listen-port=13232 private-key="<private-key_OFFICE-1>"
      public-key="<public-key_OFFICE-1>"
# 
# OFFICE-2
/interface/wireguard/print
Flags: X - disabled; R - running 0  R name="WireGuardTunel" mtu=1420 listen-port=13232 private-key="<private-key_OFFICE-2>"
      public-key="<public-key_OFFICE-2>"
# 
# Peer configuration determines who can use the WireGuard interface and what traffic can be sent through it.
# To identify a remote host, you must specify its public key along with the generated WireGuard interface.
# 
#\\--Setting up each MikroTik router:
# OFFICE-1
/interface/wireguard/peers
add allowed-address=192.168.0.0/24 endpoint-address=<inet_ip_OFFICE-1> endpoint-port=13232 interface=WireGuardTunel \
public-key="<public-key_OFFICE-2>"
#Configure IP and routing and firewall to allow traffic to pass through the tunnel.
/ip/address
add address=10.255.255.1/30 interface=WireGuardTunel
/ip/route
add dst-address=192.168.0.0/24 gateway=WireGuardTunel
/ip/firewall/filter
add action=accept chain=input comment="allow WireGuard" dst-port=13232 protocol=udp src-address=<inet_ip_OFFICE-1>
/ip/firewall/filter
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.2.0/24 src-address=192.168.0.0/24
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.0.0/24 src-address=192.168.2.0/24
# 
# OFFICE-2
/interface/wireguard/peers
add allowed-address=192.168.2.0/24 endpoint-address=<inet_ip_OFFICE-2> endpoint-port=13232 interface=WireGuardTunel \
public-key="<public-key_OFFICE-1>"
# Configure IP and routing and firewall to allow traffic to pass through the tunnel.
/ip/address
add address=10.255.255.2/30 interface=WireGuardTunel
/ip/route
add dst-address=192.168.2.0/24 gateway=WireGuardTunel
/ip/firewall/filter
add action=accept chain=input comment="allow WireGuard" dst-port=13232 protocol=udp src-address=<inet_ip_OFFICE-2>
/ip/firewall/filter
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.0.0/24 src-address=192.168.2.0/24
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.2.0/24 src-address=192.168.0.0/24
# 
# Firewall Recommendations
# RouterOS firewall by default blocks proper tunnel creation.
# Traffic must be accepted in the "input" chain before any drop rules on both sites.
# It's also possible that "forward" chaining also restricts communication between subnets,
# so such traffic should also be accepted before any drop rules.
# Check with command
/interface wireguard print 
# on each router to make sure the WireGuard interface is up and running.

Please check if the instructions are correct. Did I miss something?

anav · June 28, 2023, 7:48pm

When you have complete configs to review will have a look, is there an issue??

Kranker · June 30, 2023, 10:15am

Here is a modified and redesigned setting specifically in the WireGuard part! And there is no point in laying out the entire config. And yet, I figured it out, now everything works in both directions! I post the WireGuard setup for connecting the network 192.168.0.0-office 1 and 192.168.2.0-office 2 via WireGuard.

# The WireGuard interfaces must be configured on both sites to allow automatic key generation.
# 
# \\--The command to be executed on both routers:
# 
/interface wireguard
add listen-port=13232 name=WireGuardTunel
/interface list member
add interface=WireGuardTunel list=LAN
#Or just add the WireGuard interface to the list of "LAN" interfaces.
# 
/ip firewall filter
add action=accept chain=input comment="allow WireGuard" dst-port=13232 protocol=udp place-before=1
# To allow remote devices to connect to RouterOS services (for example, query DNS),
# allow the WireGuard subnet in the input chain.
# ***

# OFFICE-1 (Lan=192.168.0.0\24 Wan = <inet_ip_OFFICE-1>)
/interface/wireguard print
Flags: X - disabled; R - running 0  R name="WireGuardTunel" mtu=1420 listen-port=13232 private-key="<private-key_OFFICE-1>"
      public-key="<public-key_OFFICE-1>"

# OFFICE-2 (Lan=192.168.2.0\24 Wan = <inet_ip_OFFICE-2>)
/interface/wireguard/print
Flags: X - disabled; R - running 0  R name="WireGuardTunel" mtu=1420 listen-port=13232 private-key="<private-key_OFFICE-2>"
      public-key="<public-key_OFFICE-2>"

# Peer configuration determines who can use the WireGuard interface and what traffic can be sent through it.
# To identify a remote host, you must specify its public key along with the generated WireGuard interface.

#\\--Setting up each MikroTik router:
# OFFICE-1
/interface/wireguard/peers
add allowed-address=192.168.0.0/24 endpoint-address=<inet_ip_OFFICE-1> endpoint-port=13232 interface=WireGuardTunel \
public-key="< public-key _OFFICE-2>"
#Configure IP and routing and firewall to allow traffic to pass through the tunnel.
/ip/address
add address=10.255.255.2/24 interface=WireGuardTunel
/ip/pool
add address=10.255.255.1-10.255.255.250 name=WireGuardTunel

/ip/route
add dst-address=192.168.0.0/16 gateway=WireGuardTunel
/ip/route
add dst-address=10.255.255.0/30 gateway=WireGuardTunel

/ip/firewall/filter
add action=accept chain=input comment="allow WireGuard" dst-port=13232 protocol=udp 
/ip/firewall/filter
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.2.0/24 src-address=192.168.0.0/16
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.0.0/16 src-address=192.168.2.0/24
# 
# OFFICE-2
/interface/wireguard/peers
add allowed-address=192.168.2.0/24 endpoint-address=<inet_ip_OFFICE-2> endpoint-port=13232 interface=WireGuardTunel \
public-key="<public-key_OFFICE-1>"
# Configure IP and routing and firewall to allow traffic to pass through the tunnel.
/ip/address
add address=10.255.255.2/24 interface=WireGuardTunel
/ip/route
add dst-address=192.168.2.0/24 gateway=WireGuardTunel
/ip/route
add dst-address=10.255.255.0/30 gateway=WireGuardTunel

/ip/firewall/filter
add action=accept chain=input comment="allow WireGuard" dst-port=13232 protocol=udp 
/ip/firewall/filter
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.0.0/24 src-address=192.168.2.0/24
add action=accept chain=forward comment="allow WireGuard" dst-address=192.168.2.0/24 src-address=192.168.0.0/24
# 
# Firewall Recommendations
# RouterOS firewall by default blocks proper tunnel creation.
# Traffic must be accepted in the "input" chain before any drop rules on both sites.
# It's also possible that "forward" chaining also restricts communication between subnets,
# so such traffic should also be accepted before any drop rules.
# Check with command
/interface wireguard print 
# on each router to make sure the WireGuard interface is up and running.
Use it to your health!

Now I’m interested in how to hook 192.168.3.0 office 3 and 192.168.4.0 office 4.

erlinden · June 30, 2023, 1:20pm

There is not so much of a difference in having a single or multiple site-2-site vpn’s.
You probably already have found this document:

https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-SitetoSiteWireGuardtunnel

Be aware, you will have to take care of possible loops

Kranker · July 19, 2023, 7:27am

It’s time for fine tuning. How to restrict traffic to only certain ports, like “Only 1560-1591 and 9999 are allowed”? Maybe someone will tell?

erlinden · July 19, 2023, 7:29am

Firewall, block all forwarding and allow only the above.

anav · July 19, 2023, 1:41pm

Is there an issue? If not, sounds like listening to yourself talk LOL In which case recommend DISCORD MT channel.

Kranker · July 19, 2023, 2:26pm

YA! Is there an issue?
does not close

McGremlin · July 19, 2023, 4:58pm

Are you instructing others how to do it? It looks like that. I believe that Anav did some great work and such an instruction is already somewhere here.
If someone is looking only for basic config than

To anyone who just wants to copy-paste Wireguard configs from this post - I HIGHLY recommend to get KNOWLEDGE about Wireguard in the first place. If you are in a workplace which needs site2site connection you HAVE TO have knowledge about network basics. Combining this two will lead you slightly to achieving your Wireguard goal. If you are struggling with something - write a topic on the forum.
If you don't have basic networking knowledge and only want to copy-paste you should probably change your job.