Pass all RW traffic through Wireguard connection

paging @anav or anyone else who can help

I’m sure this has been asked before, but I’m having trouble finding the answer for this particular set up. I want to set up a WireGuard server on my MikroTik solely for passing through road warrior traffic. The remote device should pass all traffic intended for internet access through the WG connection, HOWEVER I don’t want it to have any access to my LAN. I can do this easily with IPsec, but I have no idea how to do it with WireGuard.

Thanks

That's easy…

Remember your remote WireGuard traffic is controlled by firewall rules.
So it is best to add the WireGuard interface to your LAN interface list.

This allows the RWs to get DNS and to get WAN access.

For ex., typically everyone has:
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN

Make sure though to have a drop-all rule at the end of your forward chain:
add chain=forward action=drop comment="drop all else"

You don't need special source NAT or anything either.
You don't need a special IP route either.

So basically, with a drop-all rule in place, there is no way RW users will reach the LAN.
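The setup the answer describes, written out as an added RouterOS example (not from the thread or from MikroTik's docs). It assumes an interface named wireguard-rw, a tunnel subnet 10.99.0.0/24, an existing srcnat masquerade rule with out-interface-list=WAN, a client that sets AllowedIPs=0.0.0.0/0, and a placeholder for the client's public key.

```routeros
# Added example, not the original poster's config.
# Assumed: interface wireguard-rw, tunnel 10.99.0.0/24, existing masquerade
# on out-interface-list=WAN, client AllowedIPs=0.0.0.0/0.
/interface wireguard
add name=wireguard-rw listen-port=13231

/interface wireguard peers
# <CLIENT-PUBLIC-KEY> is a placeholder; paste the road warrior's real key.
add interface=wireguard-rw public-key="<CLIENT-PUBLIC-KEY>" \
    allowed-address=10.99.0.2/32

/ip address
add address=10.99.0.1/24 interface=wireguard-rw

# Put the tunnel in the LAN list so the existing LAN->WAN forward rule
# and the existing masquerade cover it; no extra NAT or route needed.
/interface list member
add interface=wireguard-rw list=LAN

/ip firewall filter
# input: accept the WireGuard handshake/transport from the internet
add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="wireguard"
# input: road warriors may only use the router for DNS. These two rules
# must sit ABOVE any general "accept in-interface-list=LAN" input rule,
# otherwise the tunnel (now a LAN member) would reach every router service.
add chain=input action=accept in-interface=wireguard-rw protocol=udp \
    dst-port=53 comment="RW DNS"
add chain=input action=drop in-interface=wireguard-rw \
    comment="RW: no other router services"

# forward: replies, then LAN (including the tunnel) to WAN only
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN \
    out-interface-list=WAN
# Nothing above permits wireguard-rw -> LAN subnets, so the final drop
# is what keeps road warriors off the LAN. Keep it last.
add chain=forward action=drop comment="drop all else"
```

Verify from a connected client that a LAN address (for example the router's bridge IP on a non-DNS port) is unreachable while internet traffic still flows, and check /ip firewall filter print stats to confirm the "drop all else" counter increments.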