Private IP can be accessed by public IP via WireGuard

Hello members,

In mainland China (PRC), due to limited IPv4, most customers (private IP) can only connect to the Internet via CGNAT (Carrier-Grade NAT). However, they have internal IP cameras or router(s) which an external public IP cannot connect to directly, because of the internal IP.

The following diagram shows the connection:

private IP router (R1) —> router (public ISP) —> Internet —> public IP router (R2) <— notebook PC

From R1 (NAT) we can connect to R2 using the site-to-site method. R2 cannot connect to R1 because R1 has a private IP.

We use two PC WireGuard configuration files (Table 1 for router R1 and Table 2 for the user) on a notebook PC. The notebook PC tests both configuration files without any problems. The router R2 WireGuard server is shown in Table 3. In fact R2 can be any WireGuard server and does not have to be a MikroTik router. Based on the Table 1 settings, we build the configuration in Table 4.

Since the routers are used in mainland China (PRC), if you switch to another country, change the following items:

  1. DNS in Tables 1 and 2 should be changed to 8.8.8.8 or omitted to use local DNS servers
  2. Endpoint abc.xyz.org in Tables 1, 2 and 4 should be changed to the correct one.
  3. Some values in Table 4 are based on Table 1, such as
    a) the Table 1 address 10.2.100.5/32 is changed to 10.2.100.5/24
    b) persistent-keepalive=25 must be in place, since R1 has a private IP, to keep the line connected
  4. The R1 firewall filter should allow WinBox (tcp=8291) and ICMP, to allow ping

Operation:

  1. In router R1, use the commands in Table 4 so that R1 is connected to R2
  2. Open the notebook PC anywhere and connect it to the Internet.
  3. Click the WireGuard icon and then select "fs-gu-us" (Table 2) to connect to router R2
  4. Open WinBox and select "10.2.100.5", admin/password, to connect to R1, the private IP router.

Remarks:

  1. This is the same as Back To Home and is not limited to ARM CPUs.
  2. Many MikroTik routers (RB5009, CCR1009) have been tested without any problems.

Table 1: PC WireGuard configuration file for R1 to server R2

#############################################
#fs-gu-mt
#PublicKey = 6SS1XAlmf2kYDr/tl0fHnVyTgWATeRyf/CKY1tgLTjE=

[Interface]
PrivateKey = mNFjsoTI5IQqMsRlT8uCN6Hkwd1s3J10QEYqOFI/pGU=
Address = 10.2.100.5/32
DNS = 223.5.5.5, 119.29.29.29

[Peer]
PublicKey = pHfm7nZ/PTR0A7ca5I5gVJqr1bTS6eXL0wB4v8cl+RU=
PresharedKey = +LTmCJ3lK4HKRsDzBis4omPjMSLEIJ6qsUTxbwU6x1s=
AllowedIPs = 0.0.0.0/0
Endpoint = abc.xyz.org:60279
PersistentKeepalive = 25

Table 2: PC WireGuard configuration file for user to server R2

####################################
#fs-gu-us
#PublicKey = 9XfvhtbOjt5f6R+KZptEuifQ9sTRPmPrmy2Tax0ZPhg=

[Interface]
PrivateKey = cIvH/Z9TIcp5EHRmUhyRnthUu2D5TQhVuuxshFrSPFc=
Address = 10.2.100.2/32
DNS = 223.5.5.5, 119.29.29.29

[Peer]
PublicKey = pHfm7nZ/PTR0A7ca5I5gVJqr1bTS6eXL0wB4v8cl+RU=
PresharedKey = 4LHcT1qU4ybbILKpOWw2by/pQhVZt9jrApUC9NmDg3Q=
AllowedIPs = 0.0.0.0/0
Endpoint = abc.xyz.org:60279
PersistentKeepalive = 25

Table 3: R2 WireGuard server settings

##########################################
#R2 WireGuard server
#PublicKey = pHfm7nZ/PTR0A7ca5I5gVJqr1bTS6eXL0wB4v8cl+RU=

[Interface]
PrivateKey = KPje8vVVILP7WeR9cOmlfYYfmcni1sCNeAFB61Hk/EA=
# matches the Endpoint port used in Tables 1 and 2
ListenPort = 60279

# a [Peer] section takes AllowedIPs (the peer's tunnel address), not Address
[Peer]
PublicKey = 6SS1XAlmf2kYDr/tl0fHnVyTgWATeRyf/CKY1tgLTjE=
AllowedIPs = 10.2.100.5/32
PresharedKey = +LTmCJ3lK4HKRsDzBis4omPjMSLEIJ6qsUTxbwU6x1s=

[Peer]
PublicKey = 9XfvhtbOjt5f6R+KZptEuifQ9sTRPmPrmy2Tax0ZPhg=
AllowedIPs = 10.2.100.2/32
PresharedKey = 4LHcT1qU4ybbILKpOWw2by/pQhVZt9jrApUC9NmDg3Q=

Table 4: Router 1 WireGuard settings based on Table 1

/interface wireguard
add listen-port=13232 mtu=1420 name=wg-fs private-key=\
"mNFjsoTI5IQqMsRlT8uCN6Hkwd1s3J10QEYqOFI/pGU=" \
comment="WG FS"

# Assign address to the router on the new interface.
/ip address
add address=10.2.100.5/24 comment="Wireguard" interface=wg-fs \
    network=10.2.100.0

# Set up FS peer
/interface wireguard peers
add name=fs allowed-address=10.2.100.5/24 comment="fs" \
    endpoint-address=abc.xyz.org endpoint-port=60279 \
    interface=wg-fs public-key=\
    "pHfm7nZ/PTR0A7ca5I5gVJqr1bTS6eXL0wB4v8cl+RU=" \
    preshared-key="+LTmCJ3lK4HKRsDzBis4omPjMSLEIJ6qsUTxbwU6x1s=" \
    persistent-keepalive=25
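As an added example (not code from the original post), the following Python script performs the Table 1 to Table 4 translation described above: it parses a wg-quick client file, checks that every key decodes to 32 bytes, widens the client's /32 to the /24 used in Table 4, forces persistent-keepalive on because R1 sits behind CGNAT, and also emits input firewall rules that admit WinBox (tcp/8291) and ping only on the wg-fs interface rather than on every interface. The sample config embedded in it is constructed from Table 1; the listen port 13232, interface name wg-fs and peer name fs are taken from Table 4, and allowed-address is written in subnet form (the same prefix as Table 4's 10.2.100.5/24). Note that the keys reproduced in the post are now public; a real deployment needs freshly generated ones.

```python
"""Translate a wg-quick client file (shape of Table 1) into RouterOS commands."""
import base64
import ipaddress

# Constructed sample input in the shape of Table 1.  The keys are the ones
# printed in the post, hence public and unusable for anything real.
SAMPLE_CONF = """\
[Interface]
PrivateKey = mNFjsoTI5IQqMsRlT8uCN6Hkwd1s3J10QEYqOFI/pGU=
Address = 10.2.100.5/32
DNS = 223.5.5.5, 119.29.29.29

[Peer]
PublicKey = pHfm7nZ/PTR0A7ca5I5gVJqr1bTS6eXL0wB4v8cl+RU=
PresharedKey = +LTmCJ3lK4HKRsDzBis4omPjMSLEIJ6qsUTxbwU6x1s=
AllowedIPs = 0.0.0.0/0
Endpoint = abc.xyz.org:60279
PersistentKeepalive = 25
"""
# wg(8) keys are case-insensitive; map them to their canonical spelling.
CANON = {k.lower(): k for k in ("PrivateKey", "Address", "DNS", "ListenPort", "PublicKey",
                                "PresharedKey", "AllowedIPs", "Endpoint", "PersistentKeepalive")}

def parse_wg_conf(text):
    """Parse the INI-like wg-quick format into {"Interface": {...}, "Peers": [...]}."""
    conf = {"Interface": {}, "Peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                section = conf["Interface"]
            elif name == "peer":
                conf["Peers"].append(section := {})
            else:
                raise ValueError("unknown section %r" % name)
            continue
        if section is None or "=" not in line:
            raise ValueError("malformed line %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        section[CANON.get(key.lower(), key)] = value
    return conf

def is_wg_key(b64):
    """True when b64 decodes to exactly 32 bytes (Curve25519 key or PSK)."""
    try:
        return len(base64.b64decode(b64, validate=True)) == 32
    except (ValueError, TypeError):
        return False

def routeros_from_client(conf, listen_port=13232, iface="wg-fs", peer_name="fs",
                         tunnel_prefix=24, keepalive=25):
    """RouterOS commands for the client side (R1 behind CGNAT).  The client's /32
    is widened to tunnel_prefix (the post uses /24) so R1 routes the whole tunnel
    subnet; keepalive is always set, else the CGNAT mapping expires and R2 loses R1."""
    if len(conf["Peers"]) != 1:
        raise ValueError("expected exactly one [Peer] (the server R2)")
    interface, peer = conf["Interface"], conf["Peers"][0]
    for label in ("PrivateKey", "PublicKey", "PresharedKey"):
        key = interface.get(label) if label == "PrivateKey" else peer.get(label)
        if label == "PresharedKey" and key is None:
            continue                                    # PSK is optional
        if not is_wg_key(key):
            raise ValueError("%s is not a valid 32-byte base64 key" % label)
    addr = ipaddress.ip_interface(interface["Address"])
    tunnel = ipaddress.ip_interface("%s/%d" % (addr.ip, tunnel_prefix))
    host, _, port = peer["Endpoint"].rpartition(":")
    ka = int(peer.get("PersistentKeepalive", 0)) or keepalive
    psk = peer.get("PresharedKey")
    return "\n".join([
        "/interface wireguard",
        'add listen-port=%d mtu=1420 name=%s private-key="%s"'
        % (listen_port, iface, interface["PrivateKey"]),
        "/ip address",
        "add address=%s interface=%s network=%s"
        % (tunnel.with_prefixlen, iface, tunnel.network.network_address),
        "/interface wireguard peers",
        "add name=%s allowed-address=%s endpoint-address=%s endpoint-port=%s "
        'interface=%s public-key="%s"%s persistent-keepalive=%d'
        % (peer_name, tunnel.network.with_prefixlen, host, port, iface,
           peer["PublicKey"], ' preshared-key="%s"' % psk if psk else "", ka),
    ])

def routeros_firewall(iface="wg-fs"):
    """Input rules admitting WinBox and ping only from the tunnel interface."""
    return "\n".join([
        "/ip firewall filter",
        "add chain=input action=accept in-interface=%s protocol=tcp dst-port=8291" % iface,
        "add chain=input action=accept in-interface=%s protocol=icmp" % iface,
    ])

if __name__ == "__main__":
    print(routeros_from_client(parse_wg_conf(SAMPLE_CONF)))
    print(routeros_firewall())
```

Running the script prints the three RouterOS sections of Table 4 followed by the two input rules; paste them into a terminal on R1, and place the firewall rules above any drop rule on the input chain.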

I am not sure what you are trying to say?
WireGuard normally requires one end to have access to a public IP, or at least an ISP router with a public IP that can forward ports, like the WireGuard port to the LAN IP of the MT device on its LAN (also the WAN IP of the MT device).

BTH is designed for when one has no such options.
a. their MT device gets a private IP.
b. they have no other friend or MT router with access to a public IP that can provide connectivity to the internet at that location, plus allow one to reach the first router for config purposes or its subnets when at a coffee shop or hotel.
c. they cannot afford to host CHR on a cloud device.
d. do not want to use zerotier between two MT routers.

So the configuration you show, is a standard client peer for handshake connecting to a server peer for handshake scenario.
What is being provided here that is new?

Please re-read the statements again; other posts do not show detailed procedures.

BTH is good at the site provided by MikroTik. However, when it is used in mainland China (MC), the response will be jeopardised due to the different locations, Latvia and MC. In order to overcome this I use a WireGuard server in MC. Therefore the speed between the notebook PC and the test router is very fast.

Perhaps you should read what I posted. Normally people use WG as a Server, using BTH is only needed when you are unable to get a public IP.