Mikrotik-Router as ISP Router and wireguard server
… has LAN: 192.168.200.0/24 with IP 192.168.200.1
… uses Wireguard-VPN: 192.168.201.0/24 with IP 192.168.201.1
… has static route to Site B LAN 192.168.0.0/24 via 192.168.201.3
Site B
Linux machine, running WireGuard as peer to connect to Site A (which works)
… uses VPN Peer IP: 192.168.201.3
… has LAN: 192.168.0.0/24 with IP 192.168.0.133
Site B runs an AVM FritzBox (which also provides the 192.168.0.0/24 network and is its default gateway) for internet connectivity and has a static route configured: 192.168.200.0/24 via gateway 192.168.0.133 (= Linux machine with WireGuard VPN peer)
What is working:
Site B Linux Machine can ping Wireguard VPN 192.168.201.x network without any issue.
Site B Linux Machine can ping Site A LAN 192.168.200.x network without any issue.
Any PC on Site A can ping Site B’s VPN peer 192.168.201.3
What is not working:
From any host on Site A I cannot ping any 192.168.0.x IP → Destination Host Unreachable
From Site A Mikrotik Router Terminal I cannot ping 192.168.0.133 or any other IP from Site B LAN. → Host unreachable
When I tcpdump the traffic on the WireGuard interface on Site B’s Linux machine, I cannot see any ICMP traffic to/from 192.168.0.x. Only 192.168.201.x is visible.
So, from my understanding, there is something wrong with my route on the MikroTik router to the 192.168.0.0/24 network. No 192.168.0.0/24 traffic is routed to Site B’s VPN peer.
The routing table in Site A’s MikroTik router looks like this:
Flags: D - DYNAMIC; I, A - ACTIVE; c, s, v, y - COPY; H - HW-OFFLOADED
Columns: DST-ADDRESS, GATEWAY, DISTANCE
# DST-ADDRESS GATEWAY DISTANCE
[...]
0 As 192.168.0.0/24 192.168.201.3 1
[...]
What is the purpose of this… on the Main Router?
… has static route to Site B LAN 192.168.0.0/24 via 192.168.201.3 ???
The connection between the two sites is via the WireGuard tunnel!!
MAIN ROUTER SETTINGS
WG interface name any
Set the listening port
Generate public key for the remote client peer settings
PEER Settings
Add public key generated by the client device
Allowed addresses (incoming IPs): for example if you want to allow your site b main subnet access put 192.168.0.0/24
If you only wanted to allow a specific device put 192.168.0.X/32
CLIENT Router SETTINGS
WG interface name any
Generated public key to be used in the Main Router peer settings.
Client PEER settings
Allowed address: (destination IPs) → what you want your peer users to be able to access (just a subnet on other main server router, or everything, aka internet through the other main server router??)
Typically for internet 0.0.0.0/0
Endpoint IP address (IP cloud of the other router typically used) and PORT; if not separated as different entries then typically in the format dyndns-name:XXXXXX
public key from Main Router Server
The main difference when adding an IP address for the wg interface on the server is as follows.
/IP address
add interface=wg-interface address=192.168.0.254/24 network=192.168.0.0
Then you no longer require an IP route, as it will be added dynamically by the Main Router.
Access to the internet is not yet guaranteed; it depends on your firewall rules.
Methods:
Add wg-interface as a LAN interface list member.
If you have an existing firewall rule such as this, you are good to go:
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
Or create a specific firewall rule for the interface:
/ip firewall filter
add action=accept chain=forward in-interface=wg-interface out-interface-list=WAN
Ahh okay, now I understand…
After the initial connection of the tunnel you want LAN users on Main router to be able to access the Subnet on the remote client site.
In this case…
MAIN ROUTER…
I believe all you need is a firewall rule permitting such…
/ip firewall filter
add chain=forward action=accept src-address=192.168.200.0/24 out-interface=wg-interface
You already have the route established:
/ip route
add dst-address=192.168.0.0/24 gateway=wg-interface
A = 192.168.200.0/24
WG = 192.168.201.0/24
WG1 = 192.168.201.1
WG2 = 192.168.201.3
B = 192.168.0.0/24
On “A” I need a route to network “B”. And the gateway to network “B” is part of network WG, to be more specific, Peer WG2 …
So, to reach network B from A I need a route to 192.168.0.0/24 via 192.168.201.3 …
Or Am I missing something?
I can’t tell the router on network “A” to just use the interface for WG (= wireguard1)… That does not work. It needs to know the IP of the gateway to network “B”.
Anyhow… issue is solved. It was the limitation of allowed IPs in the WireGuard server’s peer definition.
Actually I tried… did not work. At least not with my current setup (0.0.0.0/0). Will try with 192.168.201.0/24 + 192.168.0.0/24 …
[update]
AllowedIPs for peer set to:
192.168.201.0/24, 192.168.0.0/24
Route gateway set to “wireguard1” instead of peer IP …
→ did not work. Can’t ping anymore from A to B …
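The AllowedIPs discussion above (the “limitation of allowed IPs” on the server’s peer definition, and the two-subnet value tried in the update) comes down to WireGuard’s cryptokey routing: AllowedIPs is both the egress selector (which peer a packet is encrypted for; no matching peer means the packet is silently dropped, which is why nothing showed up in tcpdump) and the ingress filter (a decrypted packet is only accepted if its source lies in that peer’s AllowedIPs). The following is an added example, not code from the thread or from MikroTik or WireGuard; it models that lookup with the thread’s addresses. The peer label `siteB` and the helper names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A peer table as WireGuard sees it: peer label -> list of AllowedIPs.
# Labels stand in for peer public keys; they are constructed placeholders.
PeerTable = Dict[str, List[str]]
Row = Tuple[ipaddress.IPv4Network, str]


def build_table(peers: PeerTable) -> List[Row]:
    """Flatten AllowedIPs into (network, peer) rows, longest prefix first,
    which is the order a longest-prefix-match lookup needs."""
    rows: List[Row] = []
    for peer, cidrs in peers.items():
        for cidr in cidrs:
            rows.append((ipaddress.ip_network(cidr, strict=False), peer))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def egress_peer(table: List[Row], dst: str) -> Optional[str]:
    """Which peer a packet to `dst` is encrypted for.
    None means no peer claims the destination: WireGuard drops it."""
    addr = ipaddress.ip_address(dst)
    for net, peer in table:
        if addr in net:
            return peer
    return None


def ingress_ok(table: List[Row], peer: str, src: str) -> bool:
    """A packet decrypted from `peer` is accepted only if its source
    address is inside that peer's AllowedIPs."""
    addr = ipaddress.ip_address(src)
    return any(addr in net and p == peer for net, p in table)


# Constructed scenario from the thread: Site A's peer entry for Site B.
BEFORE = build_table({"siteB": ["192.168.201.3/32"]})
AFTER = build_table({"siteB": ["192.168.201.0/24", "192.168.0.0/24"]})


def explain(table: List[Row], dst: str) -> str:
    """Human-readable verdict for one destination, for the reader."""
    peer = egress_peer(table, dst)
    return f"{dst}: {'sent to ' + peer if peer else 'dropped (no AllowedIPs match)'}"


if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for dst in ("192.168.201.3", "192.168.0.133"):
            print("  " + explain(table, dst))
        print("  reply from 192.168.0.133 accepted:",
              ingress_ok(table, "siteB", "192.168.0.133"))
```

With the original single /32 entry, a ping from Site A to 192.168.0.133 never reaches the tunnel, matching the empty tcpdump; once 192.168.0.0/24 is in the Site B peer’s AllowedIPs, the packet is sent to that peer and the reply from a 192.168.0.x source passes the ingress check. The same rule applies on the Linux side: the Site A peer there must list 192.168.200.0/24 (and the tunnel subnet) or Site A’s LAN traffic is dropped on arrival.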
Provide the latest config:
/export hide-sensitive file=anynameyouwish
I only have the wg interface as gateway in my routes going over WireGuard. No destination IP addresses.
If the WG interface doesn’t have any IP address, it won’t work from the router itself. But the subnet behind the router will. To make it work from the router, you’d need to either set a source address for whatever you use, e.g.: