Second third party WireGuard VPN with same network provided

I have successfully set up a WireGuard VPN to Surfshark (manual setup is possible since August 2022) and would like to set up a second connection. The problem is that the network address for a different location is exactly the same as for the existing VPN network, 10.14.0.2/16. So I can’t have a second address list with exactly the same IPs, even though this would be on a different interface.

Is there maybe a clever way around this problem?

Your description is not really clear, so I may have guessed wrong what is your use case.

It’s neither usual nor recommended, but you can have the same IP address at multiple interfaces in the system. So if you want to use Surfshark public IP addresses in two different countries simultaneously, use a dedicated WireGuard interface (with a dedicated local-side port) for each of the two Surfshark connections, and use the names of those interfaces, rather than an IP address, as the gateway parameters of the default routes in the two routing tables. That should be enough; the rest is standard - a masquerade rule matching on either of the two WireGuard interfaces, and assignment of one or the other routing table name to various LAN->internet connections according to some classification parameters.

You guessed right. It is my intention to set up a second WireGuard interface and then route that through to a local area network. The setup for the first WireGuard involved:

  • setting up the WireGuard interface and peer - no network settings needed here except the WAN endpoint (and port) and the allowable IPs, 0.0.0.0/0 in my case
  • setting up a routing table (FIB) to route the chosen traffic to the WireGuard interface (using the name as the gateway, as you wrote in your response)
  • three mangle rules:
    • a masquerade (as you wrote)
    • a route-marking rule to direct traffic to the routing table (as you wrote)
    • an MSS change rule to 1360 (the Surfshark WireGuard doesn’t work without this - took me hours to sort this out!)

Just following some setup instructions (actually for another WireGuard service) I also set up the address list, which is where I ran into problems, because of the duplication I thought I needed. I’ll try the setup for the second interface without doing this to see what happens.

Thanks for pointing me in the right direction and for guessing right!

Hi there, I am more interested in the requirements (although on the surface Sindy’s solution seems plausible).

The reason I am still leery is the WHY?
Why do you need a second WireGuard to Surfshark?
Think about it: typically one has such a connection to funnel all one’s internet out a WireGuard connection someplace else.

So what is driving you to get another connection to do the same thing?
Is your intention to send one subnet out WG1 and another subnet out WG2?
Is your intention to send out internet traffic WG1 for all users and just use WG2 for you as the admin to remotely config your home router while away??

@sindy, these third-party VPNs annoy the crap outta me. Why cannot they just assign a single WireGuard IP address to the customer?
The challenge I would have is making the structure for Wireguard IP network on the mikrotik?
What would be the two different wireguard IP addresses that would work???

10.14.0.2.254/24
10.14.0.X/YY

He has been assigned the same IP for both?
If traffic is heading outbound 0.0.0.0/0 how does the router know which wireguard tunnel to use??? Yes by gwy=wg1 or gwy=wg2

Just so that my overall logic is clear, I have:

  • 2 local wireless LANs: one for non-VPN-ed traffic; one for VPN-ed traffic to the UK
  • one device that needs to be VPN-ed on a non-UK/non-EU network - maybe it would have been easier to set this up on the device itself rather than do it on the MT, just for some crazy reason I went down this route

Not crazy LOL, just needed to understand the why.
Waiting on sindy to comment on wireguard IP address structure for two different wireguard interfaces and a third party vendor that insists on giving you the same IP at their end…

In the meantime, can you post your complete config on the MT
/export (less the serial number and any actual public IP info (wanip gateway ip etc.)

I’ve attached it as a file in an email to you. It contains so much rubbish not related to the issue at hand, like ipsec settings (not now used), scripts, wireless settings etc. etc., that it would drive most readers here crazy.

I’ve tried to get the two WireGuard VPNs working. Both now have live connections, but without an address list: 10.14.0.2/16 network 10.14.0.0 interface [WireGuard interface] I can’t get the VPN to work. So I’m back to my original problem.

Looking at your profile I see we are similarly seasoned people :smiley: Thank you too for spending time on this for me

Oh, so it is a “dialect” issue. In the command line dialect, there is an /ip address table and an /ip firewall address**-list** table; in the Winbox dialect, the former one is titled Address List (I’m not the one to ask why).

So when someone mentions an “address list”, all command-line folks understand it as the latter, which is usually used to match traffic in firewall rules.

Since you actually have in mind the IP address as your post shows, go ahead and assign exactly the same IP address and mask to both the WG interfaces. Or, if doing so would cause headache to you, you may not assign that address to any of the WG interfaces, and just use an action=srcnat to-addresses=10.14.0.2 instead of action=masquerade in chain srcnat of /ip firewall nat for traffic outgoing via those WG interfaces.

Yes, you’re right. I’ve been using WinBox so much and reading the title “Address List” when it’s really a table of addresses, that I’ve confused most readers. I also had a mental block about assigning two interfaces to one address, but this is actually okay.

So assigning the two interfaces to one ip address, 10.14.0.2/16, has solved the problem. I now have a LAN here linked to a UK VPN and one device on the network linked to a non-UK, non-EU (Serbian) VPN. All seems to be working.

Many, many thanks @sindy and @anav for all your time and help. I’ve learnt a lot with this issue. Just an overblown amateur here really :laughing:
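Pulling the thread’s pieces together (two WireGuard interfaces sharing 10.14.0.2/16, interface-name gateways in per-table default routes, route marking by source address list, MSS clamping and masquerade), here is an added RouterOS v7 configuration sketch. It is not the OP’s export and not anything from Surfshark; the interface names, listen ports, LAN subnets, address-list and routing-table names, the `example.invalid` endpoints and the key placeholders are all assumptions, and the real endpoint, port and key values must come from the provider’s own setup page.

```routeros
# Added example, not the OP's actual export. Every name, port, subnet and
# placeholder below is an assumption; replace keys/endpoints with the provider's values.

# 1. Two WireGuard interfaces, each with its own local listen port.
/interface wireguard
add name=wg-uk listen-port=13231 private-key="<PRIVATE-KEY-UK-PLACEHOLDER>"
add name=wg-rs listen-port=13232 private-key="<PRIVATE-KEY-RS-PLACEHOLDER>"

# 2. One peer per interface; allowed-address=0.0.0.0/0 so the tunnel may carry any destination.
/interface wireguard peers
add interface=wg-uk public-key="<PEER-PUBKEY-UK-PLACEHOLDER>" endpoint-address=uk.wg.example.invalid endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
add interface=wg-rs public-key="<PEER-PUBKEY-RS-PLACEHOLDER>" endpoint-address=rs.wg.example.invalid endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s

# 3. The provider hands out the same tunnel address for both locations; assigning it
#    to both interfaces is legal (two connected routes to 10.14.0.0/16 then coexist).
/ip address
add address=10.14.0.2/16 interface=wg-uk
add address=10.14.0.2/16 interface=wg-rs

# 4. One routing table per tunnel. The default route names the interface as gateway,
#    which is what tells the two otherwise identical 10.14.0.0/16 link routes apart.
/routing table
add name=to-uk fib
add name=to-rs fib
/ip route
add dst-address=0.0.0.0/0 gateway=wg-uk routing-table=to-uk
add dst-address=0.0.0.0/0 gateway=wg-rs routing-table=to-rs

# 5. Classify sources. Use /32 for a single host: an entry with any other prefix length
#    is stored as its network address, so 192.168.99.64/24 would match the whole /24.
/ip firewall address-list
add list=vpn-uk-clients address=192.168.88.0/24
add list=vpn-rs-clients address=192.168.99.64/32

# 6. An interface list so one mangle rule and one NAT rule cover both tunnels.
/interface list
add name=WG
/interface list member
add list=WG interface=wg-uk
add list=WG interface=wg-rs

# 7. Mangle: mark routing for the classified sources, except traffic to the router
#    itself or to other local subnets (assumed to live inside 192.168.0.0/16), and
#    clamp MSS on SYNs leaving via either tunnel (1360 is the value from the thread).
/ip firewall mangle
add chain=prerouting src-address-list=vpn-uk-clients dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=to-uk passthrough=no
add chain=prerouting src-address-list=vpn-rs-clients dst-address=!192.168.0.0/16 action=mark-routing new-routing-mark=to-rs passthrough=no
add chain=forward protocol=tcp tcp-flags=syn out-interface-list=WG action=change-mss new-mss=1360 passthrough=yes

# 8. Masquerade everything leaving either tunnel.
/ip firewall nat
add chain=srcnat out-interface-list=WG action=masquerade
```

The `new-routing-mark` value must be the routing table name, and only traffic from the listed sources is marked, so the router’s own traffic to the peers’ endpoints keeps using the main table. If assigning 10.14.0.2/16 to both interfaces is unwelcome, sindy’s alternative from this thread applies unchanged: leave the address off both interfaces and replace the masquerade rule with `action=src-nat to-addresses=10.14.0.2`.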

Me, too, I think we are actually sane, and do not have the same mental block, but all those that accept and like to use the same IP address for different interfaces are insane :slight_smile: Regardless of whether it’s perfectly legitimate LOL.

Glad you got it working!!

Pretty please show us the two DAC routes created by such a monstrous approach.
presuming
10.14.0.0/24 gwy=wireguard1 table=main
10.14.0.0/24 gwy=wireguard2 table=main

Is this the magic mushroom that you wanted to see?

Yes, felt strange doing this, but works. So I’ve joined the club of the insane. Making progress then…

Nice! Glad its working for you.

Just an addendum to all this. Traffic on one of the WireGuard VPNs had connections failing even though outward traffic was flowing okay.

The problematic VPN was the one with route marking from a single device. I originally had the address in the list (yes, the address list this time :laughing: ) set as 192.168.99.64 (the other VPN was passing traffic for a whole network 192.168.88.0/24 and was working fully)

Turns out that I had to change the single IP address to include the network mask as well, i.e. 192.168.99.64/24, then everything was fine. Not sure I understand exactly why, but it is all okay now.

A great learning weekend for me!

Yup, the IP address for each WireGuard interface should be fully set up, in order for the router to work its magic.
IP address=W.X.Y.Z**/24** gwy=wireguardinterface_name

That’s all you need to do; the router will fill in the rest…

That’s really strange, looks like the IP address of the “Serbian” host is actually not 192.168.99.64 but something else in 192.168.99.0/24. If you add any address with a prefix length other than 32 to an address-list, it is automatically converted to a network address:

[me@myTik] > ip firewall address-list add list=teszt address=192.168.99.64/24
[me@myTik] > ip firewall address-list print where list=teszt
Flags: X - disabled, D - dynamic
    LIST    ADDRESS            CREATION-TIME          TIMEOUT
 0  teszt   192.168.99.0/24    sep/26/2022 10:00:36

Hi, I’m facing the same problem. Can you elaborate on how you made it work? Because when I try to assign the same IP to 2 WireGuard interfaces, the other turns red and invalid.

Hi anav, I always saw your replies on the forum, which always helped me. Can I ask for help with this one? Same scenario and same problem, but I can’t assign the same IP address to both of my WireGuard interfaces; the other always turns red and says invalid. How can I replicate his success? Thanks

Hmm good question.
Post your config.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys, long dhcp lease lists etc.)

Hi sindy, I cannot replicate what solved the problem. I’m facing the same scenario and same problem, but every time I try to assign the same IP to my 2 WireGuard interfaces, the other turns red and says invalid. Please help.

Something else must be wrong or you are running a strange version of RouterOS:

[me@myTik] > ip address/print where interface~"w"
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS           NETWORK        INTERFACE
...
2 192.168.144.1/24  192.168.144.0  wg-wst-srv
3 192.168.144.1/24  192.168.144.0  wg1

Nothing red, no complaints, not even in Winbox. RouterOS 7.12.

Show your export.