Using a Droplet/CHR as a public IP gateway over WireGuard

I really need to buckle down and study networking. But, in the meantime, I'd like some quick advice as to how to accomplish the following:

Let's say that you have two sites, A & B. At each site, you have two servers which you want to access from WAN, A1 & A2 and B1 & B2. You may wish to make these accessible to untrusted clients for file sharing, etc, without exposing the balance of your network to the outside.

How would you set up a CHR on a virtual server (DigitalOcean droplet, specifically, with a single static/routable/rDNS IP), and configure it so that packets addressed to the CHR at gateway.mydomain.com are sent to:

(Assuming that both site A and site B are on Mikrotik routers running current RouterOS.)

For bonus points, how to set it up so that site traffic between sites A & B stays within the infrastructure and does not go out on the public Internet 'in the clear,' as it were?

Edit To Add: All of the sites (gateway.mydomain.com; a1.mydomain.com; a2.mydomain.com; b1.mydomain.com; b2.mydomain.com) point to the same shared static IP for the CHR. I need to know how to direct and route them from there.

After consulting an AI for a general approach (please don't burn me at the stake!) and some thought from my side too, I came up with the following:

  1. Add SRV records in DigitalOcean pointing to different ports
  2. Create Wireguard tunnels (as you suggested) between the CHR and the two sites
  3. dst-nat the different ports to the appropriate servers with the correct service ports, e.g.
/ip firewall nat
# published port on the public interface, forwarded through the tunnel to the real service port
add action=dst-nat chain=dstnat dst-port=12345 in-interface=ether1 protocol=tcp to-addresses="wireguard_site_ip" to-ports="correct_service_port"

Bonus points question answer: policy routing using routing rules

Please don't burn me at the stake!
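The three steps above, written out as a complete RouterOS configuration for the CHR and for one site router. This is an added example, not the poster's own config: the tunnel subnet 10.99.0.0/24 (CHR .1, site A .2, site B .3), the site LANs 192.168.10.0/24 and 192.168.20.0/24, the server addresses, the published ports, the interface names (ether1 as the droplet's public interface, wg-sites/wg-chr for the tunnels) and the key strings are all assumptions. For the bonus part it uses plain static routes through the tunnel rather than routing rules; rules only become necessary if the sites should also send their Internet-bound traffic via the CHR.

```routeros
# ================= CHR (DigitalOcean droplet, public IP on ether1) =================
# Assumed addressing: tunnel 10.99.0.0/24 (CHR .1, site A .2, site B .3),
# site A LAN 192.168.10.0/24, site B LAN 192.168.20.0/24. Key strings are placeholders.
/interface wireguard add name=wg-sites listen-port=51820 private-key="CHR_PRIVATE_KEY"
/ip address add address=10.99.0.1/24 interface=wg-sites
/interface wireguard peers
add interface=wg-sites public-key="SITE_A_PUBLIC_KEY" allowed-address=10.99.0.2/32,192.168.10.0/24 comment="site A router"
add interface=wg-sites public-key="SITE_B_PUBLIC_KEY" allowed-address=10.99.0.3/32,192.168.20.0/24 comment="site B router"
# no endpoint is configured here: the sites dial in, so only the CHR needs UDP/51820 open to the Internet

# routes into each site LAN go over the tunnel
/ip route add dst-address=192.168.10.0/24 gateway=wg-sites comment="site A LAN"
/ip route add dst-address=192.168.20.0/24 gateway=wg-sites comment="site B LAN"

# step 3: one external port per service, forwarded to the real server and its service port
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=12345 action=dst-nat to-addresses=192.168.10.11 to-ports=22 comment="a1.mydomain.com ssh"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=12346 action=dst-nat to-addresses=192.168.10.12 to-ports=445 comment="a2.mydomain.com smb"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=12347 action=dst-nat to-addresses=192.168.20.11 to-ports=22 comment="b1.mydomain.com ssh"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=12348 action=dst-nat to-addresses=192.168.20.12 to-ports=445 comment="b2.mydomain.com smb"
# replies must come back through the CHR, not out the site's own WAN, so masquerade towards the tunnel.
# The servers then log 10.99.0.1 as the client; drop this rule and route the return path at the sites
# instead if real client IPs are needed in the server logs.
add chain=srcnat out-interface=wg-sites action=masquerade comment="return path via CHR"

# only dst-nat'ed connections and tunnel-to-tunnel traffic are forwarded; nothing else from ether1
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat action=accept comment="published ports only"
add chain=forward in-interface=wg-sites out-interface=wg-sites action=accept comment="bonus: site A <-> site B stays inside WireGuard"
add chain=forward action=drop

# ================= site A router (site B is the same with 10.99.0.3 and 192.168.20.0/24) =================
/interface wireguard add name=wg-chr private-key="SITE_A_PRIVATE_KEY"
/ip address add address=10.99.0.2/24 interface=wg-chr
/interface wireguard peers
add interface=wg-chr public-key="CHR_PUBLIC_KEY" endpoint-address=gateway.mydomain.com endpoint-port=51820 allowed-address=10.99.0.0/24,192.168.20.0/24 persistent-keepalive=25s comment="CHR; keepalive keeps the mapping open behind NAT"
# site B's LAN is reached through the CHR, so A<->B traffic never leaves WireGuard
/ip route add dst-address=192.168.20.0/24 gateway=wg-chr comment="site B via CHR"
# from the tunnel, only the two published servers are reachable; place these ahead of any broad accept rule
/ip firewall filter
add chain=forward in-interface=wg-chr dst-address=192.168.10.11 action=accept comment="a1"
add chain=forward in-interface=wg-chr dst-address=192.168.10.12 action=accept comment="a2"
add chain=forward in-interface=wg-chr action=drop comment="nothing else in the LAN is reachable from the tunnel"
```

Two things worth checking after loading this: `/interface wireguard peers print` on the CHR should show a recent last-handshake for both sites once they have dialled in, and a connection to gateway.mydomain.com:12345 should appear in `/ip firewall connection print` on the CHR with the dst-nat'ed reply address, which confirms the return path is coming back through the tunnel rather than out the site's own WAN.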

https://www.imdb.com/it/title/tt0079470/quotes/?item=qt0471984

Okay. I'd prefer something along the lines of setting up a proxy server, preferably using Container Manager. With your approach, a port scan would expose portals I might prefer not to expose.

Ideally, I'd like to only have ports 80 and 443 open on the gateway, and direct the packets from that point using internal DNS. I've never set that up before, and I'm hoping to find some guidance.
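An added example (not the poster's configuration) of the narrower exposure described here on a CHR: the input chain admits only WireGuard and TCP 80/443 from the public side, and 80/443 are dst-nat'ed to a reverse proxy running under RouterOS's container feature, which then picks the backend from the Host header (a1/a2/b1/b2) and reaches it over the existing wg-sites tunnel. The proxy's own per-hostname routing file is not shown. The veth addressing 172.17.0.0/24, the disk paths, the caddy image name, the interface names and the presence of an already working wg-sites interface are assumptions, and the container package must be installed and enabled on the CHR first.

```routeros
# --- firewall: from the Internet only WireGuard and HTTP/HTTPS are reachable ---
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=51820 action=accept comment="WireGuard from the sites"
add chain=input in-interface=wg-sites action=accept comment="management (winbox/ssh) only from inside the tunnel"
add chain=input in-interface=ether1 action=drop comment="everything else on the public IP is closed; a port scan sees 80/443 and nothing more"

add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-nat-state=dstnat protocol=tcp dst-port=80,443 action=accept comment="only 80/443 reach the proxy"
add chain=forward in-interface=veth1 out-interface=wg-sites action=accept comment="proxy -> backends at the sites"
add chain=forward action=drop

# --- container plumbing for the reverse proxy (assumed veth subnet 172.17.0.0/24) ---
/interface veth add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/ip address add address=172.17.0.1/24 interface=veth1
/container config set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
# the routing file (assumed path) maps a1.mydomain.com -> 192.168.10.11 etc. and sets X-Forwarded-For
/container mounts add name=proxy-config src=/disk1/proxy/Caddyfile dst=/etc/caddy/Caddyfile
/container add remote-image=caddy:latest interface=veth1 root-dir=disk1/caddy mounts=proxy-config logging=yes comment="reverse proxy, routes by Host header over wg-sites"
# start once the image has been pulled and extracted (check /container print)
/container start [find interface=veth1]

# --- publish 80/443 to the proxy; TLS terminates in the container, not on the CHR ---
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=172.17.0.2 comment="public 80/443 -> reverse proxy"
add chain=srcnat out-interface=wg-sites action=masquerade comment="backends reply to the CHR tunnel address; client IP travels in X-Forwarded-For"
```

With this in place the servers at the sites are never addressable from the Internet by port at all: a scan of the gateway only finds 80, 443 and (UDP) 51820, and anything that is not a known hostname is answered by the proxy rather than reaching a site. The cost is that the proxy now terminates TLS for all four names, so its certificate handling and the file-sharing protocol's suitability for being proxied over HTTP(S) are the things to verify next.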

I would go the CAT direction.
I would also use a separate WireGuard. What you have stated, but not clearly enough, is communication between the two devices. Do you mean server A1 to server B1 and server A2 to server B2, or something else?

Which side does the traffic originate from between the two devices, and possibly the servers, or do you mean something else?