VPN between two routers

Hello

I want to set up a VPN (whichever solution works for this situation).
I have an RB2011 behind a Sophos (I CAN'T MANAGE THIS SOPHOS) and I have a hAP series in my company.
I want to create a VPN between these two devices.
I tested OVPN but that doesn't work.
How can I manage this?

If the hap has a public IP (dynamic or static) or the ISP modem before it can forward a port to the hap, you can use wireguard.
Zerotier can not be used since at least one of your devices is not arm based (RB2011 is certainly not, you did not specify which hap).

Best to make an as complete as possible drawing indicating which device is sitting where and what other devices are in between (a cloud for the Big Internet will be sufficient :laughing: )
And also specify the requirements:
what is the connection needed for ?
What traffic ?
From where to where ?
How much traffic (give or take) ?

  1. You have access to both routers (assuming yes!)
  2. Sophos connected Router gets a private IP and you cannot forward ports (fact!)
  3. Does your office router have an accessible public IP address? If so then you create a wireguard connection. Good to go!
  4. Even if your office router didn't get a public IP, assuming it's behind an ISP router/modem, could you forward ports on this ISP modem/router?
  5. Worst case scenario, both routers non public IPs and unable to effect changes on upstream routers WE STILL HAVE THE NEW BTH VPN. (Back to Home VPN)

     This uses a MIKROTIK CLOUD as the relay device. We connect both routers to this connection point and thus now have connectivity between devices (for configuration or access to subnets).
     Either end could then use the internet at the other site as well. Think of this as a FREE RELAY POINT (third party through MikroTik).

Anav, point 2 is a NO.
He made that quite explicit.

Point 5 (still waiting on confirmation WHICH hap) is also a no for RB2011 (MIPSBE is not supported (yet ?) for BTH).

Ahh, drats, let's hope the office HAP gets a public IP, then we are golden, or its upstream modem/router is accessible.

This is the schema (I'm French, I can explain more in French)
20230808_172405.jpg

No problem with French but for IT stuff I prefer English :slight_smile:

Do I see correctly your other Tik is hAP AC2 ?
Bbox from Orange, can you do port forwarding on it ?

Yes I can

ISP:
do UDP port forward of a port you want (e.g. 12321) towards your hAP AC2 x.x.x.249

hAP AC2:

  • firewall accept input for UDP port 12321, move that rule above the input drop rule
  • IP Cloud enable DDNS

Rest of Wireguard setup as per excellent instructions by anav (use port 12321 or whatever you have chosen):
https://forum.mikrotik.com/viewtopic.php?t=182340

Use DDNS name from hAP AC2 as endpoint for setup on RB2011.
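The steps in the post above, written out as RouterOS 7 commands for both routers. This is an added example, not part of the thread or of the linked guide. Assumed values: the interface name `wg-s2s`, the tunnel subnet 10.255.255.0/30, and every `<...>` placeholder (keys, LAN subnets, DDNS name); UDP port 12321 is the one chosen in the post.

```routeros
# Added example. wg-s2s, 10.255.255.0/30 and all <...> values are assumptions/placeholders.
# Each router's public key is shown by: /interface wireguard print

# ---- hAP AC2 (office side, reachable through the Bbox UDP port forward) ----
/interface wireguard add name=wg-s2s listen-port=12321
/ip address add address=10.255.255.1/30 interface=wg-s2s
# DDNS name to use as endpoint on the RB2011 is shown by: /ip cloud print
/ip cloud set ddns-enabled=yes
# Accept only the WireGuard UDP port on input, then move this rule
# above the input drop rule, as described in the post.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=12321 \
    comment="WireGuard site-to-site"
# Peer = RB2011. No endpoint is set: the RB2011 sits behind the Sophos and always dials out.
# allowed-address is limited to the peer's tunnel IP and its LAN, nothing broader.
/interface wireguard peers add interface=wg-s2s public-key="<RB2011_PUBLIC_KEY>" \
    allowed-address=10.255.255.2/32,<RB2011_LAN_SUBNET>
/ip route add dst-address=<RB2011_LAN_SUBNET> gateway=wg-s2s

# ---- RB2011 (behind the Sophos, no port forward possible) ----
/interface wireguard add name=wg-s2s
/ip address add address=10.255.255.2/30 interface=wg-s2s
# persistent-keepalive keeps the outbound NAT mapping on the Sophos alive,
# so traffic started from the office side can still reach this router.
/interface wireguard peers add interface=wg-s2s public-key="<HAP_PUBLIC_KEY>" \
    endpoint-address=<HAP_DDNS_NAME> endpoint-port=12321 \
    allowed-address=10.255.255.1/32,<HAP_LAN_SUBNET> persistent-keepalive=25s
/ip route add dst-address=<HAP_LAN_SUBNET> gateway=wg-s2s

# Check on either side: last-handshake should be recent and the rx/tx counters rising.
/interface wireguard peers print detail
```

Traffic between the two LANs still has to pass each router's forward chain, so existing forward rules decide which hosts and ports are reachable across the tunnel.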

The WireGuard menu is not present on my MikroTik router. Could you please guide me on how to install it?

Hmm, what version of software are you on? Suggesting 7.11rc2 unless it's production and thus use 7.10.2 stable.
Best to ensure you download the correct version of the software for your router.

For example RB2011 is MIPSBE ---->
HapAC2 is arm32 ---->

Firmware.jpg

Hello

I got the VPN working from the router behind the Sophos thanks to WireGuard.
I can ping the devices behind it, but I can't access a telephony server through its web page.
If we could talk on the phone, that could help me explain further.

Thank you