What type of VPN should I use to connect 4 sites?

Hi everyone, I need your expert advice on which VPN to use.
We need to connect 4 sites to each other; there are no VLANs, and we only use a Fritzbox 7530 as a VoIP PBX (it’s a client of site A).

Site 1
192.168.1.1/24 → MikroTik hEX
192.168.1.2/24 → AVM Fritzbox 7530

Site 2
192.168.2.1/24 → MikroTik hEX
192.168.2.2/24 → VoIP Phone

Site 3
192.168.3.1/24 → MikroTik hEX
192.168.3.2/24 → VoIP Phone

Site 4
192.168.4.1/24 → MikroTik hEX
192.168.4.2/24 → VoIP Phone

It is important that when the internet connection of one office does not work, the others can still communicate (VoIP excluded).

What would you use?
For example, GRE Tunnel+IPSec, WireGuard, OpenVPN or what?
ZeroTier is not supported, but I couldn’t use it anyway; VPNs managed by external services are not allowed.

Thanks

Personally I use WireGuard (+EoIP layered on top where a higher MTU is needed; this also allows bridged configurations) wherever I can.
But some enterprise environments won’t approve such setups and prefer to use the likes of IPsec (well, that’s to their disadvantage then, isn’t it).
I guess one disadvantage with this approach is the sheer amount of configuration needed, especially if you want a mesh-like topology and have several nodes. This is where Tailscale containers may come in handy (MikroTik has ZeroTier built-in, but that didn’t work as well for me personally when testing in my setups).

+1 for WireGuard.
Much faster than any other VPN given the same HW.

I would interconnect those 4 sites with WireGuard and set up an OSPF instance for dynamic routing,
so every router has 1 WG interface and 3 peers, and over those WG interfaces you could set up OSPF (optionally; otherwise static routing).
[attached diagram: MT_VPN_195487_18-04-2023.png]

SWEET suggestion!!


Just adding: I am glad I am not the only one struggling with ZT :laughing:

I think your suggestion requires all 4 MikroTiks to have a public IP.

Not static IP.
All 4 having a dynamic (but public accessible) IP is sufficient.

But the remark is valid: all 4 should be externally accessible (static or dynamic).
Otherwise you cannot build this scheme.

Simple method to get you up and running:
select the site that you control directly or that has the best internet connection!!

Yup, if only one site had an accessible WAN IP, it would still work.
All three units would WireGuard into the one router, and all would be able to reach the others… one WireGuard interface.

Main Router
/ip address
add address=192.168.50.1/24 interface=wireguard-main network=192.168.50.0

/interface wireguard peers
add interface=wireguard-main public-key=<router2 public key> allowed-address=192.168.50.2/32,subnetA,subnetB comment="router 2 (assuming subnets A,B are on peer router 2)"
add interface=wireguard-main public-key=<router3 public key> allowed-address=192.168.50.3/32,subnetC,subnetD comment="router 3 (assuming subnets C,D are on peer router 3)"
add interface=wireguard-main public-key=<router4 public key> allowed-address=192.168.50.4/32,subnetE,subnetF comment="router 4 (assuming subnets E,F are on peer router 4)"
add interface=wireguard-main public-key=<laptop public key> allowed-address=192.168.50.5/32 comment="remote admin peer laptop"
add interface=wireguard-main public-key=<iphone/ipad public key> allowed-address=192.168.50.6/32 comment="remote admin peer iphone/ipad"

/ip route
add dst-address=subnetA gateway=wireguard-main routing-table=main
add dst-address=subnetB gateway=wireguard-main routing-table=main
add dst-address=subnetC gateway=wireguard-main routing-table=main
add dst-address=subnetD gateway=wireguard-main routing-table=main
add dst-address=subnetE gateway=wireguard-main routing-table=main
add dst-address=subnetF gateway=wireguard-main routing-table=main

/ip firewall filter
# input chain
add action=accept chain=input dst-port=<wireguard listening port> protocol=udp comment="wireguard handshake/data from peers"
add action=accept chain=input in-interface=wireguard-main src-address-list=admins comment="router access only for admins coming through the tunnel"

/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=<LAN IP of admin on router2> list=admins
add address=<LAN IP of admin on router3> list=admins
add address=<LAN IP of admin on router4> list=admins

/ip firewall filter
# forward chain
add chain=forward action=accept in-interface=wireguard-main out-interface=wireguard-main comment="relay: spoke-to-spoke traffic re-enters the tunnel"
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-main comment="allow internal subnets to access other subnets"
add chain=forward action=accept in-interface=wireguard-main out-interface-list=LAN comment="limit by src remote address or by out interfaces allowed access, may have several rules here"

Router2
/ip address
add address=192.168.50.2/24 interface=wireguard-two network=192.168.50.0

/interface wireguard peers
add interface=wireguard-two public-key=<main router public key> endpoint-address=<main router WAN IP or DNS name> endpoint-port=<wireguard listening port> allowed-address=192.168.50.0/24,subnetC,subnetD,subnetE,subnetF,subnetX,subnetY persistent-keepalive=35s comment="main router (assuming subnets X,Y are on main router)"

/ip route
add dst-address=subnetX gateway=wireguard-two routing-table=main
add dst-address=subnetY gateway=wireguard-two routing-table=main
add dst-address=subnetC gateway=wireguard-two routing-table=main
add dst-address=subnetD gateway=wireguard-two routing-table=main
add dst-address=subnetE gateway=wireguard-two routing-table=main
add dst-address=subnetF gateway=wireguard-two routing-table=main

/ip firewall filter
# input chain
add action=accept chain=input in-interface=wireguard-two src-address-list=admins

/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=<LAN IP of admin on router3> list=admins
add address=<LAN IP of admin on router4> list=admins

/ip firewall filter
# forward chain
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-two comment="allow internal subnets to access other subnets"
add chain=forward action=accept in-interface=wireguard-two out-interface-list=LAN comment="limit by src remote address or by out interfaces allowed to access, may have several rules here"

Router3
/ip address
add address=192.168.50.3/24 interface=wireguard-three network=192.168.50.0

/interface wireguard peers
add interface=wireguard-three public-key=<main router public key> endpoint-address=<main router WAN IP or DNS name> endpoint-port=<wireguard listening port> allowed-address=192.168.50.0/24,subnetA,subnetB,subnetE,subnetF,subnetX,subnetY persistent-keepalive=40s comment="main router"

/ip route
add dst-address=subnetX gateway=wireguard-three routing-table=main
add dst-address=subnetY gateway=wireguard-three routing-table=main
add dst-address=subnetA gateway=wireguard-three routing-table=main
add dst-address=subnetB gateway=wireguard-three routing-table=main
add dst-address=subnetE gateway=wireguard-three routing-table=main
add dst-address=subnetF gateway=wireguard-three routing-table=main

Router4
/ip address
add address=192.168.50.4/24 interface=wireguard-four network=192.168.50.0

/interface wireguard peers
add interface=wireguard-four public-key=<main router public key> endpoint-address=<main router WAN IP or DNS name> endpoint-port=<wireguard listening port> allowed-address=192.168.50.0/24,subnetA,subnetB,subnetC,subnetD,subnetX,subnetY persistent-keepalive=45s comment="main router"

/ip route
add dst-address=subnetX gateway=wireguard-four routing-table=main
add dst-address=subnetY gateway=wireguard-four routing-table=main
add dst-address=subnetA gateway=wireguard-four routing-table=main
add dst-address=subnetB gateway=wireguard-four routing-table=main
add dst-address=subnetC gateway=wireguard-four routing-table=main
add dst-address=subnetD gateway=wireguard-four routing-table=main

/ip firewall filter
# input chain
add action=accept chain=input in-interface=wireguard-four src-address-list=admins

/ip firewall address-list
add address=192.168.50.5 list=admins
add address=192.168.50.6 list=admins
add address=<LAN IP of admin on router2> list=admins
add address=<LAN IP of admin on router3> list=admins

/ip firewall filter
# forward chain
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard-four comment="allow internal subnets to access other subnets"
add chain=forward action=accept in-interface=wireguard-four out-interface-list=LAN comment="limit by src remote address or by out interfaces allowed to access, may have several rules here"


+++++++++++++++++++++++++++++

Example: a user on Router 4, subnet F, wants to access a server on Router 2, subnet A.

  1. Router 4
    a. A route exists for such traffic and tells the router the path is through the wireguard-four interface.
    b. A firewall rule allows subnet F to enter the tunnel.
    c. The router matches the dst-address to an existing allowed address and its peer (main router).
    d. Traffic is sent to Router MAIN.

  2. MAIN
    a. Traffic from subnet F is received from the corresponding peer; the incoming subnet F source address is matched against that peer's allowed addresses and allowed to exit the tunnel.
    b. Subnet F traffic is now, relatively speaking, on the LAN side of MAIN.
    c. The router has an IP route for the destination traffic to subnet A through the wireguard-main interface.
    d. The router has a firewall rule to allow traffic from the wireguard interface to re-enter the wireguard interface (relay).
    e. The router searches for the destination address in the peer list, matches it to the PEER (Router 2) and sends the traffic to the correct peer.

  3. Router2
    a. Traffic coming in on the tunnel from Router MAIN has a source address in subnet F, which is on the allowed list, and thus the traffic exits the tunnel.
    b. Subnet F traffic is now, relatively speaking, on the LAN side of Router2.
    c. Firewall rules determine if the traffic is allowed to any LAN subnets (forward chain) or to the router itself (input chain).
    d. Return traffic is automagic, as the IP routes ensure the return traffic for destination subnet F has a route back into the tunnel!

Thank you all!
You are always a great help :slight_smile:

I’ll follow your advice and use WireGuard; it seems much simpler to me than IPsec.
The hEX has hardware acceleration for IPsec, but that doesn’t matter; WireGuard will be faster.

Anav,

This is a great guide… you should create more of those. I have WireGuard and ZeroTier between 3 locations and I have some troubles with routing. I’m trying to start with OSPF. Could you please add OSPF to your guide above? I will use it to learn how to set up OSPF between MT locations. Thank you

Hahaha, I will think about it, but do keep in mind I don’t even know what OSPF stands for… :slight_smile:

Oklahoma State Poultry Federation

(serious: Open Shortest Path First)

WHEN USING OSPF, some common WireGuard concerns are handled within OSPF:
a. one does not need to delineate all the separate IP routes via WG for subnet traffic. That is handled within the OSPF configuration.
b. one does not need to delineate forward chain rules so subnets can talk to each other. That is handled within the OSPF configuration.

Assumption all four routers have publicly accessible WANIPs…
Needed Steps:

(1) Each router has 3 WireGuard interfaces (one to each of the other routers).
(2) Each router has an allowed-address setting of 0.0.0.0/0 for each peer.

Done!!

++++++++++++++++++++++
If you are asking for OSPF guidance/setup… → https://www.youtube.com/watch?v=f9FDNCTFfeY&list=PLNRJTwfzNNlYJY6Sd4E5Q0H3oaBTlWK3_&index=2

4 WireGuard interfaces.
Your own and 3 others.

Are you adding requirements behind my back???
The setup is to connect four routers for OSPF via WireGuard.

If the OP wants to remotely connect to any of the existing routers,
sure, he can create a fourth WG interface for remote access.

You know that only 1 WG interface is needed on each router and the rest is peer configuration, right?

After that, OSPF or BGP if wanted/needed for route exchange.

Nope, not aware; as I said, I have no experience with OSPF.

That has nothing to do with OSPF;
it is the VPN peering among the 4 routers:
every router has 1 WG interface and 3 WG peers.

All interfaces in a common /29 address space, which is also included in “allowed addresses” for the WireGuard config, and you should be good to go.

OSPF comes after that if needed (could also be achieved with static routing).
The only thing to be aware of here is that OSPF needs to be NBMA or PtMP (preferably NBMA).
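Both designs in this thread (the hub-and-spoke walkthrough with its relay rule, and the single-interface mesh just described) stand or fall on WireGuard's cryptokey routing: each interface maps allowed-addresses to exactly one peer and picks the peer by longest-prefix match. The Python model below is an added example, not code from any post here; the site LANs come from the OP, while the tunnel prefixes (192.168.50.0/24, 10.255.0.0/29), the peer names and the functions `cryptokey_table` and `select_peer` are constructed for the example.

```python
import ipaddress

# Site LANs from the OP; tunnel addressing is constructed for the example:
# 192.168.50.0/24 for the hub-and-spoke posts, 10.255.0.0/29 for the mesh.
SITES = {
    "site1": "192.168.1.0/24", "site2": "192.168.2.0/24",
    "site3": "192.168.3.0/24", "site4": "192.168.4.0/24",
}

def cryptokey_table(peers):
    """peers: {peer_name: [allowed-address, ...]} for ONE wireguard interface.
    Returns [(network, peer)]; raises if two peers claim the same prefix,
    because an allowed-address can belong to only one peer per interface."""
    table, owner = [], {}
    for peer, allowed in peers.items():
        for a in allowed:
            net = ipaddress.ip_network(a, strict=False)
            if net in owner:
                raise ValueError(f"{net} claimed by {owner[net]} and {peer}")
            owner[net] = peer
            table.append((net, peer))
    return table

def select_peer(table, dst):
    """Longest-prefix match over allowed-addresses: the peer that a packet
    to dst is encrypted for, or None (no peer, so WireGuard drops it)."""
    ip = ipaddress.ip_address(dst)
    matches = [(n, p) for n, p in table if ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Hub-and-spoke from the walkthrough: the hub lists only each spoke's own
# subnets per peer; a spoke's single hub peer carries every remote subnet.
HUB = cryptokey_table({
    "router2": ["192.168.50.2/32", SITES["site2"]],
    "router3": ["192.168.50.3/32", SITES["site3"]],
    "router4": ["192.168.50.4/32", SITES["site4"]],
})
SPOKE4 = cryptokey_table({
    "main": ["192.168.50.0/24", SITES["site1"], SITES["site2"], SITES["site3"]],
})
# Full mesh, one interface with three peers: each peer allows its own /32 out
# of the shared /29 plus its own LAN (the whole /29 can belong to one peer only).
MESH1 = cryptokey_table({
    "router2": ["10.255.0.2/32", SITES["site2"]],
    "router3": ["10.255.0.3/32", SITES["site3"]],
    "router4": ["10.255.0.4/32", SITES["site4"]],
})
# OSPF hellos go to 224.0.0.5, which matches no peer: select_peer(MESH1,
# "224.0.0.5") is None, hence NBMA/PtMP with unicast neighbors over WireGuard.
```

Running `cryptokey_table` over a planned peer list before pasting it into RouterOS catches the overlapping allowed-address mistake that otherwise shows up only as one site silently losing its route.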

Really?
Don’t see that working at all, but you are entitled to your opinion.

@spippan
Isn’t that a possible single point of failure?
Hence the need for 4 WG interfaces.