Wireguard Back to Home additional user

Hi,

I have a main site with the Back to Home function activated via WireGuard. Works perfectly with my mobile device.

I also have a second “remote” site where I want to put a MikroTik router. I would like to connect from the remote site via WireGuard to the main site to access resources on the main site.

Would it be enough to add a new user to the Back to Home setup, and set up a WireGuard device on the remote site with the connection data of the added BTH user? Will this work, or is more configuration needed for a permanent connection?

Second question. If it works, I can access devices on the main site from the remote site. But will it also be possible to connect to devices on the remote site from the main site over this BTH connection? I have different IP networks on the two sites.

Thanks for your ideas.

A new user can be assigned and its configuration can be added to a new remote MikroTik. As far as I'm aware, the configuration has to be added manually to the new remote device.

The BTH is explicitly for connecting a remote device (as in a single one) to your main network. This means that with an appropriate srcnat rule, the devices behind the new remote router will be able to access the main network, but they will all show up with a single IP (the one assigned to the new BTH user).

Thanks for the info. I will try it tomorrow.

Hi,

I’ve installed the MikroTik router (hAP ac) on the remote site. I was able to establish a WireGuard connection to the main site, and from the remote site I can reach all devices on the main site.

From the main site, I can ping and connect to the remote router via the WireGuard tunnel perfectly. But I can’t reach devices behind the remote router.

I tried this on the remote site:

I’ve added NAT masquerading for incoming traffic from the WireGuard tunnel to the local network on the remote site (192.168.178.0/24).

On the main site I’ve added a static route for the remote subnet via the BTH VPN interface:

Dst. Address: 192.168.178.0/24
Gateway: back-to-home-vpn

The traffic is being routed to the remote router through the tunnel, and ends there.

Pinging the remote subnet leads to these messages:

timeout - Status 126 (no error information)
192.168.216.1,Reply size 84, TTL 64, host unreachable

This IP is the BTH router's transfer net IP on the main site. The remote router's transfer net IP is 192.168.216.4.

So, what can I do or check to be able to access the network on the remote site from the main site?

Thanks for any help.

I would need to see

a. an export file from both sites:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)

b. Screenshots of all the BTH-relevant pages, covering any WAN IP info or keys etc.

Hi anav,

I had to cut some config which is not related to VPN or firewall, but here it is:

Main site (BTH Server):

/interface wireguard
add comment=back-to-home-vpn listen-port=53764 mtu=1420 name=back-to-home-vpn
/ip address
add address=10.0.0.1/24 interface=bridge-LAN network=10.0.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-user
add allow-lan=yes comment="router.dl1nux.hamnet.radio | CRS328-24P-4S+" name=\
    "iPhone 15 Pro" public-key="xxxxx"
add allow-lan=yes comment="hap ac Gro\DFheirath" name=Grossheirath \
    public-key="xxxxx"
/ip firewall filter
add action=accept chain=forward comment="Allow Hamnet Local -> LAN Acsess" \
    out-interface=bridge-LAN src-address=44.149.25.64/27
add action=accept chain=input comment="Allow full LAN User Access" \
    in-interface=!sfp1-FTTH
add action=accept chain=input comment="Allow Established + Related" \
    connection-state=established,related
add action=reject chain=forward comment="Allow GUEST INTERNET only" \
    in-interface=bridge-GAST log=yes out-interface=!sfp1-FTTH reject-with=\
    icmp-admin-prohibited
add action=drop chain=input comment="Drop direct access OTHER User" \
    in-interface=sfp1-FTTH
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerading > WAN" \
    out-interface=sfp1-FTTH
add action=masquerade chain=srcnat comment="Masquerade LAN>Gro\DFheirath" \
    out-interface=back-to-home-vpn
/ip route
add disabled=no dst-address=192.168.178.0/24 gateway=back-to-home-vpn \
    routing-table=main suppress-hw-offload=no

And this is the remote side (net 192.168.178.0/24, received via DHCP client from the WAN router):

/interface bridge
add name=Gast-Bridge
add name=LAN-bridge
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard-out
/caps-man datapath
add bridge=LAN-bridge client-to-client-forwarding=yes name=\
    "WLAN-Gro\DFheirath"
add bridge=Gast-Bridge name=WLAN-Gastzugang
/interface bridge port
add bridge=LAN-bridge interface=ether5
add bridge=LAN-bridge interface=ether4
add bridge=LAN-bridge interface=ether3
add bridge=LAN-bridge interface=ether2
add bridge=LAN-bridge interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-allowed-address=::/0 endpoint-address=\
    hk10axmbwtd.vpn.mynetname.net endpoint-port=53764 interface=wireguard-out \
    name=peer3 persistent-keepalive=30s public-key=\
    "xxxxx"
/ip address
add address=192.168.188.1/24 interface=Gast-Bridge network=192.168.188.0
add address=192.168.216.4 interface=wireguard-out network=192.168.216.4
/ip dhcp-client
add default-route-tables=main interface=LAN-bridge
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Gast-Bridge name=dhcp1
/ip dhcp-server network
add address=192.168.188.0/24 dns-server=192.168.188.1 gateway=192.168.188.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=reject chain=forward comment=\
    "Sperre alles au\DFer Inernet f\FCr G\E4ste" dst-address=!0.0.0.0/0 \
    in-interface=Gast-Bridge reject-with=icmp-net-prohibited
/ip firewall nat
add action=masquerade chain=srcnat comment="Maskiere Gast-User" in-interface=\
    Gast-Bridge out-interface=LAN-bridge
add action=masquerade chain=srcnat comment="Wireguard-Out masquerade" \
    out-interface=wireguard-out
add action=masquerade chain=srcnat comment=\
    "Masquerade Wireguard>Gro\DFheirath" in-interface=wireguard-out \
    out-interface=LAN-bridge
/ip route
add disabled=no distance=1 dst-address=10.0.0.0/24 gateway=wireguard-out \
    routing-table=main scope=30 target-scope=10
add disabled=no dst-address=192.168.216.0/24 gateway=wireguard-out \
    routing-table=main
/ipv6 address
add address=fc00:0:0:216::4/128 advertise=no interface=*20
add address=fc00:0:0:216::4/128 advertise=no interface=wireguard-out
/ipv6 nd
set [ find default=yes ] advertise-dns=yes

I hope this helps to analyze.

Thanks