WireGuard between 3 sites

Hello everybody. For the last two weeks I've been trying to set up three WireGuard VPNs. I was successful once, but it ended up as something I didn't want.

I’ve got these three devices:

Main router with public IP:

subnet: 192.168.1.0/24

WireGuard interface: 172.20.20.1/29 (port: 13232)

WireGuard peers: sub-router (allowed: 172.20.20.2/32, 172.20.20.0/29), sub-router2 (allowed: 172.20.20.3/32, 172.20.20.0/29)

IP > Firewall > Filter: 1: accept input protocol:17(udp) dst.port:13232

2: accept input src.address: 172.20.20.0/29

IP > Firewall > NAT: 1: action:dst-nat chain:dstnat protocol:6(tcp) dst.port:8096 in.interface:wireguard-tunnel to-addresses:192.168.1.10 to-ports:8096

2: action:dst-nat chain:dstnat protocol:6(tcp) dst.port:8000 in.interface:wireguard-tunnel to-addresses:192.168.1.11 to-ports:80

Sub-router with NATted public IP:

subnet: 192.168.2.0/24

WireGuard interface: 172.20.20.2/29 (port: 13233)

WireGuard peer: main-router (allowed: 172.20.20.2/32, 172.20.20.0/29)

IP > Firewall > Filter: 1: accept input protocol:17(udp) dst.port:13233

2: accept input src.address: 172.20.20.0/29

Second sub-router with NATted public IP:

subnet: 192.168.3.0/24

WireGuard interface: 172.20.20.3/29 (port: 13234)

WireGuard peer: main-router (allowed: 172.20.20.3/32, 172.20.20.0/29)

IP > Firewall > Filter: 1: accept input protocol:17(udp) dst.port:13234

2: accept input src.address: 172.20.20.0/29

I successfully set this up at first by dst-natting and src-natting the LAN subnets, but I don't want to access the whole subnet from each router. I would like to access the WireGuard subnet from each router's subnet, so I can access my Jellyfin media server and my Nextcloud from the two sub-routers.

So my idea is that I put 172.20.20.1:8096 in the web browser on one of the subnet's machines, or dst-nat it to the router and access it from there.

I can successfully ping each device from the MikroTik terminal or SSH into it, but not from the local network.

I appreciate your help in advance.

Does it have to be NAT even on the internal multiple WireGuards?

Wouldn't it be simpler to just configure OSPF and only publish the WireGuards in the OSPF areas on all instead?

Where are the routes?

Another crappy post because MikroTik has no sense to give new posters better guidance and direction on how to make a post. AKA, no fault of the OP.

Hi dbiskup.

In order for us to assist accurately and efficiently we need some basic communication.

  1. Requirements:
    a. identify all the user(s)/device(s) (external and internal) including the admin on the network
    b. identify all the traffic they must accomplish.

  2. Provide a network diagram showing the devices you have and conceptually all the subnet traffic/server traffic etc, and the ISP connection point.

  3. Provide the three configs
    /export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, DHCP lease lists)

  4. Detail all the WAN specifics: is it a public or private WAN IP, is it dynamic or static?
    If more than one, is it failover or load balancing?

Sorry, I posted this yesterday afternoon in frustration, so I wrote it quickly and it's unreadable. I'll send the config once I get to the sites.

I tried site-to-site setup from WireGuard - RouterOS - MikroTik Documentation

and it's good, it works, but it allows all of the devices through the tunnel and I want only those two ip’s with those two ports to go through.

If I set it back when I had site-to-site setup, how can I allow only router ip, jellyfin server ip and port, nextcloud ip to go through and nothing else? IPs being 192.168.1.1 for router, 192.168.1.10 for jellyfin and 192.168.1.11 for nextcloud? The 192.168.1.10 is my docker machine, which has like over 100 ports open.

The only nat rule I had with that setup was masquerade to wan, the filter rule took care of everything like it is described in the help page.

Thank you for the answers.
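As an added example (not the poster's configuration and not taken from the MikroTik documentation page mentioned above), here is one way to keep the documented site-to-site setup from the first post and the follow-up, but limit it to exactly the three hosts the follow-up names: the main router (192.168.1.1), Jellyfin on 192.168.1.10:8096 and Nextcloud on 192.168.1.11:80 (the port the poster's dst-nat forwards 8000 to). It reuses the interface name wireguard-tunnel, the tunnel subnet 172.20.20.0/29 and the listen ports from the thread; the key placeholders, the main router's public address, the management ports 22/8291 and the position of the rules relative to the default firewall are assumptions. The restriction is enforced in two places: the sub-router's peer entry lists only those hosts in allowed-address, so WireGuard's cryptokey routing refuses to send any other destination into the tunnel, and the main router's forward chain accepts only those destination/port pairs from the tunnel interface and drops everything else, which is what keeps the other hundred ports on the Docker host unreachable. The main router's peer entries also carry the remote LAN subnets, because packets sourced from 192.168.2.x are otherwise dropped by WireGuard itself even though pings sourced from the router's own 172.20.20.x address go through.

```routeros
# --- Main router (192.168.1.1, public IP) ---
# Added example, not the poster's config. <...> values are placeholders.
/interface/wireguard
add name=wireguard-tunnel listen-port=13232 private-key="<main-private-key>"

/ip/address
add address=172.20.20.1/29 interface=wireguard-tunnel

# The remote LAN must be in allowed-address, or WireGuard drops packets that
# arrive from the tunnel with a 192.168.2.x / 192.168.3.x source address.
/interface/wireguard/peers
add interface=wireguard-tunnel public-key="<sub-router-public-key>" \
    allowed-address=172.20.20.2/32,192.168.2.0/24
add interface=wireguard-tunnel public-key="<sub-router2-public-key>" \
    allowed-address=172.20.20.3/32,192.168.3.0/24

# Return routes so replies to the remote LAN clients go back into the tunnel.
/ip/route
add dst-address=192.168.2.0/24 gateway=wireguard-tunnel
add dst-address=192.168.3.0/24 gateway=wireguard-tunnel

/ip/firewall/filter
# Tunnel transport and management from the tunnel subnet, as in the thread.
add chain=input protocol=udp dst-port=13232 action=accept comment="wg handshake"
add chain=input src-address=172.20.20.0/29 action=accept comment="wg mgmt"
# Reaching the router itself (192.168.1.1) from a remote LAN is the input chain;
# ports 22/8291 are an assumption about which services should be reachable.
add chain=input in-interface=wireguard-tunnel protocol=tcp dst-port=22,8291 \
    action=accept comment="ssh/winbox from remote LANs"
# Forward chain: only the two services are reachable from the tunnel; everything
# else arriving over wireguard-tunnel is dropped and logged. These rules are
# assumed to sit above any generic accept rules.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=wireguard-tunnel dst-address=192.168.1.10 \
    protocol=tcp dst-port=8096 action=accept comment="jellyfin"
add chain=forward in-interface=wireguard-tunnel dst-address=192.168.1.11 \
    protocol=tcp dst-port=80 action=accept comment="nextcloud"
add chain=forward in-interface=wireguard-tunnel action=drop \
    log=yes log-prefix="wg-forward-drop" comment="deny everything else"

# --- Sub-router (192.168.2.1, behind NAT); sub-router2 is the same with
#     172.20.20.3/29, port 13234 and 192.168.3.0/24 ---
/interface/wireguard
add name=wireguard-tunnel listen-port=13233 private-key="<sub-private-key>"

/ip/address
add address=172.20.20.2/29 interface=wireguard-tunnel

# Only the three hosts in allowed-address: WireGuard will not forward any other
# destination into the tunnel. persistent-keepalive keeps the NAT mapping open
# because this side has no reachable public port.
/interface/wireguard/peers
add interface=wireguard-tunnel public-key="<main-public-key>" \
    endpoint-address=<main-public-ip> endpoint-port=13232 \
    persistent-keepalive=25s \
    allowed-address=172.20.20.1/32,192.168.1.1/32,192.168.1.10/32,192.168.1.11/32

# Host routes for just those three addresses via the tunnel.
/ip/route
add dst-address=192.168.1.1/32 gateway=wireguard-tunnel
add dst-address=192.168.1.10/32 gateway=wireguard-tunnel
add dst-address=192.168.1.11/32 gateway=wireguard-tunnel

/ip/firewall/filter
add chain=input protocol=udp dst-port=13233 action=accept
add chain=input src-address=172.20.20.0/29 action=accept
# LAN clients may only open the two service ports across the tunnel.
add chain=forward connection-state=established,related action=accept
add chain=forward out-interface=wireguard-tunnel src-address=192.168.2.0/24 \
    dst-address=192.168.1.10 protocol=tcp dst-port=8096 action=accept
add chain=forward out-interface=wireguard-tunnel src-address=192.168.2.0/24 \
    dst-address=192.168.1.11 protocol=tcp dst-port=80 action=accept
add chain=forward out-interface=wireguard-tunnel action=drop \
    log=yes log-prefix="wg-out-drop"
```

To check it, open http://192.168.1.10:8096 from a client on 192.168.2.0/24 and then try a port that is not listed (for example 192.168.1.10:22 or any other port on the Docker host): the first should load, the second should time out, and the main router's log should show a wg-forward-drop entry for it. No src-nat or dst-nat is involved on either side apart from the existing masquerade to WAN, so the Jellyfin and Nextcloud logs keep the real 192.168.2.x client addresses.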

My answer remains the same: 1 and 3 at least, 2 helps and 4 only if multi-WAN.