The 5009 is at home and it has a public IP.
The RB750 is remote, behind a router, and its WAN address is a private LAN IP of a friend of mine.
I would like the RB750 to connect to the 5009 at home, so that from home I can reach the NAS that is on the RB750 LAN.
I would use WireGuard, but I found only guides with both routers on public IPs or with port forwarding, and I cannot do that.
Is there a way to do it? Or is it better to use SSL OVPN (I tried it months ago and went crazy with certificates)?
Thank you a lot!
But in the guide it seems that each router needs to have a public address (or a port forwarding from a public IP).
I do not know the remote router's public address, so I cannot create:
/interface/wireguard/peers
add allowed-address=10.1.101.0/24 endpoint-address=REMOTE PUBLIC endpoint-port=13231 interface=wireguard1 \
public-key="v/oIzPyFm1FPHrqhytZgsKjU7mUToQHLrW+Tb5e601M="
Incorrect!
Only the peer that is acting as server for the handshake has to have a reachable public IP in the standard WireGuard setup.
(Note: with the new WireGuard BTH functionality available on most MT routers, one need not have any reachable IP at all.)
So the Remote Device should have allowed IPs like so:
/interface/wireguard/peers
add allowed-address=10.1.101.0/24 endpoint-address=SERVER-PEER-ADDRESS endpoint-port=13231 interface=wireguardR2 \
persistent-keepalive=35s public-key="++++++="
The Local Device MAIN router (acting as server for the handshake):
/interface/wireguard/peers
add allowed-address=10.1.101.2/32 interface=wireguardR1 \
public-key="++++++++" comment=remote-mt-router
add allowed-address=10.1.101.3/32 interface=wireguardR1 \
public-key="++++++++" comment=remote-admin-laptop
etc.
Note1: I like to have different WireGuard interface names at the different routers so I know which config I am working on.
Note2: At the remote router, if you wish to visit subnets at the main router you need to add those subnets to allowed addresses, or the same if those subnets need to visit the remote router subnets.
Note3: If the remote router needs to use the internet of the main router, then a single entry of 0.0.0.0/0 for allowed IPs suffices for all entries.
Note4: I added a road warrior, which would typically use 0.0.0.0/0 for allowed IPs on the remote device when connecting to the Main Router.
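To put the whole picture together, here is a complete two-sided RouterOS 7 configuration for the setup described in this thread (home 5009 with a public IP answering the handshake, RB750 behind a friend's NAT initiating it, and the home side reaching the NAS on the RB750 LAN). This is an added example, not a config posted by anyone in the thread. It assumes constructed values: home LAN 192.168.10.0/24, RB750 LAN 192.168.20.0/24 with the NAS on it, tunnel subnet 10.1.101.0/24, and the placeholders in angle brackets replaced with the real public keys (shown by `/interface/wireguard print` after the interface is created) and the home public IP.

```routeros
# ---- HOME router (5009, public IP, answers the handshake) ----
# Assumed values (constructed for this example): home LAN 192.168.10.0/24,
# RB750 LAN 192.168.20.0/24 (NAS lives there), tunnel subnet 10.1.101.0/24.
/interface/wireguard
add name=wireguardR1 listen-port=13231
/ip/address
add address=10.1.101.1/24 interface=wireguardR1
/interface/wireguard/peers
# allowed-address must cover BOTH the remote tunnel IP and the LAN behind it
# (Note2 above): WireGuard only sends/accepts packets for a peer whose
# allowed-address matches, so without 192.168.20.0/24 here the NAS is unreachable.
add interface=wireguardR1 public-key="<RB750-PUBLIC-KEY>" \
    allowed-address=10.1.101.2/32,192.168.20.0/24 comment=remote-mt-router
/ip/route
# route the remote LAN into the tunnel (crypto-key routing alone does not add a route)
add dst-address=192.168.20.0/24 gateway=wireguardR1
/ip/firewall/filter
# only the home side needs an inbound hole: the RB750 initiates, so nothing
# has to be opened on the friend's router. place-before=0 puts this above the
# default "drop all not coming from LAN" input rule.
add chain=input protocol=udp dst-port=13231 action=accept \
    comment="wireguard handshake from RB750" place-before=0
# allow LAN <-> tunnel traffic; keep these scoped to the tunnel interface
add chain=forward in-interface=wireguardR1 action=accept place-before=0
add chain=forward out-interface=wireguardR1 action=accept place-before=0

# ---- REMOTE router (RB750, behind NAT, initiates the handshake) ----
/interface/wireguard
# no listen-port needed: this side never receives an unsolicited handshake
add name=wireguardR2
/ip/address
add address=10.1.101.2/24 interface=wireguardR2
/interface/wireguard/peers
# persistent-keepalive is what keeps the NAT mapping on the friend's router
# open so the home side can send to the NAS at any time; 25s is the value
# the WireGuard project suggests for NAT traversal (assumed here).
add interface=wireguardR2 public-key="<5009-PUBLIC-KEY>" \
    endpoint-address=<HOME-PUBLIC-IP> endpoint-port=13231 \
    allowed-address=10.1.101.1/32,192.168.10.0/24 persistent-keepalive=25s
/ip/route
add dst-address=192.168.10.0/24 gateway=wireguardR2
/ip/firewall/filter
# traffic arriving through the tunnel from home must be allowed to reach the NAS
add chain=forward in-interface=wireguardR2 dst-address=192.168.20.0/24 \
    action=accept place-before=0
```

After both sides are up, `/interface/wireguard/peers print` on the 5009 should show a recent `last-handshake` and a `current-endpoint-address` equal to the friend's public IP with whatever source port the NAT assigned; if the handshake never appears, the usual culprits are the input rule sitting below the default drop, a mismatched public key, or a keepalive missing on the remote side.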