I already have a working WireGuard VPN setup on my MikroTik router, and all clients are connected and functioning correctly. I want to implement a second WAN as a failover connection, which uses CGNAT.
My question is: Can I configure a “Back to Home” (BTH) WireGuard connection on the MikroTik for when WAN failover activates, without changing any client configurations?
That is, the clients would keep their current WireGuard settings and still reach the router, regardless of which WAN (public IP or CGNAT) is active.
Can I copy all the peer’s configurations and paste them into the BTH so they can reach the server with the same configs?
Interesting question, but the answer is no, as you would need a completely different WireGuard interface, which the router creates.
It’s kind of automagic…
You start the BTH process, enable it on the router.
Then you set up the master smartphone account on your smartphone.
Then from your smartphone you basically create and send all your clients their information.
I also don’t see how one turns off one WireGuard and the other one off, nor would I know how to force BTH to use WAN2 either…
Now there is the option of ONLY USING BTH and ditching your current wireguard setup.
In this case BTH is smart enough to use local WAN (public IP) if available and if not then use the MT relay server for when behind CGNAT.
So thinking this may be the better solution for you!
One thing that I didn’t know was that if my router has a public IP (not CGNAT, not a local IP), Back to Home doesn’t use the MikroTik relay and can connect directly to my router.
But I can’t find any MikroTik documentation that says that… because it has a big impact… without the MikroTik relay, latency is 5ms… with the MikroTik relay, 70ms…
The BTH will have more latency than regular WireGuard, yes; however, once the BTH determines that you have a reachable public IP address, the traffic will proceed directly and the latency should be the same as regular WireGuard.
Yes, of course. If using solely BTH the process is very similar.
Create BTH (enable) in IP > Cloud on Router1.
The FIRST CLIENT, called the master client, is your smartphone (the information for this connection is provided on the router).
From the MASTER CLIENT, the smartphone, create the file for subsequent secondary clients, including the router etc.
(If memory serves me, the secondary clients created include a private key, which you should use on Router2 to generate a known public key; Router1 will already have this known.)
The file should include the endpoint address, endpoint port, and private key (used to generate the public key). AKA first create the WireGuard interface on Router1, using this private key.
The public key generated by Router1 will be used in the peer settings on Router2.
You will need to add persistent keepalive on Router2.
What is the purpose of the connection between the two? This determines the allowed addresses in the peer settings on Router2.
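Worked example, added here and not taken from any post in this thread, of the Router2 side of the procedure above as RouterOS 7 CLI commands. It assumes the BTH client file supplies the private key, Router1’s public key, the endpoint address and the endpoint port; every key, address and port below is a placeholder, and the 192.168.216.0/24 tunnel subnet and the 192.168.88.0/24 LAN behind Router1 are constructed values to be replaced with your own.

```routeros
# Added example (not from the thread): RouterOS 7 CLI for Router2 acting as a
# BTH secondary client of Router1. Keys, addresses and ports are placeholders
# to be replaced with the values from the BTH client file.

# 1. Create the WireGuard interface with the private key from the BTH client file.
#    RouterOS derives the matching public key; "/interface/wireguard/print" shows it.
/interface/wireguard/add name=wg-bth comment="BTH secondary client" private-key="<PRIVATE_KEY_FROM_BTH_CLIENT_FILE>" listen-port=13231

# 2. Add Router1 as the peer. public-key is Router1's BTH public key from the client
#    file; endpoint-address/port are the BTH endpoint from the same file.
#    allowed-address is what Router2 may send into (and accept from) the tunnel:
#    Router1's tunnel address plus the LAN behind it (constructed placeholders).
#    persistent-keepalive keeps the NAT/CGNAT mapping open from Router2's side.
/interface/wireguard/peers/add interface=wg-bth comment="Router1 via BTH" public-key="<ROUTER1_BTH_PUBLIC_KEY>" endpoint-address=<BTH_ENDPOINT_ADDRESS> endpoint-port=<BTH_ENDPOINT_PORT> allowed-address=192.168.216.1/32,192.168.88.0/24 persistent-keepalive=25s

# 3. Give Router2's end of the tunnel an address in the tunnel subnet
#    (placeholder; use the address assigned in the client file).
/ip/address/add address=192.168.216.2/24 interface=wg-bth

# 4. Route Router1's LAN through the tunnel so devices behind Router2 can reach it.
#    Only prefixes listed in allowed-address above will actually pass the tunnel.
/ip/route/add dst-address=192.168.88.0/24 gateway=wg-bth

# 5. Verify: the peer should show a recent last-handshake once traffic flows.
/interface/wireguard/peers/print detail
```

The allowed-address list in step 2 is the place where the “purpose of the connection” decision lands: a single /32 limits the tunnel to router-to-router traffic, while adding Router1’s LAN prefix lets hosts behind Router2 reach that LAN. Keep the list as narrow as the use case needs, since WireGuard also drops inbound packets whose source is not covered by it.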
But if I want to use BTH (Back to Home) behind a router and, in order to reduce latency, try not to use MikroTik’s relay servers, which ports and protocol do I need to open in order to make it appear as if it has a public IP?
This is because the MikroTik is connected to a pfSense router that has two WANs. One WAN gets a public IP, which I control. But the other WAN acts as a failover, and I don’t control it — it gets a CGNAT IP. When I had a WireGuard server, I would open the port on the router, and the latency was around 10ms. But with Back to Home, even when I’m using the WAN that I control, since the MikroTik doesn’t get a public IP, it always goes through the MikroTik Cloud relay, and I end up with a latency of 150ms…
Of course, when the CGNAT WAN becomes active, I need to go through the MikroTik cloud relay, but I would like to avoid it whenever possible.
That is why I was searching for something to do to avoid the MikroTik cloud relay.
You could rent a VPS in the cloud and stick MT CHR on it, and thus never use BTH and just use regular WireGuard through the VPS to your router and to any remote devices.