In the WireGuard help page (https://help.mikrotik.com/docs/display/ROS/WireGuard) it is suggested to create an inner tunnel /30 network. In particular it mentions the following:
/ip/address
add address=10.255.255.2/30 interface=wireguard1
To me this is redundant for the following reasons:
a) forwarding is based on the interface name (wireguard1), not IP
b) the aforementioned /30 network is not mentioned in the allowed IP section. Therefore there is absolutely no connectivity between the two IPs in the /30 network. (I also verified this in practice just to be sure)
c) I have a multi-site-to-site configured between MikroTik devices with no IP addresses set up on the WireGuard interfaces and it seems to work great.
The reason for asking is I am trying to figure out if there is a problem with the help page or if I am missing something and might have some restrictions later. If in fact it is not necessary, I believe the admins should remove this from the help sections so as to not cause confusion.
Nothing missing. MikroTik is very malleable and allows you to configure WireGuard outside the ‘norms’ as well, and by that I mean without an IP address structure.
One will have a heavy reliance on ensuring necessary routes are created.
As usual, one needs the correct settings for Allowed IPs, and firewall rules
I too started my wireguard without the wireguard address structure but have come to appreciate its use.
It does NOT get in the way and actually tends to make life easier in terms of
a. pinging other MT devices
b. autocreation of routes for connected MT devices.
Thus, my recommendation is to do so.
Its up to you however.
Thank you for your comments. I think that the help page is written that way because we are used to the old-school p2p networks. I guess it makes some sense if you wanted to run routing protocols such as OSPF etc. However, I don’t know if routing protocols make much sense on WireGuard interfaces where routing is purely based on cryptographic rules.
What is amazing with WireGuard is that even my clients (10.0.200.X/32) are able to route traffic without even having an IP-based default gateway (in the traditional sense, like 10.0.200.1)!
Regarding the inter-tunnel IPs, what I have done is that each router has address 10.0.X.254/24 for the bridge network and I have set this IP as preferred source in the routing settings for the WireGuard interface. When troubleshooting, I find it easier to remember one router IP address rather than tunnel interface IPs.
About the routing being based purely on cryptographic rules, it’s not entirely true, you still need regular routes. They work together. Some/most other clients add them automatically, but in RouterOS you need either manual routes (in /ip route) or dynamic ones created from address/mask on WG interface. It’s possible to create even non-working combinations. Dynamic routing won’t work well with single WG interface, because there it’s limited by cryptorouting. But you can have multiple WG interfaces and then it’s possible.
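To make the interplay concrete (the /30 on the interface, the peer's allowed-address, and the regular route each doing a different job), here is an added RouterOS v7 example for one side of a site-to-site tunnel. It is not the MikroTik help page's configuration or any poster's config; the interface name, the 10.255.255.0/30 tunnel addresses, the 10.0.1.0/24 and 10.0.2.0/24 LANs, the 203.0.113.2 endpoint, port 13231 and the public key placeholder are all assumptions.

```routeros
# Added example (site A of a two-site WireGuard tunnel). Addresses, names and
# the public key are placeholders, not taken from the thread or the help page.

/interface/wireguard
add name=wireguard1 listen-port=13231

# Let the peer's handshake in. Place this above any drop rule in the input chain.
/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard"

# The /30 from the help page. On its own it only produces a connected (DAC)
# route 10.255.255.0/30 via wireguard1. It does NOT make 10.255.255.1 reachable:
# WireGuard will not send (or accept) a packet for an address no peer claims.
/ip/address
add address=10.255.255.2/30 interface=wireguard1

# Cryptokey routing. Listing 10.255.255.1/32 here is what makes the in-tunnel
# ping work; listing 10.0.2.0/24 lets the remote LAN's traffic through the peer.
/interface/wireguard/peers
add interface=wireguard1 public-key="<site-B-public-key>" \
    endpoint-address=203.0.113.2 endpoint-port=13231 \
    allowed-address=10.255.255.1/32,10.0.2.0/24 persistent-keepalive=25s

# allowed-address does not create routes in RouterOS. The remote LAN still
# needs a regular route pointing at the interface, or packets never reach
# WireGuard to be matched against allowed-address at all.
/ip/route
add dst-address=10.0.2.0/24 gateway=wireguard1

# Site B mirrors this with 10.255.255.1/30 on its interface, site A's key,
# allowed-address=10.255.255.2/32,10.0.1.0/24 and a route for 10.0.1.0/24.
# Omitting the /30 on both sides still works: only the connected route and the
# convenient tunnel address to ping are lost.
```

A quick check from site A after applying both sides: `/ping 10.255.255.1` should answer only once 10.255.255.1/32 is in the peer's allowed-address, and `/ip/route/print where dst-address=10.0.2.0/24` should show the static route via wireguard1; if either piece is missing the traffic is silently dropped, which is the "non-working combination" the reply above refers to.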
Thanks for your message. Overall I am very happy with WireGuard’s performance and simplicity and it seems that MikroTik’s implementation works very well.
I am marking the thread as solved, although I still strongly believe that the help page should be edited so as to remove the IP config section, or instead add this subnet to the allowed IP section. The way it is written implies that there should be connectivity within the subnet, which is not the case. Also, for 99% of use cases it seems it is also not necessary.
I have no idea what those IPs are doing there if they aren’t used in any peer’s allowed-address.
Sadly I’ve found a similar “guide” here: https://wiki.securepoint.de/index.php?title=UTM/VPN/WireGuard-S2S&uselang=en
That also uses some IP addresses on the wg interfaces, IPs that are otherwise not used anywhere else.