I am a beginner in WireGuard. I configured 2 sites with Mikrotik routers. The first, A, has a global fixed IP address; the second, B, has a random global IP address. Site A has peer B and site B has peer A. It works, no problem.
I wonder in which peer, A or B, to check the Responder box?
A similar question is where to change the Persistent keep alive value to 00:00:25, in peer A or peer B?
Sorry for the newbie questions.
Thank you!
From the documentation:
is-responder (yes | no; Default: no)
Specifies if peer is intended to be connection initiator or only responder. Should be used on WireGuard devices that are used as "servers" for other devices as clients to connect to. Otherwise router will repeatedly try to connect "endpoint-address" or "current-endpoint-address" causing unnecessary system logs to be written.
https://help.mikrotik.com/docs/display/ROS/WireGuard
In your case it would make sense to have peer A being the responder. And therefore you should set the is-responder on the peer B device (on the peer definition of peer A).
@Erlinden Thank you very much for the clear answer! Should Persistent keep alive be set to 00:00:25 on the peer B device (on the peer definition of A)?
Thank you
Keepalive should be set on the “client” peer (as well as the is-responder).
is-responder:
Specifies if peer is intended to be connection initiator or only responder. Should be used on WireGuard devices that are used as "servers" for other devices as clients to connect to. Otherwise router will repeatedly try to connect "endpoint-address" or "current-endpoint-address" causing unnecessary system logs to be written.
The only things you need on the SERVER (handshake responder) Router A, with the fixed IP:
Mandatory:
/interface/wireguard/peers
add allowed-address=wireguard-address-of-routerb/32 interface=wireguard-name public-key="key generated by router B to use here"
/fw rules
Input chain rule = accept incoming port on WAN
optional: allow wireguard on input chain for admin to configure router (either from routerB or a remote warrior connection - use source address list)
optional: allow wireguard on forward chain to allow routerb access to local subnets ( and possibly the reverse as well)
optional: allow wireguard on forward chain to allow routerb access to local WAN (internet)
If you have either
a. remote subnets of Router B needing access to subnets on RouterA, OR
b. local subnet of Router A needing access to subnets on RouterB, then add:
/interface/wireguard/peers
add allowed-address=wireguard-address-of-routerb/32,subnetA,subnetB interface=wireguard-name public-key="key generated by router B to use here"
/ip/route
add dst-address=subnetA.0/24 gateway=wireguard-name routing-table=main
add dst-address=subnetB.0/24 gateway=wireguard-name routing-table=main
PLUS, required forward chain rules as applicable.
+++++++++++++++++++++++++++++++++++++
On Router B
Mandatory:
/interface/wireguard/peers
add allowed-address=wireguard-SUBNET-of-routerb.0/24 interface=wireguard-name public-key="key generated by router A to use here" persistent-keepalive=25s
optional: allow wireguard on input chain for admin to configure router (either from routerA or a remote warrior connection - use source address list)
optional: allow wireguard on forward chain to access local subnets
If you have either
a. remote subnets of Router A needing access to subnets on RouterB, OR
b. local subnet of Router B needing access to subnets on RouterA, then add:
/interface/wireguard/peers
add allowed-address=wireguard-SUBNET-of-routerb.0/24,subnetC,subnetD interface=wireguard-name public-key="key generated by router A to use here" persistent-keepalive=25s
/ip/route
add dst-address=subnetC.0/24 gateway=wireguard-name routing-table=main
add dst-address=subnetD.0/24 gateway=wireguard-name routing-table=main
PLUS, required forward chain rules as applicable.
++++++++++++++++++++++++++++++++++++++++
Note: If Router B needs internet access via Router A, then the allowed IPs are all wiped out and replaced by 0.0.0.0/0, which allows ALL IP addresses.
Still need the IP routes though for subnets on the far router if they are in play…
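Added worked example (my own constructed configuration, not from this thread, the MikroTik docs, or the posters above) showing the two sides laid out in the posts above as RouterOS 7 CLI: router A with the fixed IP as the responder, router B with the dynamic IP as the initiator with the 25s keepalive. All addresses, ports, key strings, the bridge name "bridge" and the interface list "WAN" are placeholders/assumptions; adjust them to your setup.

```routeros
# Constructed example. Assumed placeholders:
#   Router A: fixed public IP 203.0.113.10, LAN 192.168.1.0/24, LAN bridge "bridge",
#             WAN port in interface list "WAN", tunnel address 10.255.0.1/24
#   Router B: dynamic public IP, LAN 192.168.2.0/24, tunnel address 10.255.0.2/24
#   Keys: omitting private-key lets RouterOS generate one; read the public key with
#         /interface/wireguard print and paste it into the OTHER router's peer entry.

# ===== Router A: fixed IP, responder side =====
/interface/wireguard add name=wg-site listen-port=13231 comment="site-to-site tunnel"
/ip/address add address=10.255.0.1/24 interface=wg-site
# Peer entry FOR router B: no endpoint (B's address changes); is-responder=yes so A only waits
/interface/wireguard/peers add interface=wg-site public-key="PUBLIC-KEY-OF-ROUTER-B" allowed-address=10.255.0.2/32,192.168.2.0/24 is-responder=yes comment="site B"
# Mandatory: accept the WireGuard UDP port from the WAN (must sit above any input drop rule)
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard from site B"
# Optional: let the two LANs talk across the tunnel (forward chain, above the generic drop)
/ip/firewall/filter add chain=forward action=accept in-interface=wg-site out-interface=bridge comment="site B -> LAN A"
/ip/firewall/filter add chain=forward action=accept in-interface=bridge out-interface=wg-site comment="LAN A -> site B"
# Route for B's LAN into the tunnel (allowed-address alone does not create a route)
/ip/route add dst-address=192.168.2.0/24 gateway=wg-site

# ===== Router B: dynamic IP, initiator side =====
/interface/wireguard add name=wg-site listen-port=13231 comment="site-to-site tunnel"
/ip/address add address=10.255.0.2/24 interface=wg-site
# Peer entry FOR router A: fixed endpoint; keepalive every 25s keeps B's NAT mapping open
/interface/wireguard/peers add interface=wg-site public-key="PUBLIC-KEY-OF-ROUTER-A" endpoint-address=203.0.113.10 endpoint-port=13231 allowed-address=10.255.0.1/32,192.168.1.0/24 persistent-keepalive=25s comment="site A"
# No WAN input rule needed on B: B initiates, so A's replies match the existing UDP
# connection (assumes the default "established,related" accept rule is present)
/ip/firewall/filter add chain=forward action=accept in-interface=wg-site out-interface=bridge comment="site A -> LAN B"
/ip/firewall/filter add chain=forward action=accept in-interface=bridge out-interface=wg-site comment="LAN B -> site A"
/ip/route add dst-address=192.168.1.0/24 gateway=wg-site

# Check on either side: last-handshake should keep updating and rx/tx should grow
/interface/wireguard/peers print detail
```

If last-handshake never appears on router A, the usual causes are the input rule sitting below a drop rule or the public keys pasted on the wrong side.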