I have a MikroTik router as an L2TP server with a public static IP, and have some customers' MikroTik routers connected as clients. Then I have my computer connected over WireGuard to that MikroTik server.
All PPPs are masqueraded, so I have full access to the client routers when I'm connected to the WireGuard.
NOW I want to migrate all my L2TP clients to WG clients. I don't want any routed traffic, just a connection so I can get to the router through Winbox. All of these clients are behind NAT.
Can someone here help me with an example of the WG config for this?
Are you saying you wish to connect all the clients’ routers to your MT server router via WG?
Are they all MT routers?
Not much different from a roadwarrior setup.
No input chain rule (no handshake on the client router).
Still need an IP address.
Still need allowed IPs (not 0.0.0.0 likely, but something like 192.168.10.0/24, SubnetA, SubnetB).
Meaning, each client should have the wireguard subnet as an allowed IP and then any subnets that:
a. local users need to visit at any of the other routers, including the MT server router subnets;
b. external user subnets that need to visit the local client router subnets.
AND IP routes to cover off all the subnetA, subnetB traffic, pointing to the wireguard interface, table main.
Relevant forward firewall rules as well, of course, for LAN traffic.
Relevant input chain rule, if you, the admin, need to access the client router for config purposes.
It's not hard, as you already have a wireguard interface.
Just assign each router a wireguard IP.
On the main router,
add a line for allowed IPs to each router:
ipaddressRouterClient1/32,subnetC,subnetD… (either local users going to a remote subnet, OR remote subnets coming into the main router)
interface=wireguard public-key=xxxxxxx
Applicable routes for any applicable subnets, table main, based on the above allowed addresses (remember they are not local, so you have to tell the MAIN router about them).
Applicable firewall rules
to allow traffic from other routers to your subnets as picky as you need to be
to allow traffic from local subnets into the tunnel to reach other router subnets
ONE KEY RELAY RULE: add chain=forward action=accept in-interface=wireguard out-interface=wireguard.
Ex. This will allow any subnet from router 1 to reach the MAIN server router and reach router 6.
Traffic from subnet A needs to reach subnet M.
You have two routes existing: add dst-address=subnetA gateway=wireguard table=main
add dst-address=subnetM gateway=wireguard table=main
So the router knows where to send originating and return traffic!!
The relay firewall rule allows the traffic to hit MAIN from Router 1 and then re-enter the tunnel headed for Router 6.
It's peer to peer!!
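A worked RouterOS 7 configuration for the hub-and-spoke the replies describe, cut down to the admin-only case from the original question (Winbox access to customer routers behind NAT, no routed LAN traffic). This is an added example, not config posted by anyone in the thread; the interface names (wg-hub, wg-client), the 10.99.0.0/24 tunnel subnet, the hub endpoint 203.0.113.10, UDP port 13231 and the <...> key placeholders are assumptions to replace with your own values.

```routeros
# ---- HUB (the MikroTik with the public static IP) ----
# Added example; names, addresses and keys are placeholders.
/interface wireguard
add name=wg-hub listen-port=13231 comment="hub for admin PC and customer routers"
# the private key is generated on add; read the public key for the peers with:
#   /interface wireguard print

/ip address
add address=10.99.0.1/24 interface=wg-hub

/interface wireguard peers
# one /32 per peer: the hub only accepts that source address behind that key
add interface=wg-hub public-key="<admin-pc-public-key>" allowed-address=10.99.0.10/32 comment="admin PC"
# customer routers are behind NAT, so no endpoint is set here; they initiate
add interface=wg-hub public-key="<client1-public-key>" allowed-address=10.99.0.2/32 comment="customer router 1"
add interface=wg-hub public-key="<client2-public-key>" allowed-address=10.99.0.3/32 comment="customer router 2"

/ip firewall filter
# the hub is the only side with a reachable port, so it must accept the handshakes
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard handshake"
# the relay rule from the reply above, narrowed to the admin's tunnel address;
# return traffic is covered by the default "accept established,related" forward rule,
# so place this rule after that one and before the default drops
add chain=forward action=accept in-interface=wg-hub out-interface=wg-hub src-address=10.99.0.10 comment="admin to customer routers via wg"

# ---- CUSTOMER ROUTER (behind NAT) ----
/interface wireguard
add name=wg-client listen-port=13231

/ip address
add address=10.99.0.2/24 interface=wg-client

/interface wireguard peers
# allowed-address must cover the admin PC's tunnel address as well as the hub's,
# otherwise packets the hub relays are dropped by cryptokey routing on arrival.
# persistent-keepalive keeps the NAT mapping open so the hub can reach this router.
add interface=wg-client public-key="<hub-public-key>" endpoint-address=203.0.113.10 endpoint-port=13231 allowed-address=10.99.0.0/24 persistent-keepalive=25s comment="hub"

/ip firewall filter
# only Winbox, only from the admin's tunnel address; no forward rule, so nothing is routed
add chain=input action=accept in-interface=wg-client src-address=10.99.0.10 protocol=tcp dst-port=8291 comment="Winbox from admin over WireGuard"
add chain=input action=drop in-interface=wg-client comment="nothing else from the tunnel"
```

Exchange the public keys out of band (copy them from `/interface wireguard print` on each box), and give the admin workstation's own WireGuard config AllowedIPs of 10.99.0.0/24 so it will send Winbox traffic for 10.99.0.2 into the tunnel. Check the result with `/interface wireguard peers print` on the hub: each customer router should show a recent last-handshake, and Winbox to 10.99.0.2 from the admin PC then goes admin -> hub -> customer without any masquerade, because every address involved is inside the tunnel subnet.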