I recently deployed a WireGuard Debian server (shall be known as WG for this post) in the cloud and then painfully set up my MikroTik on site to tunnel to the WG server and then break out to the internet. The reason I did this is the following. I deploy cloud PBX extensions and recently set up recursive failover on a client-site MikroTik, BUT after failover occurred, the VoIP server traffic was still routing to the extension via the failed WAN IP instead of the secondary. So my idea was to deploy the WireGuard server and have the gateway in the cloud instead, which means either the primary or secondary WAN connection would still route the inbound calls to the desired extension after failover has occurred (if anyone has a better way of doing this, the gods will shine on you for sharing).
The script I used to set up my MikroTik to tunnel to the WG cloud server is the following:
You should change "XX.XX.XX.XX" to your WireGuard server
and set public-key, private-key, preshared-key and "YY.YY.YY.YY/YY" according to your config.
My question now is, how do I integrate a recursive failover into this configuration, since the routing tables have become a lot more complex? My MikroTik is set up simply with WAN1 on ether1, WAN2 on ether2, and ether3, 4 and 5 all bridged for the LAN, using an RB951.
Please post your complete config
/export file=anynameyouwish (minus router serial #, any public WAN IP information, keys etc.)
There may be no need for WireGuard for this aspect, as it sounds like a faulty failover config more than anything else.
(could be mangles, could be routing etc.)
WireGuard is not a magic solution, as it still needs to travel over one of your ISP connections to the cloud.
Was your intention to use WireGuard over WAN1 or WAN2??
Don't get me wrong, the WG client MTK IS working, as it's tunnelling the traffic from the site via WAN1 through the cloud WG server and then to the VoIP server. However, I wish to add a WAN2 to the configuration and set recursive failover to WAN2, which will ALSO then tunnel through to the WG server and break out to the VoIP server. The idea behind this is to maintain a common gateway during the failover so the VoIP server still passes the inbound VoIP traffic to the same destination cloud PBX extensions regardless of which WAN connection is live at the time.
The root problem is this. Cloud PBX extensions register with the VoIP server, which knows the location of each extension based on its INITIAL registration. Once failover occurs, the VoIP server is still looking for the cloud PBX extensions via the previous WAN connection, so I thought maintaining a common gateway by implementing a WG server would solve the problem. However, I'm not skilled at incorporating a recursive failover now with the WG configuration above.
The problem here is, I DON'T know how to add the recursive failover to this configuration.
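A sketch of the recursive-failover routing being asked about, added here as an example and not taken from anyone in the thread. It assumes RouterOS v7 syntax, WAN1 gateway 192.0.2.1 on ether1 and WAN2 gateway 198.51.100.1 on ether2 (documentation placeholders), the WG server at XX.XX.XX.XX as in the post, and the tunnel's far side at 10.255.0.1 on wg0 (also a placeholder); firewall and NAT rules are out of scope.

```routeros
# Added example with placeholder addresses, not the poster's configuration.
# WAN1 gateway 192.0.2.1 (ether1), WAN2 gateway 198.51.100.1 (ether2),
# WireGuard server XX.XX.XX.XX, tunnel peer 10.255.0.1 on wg0.
/ip route
# Probe hosts pinned to one WAN each. scope=10 lets the recursive routes
# below resolve through them; check-gateway then pings the probe, so a dead
# ISP path is detected even while the local modem still answers.
# Traffic to a probe host bypasses the tunnel, so pick hosts the LAN does
# not otherwise talk to (these two are just examples).
add dst-address=8.8.8.8/32 gateway=192.0.2.1 scope=10 comment="WAN1 probe"
add dst-address=9.9.9.9/32 gateway=198.51.100.1 scope=10 comment="WAN2 probe"

# The WireGuard handshake reaches the server via whichever probe still
# answers: WAN1 at distance 1, WAN2 at distance 2. The /32 also keeps the
# endpoint traffic itself out of the tunnel default route below.
add dst-address=XX.XX.XX.XX/32 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=11 comment="WG endpoint via WAN1"
add dst-address=XX.XX.XX.XX/32 gateway=9.9.9.9 check-gateway=ping distance=2 target-scope=11 comment="WG endpoint via WAN2"

# LAN default route goes into the tunnel, so the VoIP server always sees the
# cloud WG server's address as the extensions' source, whichever WAN is live.
# check-gateway on the peer address deactivates this route if the tunnel
# stops passing traffic (wg0 itself stays "running" even without a handshake).
add dst-address=0.0.0.0/0 gateway=10.255.0.1%wg0 check-gateway=ping distance=1 comment="LAN default via WG"

# Plain-internet fallback, only used when the tunnel default route is inactive.
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=5 target-scope=11 comment="fallback via WAN1"
add dst-address=0.0.0.0/0 gateway=9.9.9.9 check-gateway=ping distance=6 target-scope=11 comment="fallback via WAN2"
```

When the fallback routes take over, the extensions' source address changes to the live WAN IP, so registrations made through the tunnel will break until the tunnel returns or the phones re-register.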
(1) Remove the pre-shared key in the WireGuard settings (at both ends)
(2) You hardly have any firewall rules?
Are you behind an upstream router with firewall rules??
Also, your two rules are garbage if they are intended to handle WireGuard.
Since the MT is acting as a client for the handshake, there is no need for an input chain rule for WG traffic to leave the router.
(3) You will never get WireGuard to work without some sort of masquerade out of the MT router for normal traffic??
Since you added wg0 to the WAN interface list, you should have stuck with the default rule already in place…
(4) If the plan is to send all bridge traffic out WireGuard, let's look at how this can be accomplished, or is it only SOME bridge traffic, aka can you identify which IPs on the LAN need to go out WireGuard (should be easy to create a firewall address list for that).
I've made the requested changes and here's an example of the recursive failover I USUALLY deploy on my MTK. Yes, my MTK sits behind an ISP router with its own firewalling.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1