Wireguard setup for both internal and external access

Hello,

I’ve run into a wall trying to set up my Mikrotik router so that it acts as a Wireguard server that routes traffic to my LAN.
What I want to achieve:

  • I have an Android phone with Wireguard; I want to be connected to a WG tunnel at all times
  • One peer of this tunnel is an AirVPN server, through which I want to route all public traffic
  • Second peer is my Mikrotik router, through which I want to route traffic into my LAN
    I want this connection to be active whether I am accessing from outside, or from my LAN (that is, some hairpin NAT will be also required)

I have successfully set up Wireguard so that I can initiate the tunnel (the handshake occurs OK); however, I cannot even ping the wireguard interface of the router from the client, let alone route traffic through it.

The wireguard interface has 192.168.3.1/24 address.
My client config looks like this:

[Interface]
PrivateKey = InterfacePrivateKey
Address = 10.142.68.243/32

[Peer]
PublicKey = AirVPNServerPublicKey
PresharedKey = PresharedKey
AllowedIPs = 0.0.0.0/1,128.0.0.0/2,224.0.0.0/3,208.0.0.0/4,200.0.0.0/5,196.0.0.0/6,194.0.0.0/7,193.0.0.0/8,192.0.0.0/9,192.192.0.0/10,192.128.0.0/11,192.176.0.0/12,192.160.0.0/13,192.172.0.0/14,192.170.0.0/15,192.169.0.0/16,192.168.128.0/17,192.168.64.0/18,192.168.32.0/19,192.168.16.0/20,192.168.8.0/21,192.168.4.0/22
Endpoint = airvpnendpoint
PersistentKeepalive = 15

[Peer]
PublicKey = MikrotikRouterPublicKey
AllowedIPs = 192.168.0.0/22
Endpoint = 192.168.3.1:13231
PersistentKeepalive = 15

As to why I want this crazy setup: I am self-hosting stuff on my home server, and want to access some of it from my phone at optimal speeds, without exposing it to the internet.
Previously I used Tailscale, however now I want to use an actual VPN on my phone and sadly even GrapheneOS does not support running two VPNs at the same time on one user profile.

What configuration do I have wrong/am I missing in order to achieve the stated?

Thanks for any help

Config attached
mikrotik.ini (7.11 KB)
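The client config above, run through an added check (example code written for this thread, not from the original post or any project; the function names are this example's own): it parses the two [Peer] sections, confirms that the AirVPN peer's split AllowedIPs list together with the router peer's 192.168.0.0/22 covers all of 0.0.0.0/0, and flags any Endpoint whose IP literal falls inside a peer's AllowedIPs, because such an address is reachable only through the tunnel itself (192.168.3.1 is the router's Wireguard interface address from the post, not an address on the underlying network).

```python
import ipaddress
# Constructed sample: the two [Peer] sections of the client config in the post (values as given there).
CLIENT_CONFIG = """
[Peer]
AllowedIPs = 0.0.0.0/1,128.0.0.0/2,224.0.0.0/3,208.0.0.0/4,200.0.0.0/5,196.0.0.0/6,194.0.0.0/7,193.0.0.0/8,192.0.0.0/9,192.192.0.0/10,192.128.0.0/11,192.176.0.0/12,192.160.0.0/13,192.172.0.0/14,192.170.0.0/15,192.169.0.0/16,192.168.128.0/17,192.168.64.0/18,192.168.32.0/19,192.168.16.0/20,192.168.8.0/21,192.168.4.0/22
Endpoint = airvpnendpoint
[Peer]
AllowedIPs = 192.168.0.0/22
Endpoint = 192.168.3.1:13231
"""

def parse_peers(text):
    """One dict per [Peer] section: {'allowed': [ip_network, ...], 'endpoint': str or None}."""
    peers, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line == "[Peer]":
            cur = {"allowed": [], "endpoint": None}
            peers.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if key == "AllowedIPs":
                cur["allowed"] = [ipaddress.ip_network(n.strip(), strict=False) for n in val.split(",")]
            elif key == "Endpoint":
                cur["endpoint"] = val
    return peers

def coverage_gap(peers):
    """IPv4 space claimed by no peer's AllowedIPs (so never sent into the tunnel), as sorted CIDRs."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in (n for p in peers for n in p["allowed"] if n.version == 4):
        nxt = []
        for r in remaining:
            if net.subnet_of(r):          # carve net out of r (nothing remains if they are equal)
                nxt.extend(r.address_exclude(net))
            elif not r.subnet_of(net):    # disjoint: keep r; r entirely inside net: drop it
                nxt.append(r)
        remaining = nxt
    return sorted(str(n) for n in remaining)

def endpoint_routing_conflicts(peers):
    """Endpoint IP literals that fall inside a peer's AllowedIPs, i.e. are reachable only via the tunnel."""
    hits = []
    for peer in peers:
        host = (peer["endpoint"] or "").rsplit(":", 1)[0].strip("[]")  # "host:port" or "[v6]:port"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                # hostname or missing endpoint: cannot be checked statically
            continue
        hits += [(host, str(n)) for p in peers for n in p["allowed"] if addr in n]
    return hits
```

A peer's Endpoint must be reachable over the underlying network (for the home peer, the router's static public IP and a forwarded UDP port), so a hit from the last function points at the endpoint rather than at the AllowedIPs split.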

Draw a diagram because you seem to want opposed uses.
Wireguard to a third party server
Wireguard to home.

Which is it or both?

++++++++++++++
It sounds like you need two wireguard interfaces, one for third party and one for home.
Do you have a public IP address, or can you forward ports from an ISP router that has a public IP address?

Draw a diagram because you seem to want opposed uses.

Is it not possible to route traffic through two separate peers on one wireguard tunnel?
That is what I’m trying to achieve here: to route traffic to my LAN over a peer (my router) connected through the public IP, and to route all the other traffic through an AirVPN server.

My router is reachable through a static public IP, though the address on the WAN interface is different. I already have working port forwarding for web traffic, for example (as can be seen from the config).
Untitled Diagram.drawio.png

If you can port forward then you can host wireguard which you will need to do.
AirVPN and other types of VPN are NOT for connecting to Air VPN and then to your home router.
They are the type of VPN service that simply provides internet out of a different location/country, for either users on the router or an iPhone going out to the internet at Air VPN.

So you will need to use two wireguard interfaces.

  1. AIR VPN interface
    A. remote iphone out internet at AirVPN
    B. router out internet at Air VPN

  2. Home VPN interface
    a. remote phone or laptop etc, to home
    b. replace port forwarding for a more secure way to access servers.

What you need is a plan for ALL users and ALL the traffic they need; identify those and a config can be built efficiently.
Include any port forwarding etc…

Theoretically you could remote into home and then go out AirVPN for internet, vice going out your own internet, or connect to home and not go out any internet.