Wireguard setup

Hi guys, currently I have a WireGuard tunnel that looks like:

MikroTik via Starlink <=====> Remote Windows server
I'm able to access devices in the MikroTik local network from the remote server; here is how it works:

MikroTik

[Interface]
Address = 10.0.1.1/24
PrivateKey =

[Peer]
AllowedIPs = 10.0.1.2/32
PublicKey =
Endpoint = remote_server_ip:13231
PersistentKeepalive = 25

Remote server

[Interface]
PrivateKey =
ListenPort = 13231
Address = 10.0.1.2/24

[Peer]
PublicKey =
AllowedIPs = 10.0.1.1/32, microtik_lan/24


I want to expand the network a little bit to look like:
MikroTik via Starlink <=====> Remote Windows server <=====> Laptop

So I would like to access the MikroTik LAN via the laptop through the Windows server.
The server is needed because it has a fixed IP and I can open the ports needed to initiate the connection.

Any advice on how the WireGuard config should look in this case?
Thanks!

Yes.
First fix the Allowed IPs on the MT client (for handshake) device:

[Peer]
AllowedIPs = 10.0.1.0/24
PublicKey =
Endpoint = remote_server_ip:13231
PersistentKeepalive = 25



Now, the ability for the laptop to reach the MT will depend on what is going on at the server.
You will need another client peer on the server for sure.
Since the server is a mystery, I can only comment on the MT.

At the MT you will need a firewall rule allowing WireGuard to the LAN on the forward chain.

Here is my config so far:

Windows Server with just the WireGuard app, needed only to connect peer1 with peer2

[Interface]
PrivateKey =
ListenPort = 13231
Address = 10.0.1.2/32
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

MikroTik with the LAN I want to access

[Peer]
PublicKey =
AllowedIPs = 10.0.1.1/32, 192.168.88.0/24

The laptop from which I want to access the MT LAN

[Peer]
PublicKey =
AllowedIPs = 10.0.1.3/32

I'm able to ping the server from the laptop but can't reach peer1 (MT) so far.
From the server I have full access to the LAN on peer1 (MT).
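
Added example, not part of any post in this thread: WireGuard uses AllowedIPs both to pick the outbound peer and to filter the inner source address on receipt, and this sketch traces a packet through the three peers with the MT's original `10.0.1.2/32` and with the `10.0.1.0/24` suggested in the reply. The laptop's AllowedIPs and the host `192.168.88.10` are assumptions, since the thread shows neither.

```python
import ipaddress as ip

# Constructed model of the thread's three peers: node -> {remote peer: AllowedIPs}.
# The server's entries are the ones posted in the thread; the laptop's AllowedIPs
# are an assumption, since its config never appears in the thread.
LAPTOP_ALLOWED = ["10.0.1.0/24", "192.168.88.0/24"]  # assumed
# Addresses each node delivers locally (tunnel address, plus the LAN behind the MT).
LOCAL = {"mt": ["10.0.1.1/32", "192.168.88.0/24"],
         "server": ["10.0.1.2/32"],
         "laptop": ["10.0.1.3/32"]}

def topology(mt_allowed):
    return {"mt": {"server": mt_allowed},
            "server": {"mt": ["10.0.1.1/32", "192.168.88.0/24"],
                       "laptop": ["10.0.1.3/32"]},
            "laptop": {"server": LAPTOP_ALLOWED}}

def covers(nets, addr):
    return any(ip.ip_address(addr) in ip.ip_network(n, strict=False) for n in nets)

def match(peers, addr):
    """Peer whose AllowedIPs holds the longest prefix covering addr, else None."""
    hits = [(ip.ip_network(n, strict=False).prefixlen, name)
            for name, nets in peers.items() for n in nets if covers([n], addr)]
    return max(hits)[1] if hits else None

def trace(mt_allowed, node, src, dst):
    """Walk one packet through the tunnels, applying only WireGuard's AllowedIPs
    checks. Forwarding and firewall rules on the server or router are not modelled."""
    topo = topology(mt_allowed)
    for _ in range(len(topo)):  # bounded so a routing loop terminates
        if covers(LOCAL[node], dst):
            return f"delivered at {node}"
        nxt = match(topo[node], dst)  # outbound: AllowedIPs picks the peer
        if nxt is None:
            return f"{node}: no peer's AllowedIPs covers {dst}"
        if match(topo[nxt], src) != node:  # inbound: source must belong to sender
            return f"{nxt}: drops {src} arriving from {node}"
        node = nxt
    return "routing loop"

if __name__ == "__main__":
    host = "192.168.88.10"  # constructed LAN host behind the MT
    for allowed in (["10.0.1.2/32"], ["10.0.1.0/24"]):
        print(allowed, "request:", trace(allowed, "laptop", "10.0.1.3", host))
        print(allowed, "reply:  ", trace(allowed, "mt", host, "10.0.1.3"))
```

A "delivered" result only means the AllowedIPs checks pass at every hop; the server still has to forward between its peers and the MT firewall still has to allow the traffic.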