Wireguard setup

Hello,

I am trying to set up a WireGuard road warrior VPN. I have two MikroTik routers with a very similar setup. One gets its WAN IP (ether1) via PPPoE on VLAN10, the other via DHCP on ether1.

The architecture I want to achieve is:

Multiple random clients (192.168.35.0/24)                      Multiple random clients (192.168.90.0/24)
|                                                              |
Wireguard VPN (road warrior setup)                             Wireguard VPN (road warrior setup)
|                                                              |
Router 1 <-------- Wireguard VPN (site to site) -------------> Router 2

I followed this guide: https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-RoadWarriorWireGuardtunnel. This is working quite OK now, but I have some small issues:

When a road warrior client from router 1 is connected, it cannot reach IPs behind the NAT of router 2 (which is possible from within router 1's main network), and the other way around.

Router 2's road warrior clients were not able to connect. After a reboot of the router this started working again. I have no idea how that's possible.

When a road warrior client from router 1 is connected, it cannot reach IPs behind the NAT of router 2 (which is possible from within router 1's main network), and the other way around.

Assuming there is no NAT going on (i.e. the packet from 192.168.35.1 reaches the device on router 2 as coming from 192.168.35.1):
On router 2 you will need a route to 192.168.35.0/24 via the site-to-site WireGuard interface.
You will need to add 192.168.35.0/24 to the allowed addresses on router 2's site-to-site WireGuard peer.

In terms of learning something… more important, WHY it's needed.

There is a cross-check between allowed IPs and IP routes regarding WireGuard.
Allowed IPs identifies potentially two things: the remote subnets that local users need to reach, OR the remote subnets that are coming into the router to reach local subnets.
In both cases the key here is remote subnets.

The local router has no idea about these remote subnets, and thus we have to tell the router how to send traffic to them, hence IP routes:
/ip route add dst-address=remoteSubnet gateway=wireguard1 table=main

This covers both cases:
a. local users put in a destination in the remote subnet, and the IP route we added tells the router to use the WireGuard interface for that traffic.
b. remote users have reached our local server and the return traffic is headed back; the IP route we added tells the router where to send the return traffic.
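As an added illustration (not code from this thread or from MikroTik), the following Python model of WireGuard's cryptokey routing on router 2 shows the two checks the reply describes: the IP route decides whether a packet enters wireguard1 at all, and the peer's allowed addresses decide whether it is encrypted to, or accepted from, the site-to-site peer. The router LAN subnets 10.1.0.0/24 and 10.2.0.0/24, the peer names and the road warrior client address are assumptions made for the demo.

```python
# Constructed model of WireGuard cryptokey routing as seen from router 2.
# LAN subnets, peer names and client addresses are assumed, not from the thread.
import ipaddress

def build_peers(site_to_site_allowed):
    """Router 2's peer table: the site-to-site peer plus one local road warrior."""
    return {
        "router1_s2s": [ipaddress.ip_network(n) for n in site_to_site_allowed],
        "rw_client_r2": [ipaddress.ip_network("192.168.90.10/32")],  # constructed client
    }

def build_routes(dst_nets_via_tunnel):
    """Router 2's main table: LAN, default route to WAN, plus routes into the tunnel."""
    routes = {
        ipaddress.ip_network("10.2.0.0/24"): "bridge",   # constructed router 2 LAN
        ipaddress.ip_network("0.0.0.0/0"): "ether1",     # default route to WAN
    }
    for n in dst_nets_via_tunnel:
        routes[ipaddress.ip_network(n)] = "wireguard1"
    return routes

def peer_for(peers, addr):
    """Cryptokey routing: the peer whose allowed-ips contain addr (longest prefix wins)."""
    addr = ipaddress.ip_address(addr)
    best = None
    for name, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None

def outbound(peers, routes, dst):
    """Router 2 forwarding a packet (e.g. a reply from its LAN) towards dst."""
    dst_ip = ipaddress.ip_address(dst)
    net = max((n for n in routes if dst_ip in n), key=lambda n: n.prefixlen)
    iface = routes[net]
    if iface != "wireguard1":
        return f"sent via {iface}"  # never enters the tunnel: route is missing
    peer = peer_for(peers, dst)
    return f"encrypted to {peer}" if peer else "dropped: no peer allows this dst"

def inbound(peers, from_peer, src):
    """A packet decrypted from from_peer is accepted only if src is in its allowed-ips."""
    return "accepted" if peer_for(peers, src) == from_peer else "dropped: src not allowed"
```

Without the route, a reply to 192.168.35.1 leaves via the default route instead of the tunnel; with the route but without the allowed address, WireGuard drops it, and the client's inbound packets are dropped as well.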