I am testing WireGuard, and I got the basic site-to-site config to work. But I want to modify it a little bit. I would like to add a secondary router that has its own public IP and route all internet traffic to there, but when I remove the 0.0.0.0/0 from my WireGuard router then peers won't connect anymore. I tried to use mangle to send dynamic peer connections back from the port where they came from, but I am missing something.
Sorry, your explanation is not helpful, as we are not in your head and thus cannot make all the same assumptions…
Draw a diagram.
It would appear you have
a. a MikroTik device (acting as a server peer for handshake)
b. one or more client peer devices such as laptops, smartphones, etc to connect from remote locations to your MT device.
You want to add a second router as a client peer router.
What is true??
- send all internet through this router
  - from the other client peer devices?
  - from one or more subnets on Main router?
  - both?
- send router to router subnet traffic?

You would like to introduce a second router (as a client peer router for handshake) and
- send internet traffic from one or more subnets to/through the MAIN router?
- send subnet to subnet traffic between the two routers?
- have remote devices access subnets on this router?
In addition to detailed accurate information, the configs of both routers are required.
/export file=anynameyouwish ( minus router serial number, router mac-address, any public WANIP information, keys etc. )
If I got you right, you add a 0.0.0.0/0 route to WireGuard, then the WireGuard tunnel itself drops. That happens because the router tries to route the actual WG-encapsulated packets to WG itself because of that route. If you want to maintain the tunnel, you have to add a specific route to the server (i.e. dst-address=WG-server gateway=ISP or wherever it should go) alongside the default route. That’s my only guess, but the statement above is right: you didn’t provide enough information to help you. The best you can do is draw a scheme with both routers, how they are connected and from where to where you want to direct traffic.
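
The routing loop described in the last reply, as an added example that is not part of the original thread: a longest-prefix-match lookup showing where the encrypted packets addressed to the peer endpoint go, with and without the specific route to the server. The addresses (documentation ranges) and the interface names `wireguard1` and `ether1` are constructed assumptions, not values from the poster's routers.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: gateway of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def tunnel_loops(routes, endpoint, wg_iface):
    """True when the encapsulated (outer) packets sent to the peer endpoint
    would themselves be routed into the WireGuard interface."""
    return lookup(routes, endpoint) == wg_iface

# Constructed sample values (assumptions, not from the thread)
ENDPOINT = "203.0.113.10"   # public address of the WG server peer
ISP_GW = "192.0.2.1"        # next hop on the WAN side
WG = "wireguard1"           # WireGuard interface name

# Default route pointed at the tunnel, nothing more specific for the endpoint
BROKEN = [
    ("0.0.0.0/0", WG),
    ("192.0.2.0/24", "ether1"),   # connected WAN subnet
]

# Same table plus the host route from the reply:
# dst-address=WG-server gateway=ISP
FIXED = BROKEN + [(ENDPOINT + "/32", ISP_GW)]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name,
              "endpoint via", lookup(table, ENDPOINT),
              "| internet via", lookup(table, "198.51.100.7"),
              "| loop:", tunnel_loops(table, ENDPOINT, WG))
```

In the fixed table the /32 wins the lookup for the endpoint only, so the handshake leaves through the ISP while all other traffic still follows the default route into the tunnel.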