hello awesome people
I am trying to set up a site-to-multi-site WireGuard VPN: the main site has a public static IP (WAN) and I have 10 branches (spokes) with hEX routers that are meant to connect to the main router.
I have 2 small questions please:
1- On the main I need:
10 wg interfaces and 10 peers (1 for each branch)
and on each branch: 1 interface and 1 peer
correct?
2- How to set up the branches without a static public IP (WAN)? Is it necessary to use DDNS?
On the main site, you need 1 WireGuard interface and 10 peers (1 for each branch).
On each branch site, you need 1 WireGuard interface and 1 peer (the main site).
Using DDNS is not strictly necessary if the branches initiate the connection. You could use it if you prefer to have a known address for the branches, but WireGuard can handle the connection even without static IPs.
What is your comfort level programming MT routers?
The configuration is not a copy and paste exercise, you should understand what you are doing and how the different sections are related.
routing, firewall rules, WireGuard protocol and processes etc.
That said, WireGuard is by far the easiest VPN to set up and works well.
Anav the forum king, I was waiting for your expertise.
I have MTCNA and a few Cisco certificates but WireGuard is new to me.
I had set up a site-to-site with it, but both sites had static public IPs. Now I am trying to set up a hub-to-spoke setup (main router to multiple branch routers). The branch routers have internet but not a static IP.
How to proceed please?!
Remember that each link is still peer to peer. There is hub and spoke network!
However we set up the routes and firewall rules such that desired connectivity can be reached.
Because each device is on the same WireGuard subnet and each client peer has either 0.0.0.0/0 in allowed IPs OR 172.17.17.0/24,SubnetRemote1,SubnetRemote2,…,SubnetRemoteXX (example WireGuard subnet only), any given client peer will be reachable (through the main router) by all the other client peers.
The key will be the setup on the main router especially.
++++++++++++++++++
Suggest posting the MikroTik config of the main router, one example of a router client peer, and one example, if any, of a single-device remote peer (admin laptop etc.).
Demonstrate as far as you have gotten with all three configs.
/export file=anynameyouwish (minus device serial number, any public WAN IP information, keys)
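As an added worked example (not posted by anyone in this thread and not a MikroTik reference config), the following RouterOS v7 commands show what the two answers above describe: one WireGuard interface with ten peers on the main router, one interface and one peer on each branch, branches initiating so no DDNS or inbound port is needed at the branches, and allowed-address set so each branch reaches the others through the hub. The hub WAN address 203.0.113.10, hub LAN 192.168.1.0/24, branch LANs 192.168.11.0/24 onwards, tunnel addresses, interface names and the <...> key placeholders are all constructed assumptions; only the 172.17.17.0/24 tunnel subnet comes from the thread.

```routeros
# ===== HUB (main site, static public IP) =====
# One WireGuard interface serves all ten branches; each branch is a separate peer.
# <HUB_PRIVATE_KEY> etc. are placeholders: generate real keys on each router
# (omit private-key and RouterOS generates one; read the public key back with
# /interface/wireguard/print).
/interface/wireguard add name=wg-hub listen-port=13231 private-key="<HUB_PRIVATE_KEY>"
/ip/address add address=172.17.17.1/24 interface=wg-hub

# No endpoint-address on the hub side: the hub learns each branch's current public
# address from that branch's handshake, so branches need neither a static IP nor DDNS.
# allowed-address is WireGuard's cryptokey routing table: keep it to the branch's
# tunnel address and its own LAN so one branch cannot source traffic as another site.
/interface/wireguard/peers add interface=wg-hub comment=branch01 \
    public-key="<BRANCH01_PUBLIC_KEY>" allowed-address=172.17.17.11/32,192.168.11.0/24
/interface/wireguard/peers add interface=wg-hub comment=branch02 \
    public-key="<BRANCH02_PUBLIC_KEY>" allowed-address=172.17.17.12/32,192.168.12.0/24
# ... repeat for branch03..branch10 (172.17.17.13..20 and 192.168.13.0/24..192.168.20.0/24)

# Routes to each branch LAN point into the tunnel; WireGuard selects the peer by allowed-address.
/ip/route add dst-address=192.168.11.0/24 gateway=wg-hub
/ip/route add dst-address=192.168.12.0/24 gateway=wg-hub

# Only the hub needs an inbound opening: WireGuard handshakes on its listen port.
# Move this rule above the default "drop all not coming from LAN" input rule.
/ip/firewall/filter add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="WireGuard handshakes from branches"
# Branch-to-branch traffic enters and leaves the hub on wg-hub; allow it explicitly
# rather than adding wg-hub to the LAN list, so tunnel traffic stays distinguishable.
/ip/firewall/filter add chain=forward action=accept in-interface=wg-hub out-interface=wg-hub \
    comment="branch to branch via hub"
/ip/firewall/filter add chain=forward action=accept in-interface=wg-hub out-interface-list=LAN \
    comment="branches to hub LAN"

# ===== SPOKE (branch01, dynamic public IP behind NAT) =====
/interface/wireguard add name=wg-branch listen-port=13231 private-key="<BRANCH01_PRIVATE_KEY>"
/ip/address add address=172.17.17.11/24 interface=wg-branch

# The branch always initiates: endpoint-address is the hub's static WAN IP
# (203.0.113.10 is a constructed documentation address).
# persistent-keepalive keeps the NAT mapping open so the hub can reach this site while it
# is idle; without it, hub-initiated traffic stalls until the branch sends something.
# allowed-address lists the tunnel subnet plus every remote LAN this branch should reach
# through the hub; that is what sends branch-to-branch traffic into the tunnel.
/interface/wireguard/peers add interface=wg-branch comment=hub \
    public-key="<HUB_PUBLIC_KEY>" endpoint-address=203.0.113.10 endpoint-port=13231 \
    persistent-keepalive=25s \
    allowed-address=172.17.17.0/24,192.168.1.0/24,192.168.12.0/24
/ip/route add dst-address=192.168.1.0/24 gateway=wg-branch
/ip/route add dst-address=192.168.12.0/24 gateway=wg-branch
# No input rule is needed on the branch: its firewall already accepts the
# established/related replies to the handshake it sent out.
```

Check the result on the hub with /interface/wireguard/peers/print, where each branch should show a learned current-endpoint-address and a recent last-handshake once it has sent its first handshake; a branch whose public address changes simply re-handshakes and the hub updates the endpoint, which is why DDNS adds nothing here.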