WireGuard site to multi-site

Hello, I need some help with WireGuard site-to-multi-site.

I have 3 routers, which are connected via WireGuard: LocationA, LocationB and LocationC.

LocationA ----- LocationB
LocationA------LocationC

LocationA
L=192.168.0.0/24
WG1=10.255.255.1/24
Port= 13231
WG2=10.255.254.1/24
Port= 13232
Wan= 190.229.05.220
Allowed Address: 10.255.255.1/32 192.168.2.0/24
Allowed Address: 10.255.254.1/32 192.168.4.0/24

LocationB
L=192.168.2.0/24
WG1=10.255.255.2/24
Port= 13231
Wan= 190.229.15.220
Allowed Address: 10.255.255.2/32
Endpoint 190.229.05.220
Port= 13231

LocationC
L=192.168.4.0/24
WG1=10.255.254.2/24
Port= 13232
Wan= 190.229.25.220
Allowed Address: 10.255.254.1/32
Endpoint 190.229.05.220
Port= 13232


From location A to location B it works correctly, that is, by pinging from location A to location B you get a response, both from the MikroTik console and from the Windows console.
From location A to location C, when you ping from the MikroTik console you get a response but not from Windows.
I attach a photo.

Why?
sitaAtoC.png
sitaAtoB.png

Perhaps your firewall drops the packet?

No!

Hi,
Some of the above doesn't make sense.

It might just be typos.

The Allowed Address item should refer to addresses at the other end of the link
(packets with other addresses from the remote end will be dropped).
It shouldn't normally have any local IP addresses in it.

E.g. Location A

Allowed Address: 10.255.255.1/32 192.168.2.0/24
should probably be:
Allowed Address: 10.255.255.2/32 192.168.2.0/24

You need routes in the route table so mikrotik knows:

  • 192.168.2.0/24 is via WG1.
  • 192.168.4.0/24 is via WG2.

You need one or more NAT rules, so the router NATs traffic heading towards Location B and Location C.

My guess is one of the NAT rules is missing or incomplete.

My best guess would be a missing route on Location C.
And compliments to @rplant for his other comments.

Hello,

To me it looks like a typo. Your clients A and C seem to use the same endpoint IP address as well as the same port. Try using port 13230 or 13233 on location C.

LocationA
L=192.168.0.0/24
WG1=10.255.255.1/24
Port= 13231
WG2=10.255.254.1/24
Port= > 13232
Wan= > 190.229.05.220

LocationC
L=192.168.4.0/24
WG1=10.255.254.2/24
Port= 13232
Wan= 190.229.25.220
Allowed Address: 10.255.254.1/32
Endpoint > 190.229.05.220
Port= > 13232

@rplant

Allowed Address: 10.255.255.1/32 192.168.2.0/24
should probably be:
Allowed Address: 10.255.255.2/32 192.168.2.0/24

You need routes in the route table so mikrotik knows:

  • 192.168.2.0/24 is via WG1.
  • 192.168.4.0/24 is via WG2.

You need one or more NAT rules, so the router NATs traffic heading towards Location B and Location C.

From the given information it is clear that there is a misconfiguration if the WG2 interface on client A has IP address 10.255.254.1/24, which is the same subnet as client C's wg1 definition, actually creating a wrong route. I wonder whether it is correct at all that location A can communicate with location B with the given information, as it has the same issue.

From my understanding:
Client A
WG Interface Address definition: 10.255.255.1/24, 10.255.254.1/24
Peer B Allowed address: 10.255.255.2/32
Peer C Allowed address: 10.255.254.2/32

Client B
WG Interface Address definition: 10.255.255.2/32
Peer A Allowed address: 10.255.255.0/24
Peer C Allowed address: cannot connect; if an additional interface address 10.255.253.1/24 is added, then here you could use 10.255.253.3/32

Client C
WG Interface Address definition: 10.255.254.2/32,10.255.253.3/32
Peer A Allowed address: 10.255.254.0/24
Peer B Allowed address: 10.255.253.0/24

Now if client C also has its own VPN subnet, then you need to add it under the interface address, the same process as for client B.

Routes in MikroTik are created properly if the address definition is correct. And not many NAT and firewall rules have to be applied; input and forward using the WireGuard interface is enough.

Maybe it is worth noting that I do not understand why the OP uses only two /24 addresses if there are 3 clients; each of them having one /24 address as its own definition makes more sense.

@sirve
I wrote a quick and dirty script which you can run on any Linux with WireGuard installed, and it should create example configs with 3 locations. When you run it, you should end up with 3 config files:

#!/bin/bash
# Generates three WireGuard configs (wg0_A.conf, wg0_B.conf, wg0_C.conf) for a
# full mesh: each location owns one /24 VPN subnet and also gets a /32 host
# address inside the other two VPN subnets, so every pair talks directly.
# Requires wireguard-tools (wg) for key generation.
set -eu
command -v wg >/dev/null 2>&1 || { echo "wg (wireguard-tools) not found" >&2; exit 1; }
umask 077   # the generated files contain private keys; keep them owner-readable only

a_id=10
b_id=11
c_id=12
a_endpoint=1.2.3.4
b_endpoint=1.2.3.45
c_endpoint=1.23.45.6

# host SUBNET_DEF HOST PREFIX: 'host 10.255.10.1/24 12 32' -> 10.255.10.12/32
host(){ printf '%s.%s/%s' "${1%.*}" "$2" "$3"; }
# net SUBNET_DEF: 'net 10.255.10.1/24' -> 10.255.10.0/24
net(){ printf '%s.0/24' "${1%.*}"; }

prep_def(){
	a_inf_def=10.255.${a_id}.1/24   # each location's own VPN subnet, the router is .1
	b_inf_def=10.255.${b_id}.1/24
	c_inf_def=10.255.${c_id}.1/24
	pkey_a=$(wg genkey)
	pkey_b=$(wg genkey)
	pkey_c=$(wg genkey)
	shared=$(wg genpsk)             # one PSK reused for all three pairs; one PSK per pair would be stronger
	a_lan_def=192.168.${a_id}.0/24
	b_lan_def=192.168.${b_id}.0/24
	c_lan_def=192.168.${c_id}.0/24
	a_port=132${a_id}
	b_port=132${b_id}
	c_port=132${c_id}
}

prep_def

echo "create wg0_A.conf" && cat <<EOF_A | tee wg0_A.conf
[Interface]
# Wireguard Interface definition of client A
PrivateKey = ${pkey_a}
Address = ${a_inf_def}  # A vpn subnet
Address = $(host "${b_inf_def}" "${a_id}" 32)  # B vpn subnet's client
Address = $(host "${c_inf_def}" "${a_id}" 32)  # C vpn subnet's client
ListenPort = ${a_port}
#MTU=1420
#DNS = 1.1.1.1,1.0.0.1
#DNS = 2606:4700:4700::64,2606:4700:4700::6400

[Peer]
# Client B
PublicKey = $(echo "${pkey_b}" | wg pubkey)
PresharedKey = ${shared}
AllowedIPs = $(host "${a_inf_def}" "${b_id}" 32),$(net "${b_inf_def}"),${b_lan_def}
#AllowedIPs = 0.0.0.0/0, ::/0
#Endpoint = ${b_endpoint}:${b_port}
#PersistentKeepalive = 0

[Peer]
# Client C
PublicKey = $(echo "${pkey_c}" | wg pubkey)
PresharedKey = ${shared}
AllowedIPs = $(host "${a_inf_def}" "${c_id}" 32),$(net "${c_inf_def}"),${c_lan_def}
#AllowedIPs = 0.0.0.0/0, ::/0
#Endpoint = ${c_endpoint}:${c_port}
#PersistentKeepalive = 0
EOF_A

echo "create wg0_B.conf" && cat <<EOF_B | tee wg0_B.conf
[Interface]
# Wireguard Interface definition of client B
PrivateKey = ${pkey_b}
Address = ${b_inf_def}  # B vpn subnet
Address = $(host "${a_inf_def}" "${b_id}" 32)  # A vpn subnet's client
Address = $(host "${c_inf_def}" "${b_id}" 32)  # C vpn subnet's client
ListenPort = ${b_port}
#MTU=1420
#DNS = 1.1.1.1,1.0.0.1
#DNS = 2606:4700:4700::64,2606:4700:4700::6400

[Peer]
# Client A
PublicKey = $(echo "${pkey_a}" | wg pubkey)
PresharedKey = ${shared}
AllowedIPs = $(host "${b_inf_def}" "${a_id}" 32),$(net "${a_inf_def}"),${a_lan_def}
#AllowedIPs = 0.0.0.0/0, ::/0
#Endpoint = ${a_endpoint}:${a_port}
#PersistentKeepalive = 0

[Peer]
# Client C
PublicKey = $(echo "${pkey_c}" | wg pubkey)
PresharedKey = ${shared}
AllowedIPs = $(host "${b_inf_def}" "${c_id}" 32),$(net "${c_inf_def}"),${c_lan_def}
#AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ${c_endpoint}:${c_port}
#PersistentKeepalive = 0
EOF_B

echo "create wg0_C.conf" && cat <<EOF_C | tee wg0_C.conf
[Interface]
# Wireguard Interface definition of client C
PrivateKey = ${pkey_c}
Address = ${c_inf_def}  # C vpn subnet
Address = $(host "${a_inf_def}" "${c_id}" 32)  # A vpn subnet's client
Address = $(host "${b_inf_def}" "${c_id}" 32)  # B vpn subnet's client
ListenPort = ${c_port}
#MTU=1420
#DNS = 1.1.1.1,1.0.0.1
#DNS = 2606:4700:4700::64,2606:4700:4700::6400

[Peer]
# Client A
PublicKey = $(echo "${pkey_a}" | wg pubkey)
PresharedKey = ${shared}
AllowedIPs = $(host "${c_inf_def}" "${a_id}" 32),$(net "${a_inf_def}"),${a_lan_def}
#AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ${a_endpoint}:${a_port}
#PersistentKeepalive = 0

[Peer]
# Client B
PublicKey = $(echo "${pkey_b}" | wg pubkey)
PresharedKey = ${shared}
AllowedIPs = $(host "${c_inf_def}" "${b_id}" 32),$(net "${b_inf_def}"),${b_lan_def}
#AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = ${b_endpoint}:${b_port}
#PersistentKeepalive = 0
EOF_C

wg0_A.conf

[Interface]
# Wireguard Interface definition of client A
Address = 10.255.10.1/24  # A vpn subnet 
Address = 10.255.11.10/32  # B vpn subnet's client
Address = 10.255.12.10/32  # C vpn subnet's client
ListenPort = 13210
#MTU=1420
#DNS = 1.1.1.1,1.0.0.1
#DNS = 2606:4700:4700::64,2606:4700:4700::6400

[Peer]
# Client B
PublicKey = KDAsUNw+f0Qqux4W96TgIWa5VKb2djXFdawXsuTr5Vw=
PresharedKey = H1DGYM/UlXc+lIyZoY07w5v0z+cy9/ZOFV0tnZQ9uiE=
AllowedIPs = 10.255.10.11/32,10.255.11.0/24,192.168.11.0/24
#AllowedIPs = 0.0.0.0/0, ::/0
#Endpoint = 1.2.3.45:13211
#PersistentKeepalive = 0

[Peer]
# Client C
PublicKey = VeOK99uaBRkP4UpG/2bv/XndMa7/i+kmqfpT1oFAC2Q=
PresharedKey = H1DGYM/UlXc+lIyZoY07w5v0z+cy9/ZOFV0tnZQ9uiE=
AllowedIPs = 10.255.10.12/32,10.255.12.0/24,192.168.12.0/24
#AllowedIPs = 0.0.0.0/0, ::/0
#Endpoint = 1.23.45.6:13212
#PersistentKeepalive = 0

wg0_B.conf

[Interface]
# Wireguard Interface definition of client B
Address = 10.255.11.1/24  # B vpn subnet 
Address = 10.255.10.11/32  # A vpn subnet's client
Address = 10.255.12.11/32  # C vpn subnet's client
ListenPort = 13211
#MTU=1420
#DNS = 1.1.1.1,1.0.0.1
#DNS = 2606:4700:4700::64,2606:4700:4700::6400

[Peer]
# Client A
PublicKey = qv+OJYJcMmTbzF5HqnMIrSUk0L222eje7nB2vGWtLC4=
PresharedKey = H1DGYM/UlXc+lIyZoY07w5v0z+cy9/ZOFV0tnZQ9uiE=
AllowedIPs = 10.255.11.10/32,10.255.10.0/24,192.168.10.0/24
#AllowedIPs = 0.0.0.0/0, ::/0
#Endpoint = 1.2.3.4:13210
#PersistentKeepalive = 0

[Peer]
# Client C
PublicKey = VeOK99uaBRkP4UpG/2bv/XndMa7/i+kmqfpT1oFAC2Q=
PresharedKey = H1DGYM/UlXc+lIyZoY07w5v0z+cy9/ZOFV0tnZQ9uiE=
AllowedIPs = 10.255.11.12/32,10.255.12.0/24,192.168.12.0/24
#AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.23.45.6:13212
#PersistentKeepalive = 0

wg0_C.conf

[Interface]
# Wireguard Interface definition of client C
Address = 10.255.12.1/24  # C vpn subnet 
Address = 10.255.10.12/32  # A vpn subnet's client
Address = 10.255.11.12/32  # B vpn subnet's client
ListenPort = 13212
#MTU=1420
#DNS = 1.1.1.1,1.0.0.1
#DNS = 2606:4700:4700::64,2606:4700:4700::6400

[Peer]
# Client A
PublicKey = qv+OJYJcMmTbzF5HqnMIrSUk0L222eje7nB2vGWtLC4=
PresharedKey = H1DGYM/UlXc+lIyZoY07w5v0z+cy9/ZOFV0tnZQ9uiE=
AllowedIPs = 10.255.12.10/32,10.255.10.0/24,192.168.10.0/24
#AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.2.3.4:13210
#PersistentKeepalive = 0

[Peer]
# Client B
PublicKey = KDAsUNw+f0Qqux4W96TgIWa5VKb2djXFdawXsuTr5Vw=
PresharedKey = H1DGYM/UlXc+lIyZoY07w5v0z+cy9/ZOFV0tnZQ9uiE=
AllowedIPs = 10.255.12.11/32,10.255.11.0/24,192.168.11.0/24
#AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.2.3.45:13211
#PersistentKeepalive = 0

With those configs each location should have access to the other two locations as direct peers and not over a client X, and if you reboot any of the locations it will not disrupt the other two.

I wrote the script above quick and dirty; you can refactor it and shorten it with for, while etc. Having working configs then requires simply copying and pasting into the MikroTik GUI and configuring the firewall by accepting forward on interface wg0 and accepting input on WireGuard's UDP port. For the 192.168.x.y addresses you need to create a route to the other peers' 192.168.x.y addresses. That should be it.

Hope that helps
site2site-3locations.zip (933 Bytes)

Hi everyone, I'm new to MikroTik and I have a similar problem with a very close configuration. A-B can communicate, similarly A-C. My problem is how to get B-C to communicate. I've read the above and may need to NAT the two WG gateways; how do I do this from the WinBox GUI?

On site A, do I use one WG interface to connect sites B and C? Or do I use two, like in the original post? I understand this is a hub-and-spoke configuration and if Site A goes down, the entire network goes with it. But since I'm new and learning, I'd like to know how this can be achieved. Thanks in advance.

LocationA
L=192.168.1.0/24
WG-A=10.255.255.1/24
Port= 13231
Wan= 190.229.05.220
Peer B: Allowed Address: 10.255.255.2/32, 192.168.2.0/24
Peer C: Allowed Address: 10.255.255.3/32, 192.168.3.0/24

LocationB
L=192.168.2.0/24
WG-B=10.255.255.2/24
Port= 13231
Wan= 190.229.15.230
Peer A: Allowed Address: 10.255.255.1/32, 192.168.1.0/24
Endpoint 190.229.05.220:13231

LocationC
L=192.168.3.0/24
WG-C=10.255.255.3/24
Port= 13231
Wan= 190.229.25.240
Peer A: Allowed Address: 10.255.255.1/32, 192.168.1.0/24
Endpoint 190.229.05.220:13231

How do site B&C communicate?

Figured it out. Need to add Allow address for all sites, and add a route entry.

LocationA
L=192.168.1.0/24
WG-A=10.255.255.1/24
Port= 13231
Wan= 190.229.05.220
Peer B: Allowed Address: 10.255.255.2/32, 192.168.2.0/24
Peer C: Allowed Address: 10.255.255.3/32, 192.168.3.0/24
route 192.168.2.0/24 -> 10.255.255.2, 192.168.3.0/24 -> 10.255.255.3

LocationB
L=192.168.2.0/24
WG-B=10.255.255.2/24
Port= 13231
Wan= 190.229.15.230
Peer A: Allowed Address: 10.255.255.1/32, 192.168.1.0/24, 192.168.3.0/24
Endpoint 190.229.05.220:13231
route 192.168.1.0/24 -> 10.255.255.1, 192.168.3.0/24 -> 10.255.255.1

LocationC
L=192.168.3.0/24
WG-C=10.255.255.3/24
Port= 13231
Wan= 190.229.25.240
Peer A: Allowed Address: 10.255.255.1/32, 192.168.1.0/24, 192.168.2.0/24
Endpoint 190.229.05.220:13231
route 192.168.1.0/24 -> 10.255.255.1, 192.168.2.0/24 -> 10.255.255.1
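The behaviour that both rplant's reply (Allowed Address must cover the addresses at the other end, anything else from that peer is dropped) and the hub-and-spoke fix above rely on is WireGuard's cryptokey routing: on the way out a packet is encrypted to the peer whose AllowedIPs covers the destination, and on arrival it is accepted only if its source lies inside the AllowedIPs of the peer it came from. The script below is an added example, not code from this thread or from MikroTik; it models the two topologies posted here with exactly the AllowedIPs given. The LAN host addresses (192.168.0.50, 192.168.4.10, 192.168.2.20, 192.168.3.30) and the static route on the first poster's Location A are constructed assumptions, since the posts do not list them.

```python
"""Cryptokey-routing walk-through for the site-to-multi-site setups in this thread.

Two decisions per packet at every WireGuard router:
  egress:  encrypt to the peer whose AllowedIPs covers the packet's DESTINATION
           (the route only selects the WireGuard interface);
  ingress: accept a decrypted packet only if its SOURCE is inside the AllowedIPs
           of the peer it arrived from; otherwise it is dropped silently.
Host addresses and the static route on the first poster's A are assumptions.
"""
from ipaddress import ip_address, ip_interface, ip_network


class Router:
    def __init__(self, name, lan, wg_addrs, routes=()):
        self.name = name
        self.lan = ip_network(lan)                      # LAN behind the router
        self.wg = [ip_interface(a) for a in wg_addrs]  # own WireGuard interface addresses
        self.routes = [ip_network(r) for r in routes]  # static routes pointing into the tunnel
        self.peers = {}                                 # peer name -> AllowedIPs networks

    def add_peer(self, peer, allowed):
        self.peers[peer] = [ip_network(a) for a in allowed]

    def is_local(self, dst):
        return any(dst == i.ip for i in self.wg)

    def has_route(self, dst):
        """Connected route from the WG interface address, or a static route, covering dst."""
        return any(dst in i.network for i in self.wg) or any(dst in r for r in self.routes)

    def peer_for(self, dst):
        """Egress: the peer with the longest AllowedIPs prefix covering dst, or None."""
        best = None
        for name, nets in self.peers.items():
            for n in nets:
                if dst in n and (best is None or n.prefixlen > best[1].prefixlen):
                    best = (name, n)
        return None if best is None else best[0]

    def accepts_from(self, peer, src):
        """Ingress: src must be inside the sending peer's AllowedIPs."""
        return any(src in n for n in self.peers.get(peer, []))


def trace(routers, start, src, dst):
    """Follow one packet src->dst from router `start`; returns (delivered, log lines)."""
    src, dst, here, log = ip_address(src), ip_address(dst), routers[start], []
    for _ in range(len(routers) + 1):                   # bounded: a misconfig cannot loop forever
        if dst in here.lan or here.is_local(dst):
            return True, log + [f"{here.name}: {dst} is local, delivered"]
        if not here.has_route(dst):
            return False, log + [f"{here.name}: no route to {dst}, dropped"]
        peer = here.peer_for(dst)
        if peer is None:
            return False, log + [f"{here.name}: no peer AllowedIPs covers {dst}, dropped"]
        nxt = routers[peer]
        if not nxt.accepts_from(here.name, src):
            return False, log + [f"{nxt.name}: src {src} not in AllowedIPs of peer {here.name}, dropped"]
        log.append(f"{here.name} -> {nxt.name}: accepted (src {src} allowed)")
        here = nxt
    return False, log + ["routing loop"]


def first_post_a_to_c():
    """Location A and Location C with the AllowedIPs exactly as in the first post.
    Returns (router-sourced ping delivered, Windows-sourced ping delivered, log)."""
    a = Router("A", "192.168.0.0/24", ["10.255.254.1/24"], routes=["192.168.4.0/24"])  # route assumed
    a.add_peer("C", ["10.255.254.1/32", "192.168.4.0/24"])
    c = Router("C", "192.168.4.0/24", ["10.255.254.2/24"])
    c.add_peer("A", ["10.255.254.1/32"])                 # A's LAN 192.168.0.0/24 is not listed
    net = {"A": a, "C": c}
    from_router = trace(net, "A", "10.255.254.1", "192.168.4.10")   # MikroTik console ping
    from_windows = trace(net, "A", "192.168.0.50", "192.168.4.10")  # Windows host behind A
    return from_router[0], from_windows[0], from_router[1] + from_windows[1]


def hub_and_spoke(b_allows_c_lan=True, c_allows_b_lan=True):
    """The corrected hub-and-spoke from the last post (A in the middle). Clearing a flag
    removes the other spoke's LAN from that spoke's AllowedIPs for peer A again."""
    a = Router("A", "192.168.1.0/24", ["10.255.255.1/24"], routes=["192.168.2.0/24", "192.168.3.0/24"])
    a.add_peer("B", ["10.255.255.2/32", "192.168.2.0/24"])
    a.add_peer("C", ["10.255.255.3/32", "192.168.3.0/24"])
    b = Router("B", "192.168.2.0/24", ["10.255.255.2/24"], routes=["192.168.1.0/24", "192.168.3.0/24"])
    b.add_peer("A", ["10.255.255.1/32", "192.168.1.0/24"] + (["192.168.3.0/24"] if b_allows_c_lan else []))
    c = Router("C", "192.168.3.0/24", ["10.255.255.3/24"], routes=["192.168.1.0/24", "192.168.2.0/24"])
    c.add_peer("A", ["10.255.255.1/32", "192.168.1.0/24"] + (["192.168.2.0/24"] if c_allows_b_lan else []))
    net = {"A": a, "B": b, "C": c}
    there = trace(net, "B", "192.168.2.20", "192.168.3.30")
    back = trace(net, "C", "192.168.3.30", "192.168.2.20")
    return there[0] and back[0], there[1] + back[1]


if __name__ == "__main__":
    r_ok, w_ok, log = first_post_a_to_c()
    print("\n".join(log), f"\nrouter ping delivered: {r_ok}, Windows ping delivered: {w_ok}\n")
    for flags in [(True, True), (False, True), (True, False)]:
        ok, log = hub_and_spoke(*flags)
        print("\n".join(log), f"\nB <-> C via A with AllowedIPs flags {flags}: {ok}\n")
```

Run as-is and the first scenario reproduces the first poster's symptom with the AllowedIPs as posted: a ping sourced from A's own tunnel address 10.255.254.1 is accepted by C, while the same ping from a Windows host in 192.168.0.0/24 is dropped at C's ingress because that source is not in C's AllowedIPs for peer A. The hub-and-spoke scenario shows why the last poster had to add the other spoke's LAN on both B and C: without it on B the packet never leaves B (no peer covers the destination), and without it on C the packet arrives at C and is dropped there. In RouterOS this list is the peer's allowed-address field; RouterOS does not derive routes from it, which is why the static routes are a separate step. Firewall filter rules are not modelled here.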