WireGuard Site-to-Site over WiFi

mlenhart · May 15, 2024, 2:16pm

Hello everyone,
can you please advise if there is a possiblity of setting up a WireGuard between two MikroTiks in a following way:
1st MikroTik on Site A is WireGuard server and has an full access to internet via ISP1
2nd Mikrotik on Site B will be a WireGuard client, but only for a specific subnet. It has full internet access via ISP2

What do I mean by that:
2nd MikroTik has LAN + WLAN configured with DHCP server for LAN and WLAN and DHCP client on its WAN interface.
The idea is, to tunnel all traffic from WLAN to WG tunnel to site A and then to Internet (so it will be visible to public Internet via IP address of Site A, instead of site B.
LAN traffic from Site B will go to internet via it’s default route from ISP2. Only WLAN traffic (that IP subnet) should be routed into tunnel to site A and then to internet.

Is something like this doable and if yes, what needs to be set tup on each side? (I mean just a brief concepts)

I know the easiest way is to configure wireguard client on machine connecting to WiFi, but this is not possible due to forbidden installation of any software on that machine. So I need a way to send the traffic from WiFi to WG tunnel and on Siate A to Internet.

Thanks in advance.

anav · May 15, 2024, 3:59pm

Yes, assuming one of the Routers has a publicly reachable IP, or one has an upstream ISP router that can forward the chosen wireguard port you are in business!!

Assuming R1 is the Server for handshake (has public IP).
Then basically you have to consider
a. select a wireguard port ( I never choose default )
b. Create WG network, on R1, it will create a public KEY which you will put on R2 ( allowed peers identifying R1 )
c. Create WG network, on R2, it will create a public KEY which you will put on R1 ( allowed peers identifying R2 )
d. Create Peers R1 ( allowed IPs) consisting of wg IP of R2,applicable-subnets-R2, interface name, public Key from step c.
e Create Peers R2 (allowed IPs) consisting of 0.0.0.0/0 ( all possible addresses since your users are using this for internet ), interface name, endpoint address (of R1), listening wireguard port of R1,
public key from step c. , persistent-keep-alive=35s or so.

Note1: if not for internet you would put Subnet of wireguard,applicable subnets-R1, and the rest of course.
Note2: Applicable subnets can mean two things, remote subnets coming into the router, or remote subnets local users are going to visit → key is remote end is considered.

Now for you as admin you can create additional peers on R1. Same concept, one for a desktop at home, and one for laptop for wherever when travelling.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

IP Routes are required for subnets that need to be reached or need return traffic identified.
I dont believe that applies in this case on R2, but on R1, return traffic from the internet will need to be sent back to the subnet so
dst-addres=SUBNET-R2 gateway=wireguard-interface-name routing-table=main

Firewall Rules. Depending.
Need to allow handshake R1, input chain
Need to allow admin to access R1 on input chain
Need to allow admin to access R2 on input chain
Need to allow traffic to enter tunnel in forward chain R2
Need to allow traffic coming in on wireguard to go out WAN on R1.

Have fun!

There are two ways to force specific subnet traffic on R2 to go out wireguard,
Without seeing the config the simplest solution is Routing Rules, easier than mangling.