Hi
I wanted to connect my phone to my network using wireguard but I don’t have public IP. I have another mikrotik (let’s call it MT2) at another place and got public ip there.
Is it possible to use the public IP from MT2 to route all wireguard traffic between MT1 and my phone?
Was thinking about making IPsec tunnel between MT1 (initiator) and MT2 and port forwarding WG data to MT1. But don’t know if that’s the best solution. Would I need encryption between MT1 and MT2 if it would be sending encrypted data by WG?
You could also add wireguard between MT1 and MT2 and then connect your phone via that channel to MT1.
No need for IPSEC.
Wireguard already encrypts everything which passes over the tunnel.
If your MT1 is arm/arm64 or Tile-based, you can also use the brand new BTH service.
Wireguard as base with a relay server from Mikrotik (same as any other third-party service) in case your device is sitting behind NAT or you can’t port forward from your modem.
https://help.mikrotik.com/docs/display/ROS/Back+To+Home
I want it to be as lightweight as possible for MT2. It’s RB2011 and there are some VPNs on it already.
And it’s not ROS7
Well, if you want it to be lightweight, definitely go for wireguard.
RB2011 doesn’t have IPSEC HW acceleration, you see … so it’s all done in SW.
Upgrade to ROS7, yes, but that shouldn’t be a problem (unless you use some strange variation of OVPN? Then there may be some quirks).
What’s MT1? If ARM/ARM64 or Tile, you can use BTH service from Mikrotik.
MT1 is RB5009 ROS7
Not sure if I can upgrade MT2 (not my device will need to ask).
Just wanted to use the public IP of MT2 to pass the data to my MT1. Connection between them should be really fast they are both under the same ISP.
If MT1 is RB5009, use Mikrotik BTH service. No need to relay over MT, certainly not if that device is not under your control.
https://help.mikrotik.com/docs/display/ROS/Back+To+Home
On RB5009 (7.11, currently rc2):
IP Cloud, enable BTH service.
It will more or less configure everything on its own.
Get Android/iPhone app, scan QR code.
Presto, done, finished.
is this similar to zerotier relay? cause it seemed slow to me, that’s why I wanted to route through MT2
Similar but not the same.
Wireguard is a LOT faster than zerotier.
Mikrotik is currently testing the service with limited number of relay servers but they will add more as demand grows.
It costs nothing.
Try it
I wouldn’t say necessarily zerotier is WAY slower than wireguard, but it’s slower; but it is able to connect devices at layer 2, think broadcast options.
Otherwise to config router to reach IPs or to config router, wireguard is better.
Not sure of your situation but if your MT has a public IP or one can forward ports to it from the upstream router you don’t really need BTH.
Its strength comes in for the case where you have a single router that is getting a private IP and you have no access to the upstream router, like CGNAT etc…
Instead of renting VPS or server etc, you can relay through wireguard cloud to reach your router.
I see you noted another router in the mix. If it’s under your control then both the home router and phone can connect to this other router and then all devices are connected securely through wireguard. As Holve noted, BTH is super good here because you don’t need to rely on that other router or change its config.
If it’s your router or a relative’s router and you are sure of it remaining in place/stable, then consider doing both: set up wireguard to the other router AND, as a backup in case for some reason it’s not available, use BTH directly!!
I mean I have pretty much full control over both MTs. Just don’t wanna update RB2011 cause I have 6 of them and I like having all of them on the same stable firmware.
I wanted to push all traffic through the one that’s on the same ISP as the one at my home cause I’m gonna use it mainly for cloud gaming from my home PC and I have really low latency between the MT1 and MT2 mentioned earlier.
That’s why I was thinking about setting up WG on my MT1 (home) and using MT2 to passthrough all the data to MT1, because it has a public IP.
From your phone to MT1 or MT2 you plan on using Wireguard, right? That’s the idea anyhow. Correct?
So adding a connection from MT1 to MT2 is NOT going to make that faster.
On the contrary, there will be added delay.
The slowest link will always dictate the pace.
Anav:
I did testing with AX Lite for Wireguard, IPSEC (HW offloaded!) and Zerotier. All towards RB5009 using 1Gb connections.
Wireguard ran circles around zerotier …
On TCP IPSEC was a bit slower than Wireguard (but still remarkably slower).
On UDP Wireguard was at least 5 to 6 times faster (about 400Mbps, using a stupid AX Lite …).
In all cases, RB5009 was still picking its nose from sheer boredom waiting for something to do.
Thanks, I had read differently in the past but your input is very clear!
I want to connect from remote device (phone) to my home using WG. The problem is I don’t have a public IP. That’s why I wanted to use MT2 as a relay? Cause it has a public IP and shouldn’t add too much delay.
Make it easier on yourself and first try BTH.
If you notice it is not fast enough for your liking, then go for the other road with IPSEC.
But if that other end is RB2011 and you insist on using IPSEC, I will say chances are high it will be slower. A LOT slower.
You can always test already IPSEC from MT1 to MT2 and see what you get.
If it’s less than BTH, don’t bother to set up the relay yourself then.
Again, it costs nothing … except for maybe 10 minutes of your time.
It’s that easy to setup.
sure will give it a go, thank you
and I don’t insist on using IPsec just don’t know a better way to connect MT1 and MT2 in this scenario
I would probably do it both ways.
A. Setup BTH for direct to home router via MT cloud server relay
B. Setup from home RB wireguard to second RB and then connect device to second RB as well
In this manner if the second RB connection is not available for any reason you can go through MT cloud.
If the mt cloud is down (does happen) then the other path is available.
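Option B from the post above written out as RouterOS 7 CLI, added here as an illustration and not taken from any participant in the thread. It assumes both routers run ROS7 with WireGuard (which the thread later rules out for MT2), a constructed tunnel subnet 10.99.0.0/24, a home LAN of 192.168.88.0/24 behind a bridge named "bridge", UDP port 13231, and placeholder keys and addresses in angle brackets.

```routeros
# --- MT2 (public IP, acts as the relay) -------------------------------
/interface/wireguard
add name=wg-relay listen-port=13231 private-key="<MT2-PRIVATE-KEY>"
/ip/address
add address=10.99.0.1/24 interface=wg-relay
# allowed-address is WireGuard's cryptokey routing: it selects the peer for
# outgoing packets AND drops incoming packets whose source is not listed.
# The phone gets a single /32, so it cannot inject packets that claim to
# come from the home LAN; only MT1 may source 192.168.88.0/24.
/interface/wireguard/peers
add interface=wg-relay comment=mt1-home public-key="<MT1-PUBLIC-KEY>" \
    allowed-address=10.99.0.2/32,192.168.88.0/24
add interface=wg-relay comment=phone public-key="<PHONE-PUBLIC-KEY>" \
    allowed-address=10.99.0.3/32
# RouterOS does not install kernel routes from allowed-address, so the
# home LAN needs an explicit route into the tunnel.
/ip/route
add dst-address=192.168.88.0/24 gateway=wg-relay
# Only the WireGuard port is opened from the Internet; phone<->MT1 traffic
# is a hairpin on the same interface. Place both rules above the chain's
# drop rules if the default firewall has been tightened.
/ip/firewall/filter
add chain=input protocol=udp dst-port=13231 action=accept \
    comment="WireGuard relay port"
add chain=forward in-interface=wg-relay out-interface=wg-relay \
    action=accept comment="phone <-> MT1 inside the tunnel"

# --- MT1 (home, behind NAT) -------------------------------------------
/interface/wireguard
add name=wg-relay private-key="<MT1-PRIVATE-KEY>"
/ip/address
add address=10.99.0.2/24 interface=wg-relay
# MT1 needs no inbound port: it dials out to MT2 and the keepalive holds
# the NAT mapping, so nothing is exposed on the home WAN.
/interface/wireguard/peers
add interface=wg-relay comment=mt2-relay public-key="<MT2-PUBLIC-KEY>" \
    endpoint-address=<MT2-PUBLIC-IP> endpoint-port=13231 \
    allowed-address=10.99.0.0/24 persistent-keepalive=25s
/ip/firewall/filter
add chain=forward in-interface=wg-relay out-interface=bridge \
    action=accept comment="phone (via relay) -> home LAN"
```

On the phone, the WireGuard app's peer is `<MT2-PUBLIC-IP>:13231` with MT2's public key, AllowedIPs `10.99.0.0/24, 192.168.88.0/24`, interface Address `10.99.0.3/32` and PersistentKeepalive 25. Every hop stays inside WireGuard, so no IPsec is needed between MT1 and MT2, which is the point Holve made earlier in the thread.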
No ros7 on other end, so no wireguard.
Then BTH it is…