rapix61
just joined
Topic Author
Posts: 4
Joined: Mon Apr 24, 2023 1:34 pm

Wireguard VPN site to site all behind ISP routers

Tue May 02, 2023 8:17 pm

I would like to create a Wireguard VPN with Mikrotik devices between my office and some clients. I read anav's guide viewtopic.php?t=182340 with interest, but given the length of the article I got a little lost.
The goal I want to achieve is to be able to access devices located on my customers' networks via a wireguard vpn. To do this I was thinking of using Mikrotik routers to be placed on the customers' LAN and on my LAN. Client routers, including mine, always have a static IP address and are accessible for port forwarding. In any case, the Mikrotik routers would always be positioned behind the router that acts as the default gateway for the LAN.
Some clients also need to be able to reach servers on my local network via vpn.
I would like to know if anyone can help me to configure the wireguard vpn and the firewall on the Mikrotik and any static routes on the ISP router.
I attach the schematic of the network.
NEEDS:
- PC A must reach PBXs C and D via vpn
- TEL B must reach PBX A via vpn
- PC B must reach SERVER A via vpn
- PC A must be able to administer all Mikrotik routers B1, C1, D1.
Network.PNG
Thank you all.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN site to site all behind ISP routers

Sat May 06, 2023 3:26 pm

Post your four configs.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN site to site all behind ISP routers

Sat May 06, 2023 3:27 pm

/export file=anynameyouwish (minus router serial number, any public WAN IP information and any keys)
 
rapix61
just joined
Topic Author
Posts: 4
Joined: Mon Apr 24, 2023 1:34 pm

Re: Wireguard VPN site to site all behind ISP routers

Wed May 17, 2023 5:04 pm

@anav
Hi anav, I read your post viewtopic.php?t=182340 and especially the scenario 3 configuration. One question: if the devices on side B that I want to access remotely are placed behind the first router (ISP) but not behind eth2 of the mAP, how should the configuration be changed (assuming it is possible)?
Do you think it would be possible to have the MT routers placed behind the ISP routers configured in bridge mode, like on side B of your configuration?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN site to site all behind ISP routers

Wed May 17, 2023 5:37 pm

I think what you are asking is: do the devices that need to be connected have to be behind the MT router, or on the same LAN subnet as the router? Good question!

The problem is that I have no knowledge of the ISP routers and what can be done.
How do I force traffic from users into the tunnel when I don't have control of that router?

So yes, it would be much simpler if the devices that need to reach other devices via Wireguard are behind the MT routers.
For sure the two PCs and the telephone have to be behind the MT router (due to that being the one clear way to force them to enter the wg tunnel).
The PBXs do not have to move, as they are not originating traffic, and we can source-NAT the traffic coming out of the MT devices so return traffic will go back to the MT and then out the tunnel.

One other possibility ---> Static routes on the ISP routers? If possible, then we may not have to move any devices around!
For example, we would give telephone B a static route for dst of PBXA-IP, to ensure it goes to the IP of its local mikrotik on the LAN.

Since all routers have public IPs, wireguard should not be an issue, BUT!
However, do you have access to port forward the listening port on at least one client router to a Mikrotik router (otherwise the public IP is actually not available)?
(or can you create static routes?)
 
rapix61
just joined
Topic Author
Posts: 4
Joined: Mon Apr 24, 2023 1:34 pm

Re: Wireguard VPN site to site all behind ISP routers

Thu May 18, 2023 11:16 am

One other possibility ---> Static routes on the ISP routers? If possible, then we may not have to move any devices around!
For example, we would give telephone B a static route for dst of PBXA-IP, to ensure it goes to the IP of its local mikrotik on the LAN.

Since all routers have public IPs, wireguard should not be an issue, BUT!
However, do you have access to port forward the listening port on at least one client router to a Mikrotik router (otherwise the public IP is actually not available)?
(or can you create static routes?)
I have total control of the ISP router. I can do static routes and port forwarding, and every site is reachable by static address or DDNS FQDN.
My idea was to use a MT on the LAN without having to modify anything on the existing connections, except for being able to add static routes and port forwarding on the ISP router which, as I have already reported, I am able to control.

At the beginning, to simplify things and begin to understand something, I would start from the first two nodes configured as shown in the diagram below. I would like devices on Site A's LAN to be able to connect to Site B's LAN. Communications should always be initiated from Site A, although I have a doubt in case TEL1 is called from a phone on Site B. You decide what should be the best setup of the two MTs based on the data I provided.
Thank you.
network.PNG
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN site to site all behind ISP routers

Thu May 18, 2023 1:46 pm

I will stick with the original diagram, not going to play jumping diagrams and part solutions when one has to figure in the whole for any design.
In any case you have answered most of your own questions and can start.
 
rapix61
just joined
Topic Author
Posts: 4
Joined: Mon Apr 24, 2023 1:34 pm

Re: Wireguard VPN site to site all behind ISP routers

Thu May 18, 2023 2:01 pm

I will stick with the original diagram, not going to play jumping diagrams and part solutions when one has to figure in the whole for any design.
In any case you have answered most of your own questions and can start.
With this real test environment I can start experimenting with what I have designed.
I've minimized the nodes to start. Later I will make the changes that will be necessary to integrate the remaining nodes.
I don't ask you to write me the configurations but only to give me guidelines to start off on the right foot. After all, if I had been able to proceed alone I would not have opened this post.
 
Rox169
Member
Posts: 434
Joined: Sat Sep 04, 2021 1:47 am

Re: Wireguard VPN site to site all behind ISP routers

Thu May 18, 2023 2:14 pm

Hi,

You can find some very complicated guides here on the forum. But the guide from MT is quite straightforward.

https://help.mikrotik.com/docs/display/ROS/WireGuard

Do you have at least 1 public IP address? That will be the server. If not, you have to ask your ISP to port forward.
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard VPN site to site all behind ISP routers

Thu May 18, 2023 10:54 pm

ISP ROUTER
Static routes for remote destination IPs should be sent to the mikrotik LAN IP.
ISP A forwards the wireguard listening port to mikrotik A's LAN IP.

MT ROUTERs (less than default setup)
Plain jane setup, minimal rules required.
Only router A needs an input chain rule (no other rules required).

IP address for the mikrotik router on the ISP LAN
IP address for the wireguard interface

Main Route
add dst-address=0.0.0.0/0 gateway=ISP-LAN-gateway-IP table=main

Other Routes (as many as remote incoming subnets and/or going to remote subnets)
dst-address=remotesubnet gateway=wireguard-Interface-Name table=main

Allowed Addresses ------> 10.10.10.0/24,remoteSubnet(s) that will either be visiting this router or that local users will be reaching out to { setting for all routers except A! } [ ONE PEER ]
Note: the remote subnets should match the Other Routes.

Allowed Addresses Router A { multiple peers }
[peerB] 10.10.10.2/32,remoteSubnets at router B (either coming to router A, and/or being visited by local users at router A)
[peerC] 10.10.10.3/32,remoteSubnets at router C (either coming to router A, and/or being visited by local users at router A)
[peerD] 10.10.10.4/32,remoteSubnets at router D (either coming to router A, and/or being visited by local users at router A)
[peerE] 10.10.10.5/32 { admin remote access laptop }
[peerF] 10.10.10.6/32 { admin remote access smartphone/pad }
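anav's checklist above written out as RouterOS 7 commands for router A and router B, as an added example that is not anav's or MikroTik's own configuration. The LAN subnets, interface names, the listen port 13231 and the key/endpoint placeholders are assumptions; `routing-table=main` is the RouterOS 7 spelling of the `table=main` in the post and is the default anyway.

```routeros
# Added example (not from the thread). Constructed values: site A LAN 192.168.1.0/24
# (ISP gateway 192.168.1.1, MikroTik A at 192.168.1.2), site B LAN 192.168.2.0/24
# (ISP gateway 192.168.2.1, MikroTik B at 192.168.2.2), tunnel 10.10.10.0/24 as in the post.
# Keys, ISP A's public address and the UDP port 13231 are placeholders.

# ---------- Router A: the one peer every other router connects to ----------
/interface wireguard
add name=wireguard1 listen-port=13231 private-key="<ROUTER_A_PRIVATE_KEY>"
/interface wireguard peers
# One peer per remote router: its tunnel /32 plus the LAN subnet behind it.
add interface=wireguard1 public-key="<ROUTER_B_PUBLIC_KEY>" \
    allowed-address=10.10.10.2/32,192.168.2.0/24 comment=peerB
# The admin laptop gets only its tunnel address; no subnet sits behind it.
add interface=wireguard1 public-key="<LAPTOP_PUBLIC_KEY>" \
    allowed-address=10.10.10.5/32 comment=peerE
/ip address
add address=192.168.1.2/24 interface=ether1
add address=10.10.10.1/24 interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
# "Other routes": one per remote subnet, matching the allowed-address entries above.
add dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=main
/ip firewall filter
# The only extra input rule: accept the handshakes that ISP A forwards to us.
add chain=input action=accept protocol=udp dst-port=13231 comment="WireGuard in"

# ---------- Router B: dials out to A, so needs no input rule or port forward ----------
/interface wireguard
add name=wireguard1 private-key="<ROUTER_B_PRIVATE_KEY>"
/interface wireguard peers
# Allowed addresses: the whole tunnel subnet plus every remote LAN this site talks to.
add interface=wireguard1 public-key="<ROUTER_A_PUBLIC_KEY>" \
    endpoint-address=<ISP_A_PUBLIC_IP_OR_DDNS_NAME> endpoint-port=13231 \
    persistent-keepalive=25s allowed-address=10.10.10.0/24,192.168.1.0/24
/ip address
add address=192.168.2.2/24 interface=ether1
add address=10.10.10.2/24 interface=wireguard1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=192.168.1.0/24 gateway=wireguard1 routing-table=main

# ISP routers (vendor-specific, stated as intent): ISP A forwards UDP 13231 to
# 192.168.1.2 and routes 192.168.2.0/24 via 192.168.1.2; ISP B routes
# 192.168.1.0/24 via 192.168.2.2, so LAN hosts not behind a MikroTik still enter the tunnel.
```

Adding router C or D means one more peer line on A (its /32 plus its LAN) and one more `/ip route` on A for that LAN, and the reverse on the new router; the static route on each ISP router is what lets hosts like the PBXs stay where they are, as anav describes.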
