MikolajRozek
just joined
Topic Author
Posts: 4
Joined: Mon Sep 18, 2023 1:07 pm
Location: Rome

Wireguard Client on MT in remote studio to connect to MT Wireguard server in HQ

Wed Sep 27, 2023 2:08 pm

Hi,
I am having a problem with the final configuration of the secondary MT (192.168.88.1 / WG 192.168.3.2) as a WireGuard client, which will be in the studio in Paris and will be connecting to the studio in Rome (77.77.77.177 - temporary IP address), to the WireGuard server (192.168.3.1), to have access to LAN devices (192.168.2.0/24) (file server and remote desktop with workstations). I have already arrived at the point where my main MT with the WG server (192.168.3.1) is working well: from outside the studio I can connect to remote desktops in both directions and share the files, so I can say that the base for the Rome studio works well. The secondary MT (192.168.88.1 / WG 192.168.3.2) already appears in the ARP table on the main MT, but I cannot ping anything or use a remote desktop. My understanding is that if my direct clients to the WG server (192.168.3.1) are correct, pass the firewall and have access to the LAN (192.168.2.0/24), then on the server side all is ok, because I think that all connections from the MT client will be visible as just the MT. So, the setup of the MT client (192.168.88.1 / WG 192.168.3.2) is missing something. I have already marked the packets and connections and mangled them, and I see that the packets for addresses in the main LAN (192.168.2.0/24) are cached and marked properly, but it seems like that's the end for them: they are not going into WG (192.168.3.2) and then to the WG server (192.168.3.1).

Network map

(network map image not included)


Config of main MT (192.168.2.1 / WG 192.168.3.1), updated with anav's suggestions


# 2023-09-28 00:48:11 by RouterOS 7.10
# software id = AAD3-KLSA
/interface bridge
add admin-mac=48:A9:8A:BA:F3:5D arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=MikroTik-BAF361 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=MikroTik-BAF362 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.2.100-192.168.2.250
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
add interface=wifi1 list=LAN
add interface=wifi2 list=LAN
/interface wireguard peers
add allowed-address=192.168.3.0/24 comment="Admin - personal" endpoint-address=\
    77.77.77.177 endpoint-port=13231 interface=wireguard1 \
    persistent-keepalive=35s public-key=\
    "/*****************************************************/"
add allowed-address=192.168.3.2/32,192.168.88.0/24 comment=\
    "MT Paris" endpoint-address=77.77.77.177 endpoint-port=13231 interface=\
    wireguard1 persistent-keepalive=35s public-key=\
    "/*****************************************************/"
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=77.77.77.177/29 interface=ether1 network=77.77.77.136
add address=192.168.3.1/24 comment=WireGuard interface=wireguard1 network=\
    192.168.3.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 comment="local admin desktop/laptop wired" \
    disabled=yes list=Authorized
add address=192.168.2.0/24 comment="Remote admin desktop/laptop wired" list=\
    Authorized
add address=192.168.3.10 comment="Remote admin laptop - MR" list=Authorized
add address=192.168.3.0/24 comment="Remote admin ipad/smartphone" list=\
    Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=wireguard dst-port=13231 log=yes \
    log-prefix=WireGuard protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "Incoming remote traffic from WireGuard to local lan" in-interface=\
    wireguard1
add action=accept chain=forward comment="Outgoing local traffic to WireGuard" \
    out-interface=wireguard1
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=77.77.77.137 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN



Config of MT-2 (192.168.88.1 / WG 192.168.3.2), updated with anav's suggestions


# sep/28/2023 01:03:05 by RouterOS 7.6
# software id = PVSB-VYKC
#
/interface bridge
add admin-mac=48:A9:8A:51:BB:63 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN2
set [ find default-name=ether3 ] comment=LAN3
set [ find default-name=ether4 ] comment=LAN4
set [ find default-name=ether5 ] comment=LAN5
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac comment=\
    "WiFi 5GHz" configuration.country=Italy .mode=ap .ssid=MikroTik-51BB67 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac comment=\
    "WiFi 2.4GHz" configuration.country=Italy .mode=ap .ssid=MikroTik-51BB68 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add comment=wireguard listen-port=13231 mtu=1420 name=wireguard-client
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/routing table
add comment=WireGuard disabled=no fib name=wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard-client list=LAN
add interface=wifi1 list=LAN
add interface=wifi2 list=LAN
/interface wireguard peers
add allowed-address=192.168.2.0/24,192.168.3.0/24 comment=\
    "wg-client to wg-server" endpoint-address=77.77.77.177 endpoint-port=13231 \
    interface=wireguard-client persistent-keepalive=35s public-key=\
    "/***************************************/"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.3.2/24 comment=wireguard-client interface=\
    wireguard-client network=192.168.3.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.254,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.3.0/24 list=wg-dest
add address=192.168.2.0/24 list=wg-dest
add address=192.168.88.0/24 comment="local admin desktop/laptop wired" list=\
    Authorized
add address=192.168.2.0/24 comment="Remote admin desktop/laptop wired" list=\
    Authorized
add address=192.168.3.10 comment="Remote admin laptop - MR" list=Authorized
add address=192.168.3.0/24 comment="Remote admin ipad/smartphone" list=\
    Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=wireguard dst-port=13231 log=yes \
    log-prefix=WireGuard protocol=udp
add action=accept chain=input src-address-list=Authorized
add action=accept chain=forward comment=\
    "Incoming remote traffic from WireGuard to local lan" in-interface=\
    wireguard-client
add action=accept chain=forward comment="Outgoing local traffic to WireGuard" \
    out-interface=wireguard-client
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
    53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=prerouting comment=WireGuard \
    connection-state=new dst-address-list=wg-dest in-interface=bridge \
    new-connection-mark=wg-con passthrough=yes
add action=mark-routing chain=prerouting comment=WireGuard connection-mark=\
    wg-con in-interface=bridge new-routing-mark=wg passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="WireGuard: masquarade" \
    out-interface=wireguard-client
/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=wireguard-client \
    routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


The target is that people in Paris connected to the MT (192.168.88.1) have normal access to the Internet, and only 192.168.2.0/24 and 192.168.3.0/24 go through WireGuard to the Rome studio.

In the MT (192.168.88.1 / WG 192.168.3.2) where I do the WG client, I disabled all firewalls to be sure that nothing is blocking my outgoing connections. Also, I removed the country filter list from the config of the main MT (192.168.2.1) because it is 120000 addresses, but for testing I am disabling that rule for a moment to be sure that it is not the problem.

This is my first post here on this forum. I have tried my best; let me know if I have included all the info needed, and thanks in advance for any suggestions.
Last edited by MikolajRozek on Thu Sep 28, 2023 12:43 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Wireguard Client on MT in remote studio to connect to MT Wireguard server in HQ  [SOLVED]

Wed Sep 27, 2023 4:45 pm

Assuming we are talking the client MT, the following observations apply:

(1) Wireguard does not require a pool. Remove:
add name=vpn ranges=192.168.3.100-192.168.3.200

(2) Do not create a bridge for WireGuard. REMOVE!:
add bridge=bridgeWG interface=LAN
add arp=proxy-arp name=bridgeWG


Clue: There is no such interface as LAN; interfaces should typically be ports/WLANs. There is an interface list entity in the config, but that is not the same thing.

(3) You went overboard on lan interface list, should be:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN


Note: I didn't include the other WG interfaces, as they are disabled and there is no need for one at the moment in terms of the requirements you have expressed.

(4) Why all the WireGuard duplicate peers? You also failed to change the WG ports to match the disabled WG interface addresses, LOL.
REMOVE!! Keep the first one, for example.

If you need a bunch of PCs to access the Main/Server WG, then simply allow (ON THE CLIENT) all connections outbound on the single WG network.
As well, at the Main/Server WG, ALLOW ALL from the client MT.
At the Main/Server WG, use forward chain firewall rules to determine which PC can visit which resources at the MAIN/Server router. Easy and precise.

(5) Delete this IP address, not required.
add address=192.168.3.1/24 comment="wg bridge" interface=bridgeWG network=\
192.168.3.0


(6) I do not know what silly bugger games you are playing with ether2, but you do have it defined on the bridge, so it's either part of the 192.168.2.0 subnet or it's something else, and the subnet is already defined on the bridge anyway; thus REMOVE THIS address:
add address=192.168.2.1/24 comment="bridge to Studio network from ether2" \
interface=ether2 network=192.168.2.0


(7) EXTREMELY BAD RULE - permits access to your inbox from anybody on the LAN and, worse, anybody on the internet.
add action=accept chain=input comment=WinBox dst-port=8291 protocol=tcp

It's ironic, because you completely swallowed the "try to block everything else" bad advice from YouTube etc., but left the router wide open. Much better to stick to the basics and avoid extra complicated stuff.

(8) I suggest sticking to the defaults with minor changes as step 1 of a totally revised firewall. Most of the noise you have is NOT needed.
Then later, when everything is working, we can add some extra firewall rules if needed!!

(9) The firewall rules for the incoming subnet of 192.168.2.0 make no sense.
I will assume you want the entire subnet of the main router to access the entire subnet of the client router?
I will assume you want the entire subnet of the client router to access the entire subnet of the server router?
As stated, it is a good idea to let all users enter the tunnel at the outbound device, BUT
on inbound traffic apply precision as to which users are allowed access to which subnets or devices etc.
One does NOT use WireGuard addresses for local PCs; they use their normal LAN IP structure and are bounded by the firewall rules set forth at the applicable end.

FIXED CLEAN EFFECTIVE FIREWALL

/ip firewall address-list { static leases or remote WG IPs }
add address=192.168.88.X list=Authorized comment="local admin desktop/laptop wired" { working at client router }
add address=192.168.88.Y list=Authorized comment="local client ipad/smartphone wifi" { working at client router }
add address=192.168.2.A list=Authorized comment="Remote admin desktop/laptop wired" { working at Server router }
add address=192.168.2.B list=Authorized comment="Remote admin ipad/smartphone wifi" { working at Server router }
add address=192.168.3.XX list=Authorized comment="Remote admin laptop" { working on the road - connect to client router via Server Router trick }
add address=192.168.3.YY list=Authorized comment="Remote admin ipad/smartphone" { working on the road - connect to client router via Server Router trick }


/ip firewall filter
{ Input Chain }
(default rules to keep)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment=wireguard dst-port=13231 log=yes \
log-prefix=WireGuard protocol=udp
add action=accept chain=input comment="Admin access" src-address-list=Authorized
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"


{ Forward Chain }
(default rules to keep)
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.88.0/24 in-interface=wireguard1 \
comment="Incoming remote traffic from WireGuard to local lan"
add action=accept chain=forward dst-address=192.168.2.0/24 out-interface=wireguard1 \
comment="Outgoing local traffic to WireGuard"
add action=drop chain=forward comment="drop all else"


(10) ROUTING RULES & MANGLING review - they are all wrong and not required. REMOVE ALL.

(11) The main default route is fine; the other two are garbage.
When traffic has a legitimate local interface to go through, you don't need routing rules (aka forcing traffic); it has a natural path.
Now, if you were attempting to use the internet at the Server router instead of the local WAN, then you would have a case for routing rules or mangling.

So this is what it should look like!!
/ip route
add dst-address=0.0.0.0/0 gateway=77.77.77.137 routing-table=main
add dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=main



(12) You do not need a masquerade rule for WIREGUARD; you can remove this rule:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="WireGuard: masquarade" \
out-interface=wireguard-client


Typically it's needed if you are using a third-party provider and have been given a single IP address, for example.
In this case you simply define the allowed IPs at the server router in the MT client peer settings to include 192.168.3.2, 192.168.88.0/24 etc., and that works.

(13) If you are not using IPv6, go into the IPv6 settings and disable IPv6.
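The checks behind points 9 to 12 (route into the tunnel, allowed-address on both peers, masquerade or a return route) as an added example; this is a small Python model written for this page, not code from the thread or from RouterOS. It assumes that allowed-address installs no route by itself (routes are added explicitly), that the client's masquerade makes the server see 192.168.3.2 as the source, and it builds the two routers from the configs posted above.

```python
import ipaddress
from dataclasses import dataclass


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


@dataclass
class Router:
    name: str
    wg_if: str          # its WireGuard interface name
    wg_addr: str        # its own address inside the tunnel
    routes: list        # (dst network, out-interface); longest prefix wins
    peer_allowed: list  # allowed-address of the peer entry for the other router
    masq_into_wg: bool = False  # srcnat masquerade with out-interface=wg_if

    def lookup(self, ip: str):
        """Longest-prefix match over the route table; None if nothing matches."""
        addr = ipaddress.ip_address(ip)
        hits = [(net(n), i) for n, i in self.routes if addr in net(n)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def covered(self, ip: str) -> bool:
        """Cryptokey routing: the peer's allowed-address must cover ip."""
        return any(ipaddress.ip_address(ip) in net(n) for n in self.peer_allowed)


def trace(sender: Router, receiver: Router, src: str, dst: str):
    """Follow one packet src->dst from the sender's LAN through the tunnel and
    check the reply path. Returns (ok, explanation) for the first failing check."""
    out = sender.lookup(dst)
    if out != sender.wg_if:
        return False, f"{sender.name}: {dst} routed to {out or 'nowhere'}, not {sender.wg_if}"
    if not sender.covered(dst):
        return False, f"{sender.name}: peer allowed-address does not cover {dst}, not sent"
    seen_src = sender.wg_addr if sender.masq_into_wg else src  # what the receiver sees
    if not receiver.covered(seen_src):
        return False, f"{receiver.name}: source {seen_src} not in peer allowed-address, dropped"
    if receiver.lookup(dst) in (None, receiver.wg_if):
        return False, f"{receiver.name}: {dst} is not reachable locally"
    back = receiver.lookup(seen_src)
    if back != receiver.wg_if:
        return False, f"{receiver.name}: reply to {seen_src} routed to {back or 'nowhere'}, not the tunnel"
    return True, f"{src}->{dst} (seen at {receiver.name} as {seen_src}) works both ways"


# Values below come from the configs posted in this thread. "Connected" routes that
# RouterOS derives from /ip address are listed explicitly; the posted static routes
# that duplicate a connected prefix are shadowed by it and omitted.
SERVER = Router("main MT (Rome)", "wireguard1", "192.168.3.1",
                routes=[("0.0.0.0/0", "ether1"), ("192.168.2.0/24", "bridge"),
                        ("192.168.3.0/24", "wireguard1")],
                peer_allowed=["192.168.3.2/32", "192.168.88.0/24"])
CLIENT_AS_POSTED = Router("MT-2 (Paris)", "wireguard-client", "192.168.3.2",
                          routes=[("0.0.0.0/0", "ether1"), ("192.168.88.0/24", "bridge"),
                                  ("192.168.3.0/24", "wireguard-client")],
                          peer_allowed=["192.168.2.0/24", "192.168.3.0/24"], masq_into_wg=True)
# Same client with the route the posted config lacks: the remote LAN into the tunnel.
CLIENT_FIXED = Router("MT-2 (Paris)", "wireguard-client", "192.168.3.2",
                      routes=CLIENT_AS_POSTED.routes + [("192.168.2.0/24", "wireguard-client")],
                      peer_allowed=CLIENT_AS_POSTED.peer_allowed, masq_into_wg=True)
# Client without the WireGuard masquerade (point 12): the server then sees 192.168.88.x
# sources and needs its own route back into the tunnel for them.
CLIENT_NO_MASQ = Router("MT-2 (Paris)", "wireguard-client", "192.168.3.2",
                        routes=CLIENT_FIXED.routes, peer_allowed=CLIENT_FIXED.peer_allowed)
SERVER_WITH_ROUTE = Router("main MT (Rome)", "wireguard1", "192.168.3.1",
                           routes=SERVER.routes + [("192.168.88.0/24", "wireguard1")],
                           peer_allowed=SERVER.peer_allowed)

if __name__ == "__main__":
    for c, s in [(CLIENT_AS_POSTED, SERVER), (CLIENT_FIXED, SERVER),
                 (CLIENT_NO_MASQ, SERVER), (CLIENT_NO_MASQ, SERVER_WITH_ROUTE)]:
        print(trace(c, s, "192.168.88.50", "192.168.2.100"))  # constructed hosts
```

The first case reproduces the symptom in the thread (the client sends 192.168.2.x out of ether1, never into the tunnel); the last two show that dropping the client masquerade only works once the server also has a route for 192.168.88.0/24 via wireguard1.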
 
MikolajRozek
just joined
Topic Author
Posts: 4
Joined: Mon Sep 18, 2023 1:07 pm
Location: Rome

Re: Wireguard Client on MT in remote studio to connect to MT Wireguard server in HQ

Thu Sep 28, 2023 2:42 am

Huge thanks for such a detailed answer anav, really appreciate it.

I have updated configs of both routers in the first post.

In general, I decided to reset the router and configure it from zero according to your advice, and of course everything works smoothly for the main MT (77.77.77.177 / WG 192.168.3.1). I can connect to the network with the WG app on a PC, use RDP, and manage the main MT. I have also cleaned the client MT, tried to put as little as possible in it, based on your reply, and I have internet at home (I am testing the client MT - 192.168.3.2 at home and connecting to the studio) and the client MT works for that, but I still cannot access anything in the HQ network (192.168.2.0/24) through the WG on the client MT (192.168.3.2).

I have a feeling that I am missing one simple thing here. I am only missing this connection: when I enter, for example, 192.168.2.100 in RDP while at home, I would like to reach the studio network (192.168.2.0/24) through WG on the client MT (192.168.3.2), and it would be nice to also reach the other VPN clients (192.168.3.0/24) (but that is not necessary). What should I add to the client MT to redirect traffic for only those two subnets through WG?

If you need a bunch of PCs to access Main/Server WG, then simply allow (ON THE CLIENT ) all connections outbound on single WG network.
As well at the Main/Server WG, ALLOW ALL from client MT
At the Main/Server WG - use forward chain firewall rules to determine which PC can visit which resources at the MAIN/Server Router. Easy and precise.

I don't want to forward addresses other than 192.168.2.0/24 and 192.168.3.0/24. I am not sure that I understand correctly.
I found somewhere that I should mangle the destination addresses to forward through WG on the client MT, but it didn't resolve the problem.


Explaining myself and my solutions a bit:
  • About that list of WireGuard interfaces: I was thinking that if I did not manage to get the client MT to connect to the server, I would create a separate WG interface listening on a different port, so people sitting in the office in Paris would be able to connect to the main MT by WG.

Again, huge thanks for help.
 
MikolajRozek
just joined
Topic Author
Posts: 4
Joined: Mon Sep 18, 2023 1:07 pm
Location: Rome

Re: Wireguard Client on MT in remote studio to connect to MT Wireguard server in HQ

Mon Oct 02, 2023 11:10 am

For someone new to the MikroTik world: the last missing setting was that the WG connection in the other direction should be on a different port; this was the last missing part. The rest is mostly what anav suggested, and it works fine now. So, the listening port for WG at the client MT cannot be the same as the listening port at the WG server side.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: Wireguard Client on MT in remote studio to connect to MT Wireguard server in HQ

Mon Oct 02, 2023 8:34 pm

All easily ascertained once the requirements were clear.
It appears you wanted to set up a different WireGuard interface, but the reasoning was not clear.
You can assign more than one IP address to a WireGuard interface, such that the
server router has two different IP structures for one WireGuard interface.
Users at various sites can be assigned from any of the two or more addresses assigned to the single interface.
So if I had known what you needed, I imagine I would have come up with something slightly different, still using only one interface :-)
