knowledgemonster
newbie
Topic Author
Posts: 36
Joined: Fri Dec 04, 2015 3:47 pm
Location: Ontario Canada

Access Lan Devices through windows Wireguard Client

Tue May 21, 2024 10:56 pm

Hi,

This is a bit out there, but I would like to know if the following is possible:

Mikrotik router with wireguard
Windows server on Mikrotik lan
Brother printer on Mikrotik lan
|
----Internet----------
|
TP-Link Router (no management access)
Windows 11 PC on TP-link lan with wireguard software installed and connected to Mikrotik using wireguard.
Lexmark printer on TP-Link lan

Windows 11 does RDP to the Windows server and needs to print to the Lexmark from the Windows server without using redirected printing. Is it possible for the Windows server to access the Lexmark printer through the WireGuard VPN that exists between Windows 11 and the MikroTik router?
Last edited by knowledgemonster on Wed May 22, 2024 10:14 pm, edited 1 time in total.
 
Larsa
Forum Guru
Posts: 1222
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Access Lan Devices through windows Wireguard Client

Tue May 21, 2024 11:51 pm

Yeah, just set up a site-to-site VPN with Wireguard and route the two subnets to each other.
Last edited by Larsa on Wed May 22, 2024 12:00 am, edited 2 times in total.
 
knowledgemonster
newbie
Topic Author
Posts: 36
Joined: Fri Dec 04, 2015 3:47 pm
Location: Ontario Canada

Re: Access Lan Devices through windows Wireguard Client

Tue May 21, 2024 11:58 pm

Hey Larsa,

So not possible unless I set up site-to-site?
 
Larsa
Forum Guru
Posts: 1222
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Access Lan Devices through windows Wireguard Client

Wed May 22, 2024 12:02 am

So not possible unless I set up site-to-site?

Yes, it's possible, but as for "site-to-site" it really comes down to "allowed IP addresses" at both ends of the WG config and your firewall rules, including NAT/masquerade etc. Think of WireGuard as a super long virtual Ethernet cable. Aside from that, you've got plenty of other options too:

- If you want, you can set up firewall rules to allow access only to the printer.
- Another option is to install TailScale or ZeroTier on your Windows Server and Win11 PC to connect the networks that way. From there, you can either open up access to the printer completely
- Or add another WireGuard tunnel from the server just for the printer (and run WireGuard as a service on the PC).
- Or, you could set up WireGuard directly on the routers themselves (Mikrotik WireGuard to TP-Link WireGuard) and then open up the ports you need for the printer to work.
Last edited by Larsa on Wed May 22, 2024 12:22 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Lan Devices through windows Wireguard Client

Wed May 22, 2024 12:22 am

Does the WireGuard MT have a public IP?
Does the TP-Link have a public IP?

Trying to determine which device is capable of acting as server for the handshake.
 
Larsa
Forum Guru
Posts: 1222
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Access Lan Devices through windows Wireguard Client

Wed May 22, 2024 12:24 am

And of course, listen to Anav, who's the real WireGuard expert here! :-)
 
knowledgemonster
newbie
Topic Author
Posts: 36
Joined: Fri Dec 04, 2015 3:47 pm
Location: Ontario Canada

Re: Access Lan Devices through windows Wireguard Client

Wed May 22, 2024 10:13 pm

Yes, the WireGuard MT has a public IP.

TP-Link: no public IP. No management access.

If I had a site-to-site VPN then yes, this would be pretty simple, but that is not the case here.
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Lan Devices through windows Wireguard Client

Wed May 22, 2024 10:36 pm

Not a problem then to establish a WireGuard tunnel. Set up the WireGuard interface on the MT device (acting as server peer for the handshake) and any single device like the Windows PC behind the TP-Link router, or any laptop or phone anywhere, as a client peer for the handshake.

However, let's get the requirement straight.
The Windows PC behind the TP-Link (with WireGuard access to the MT) needs to connect to a LAN device on the MT LAN.
It would appear this is done over RDP.
So far so good. Seems plausible.

The next part is more difficult. The client needs to reach the Windows server and then print something back to the Lexmark printer on the TP-Link LAN.
I'm assuming that the Lexmark printer has a TP-Link LAN IP address.

The issue here is that right now we have created a tunnel for all Windows PC traffic to go in and out of.
How do you propose all of a sudden to allow traffic to leak out of the Windows PC to its local LAN?
Easy to control such stuff on the MT side, but I'm not familiar with the Windows side.
Can you do some sort of split tunnelling, or any way of allowing local-to-local traffic on the Windows PC at the same time as the WireGuard tunnel on the PC??

Also assuming that the Windows server behind the MT knows the address of the Lexmark printer etc.....

Not sure why you threw in the Brother printer LOL, if only to confuse.
 
knowledgemonster
newbie
Topic Author
Posts: 36
Joined: Fri Dec 04, 2015 3:47 pm
Location: Ontario Canada

Re: Access Lan Devices through windows Wireguard Client

Wed May 22, 2024 10:57 pm

Yes, you have the requirement correct.
Yes, the Lexmark has a TP-Link LAN IP.
This is the part I am stuck on: "How do you propose all of a sudden to allow traffic to leak out of the Windows PC to its local LAN?"

Yes, I have admin access to the Windows server to install the Lexmark if I could figure out how to reach it.

Sorry about the brother printer. I should have not listed it lol.
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Lan Devices through windows Wireguard Client

Thu May 23, 2024 12:18 am

Thus your question is more along the lines of how do I control traffic on a Windows PC while using WireGuard!!
If the Windows client is not trying to get out to the internet via the MT router, it may be easier, as you are targeting specific subnets only.

My local network is broken and refuses access when connected to WireGuard®

The issue of broken local network routing appears to only happen in WireGuard® for Windows, where all traffic is forced to go through WireGuard® prior to routing. Resolving the issue that local network routing is prohibited by WireGuard® involved adding static route 9 (edit by me: which is probably router dependent). However, there is an easier solution built into the WireGuard® Windows client.

To allow traffic within local network to bypass WireGuard® so that the route does not get killed, follow these steps:

Open the WireGuard® Windows client.
In the left pane, select the connection that you want local network routing to work, if you have more than one configuration.
Click onto the ‘Edit‘ button.
Uncheck ‘Block untunneled traffic (kill-switch)‘ option.
Click ‘Save’.
Disconnect and reconnect the VPN if it's already connected.

This may be a way!!
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Lan Devices through windows Wireguard Client

Thu May 23, 2024 12:22 am

Fire my way your Router config.
/export file=anynameyouwish (minus router serial number and any public WANIP info, keys etc.. )
 
knowledgemonster
newbie
Topic Author
Posts: 36
Joined: Fri Dec 04, 2015 3:47 pm
Location: Ontario Canada

Re: Access Lan Devices through windows Wireguard Client

Thu May 23, 2024 5:10 am

Here you go, sir.

I am still meditating on your reply.

Here is my Windows client config:
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ListenPort = 21231
Address = 10.255.255.4/24
DNS = 192.168.29.4

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
AllowedIPs = 192.168.29.0/24, 10.255.255.0/24
Endpoint = XXXXXXXXXXXXXXXXXXXXXXXXXXXX:21231
PersistentKeepalive = 25
 
rplant
Member
Posts: 367
Joined: Fri Sep 29, 2017 11:42 am

Re: Access Lan Devices through windows Wireguard Client

Thu May 23, 2024 6:26 am

I think you would be better off using a Mikrotik at both ends.

However, the following may be useful:

https://www.henrychang.ca/how-to-setup- ... n-windows/
 
anav
Forum Guru
Posts: 20009
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Access Lan Devices through windows Wireguard Client

Thu May 23, 2024 4:33 pm

@rplant, it's also better to win a big lottery, but not always possible. :-)

So if you are able to modify the WireGuard client as I noted in a post above...........then you will still need to modify the MT config.
You need to allow WG traffic to the server and return traffic back to the client.
You also need traffic from the server to the printer .......

1. Don't need to add netmask on dhcp server-network. Remove it. (It could be added by default, but I don't think so.)

2. Remove static default DNS setting;
/ip dns static
add address=192.168.29.1 comment=defconf name=router.lan


3. Remove old default firewall rule
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


and replace with the following:
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="WPC to server" in-interface=wg_gt dst-address=192.168.29.0/24
add chain=forward action=accept comment="Server to printer" src-address=192.168.29.0/24 out-interface=wg_gt

add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat disabled=yes
# enable the rule above if required, or remove it
add chain=forward action=drop comment="drop all else"


Now for the routes....... But that triggers a review of the allowed IP.. MISSING is the subnet that the Windows PCs/Printer are on!!
The allowed IPs may not require it in terms of that the traffic being sent by the PC may only come from its wireguard IP address as source, BUT,
the routes will still need it for return traffic or at the minimum traffic to the printer, and so will allowed IPs...........


However, you have a boatload of routes for WireGuard already that make no sense to me.
Can you confirm that the printer and the windows PC are on the same subnet and if so WHICH subnet!!

In other words, clean up the mess of routes you have, remove all wg_gt routes except the following:

/ip route
add comment=MISP distance=2 dst-address=0.0.0.0/0 gateway=\
97.107.55.129 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="Wireguard & Printer" dst-address=SUBNET gateway=wg_gt routing-table=main


Where SUBNET is the subnet that the windows PC and printer are located.

AND MODIFY
/interface wireguard peers
add allowed-address=10.255.255.4/32,SUBNET comment="GT Mobile" interface=\
wg_gt public-key="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
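As an added illustration (not code from the thread, from MikroTik or from WireGuard), the following Python script models WireGuard's cryptokey routing at both ends of the tunnel described above: a packet only enters the tunnel if its destination is in the sending side's AllowedIPs, and is only accepted if its source is in the receiving side's AllowedIPs. It shows why the PC/printer subnet must be added to the MikroTik peer's allowed-address before the server-to-printer and printer-to-server flows can pass. The TP-Link LAN (192.168.0.0/24, standing in for SUBNET), the server address (192.168.29.10) and the printer address (192.168.0.50) are assumptions; the client AllowedIPs line is the one posted in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed values for this example:
# - WIN_PC_ALLOWED is the AllowedIPs line from the posted Windows client config;
# - MT_ALLOWED_BEFORE/AFTER show the MikroTik peer's allowed-address before and
#   after the suggested change, with SUBNET assumed to be 192.168.0.0/24
#   (an assumption: the thread never states the TP-Link LAN subnet);
# - SERVER_IP and PRINTER_IP are assumed addresses on the two LANs.
WIN_PC_WG_IP = "10.255.255.4"
WIN_PC_ALLOWED = "192.168.29.0/24, 10.255.255.0/24"
MT_ALLOWED_BEFORE = "10.255.255.4/32"
MT_ALLOWED_AFTER = "10.255.255.4/32,192.168.0.0/24"
SERVER_IP = "192.168.29.10"   # assumed: Windows server on the MikroTik LAN
PRINTER_IP = "192.168.0.50"   # assumed: Lexmark printer on the TP-Link LAN


def parse_allowed(value):
    """Split a WireGuard AllowedIPs / allowed-address list into networks."""
    return [ip_network(p.strip(), strict=False) for p in value.split(",") if p.strip()]


def tunnel_permits(src, dst, sender_allowed, receiver_allowed):
    """Cryptokey routing: the sender routes dst into the tunnel only if dst is
    in its peer's AllowedIPs, and the receiver accepts the packet only if src
    is in its peer's AllowedIPs. Both must hold for the packet to arrive."""
    s, d = ip_address(src), ip_address(dst)
    return any(d in n for n in sender_allowed) and any(s in n for n in receiver_allowed)


def check_flows(pc_allowed, mt_allowed):
    """Evaluate the three flows the thread needs and return {flow: bool}.
    This models AllowedIPs only: Windows must still forward between its
    WireGuard interface and its LAN (kill-switch off), and the MikroTik
    firewall and routes must permit the traffic as well."""
    pc, mt = parse_allowed(pc_allowed), parse_allowed(mt_allowed)
    return {
        # RDP from the Windows 11 PC (tunnel address) to the server on the MT LAN
        "pc->server": tunnel_permits(WIN_PC_WG_IP, SERVER_IP, pc, mt),
        # print job from the server, out through the tunnel, to the Lexmark
        "server->printer": tunnel_permits(SERVER_IP, PRINTER_IP, mt, pc),
        # the printer's reply back into the tunnel towards the server
        "printer->server": tunnel_permits(PRINTER_IP, SERVER_IP, pc, mt),
    }


if __name__ == "__main__":
    for label, mt in (("before", MT_ALLOWED_BEFORE), ("after", MT_ALLOWED_AFTER)):
        print(label, check_flows(WIN_PC_ALLOWED, mt))
```

Before the change only the RDP flow passes, because the MikroTik side will neither route 192.168.0.50 into the tunnel nor accept packets sourced from it; after adding the subnet all three flows pass.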
