tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Route WireGuard client IP range  [SOLVED]

Wed Jul 06, 2022 8:31 pm

Hello,

I have several Mikrotiks with RouterOS version 7.

I used to have an SSTP server on my main Mikrotik and now I have set up WireGuard there too, but I'm having a problem with it.

On the main Mikrotik, I set a route for the client on SSTP (dst-address=10.25.0.0/24 (client range), gateway=10.25.1.2 (client IP address in SSTP server range)). And on the client side, of course, I set a route (dst-address=10.25.1.0/24 (server range), gateway=10.25.1.1 (server IP address)).
In this way, I achieved that the other clients of the SSTP server could reach the range of the client 10.25.1.2 (which is 10.25.0.0/24).

I'm trying to set the same thing with WireGuard, but something doesn't work for me there... The setting is basically the same, with the difference that on the client side the route was automatically created for me (dst-address=10.25.10.0/24 (WireGuard server range), gateway=wg-client (WireGuard interface name)). When I add a route (dst-address=10.25.10.0/24 (server range), gateway=10.25.10.1 (WireGuard server IP address)) it ignores it; I assume that's because of the automatic route.

The result is that when I ping, for example, the address 10.25.0.3 (one of devices on client router), I get the following:
Reply from 10.25.10.1: Destination host unreachable.

I am attaching screenshots as well.


Please, does anyone know what to do with setting that WireGuard clients will be able to access the range of another client thanks to the route?

Thanks in advance for any replies.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route WireGuard client IP range

Wed Jul 06, 2022 8:57 pm

So you have clients with 10.25.1.x and one of them (.2) has another 10.25.0.0/24 subnet behind it, correct? If so, then just add both 10.25.1.0/24 and 10.25.0.0/24 in allowed addresses for other clients, and standard non-RouterOS clients will automatically add routes to both. If the client is RouterOS, then you need to add both routes manually. The route you're adding doesn't make sense. There's already a route to 10.25.10.0/24, you don't need another. You probably meant 10.25.0.0/24. You still need to have it in allowed addresses too, otherwise it won't work. That goes for both clients and also the server, which must have 10.25.0.0/24 in allowed addresses for the .2 peer.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Route WireGuard client IP range

Wed Jul 06, 2022 8:59 pm

Attaching the address to the Wireguard interface is just one possible way to tell RouterOS to add a route to that subnet via that interface. But internally (inside the Wireguard stack), an allowed-address(es) list is configured for each Wireguard peer, which must contain all remote subnets that are reachable via this peer, as there may be multiple peers linked to the same Wireguard interface and the Wireguard stack must know which of them to use for which destination address. In receiving direction, this list is used for filtering - if a packet arrives from a peer whose allowed-address list does not contain a prefix matching the source address of the packet, the packet is dropped.
Like on many other places in Mikrotik configuration, order of the peers matters, and the allowed-address lists are searched from first (topmost) one to the last (bottommost) one until first match.

You haven't shown the /interface/wireguard/peer table from either of the two routers, so it's hard to say at which end the mistake is ("server" or "client").
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: Route WireGuard client IP range

Wed Jul 06, 2022 9:23 pm

sindy wrote:
> Attaching the address to the Wireguard interface is just one possible way to tell RouterOS to add a route to that subnet via that interface. But internally (inside the Wireguard stack), an allowed-address(es) list is configured for each Wireguard peer, which must contain all remote subnets that are reachable via this peer, as there may be multiple peers linked to the same Wireguard interface and the Wireguard stack must know which of them to use for which destination address. In receiving direction, this list is used for filtering - if a packet arrives from a peer whose allowed-address list does not contain a prefix matching the source address of the packet, the packet is dropped.
> Like on many other places in Mikrotik configuration, order of the peers matters, and the allowed-address lists are searched from first (topmost) one to the last (bottommost) one until first match.
>
> You haven't shown the /interface/wireguard/peer table from either of the two routers, so it's hard to say at which end the mistake is ("server" or "client").
Thank you for the information,

at the moment, when I added 0.0.0.0/0 to the peer used by my computer, the response to ping 10.25.0.3 from my PC is as follows:
Request timed out.

I am also attaching screenshots from the peer from both sides.

Thank you in advance.
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: Route WireGuard client IP range

Wed Jul 06, 2022 9:34 pm

Sob wrote:
> So you have clients with 10.25.1.x and one of them (.2) has another 10.25.0.0/24 subnet behind it, correct? If so, then just add both 10.25.1.0/24 and 10.25.0.0/24 in allowed addresses for other clients, and standard non-RouterOS clients will automatically add routes to both. If the client is RouterOS, then you need to add both routes manually. The route you're adding doesn't make sense. There's already a route to 10.25.10.0/24, you don't need another. You probably meant 10.25.0.0/24. You still need to have it in allowed addresses too, otherwise it won't work. That goes for both clients and also the server, which must have 10.25.0.0/24 in allowed addresses for the .2 peer.
Ah, now I see that I didn't actually set it up on the peer on the server for the client. I tried adding 10.25.0.0/24 to the allowed addresses there and everything seems to work now.

Thank you very much for all the replies.
 
Sob
Forum Guru
Posts: 9120
Joined: Mon Apr 20, 2009 9:11 pm

Re: Route WireGuard client IP range

Wed Jul 06, 2022 9:49 pm

And you shouldn't need 0.0.0.0/0 for PC either (for peer on server). Generally be careful with 0.0.0.0/0, it means any address, so only one peer on each WG interface can have that. There can be some overlaps and then it works similar to routes, most specific one will be used. But 0.0.0.0/0 (or any other exactly same subnet) for more than one peer won't work (it will, but only for one of them).
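An added illustration (not code from the thread or from RouterOS) of the allowed-address behaviour sindy describes (outbound peer selection, inbound source filtering) and Sob's "most specific prefix wins" overlap rule, using the thread's addresses: server WireGuard subnet 10.25.10.0/24, LAN 10.25.0.0/24 behind the client router. The client router's tunnel address 10.25.10.2 and the PC's 10.25.10.3 are assumptions; 192.0.2.10 is a constructed outside address.

```python
# Added example: a small model of WireGuard cryptokey routing (allowed-address
# lookup) with the addresses from this thread. Not the project's own code.
import ipaddress

def select_peer(peers, dst):
    """Outbound: the peer whose allowed-address prefix is the most specific
    match for dst (longest prefix wins). None means no peer can carry it."""
    dst = ipaddress.ip_address(dst)
    best = None  # (peer name, prefix length)
    for name, prefixes in peers.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def accept_inbound(peers, peer, src):
    """Inbound: a packet decrypted from `peer` is kept only if its source
    address falls inside that peer's allowed-address list; otherwise dropped."""
    src = ipaddress.ip_address(src)
    return any(src in ipaddress.ip_network(p) for p in peers[peer])

# Server-side peer table as first configured: the client router's peer
# carries only its own tunnel address (addresses assumed, see lead-in).
SERVER_BEFORE = {"pc": ["10.25.10.3/32"],
                 "client-router": ["10.25.10.2/32"]}
# After Sob's fix: the LAN behind the client router is added to its peer.
SERVER_AFTER = {"pc": ["10.25.10.3/32"],
                "client-router": ["10.25.10.2/32", "10.25.0.0/24"]}

def before_fix():
    # No peer claims 10.25.0.3, so the server cannot forward to it, and a
    # packet from 10.25.0.3 arriving via the client router is dropped.
    return (select_peer(SERVER_BEFORE, "10.25.0.3"),
            accept_inbound(SERVER_BEFORE, "client-router", "10.25.0.3"))

def after_fix():
    return (select_peer(SERVER_AFTER, "10.25.0.3"),
            accept_inbound(SERVER_AFTER, "client-router", "10.25.0.3"))

def overlap_demo():
    # The PC peer also gets 0.0.0.0/0: it matches everything, but the more
    # specific 10.25.0.0/24 on the client router still wins for that LAN.
    peers = {"pc": ["10.25.10.3/32", "0.0.0.0/0"],
             "client-router": ["10.25.10.2/32", "10.25.0.0/24"]}
    return select_peer(peers, "10.25.0.3"), select_peer(peers, "192.0.2.10")

if __name__ == "__main__":
    print(before_fix(), after_fix(), overlap_demo())
```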
 
tomasmato
newbie
Topic Author
Posts: 30
Joined: Thu May 19, 2022 3:23 pm

Re: Route WireGuard client IP range

Wed Jul 06, 2022 10:20 pm

Sob wrote:
> And you shouldn't need 0.0.0.0/0 for PC either (for peer on server). Generally be careful with 0.0.0.0/0, it means any address, so only one peer on each WG interface can have that. There can be some overlaps and then it works similar to routes, most specific one will be used. But 0.0.0.0/0 (or any other exactly same subnet) for more than one peer won't work (it will, but only for one of them).
You are right, I removed 0.0.0.0/0 from my PC's peer and it still works. Thank you very much for the advice.
