Good morning everyone,
I tried to setup a lab environment with 2 virtual CHR in order to simulate a BO to HQ scenario and testing the wireguard feature.
I am new to wireguard so I don't have any knowlegde about this topic.
I have two Wans on BO and two Wans on HQ.
I created the first wireguard tunnel over the first wan for each site and everything works correctly.
When I tried to setup the second wireguard peer, Mikrotik didn't allow me.
The error was something like "the peer already exists". I guess it's because the peer public key it's the same as the first peer.
If I want to have active redundancy between to sites, is it possible with Wireguard?
I mean, I want to manage my routes based on wan capabilities.
I usually performed it with a GRE over IPSEC scenario.
Any idea?
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
There seems to be a dispute in progress in Riga currently whether to permit the same remote public key for peers under different Wireguard interfaces on the same machine.
So for the time being, use different keys for each wireguard "link". Forever, use different Wireguard interfaces (one per each WAN) and the same approach you used with GRE over IPsec.
You could also make use of Wireguard's multi-homing and address-tracking capability in terms that you'd use a single Wireguard interface and peer at each site, and use a failover between WANs to let the Wireguard transport packets use the WAN that is currently alive, but it is probably not what you want. Plus, unless all four WANs have public addresses, it may have difficulties to work.
For an improved redundancy, use a pair of routers at each site, OSPF, and VRRP.
So for the time being, use different keys for each wireguard "link". Forever, use different Wireguard interfaces (one per each WAN) and the same approach you used with GRE over IPsec.
You could also make use of Wireguard's multi-homing and address-tracking capability in terms that you'd use a single Wireguard interface and peer at each site, and use a failover between WANs to let the Wireguard transport packets use the WAN that is currently alive, but it is probably not what you want. Plus, unless all four WANs have public addresses, it may have difficulties to work.
For an improved redundancy, use a pair of routers at each site, OSPF, and VRRP.
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
For High availability the following example may prove to be useful for your needs ....
its not MikroTik centric but the same principles apply and I am certain that the same example can be converted into MikroTik Speak
High Availability WireGuard Site To Site
its not MikroTik centric but the same principles apply and I am certain that the same example can be converted into MikroTik Speak
High Availability WireGuard Site To Site
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
Yes please if you were offering to create the MT equivalent!!For High availability the following example may prove to be useful for your needs ....
its not MikroTik centric but the same principles apply and I am certain that the same example can be converted into MikroTik Speak
High Availability WireGuard Site To Site
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
The main problem is that every wireguard interface on one routerboard/CCR/CHR has the same public key, so I can't use the same approach for GRE over IPSEC, if I understood what you meantThere seems to be a dispute in progress in Riga currently whether to permit the same remote public key for peers under different Wireguard interfaces on the same machine.
So for the time being, use different keys for each wireguard "link". Forever, use different Wireguard interfaces (one per each WAN) and the same approach you used with GRE over IPsec.
You could also make use of Wireguard's multi-homing and address-tracking capability in terms that you'd use a single Wireguard interface and peer at each site, and use a failover between WANs to let the Wireguard transport packets use the WAN that is currently alive, but it is probably not what you want. Plus, unless all four WANs have public addresses, it may have difficulties to work.
For an improved redundancy, use a pair of routers at each site, OSPF, and VRRP.
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
Different WG interfaces have different keys, unless you give same one to all.
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
Unless some "older" 7.x.y version was creating the same key pair for all interfaces, the only other reason to come to my mind would be creating one interface as a copy of the other one. So add a third one and see whether the key is different from the other two; if yes, move the peer(s) from the second interface to the third one and remove the second one.The main problem is that every wireguard interface on one routerboard/CCR/CHR has the same public key, so I can't use the same approach for GRE over IPSEC, if I understood what you meant
I've just added two more interfaces on a CHR (7.2rc3), the key pairs are unique. I've just added two interfaces to an RB711, it gave it a hard time and caused a reboot each time (7.1.2, mibsbe), but again key pairs are unique.
Re: RouterOS 7 - Wireguard site-to-site over multiple wans [SOLVED]
Hello Everyone,
I come back after a very long time. I confirm that the problem is not occuring with 7.1.3
So it's solved.
Thanks.
I come back after a very long time. I confirm that the problem is not occuring with 7.1.3
So it's solved.
Thanks.
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
Hello,
I have 2 ccr2004 and i want high availability. I have setup VRRP between the 2 routers and i have identical setup at addresses, dhcp, bridge VLAN fitering etc etc.
I have 10 roadwarrior VPNs using wireguard. I have setup the wireguard at router 1. When router 1 becomes passive and router 2 becames active, roadwarrior VPNs cannot connect because wireguard is running at router 1.
Can i setup the exact configuration at wireguard from router1 to router2 and when router2 is active the VPNs will work?
I have 2 ccr2004 and i want high availability. I have setup VRRP between the 2 routers and i have identical setup at addresses, dhcp, bridge VLAN fitering etc etc.
I have 10 roadwarrior VPNs using wireguard. I have setup the wireguard at router 1. When router 1 becomes passive and router 2 becames active, roadwarrior VPNs cannot connect because wireguard is running at router 1.
Can i setup the exact configuration at wireguard from router1 to router2 and when router2 is active the VPNs will work?
Re: RouterOS 7 - Wireguard site-to-site over multiple wans
If you look at mozerds link, one creates two distinct wireguard networks (different public IP and different wireguard IPs).
Who is online
Users browsing this forum: googol, phascogale and 65 guests