fengyuclub
Member Candidate
Topic Author
Posts: 100
Joined: Mon Dec 09, 2013 8:50 am

How should I configure a site-to-site VPN tunnel based on wireguard in a multi-wan environment?

Tue Mar 07, 2023 12:17 pm

I checked the official wiki document and the configuration was successful; the MikroTik devices at both ends were v7.7. Just a few days ago, the MikroTik device at one end (rb750gr3) was upgraded to the latest version, v7.8, and then it didn't work. The other end was also upgraded to v7.8, and they still can't access each other. The only difference between my network situation and the official wiki is the multi-WAN environment. The Internet at both ends of the WireGuard tunnel is a single WAN (ISP). Not interoperable. May I ask how to solve it? To make it easier to understand, I drew a simple network topology diagram according to my network layout.
Network diagram (2).jpg
Last edited by fengyuclub on Sat Mar 11, 2023 3:42 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How should I configure a site-to-site VPN tunnel based on wireguard in a multi-wan environment?

Tue Mar 07, 2023 12:39 pm

Conceptually, you need to ensure the handshake on the server side coming in on ISP X gets routed back out the same WAN.
Other than that, I would need to see both configs.

The easiest way to accomplish the aim is to mangle traffic coming in on ISPX and ensure there is an identified route for that traffic later on.
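
The approach described in the post above (tag the connection with the WAN it arrived on, then send the router's replies out through that same WAN), written out as a RouterOS v7 configuration. This is an added example, not configuration from any poster in this thread. The interface name `ether1-WAN1`, the listen port `13231`, the gateway `192.0.2.1`, and the mark and table names are all assumptions.

```routeros
# Added example (RouterOS v7 syntax). All names and addresses are assumptions:
#   ether1-WAN1 = WAN interface on which the remote peer's handshake arrives
#   13231       = WireGuard listen-port configured on this router
#   192.0.2.1   = gateway of that ISP (documentation-range address)

# 1. A dedicated routing table for replies that must leave via WAN1.
/routing table
add name=via-wan1 fib

# 2. Tag new inbound WireGuard connections with the WAN they arrived on.
/ip firewall mangle
add chain=input action=mark-connection in-interface=ether1-WAN1 \
    protocol=udp dst-port=13231 connection-mark=no-mark \
    new-connection-mark=wg-wan1 passthrough=yes \
    comment="WG handshake arrived on WAN1"

# 3. Router-generated replies on that connection are looked up in via-wan1.
add chain=output action=mark-routing connection-mark=wg-wan1 \
    new-routing-mark=via-wan1 passthrough=no \
    comment="WG replies leave via WAN1"

# 4. Default route inside that table, pointing at the WAN1 gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=via-wan1 \
    comment="WAN1 default for marked WG replies"
```

Repeat steps 2 to 4 with a separate connection mark and routing table for each additional WAN that can receive the handshake.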
 
fengyuclub
Member Candidate
Topic Author
Posts: 100
Joined: Mon Dec 09, 2013 8:50 am

Re: How should I configure a site-to-site VPN tunnel based on wireguard in a multi-wan environment?

Wed Mar 08, 2023 8:41 am

Can you give me some hints based on my topology? I have some basics of MikroTik router settings, but I am not very professional.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How should I configure a site-to-site VPN tunnel based on wireguard in a multi-wan environment?

Wed Mar 08, 2023 12:10 pm

yup, need to see complete config on both routers
/export file=anynameyouwish ( minus router serial number and any public WANIP info )
 
fengyuclub
Member Candidate
Topic Author
Posts: 100
Joined: Mon Dec 09, 2013 8:50 am

Re: How should I configure a site-to-site VPN tunnel based on wireguard in a multi-wan environment?

Sat Mar 11, 2023 4:24 am

> yup, need to see complete config on both routers
> /export file=anynameyouwish ( minus router serial number and any public WANIP info )
export file
Last edited by fengyuclub on Sat Mar 11, 2023 12:54 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How should I configure a site-to-site VPN tunnel based on wireguard in a multi-wan environment?

Sat Mar 11, 2023 5:01 am

First comment is that it is not clear which router is considered the server for the initial handshake and which one the client.
Second comment: why do they both have 0.0.0.0/0 selected at peer allowed IP settings?
Typically one uses 0.0.0.0/0 at one end to signify that users local on that device are going to the other router for internet.
Thirdly, the diagram is wrong; the IP addresses for wireguard seem reversed.
 
fengyuclub
Member Candidate
Topic Author
Posts: 100
Joined: Mon Dec 09, 2013 8:50 am

Re: How should I configure a site-to-site VPN tunnel based on wireguard in a multi-wan environment?

Mon Mar 13, 2023 9:04 am

The problem is solved, just add a routing mark on the rb750 route
chain=prerouting action=mark-routing new-routing-mark=main passthrough=no src-address-list=local-LAN in-interface=bridge2-LAN
But in this case, you can see that the client cannot aggregate the sum of the bandwidth of the 3 ISPs, and can only connect to the Internet with a single line. Make a common mark, and then log in to the router with the mobile phone and switch the mangle statement.
Thank you for guiding me to solve the problem.
