R4istlin
just joined
Topic Author
Posts: 4
Joined: Thu Jan 25, 2024 9:45 pm

VPN Client on MikroTik hEX-S

Thu Jan 25, 2024 9:47 pm

Good morning,

I purchased a MikroTik hEX-S (updated to RouterOS 7.13). I have a Starlink satellite connection at my home, so I surf under the CGNAT protocol, so I can't manage my home devices from outside the network except with a paid VPS/VPN service.

As it happens, a few days ago my mother, in her home, signed a Fiber contract (FTTH EPON); they also provided her with a public and fixed IP address. Furthermore, the router provided by her provider (Iliad) has many functions, including the possibility of acting as a VPN server. Specifically I used the WireGuard service.
After enabling the VPN server I ran some tests with my mobile devices (Android and Windows). Everything works fine: I enter the private network and I can reach my mother's modem also via the HTTP protocol.

I made several attempts but I was unable to set up my MikroTik as a client of my Wireguard network at my mother's house. Would anyone be kind enough to help me figure out how to do this? I have the option of using an alternative service like OpenVPN but I've heard that Wireguard performs better.

Thanks to those who reply
 
DeadStik
just joined
Posts: 18
Joined: Thu Jan 04, 2024 4:35 pm

Re: VPN Client on MikroTik hEX-S

Fri Jan 26, 2024 1:17 am

I use both ZeroTier and WireGuard with SL without issue. ZeroTier is the easiest to configure for remote access, but I use WireGuard to a CHR on DigitalOcean to NAT its public IP. In fact, I have 2 ZeroTier connections, one going out Starlink and another out my T-Mobile Home Internet. The WireGuard goes out a T-Mobile LTE connection and fails over to Starlink.

You will need to post more details if you need help. From the terminal, run /export file=anyfilename, then download this file and edit it with any .txt editor.
 
R4istlin
just joined
Topic Author
Posts: 4
Joined: Thu Jan 25, 2024 9:45 pm

Re: VPN Client on MikroTik hEX-S

Fri Jan 26, 2024 9:41 am

Thanks for the reply, so with ZeroTier I don't need to rely on a VPN server to access my home network? Well, I'll immediately do some research to find out more and hope to find some time to do some tests.

Thanks again, if I need help I'll try to be more accurate!
 
R4istlin
just joined
Topic Author
Posts: 4
Joined: Thu Jan 25, 2024 9:45 pm

Re: VPN Client on MikroTik hEX-S

Fri Jan 26, 2024 7:15 pm

My hEX-S is MMIPS architecture and ZeroTier was not released for it.
 
DeadStik
just joined
Posts: 18
Joined: Thu Jan 04, 2024 4:35 pm

Re: VPN Client on MikroTik hEX-S

Fri Jan 26, 2024 9:55 pm

ZeroTier doesn't have to be on your hEX-S. I have mine running on 2 different hAP ac3 units used as access points, but it can run on a NAS, RPi or any other device.

The hAP ax lite might make a good/cheap standalone ZeroTier VPN device.
 
R4istlin
just joined
Topic Author
Posts: 4
Joined: Thu Jan 25, 2024 9:45 pm

Re: VPN Client on MikroTik hEX-S

Sat Jan 27, 2024 1:24 pm

ZeroTier doesn't have to be on your HexS. I have mine running on 2 different hAP AC3 used as access-points, but can run on NAS, RPi or any other device.

The hAP ax lite might make a good/cheap standalone ZeroTier VPN devices.
Thanks for your reply. I know I can access with each device, but I need to access the VPN directly with the modem. My modem is MMIPS while yours is ARM, and I have checked the extra packages for MMIPS and ZeroTier is not included.
Just to summarize, I need my modem to join an existing WireGuard network and I am not able to understand which steps I have to follow. Any procedure I was able to find describes how to set up a server, but what I need to set up is a client.
Thanks
 
TheCat12
Member Candidate
Posts: 181
Joined: Fri Dec 31, 2021 9:13 pm

Re: VPN Client on MikroTik hEX-S

Tue Feb 06, 2024 7:19 pm

First of all, you should add a WireGuard interface and assign it an address (one from the VPN network, supposing you have one). You could do this with the following commands:
/interface wireguard
add name=wireguard1

/ip address
add address=x.x.x.x/24 network=x.x.x.0 interface=wireguard1
Through the former command you will generate a public key, which you will use for the peer on the server side. After you have configured it, you will fetch the public key of the server, add a new peer to the MikroTik and in the allowed-address list you will add the VPN address with a netmask of /32 and your LAN network:
/interface wireguard peers
add interface=wireguard1 public-key=*public key of server* endpoint-address=*WAN address* endpoint-port=*wireguard port which you use* allowed-address=x.x.x.x/32,y.y.y.0/24
Lastly, you add a static route to the LAN network of the server with the gateway being the WireGuard interface (a small quirk of RouterOS) and add a firewall rule which allows the WireGuard port:
/ip route
add dst-address=y.y.y.0/24 gateway=wireguard1

/ip firewall filter
add chain=input protocol=udp dst-port=*wireguard port* action=accept
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Client on MikroTik hEX-S

Tue Feb 06, 2024 7:53 pm

https://help.mikrotik.com/docs/display/ROS/WireGuard

The tricky part, as noted, is to generate the interface at both routers and then use the public key provided by each in the peer settings of the other router.
Your mother's WireGuard IP should be something like 172.16.1.1/24, yours 172.16.1.2/24.
Your mother's WireGuard interface should be part of the LAN interface list.
Your client settings will need a keepalive of 35s, for example, the IP address of your mother's router (if dynamic, using the mynetname cloud IP is easiest) and the selected listening port.

Two hurdles

a. Allowed IPs
- your mother's device, in its peer settings for your router, should indicate 172.16.1.2/32,subnetA
(if you will be accessing your mother's router LAN side for anything, where subnetA is where your local router IP address (laptop, desktop, smartphone) is coming from).
- your device, in its peer settings for your mother's router, should indicate 172.168.1.0/24,subnetB
(if you need to access her subnetB, for example; any subnets you need to reach have to be listed).
On the other hand, if you need access to subnets and internet, or just internet, then allowed IPs simply becomes 0.0.0.0/0.

b. IP routes. The rule of thumb is that IP routes match allowed IPs for remote subnets.
This is because the local router does not know about remote subnets, so you need to add routes pointing to the WireGuard interface for those subnets.
 
TheCat12
Member Candidate
Posts: 181
Joined: Fri Dec 31, 2021 9:13 pm

Re: VPN Client on MikroTik hEX-S

Tue Feb 06, 2024 8:41 pm

In the peer settings for the mother's router, shouldn't the example address be 172.16.1.1/32? That way the peer could only access the server in the WireGuard subnet, and if there are other peers on the mother's router, they will be independent from one another. Just asking to avoid confusion.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VPN Client on MikroTik hEX-S

Tue Feb 06, 2024 11:38 pm

Hi Cat, you have to be very precise in language...
ambiguous --> In the peer settings for the mother's router, shouldn't the example address be 172.16.1.1/32?
clear --> In the local router of the OP, the peer settings for the mother's router should be ...

No, it should be 172.16.1.0/24.
The reason being that the server (for handshake), the mother's router, needs distinct one-to-one (peer-to-peer) connections for each WireGuard client.
The mother's router could service a number of router clients and road warrior clients.

By placing 172.16.1.0/24 in the peer settings pointing to the mother's router, the OP is making his client router easily accessible to the other client devices, be they users from another router looking to access a LAN subnet on the OP's router, or the OP himself, wishing to see his own LAN or configure the router while on his smartphone away from home.
All WireGuard IPs (road warrior etc.) hitting the OP's router will be permitted to exit the tunnel due to having been covered by the more generic 172.16.1.0/24.

Note: all clients have to connect one-to-one with the mother's router, not the OP's router. This traffic hits the LAN on the mother's router and then needs a path and rules to reach the OP's router.
Thus a good idea is a relay rule on the OP's router:
/ip firewall filter
add chain=forward action=accept in-interface=wireguard1 out-interface=wireguard1
If from a road warrior, no extra routes are required, as the IP address of the WireGuard interface already creates a dac route.
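Pulling together the step list in TheCat12's post and the allowed-address/route discussion between anav and Mesquite, here is a complete two-sided configuration as an added example; it is not code from this thread or from MikroTik. It assumes the hub is also a RouterOS device so both sides can be shown in the same syntax (in the OP's case the hub is the Iliad router, whose WireGuard server takes the same peer values, public key and allowed IPs, through its own interface). The tunnel addresses 172.16.1.x, the listen port 13231, the public endpoint 203.0.113.10 and the LAN subnets 192.168.1.0/24 (mother) and 192.168.88.0/24 (OP) are constructed values; the key strings are placeholders to be replaced with the public key each router prints once its interface exists.

```routeros
# ===== Mother's router: the hub with the fixed public IP =====
# (constructed values throughout; keys are placeholders)
/interface wireguard
add name=wireguard1 listen-port=13231
# RouterOS generates the key pair on add; read this router's public key
# with:  /interface wireguard print

/ip address
add address=172.16.1.1/24 interface=wireguard1

# Treat the tunnel as LAN so the default "drop all not coming from LAN"
# input rule does not block management from tunnel peers (this also means
# every peer is trusted like a LAN host)
/interface list member
add interface=wireguard1 list=LAN

# One peer entry per client: its own tunnel /32 plus the subnet it fronts.
# Rule of thumb from the thread: remote subnets in allowed-address must
# also appear as /ip routes via the tunnel.
/interface wireguard peers
add interface=wireguard1 comment="hEX-S at OP's home" \
    public-key="<PLACEHOLDER: public key printed by the hEX-S>" \
    allowed-address=172.16.1.2/32,192.168.88.0/24
add interface=wireguard1 comment="road warrior phone" \
    public-key="<PLACEHOLDER: public key from the phone's app>" \
    allowed-address=172.16.1.3/32

# Reach the OP's LAN through the tunnel; the gateway is the interface
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard1

/ip firewall filter
# Let handshakes in; this must sit above the input-chain drop rule
add chain=input action=accept protocol=udp dst-port=13231 \
    comment="WireGuard handshake"
# Explicitly accept peer-to-peer traffic that enters on one tunnel leg
# and leaves on another (phone -> hub -> hEX-S); both legs meet here
add chain=forward action=accept in-interface=wireguard1 \
    out-interface=wireguard1 comment="relay between tunnel peers"

# ===== OP's hEX-S: the client behind Starlink CGNAT =====
/interface wireguard
add name=wireguard1
# copy this side's public key from:  /interface wireguard print

/ip address
add address=172.16.1.2/24 interface=wireguard1

/interface list member
add interface=wireguard1 list=LAN

# The only peer is the hub. allowed-address carries the whole tunnel /24
# (so clients relayed by the hub can reach this router) plus the mother's
# LAN. persistent-keepalive keeps the CGNAT mapping open so the hub can
# send traffic to this side between handshakes.
/interface wireguard peers
add interface=wireguard1 comment="mother's router (hub)" \
    public-key="<PLACEHOLDER: public key of the hub>" \
    endpoint-address=203.0.113.10 endpoint-port=13231 \
    allowed-address=172.16.1.0/24,192.168.1.0/24 \
    persistent-keepalive=35s

# Route the mother's LAN into the tunnel
/ip route
add dst-address=192.168.1.0/24 gateway=wireguard1

# Verify: last-handshake should be recent and rx/tx should grow
# /interface wireguard peers print
```

The client side needs no inbound UDP rule: it initiates the handshake outward and connection tracking admits the replies, which is exactly why the keepalive matters behind CGNAT. The relay rule is shown on the hub because that is where traffic from one peer is forwarded to another; Mesquite places it on the OP's router, where it is harmless and covers the case of that router ever holding more than one tunnel peer. If the hub's address is dynamic, endpoint-address accepts a DNS name such as the mynetname cloud name anav mentions instead of the constructed 203.0.113.10.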
 
TheCat12
Member Candidate
Posts: 181
Joined: Fri Dec 31, 2021 9:13 pm

Re: VPN Client on MikroTik hEX-S

Wed Feb 07, 2024 7:43 am

Dear Mesquite,

Please excuse my imprecise language, and thank you for the detailed explanation!
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VPN Client on MikroTik hEX-S

Wed Feb 07, 2024 3:21 pm

No worries, I easily get confused about which device someone is referring to in any given sentence and thus need the extra help. :-)
