🔧 About Wireguard and MikroTik
WireGuard network: 10.11.18.0/30
A /30 range allows exactly two IP addresses to be set; if you have more routers, you will need a larger range.
                Site 1 (Router 1)    Site 2 (Router 2)
WireGuard IP    10.11.18.1/30        10.11.18.2/30
Router IP       192.168.8.1/24       172.17.17.1/24
Network         192.168.8.0/24       172.17.17.0/24
Router 1 (a.k.a. Server)
Addresses configuration
IP Address: 192.168.8.1/24
Network: 192.168.8.0/24
WG Address: 10.11.18.1/30
/ip address
add address=192.168.8.1/24 comment="Router 1's home network" interface=\
bridge-local network=192.168.8.0
add address=10.11.18.1/30 interface=WG01 network=10.11.18.0
WireGuard interface
/interface wireguard
add listen-port=13251 mtu=1420 name=WG01 private-key=\
"<--private-key-is-generated-while-creating-interface-->"
WireGuard peer configuration
allowed-address: list here the addresses of the networks/devices that should be reachable through the VPN tunnel
/interface wireguard peers
add allowed-address=10.11.18.2/30,172.17.17.0/24 interface=WG01 public-key=\
"<--put-here-public-key-from-Router-2's-WG-interface-->"
Routing
Destination address: network behind router 2 (172.17.17.0/24)
Gateway: WireGuard IP address from router 2 (10.11.18.2)
/ip route
add comment="Routing to Router 2's network" disabled=no distance=1 dst-address=172.17.17.0/24 \
gateway=10.11.18.2 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
Router 2 (a.k.a. Client)
Addresses configuration
IP Address: 172.17.17.1/24
Network: 172.17.17.0/24
WG Address: 10.11.18.2/30
/ip address
add address=172.17.17.1/24 comment="Router 2's home network" interface=br1 network=\
172.17.17.0
add address=10.11.18.2/30 interface=WG01 network=10.11.18.0
WireGuard Interface
/interface wireguard
add listen-port=13251 mtu=1420 name=WG01 private-key=\
"<--private-key-is-generated-while-creating-interface-->"
WireGuard peer configuration
persistent-keepalive: must be set to at least 10 seconds, otherwise the router will not dial the connection.
/interface wireguard peers
add allowed-address=192.168.8.0/24,10.11.18.0/30 endpoint-address=\
mipapredajna.dyndns.org endpoint-port=13251 interface=WG01 \
persistent-keepalive=10s public-key=\
"<--put-here-public-key-from-Router-1's-WG-interface-->"
Routing
Destination address: network behind router 1 (192.168.8.0/24)
Gateway: WireGuard IP address from router 1 (10.11.18.1)
/ip route
add comment="Routing to Router 1's network" \
disabled=no distance=1 dst-address=192.168.8.0/24 gateway=10.11.18.1 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
Summary
WG interfaces generate their own keys when the interface is created
Put the public key of Router 1’s WG interface into the peer configuration on Router 2 and vice versa
On Router 1, add a route to Router 2’s network and use Router 2’s WG IP address as the gateway, and vice versa (on Router 2, add a route to Router 1’s network with Router 1’s WG IP address as the gateway)
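
Added example (not part of the original page and not a MikroTik tool): a Python check that the two router configurations above agree with each other. WireGuard sends to a peer, and accepts from it, only the addresses listed in allowed-address, so every route through the tunnel has to be covered by that list. The addresses are copied from the page; the SITES layout and the check function are names chosen for this example.

```python
import ipaddress as ip

# Addresses copied from the page; dictionary layout and names are assumptions.
SITES = {
    "Router 1": {"wg": "10.11.18.1/30", "lan": "192.168.8.0/24",
                 "allowed": ["10.11.18.2/30", "172.17.17.0/24"],
                 "route": ("172.17.17.0/24", "10.11.18.2")},
    "Router 2": {"wg": "10.11.18.2/30", "lan": "172.17.17.0/24",
                 "allowed": ["192.168.8.0/24", "10.11.18.0/30"],
                 "route": ("192.168.8.0/24", "10.11.18.1")},
}

def check(sites):
    """Return a list of inconsistencies in a two-router WireGuard plan."""
    problems = []
    (n1, s1), (n2, s2) = sites.items()
    for name, me, peer in ((n1, s1, s2), (n2, s2, s1)):
        wg, peer_wg = ip.ip_interface(me["wg"]), ip.ip_interface(peer["wg"])
        own_lan, peer_lan = ip.ip_network(me["lan"]), ip.ip_network(peer["lan"])
        # The page writes allowed-address with host bits set (10.11.18.2/30),
        # so parse leniently instead of rejecting it.
        allowed = [ip.ip_network(a, strict=False) for a in me["allowed"]]
        dst, gw = ip.ip_network(me["route"][0]), ip.ip_address(me["route"][1])

        if wg.network != peer_wg.network:
            problems.append(f"{name}: tunnel addresses are in different subnets")
        if gw != peer_wg.ip:
            problems.append(f"{name}: gateway {gw} is not the peer's WG address")
        if dst != peer_lan:
            problems.append(f"{name}: route {dst} is not the peer's network")
        # Traffic to a destination outside allowed-address is not sent to the peer.
        if not any(dst.subnet_of(a) for a in allowed):
            problems.append(f"{name}: route {dst} not covered by allowed-address")
        if not any(peer_wg.ip in a for a in allowed):
            problems.append(f"{name}: peer WG address not in allowed-address")
        # allowed-address is also the inbound source filter, so keep it narrow.
        for a in allowed:
            if a.prefixlen == 0 or a.overlaps(own_lan):
                problems.append(f"{name}: allowed-address {a} is wider than needed")
    return problems

if __name__ == "__main__":
    for line in check(SITES) or ["plan is consistent"]:
        print(line)
```
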