Administration

🔧 About Wireguard and MikroTik

Wireguard network: 10.11.18.0/30 allow to set exactly two IP addresses, if you have more routers you will need a larger range.

Site 1 (Router 1)Site 2 (Router 2)
Wireguard IP10.11.18.1/3010.11.18.2/30
Reouter IP192.168.8.1/24172.17.17.1/24
Network192.168.8.0/24172.17.17.0/24

Router 1 (a.k.a. Server)

Addresses configuration

  • IP Address: 192.168.8.1/24
  • Network: 192.168.8.0/24
  • WG Address: 10.11.18.1/30
1
2
3
4

/ip address
add address=192.168.8.1/24 comment="Router 1's home network" interface=\
    bridge-local network=192.168.8.0
add address=10.11.18.1/30 interface=WG01 network=10.11.18.0

WireGuard interface

1
2
3

/interface wireguard
add listen-port=13251 mtu=1420 name=WG01 private-key=\
    "<--private-key-is-generated-while-creating-interface-->"

Wireguard peer configuration

  • allowed-address: put there addresses of networks/devices that should be accessed trough VPN tunnel
1
2
3

/interface wireguard peers
add allowed-address=10.11.18.2/30,172.17.17.0/24 interface=WG01 public-key=\
    "<--put-here-public-key-from-Router-2's-WG-interface-->"

Routing

  • Destination address: network behind router 2 172.17.17.0/24
  • Gateway: WireGuard IP address from router 2 10.11.18.2
1
2
3
4

/ip route
add comment="Routing to Router 2's network" disabled=no distance=1 dst-address=172.17.17.0/24 \
    gateway=10.11.18.2 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

Router 2 (a.k.a. Client)

Addresses configuration

  • IP Address: 172.17.17.1/24
  • Network: 172.17.17.0/24
  • WG Address: 10.11.18.2/30
1
2
3
4

/ip address
add address=172.17.17.1/24 comment="Router 2's home network" interface=br1 network=\
    172.17.17.0
add address=10.11.18.2/30 interface=WG01 network=10.11.18.0

WireGuard Interface

1
2
3

/interface wireguard
add listen-port=13251 mtu=1420 name=WG01 private-key=\
    "<--private-key-is-generated-while-creating-interface-->"

WireGuard peer configuration

  • persistent-keepalive : It must be set for at least 10 seconds, otherwise the router will not dial the connection.
1
2
3
4
5

/interface wireguard peers
add allowed-address=192.168.8.0/24,10.11.18.0/30 endpoint-address=\
    mipapredajna.dyndns.org endpoint-port=13251 interface=WG01 \
    persistent-keepalive=10s public-key=\
    "<--put-here-public-key-from-Router-1's-WG-interface-->"

Routing

  • Destination address: network behind router 1 192.168.8.0/24
  • Gateway: WireGuard IP address from router 1 10.11.18.1
1
2
3
4
5

/ip route
add comment="Routing to Router 1's network"
    disabled=no distance=1 dst-address=192.168.8.0/24 gateway=10.11.18.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

Summary

  • WG Interfaces generating their own keys while configuring interface
  • Put public key of Router 1’s WG interface to peer configuration on Router 2 and vice versa
  • On Router 1 add router to Router 2’s network and as gateway use Router 2’s WG IP address and vice versa (on Router 2, Router 1’s network and as gateway use Router 1’s WG IP address)