🔧 About Wireguard and MikroTik
Author: May Meow

WireGuard network: 10.11.18.0/30 allows exactly two IP addresses to be assigned; if you have more routers you will need a larger range.

|              | Site 1 (Router 1) | Site 2 (Router 2) |
|--------------|-------------------|-------------------|
| WireGuard IP | 10.11.18.1/30     | 10.11.18.2/30     |
| Router IP    | 192.168.8.1/24    | 172.17.17.1/24    |
| Network      | 192.168.8.0/24    | 172.17.17.0/24    |

Router 1 (a.k.a. Server)

Addresses configuration

  • IP Address: 192.168.8.1/24
  • Network: 192.168.8.0/24
  • WG Address: 10.11.18.1/30
/ip address
add address=192.168.8.1/24 comment="Router 1's home network" interface=\
    bridge-local network=192.168.8.0
add address=10.11.18.1/30 interface=WG01 network=10.11.18.0

WireGuard interface

/interface wireguard
add listen-port=13251 mtu=1420 name=WG01 private-key=\
    "<--private-key-is-generated-while-creating-interface-->"

Wireguard peer configuration

  • allowed-address: the addresses of the networks/devices that should be reachable through the VPN tunnel
/interface wireguard peers
add allowed-address=10.11.18.2/30,172.17.17.0/24 interface=WG01 public-key=\
    "<--put-here-public-key-from-Router-2's-WG-interface-->"

Routing

  • Destination address: network behind router 2 172.17.17.0/24
  • Gateway: WireGuard IP address from router 2 10.11.18.2
/ip route
add comment="Routing to Router 2's network" disabled=no distance=1 dst-address=172.17.17.0/24 \
    gateway=10.11.18.2 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10

Router 2 (a.k.a. Client)

Addresses configuration

  • IP Address: 172.17.17.1/24
  • Network: 172.17.17.0/24
  • WG Address: 10.11.18.2/30
/ip address
add address=172.17.17.1/24 comment="Router 2's home network" interface=br1 network=\
    172.17.17.0
add address=10.11.18.2/30 interface=WG01 network=10.11.18.0

WireGuard Interface

/interface wireguard
add listen-port=13251 mtu=1420 name=WG01 private-key=\
    "<--private-key-is-generated-while-creating-interface-->"

WireGuard peer configuration

  • persistent-keepalive: must be set to at least 10 seconds, otherwise the router will not dial the connection.
/interface wireguard peers
add allowed-address=192.168.8.0/24,10.11.18.0/30 endpoint-address=\
    mipapredajna.dyndns.org endpoint-port=13251 interface=WG01 \
    persistent-keepalive=10s public-key=\
    "<--put-here-public-key-from-Router-1's-WG-interface-->"

Routing

  • Destination address: network behind router 1 192.168.8.0/24
  • Gateway: WireGuard IP address from router 1 10.11.18.1
/ip route
add comment="Routing to Router 1's network" \
    disabled=no distance=1 dst-address=192.168.8.0/24 gateway=10.11.18.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

Summary

  • The WG interfaces generate their own keys when the interface is created
  • Put the public key of Router 1’s WG interface into the peer configuration on Router 2, and vice versa
  • On Router 1, add a route to Router 2’s network using Router 2’s WG IP address as the gateway, and vice versa (on Router 2, a route to Router 1’s network using Router 1’s WG IP address as the gateway)
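
A consistency check for the two-router plan summarised above, as an added example that is not part of the original post: it verifies that each route is covered by the peer's allowed-address and that allowed-address is no wider than the peer's LAN and the tunnel network. The dictionary layout and the function name `check` are assumptions made for illustration; the addresses are the ones used on this page.

```python
import ipaddress as ip

# Constructed from the addresses used on this page; keys are left out.
ROUTERS = {
    "router1": {"wg": "10.11.18.1/30", "lan": "192.168.8.0/24",
                "peer_allowed": ["10.11.18.2/30", "172.17.17.0/24"],
                "route": ("172.17.17.0/24", "10.11.18.2")},
    "router2": {"wg": "10.11.18.2/30", "lan": "172.17.17.0/24",
                "peer_allowed": ["192.168.8.0/24", "10.11.18.0/30"],
                "route": ("192.168.8.0/24", "10.11.18.1")},
}


def check(routers):
    """Return a list of problems in a two-router site-to-site plan."""
    problems = []
    (n1, r1), (n2, r2) = routers.items()
    wg1, wg2 = ip.ip_interface(r1["wg"]), ip.ip_interface(r2["wg"])
    if wg1.network != wg2.network or wg1.ip == wg2.ip:
        problems.append("WG addresses must be distinct hosts of one network")
    if ip.ip_network(r1["lan"]).overlaps(ip.ip_network(r2["lan"])):
        problems.append("LAN networks overlap, so routes are ambiguous")
    for name, me, peer, peer_wg in ((n1, r1, r2, wg2), (n2, r2, r1, wg1)):
        # The page writes 10.11.18.2/30 (host bits set), hence strict=False.
        allowed = [ip.ip_network(a, strict=False) for a in me["peer_allowed"]]
        dst = ip.ip_network(me["route"][0])
        gw = ip.ip_address(me["route"][1])
        if gw != peer_wg.ip:
            problems.append(f"{name}: gateway {gw} is not the peer's WG IP")
        if dst != ip.ip_network(peer["lan"]):
            problems.append(f"{name}: route {dst} is not the peer's LAN")
        # WireGuard picks the peer by destination and drops packets whose
        # destination (outbound) or source (inbound) is outside allowed-address.
        if not any(dst.subnet_of(a) for a in allowed):
            problems.append(f"{name}: route {dst} not in allowed-address")
        if not any(peer_wg.ip in a for a in allowed):
            problems.append(f"{name}: peer WG IP not in allowed-address")
        # Anything wider than the peer's LAN and tunnel lets the peer source
        # traffic from addresses it does not own.
        for a in allowed:
            if not (a.subnet_of(ip.ip_network(peer["lan"]))
                    or a.subnet_of(peer_wg.network)):
                problems.append(f"{name}: allowed-address {a} is too broad")
    return problems


if __name__ == "__main__":
    print(check(ROUTERS) or "plan is consistent")
```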