Ultimate MikroTik Wireguard Site-to-Site Guide

Hi Guys,
Just pinning this top comment with some relevant information like the setup or the whitepaper docs. Please use for reference.
Wireguard Whitepaper:
www.wireguard.com/papers/wireguard.pdf
MikroTik Wireguard Material:
help.mikrotik.com/docs/display/ROS/WireGuard
Topology Diagram:
imgur.com/yFp2o8M
Router Configurations:
pastebin.com/VP9Ef0n4

Thanks. I'm already running WG on MT and road warriors, but I'll keep this as a reference. It's clear and complete. Plus with document references as a bonus. Nice.

Amazing step-by-step tutorial. I was running EoIP and desperately wanted to simplify things. Thank you!

Loved the video!! And just addressed my use cases!! I tested the configuration myself and worked flawlessly!! Thanks so much 😎👍

Genuinely impressed with how clearly you explain things. Huge respect.
I'm learning WireGuard with PFSense, but this video is so good and easy to understand, I'm finding it invaluable. That's about as high a compliment as I can give. Thank you for making this video.

VPN made easy! Great work with a detailed guide to the end goal.

Thank's a lot for the really good one on teaching Wireguard on Mikrotik.

Thanks. I was able to create multiple connections to a number of different offices with this. Excellent tutorial.

I made it through using AWS as public CHR and looks cool. Subscribed and thanks to you man. Very clear explanation. Will do the pihole as my next project and will watch your video on this. No skipping on your ads. More power to you!

Thank you so much to provide this content 👏

Thank you very much for the tutorial!

I would love to see how you connect a mikrotik router to a Pritunl server :)
Great videos!

Great guide, easy and as always you give a good explanation on how and why one should do the following things, I just setup an similar setup using your guide, and i had problems with my road warrior routers, they would sometimes prefer to use their own internet connection instead of using "site A" internet connection, to fix this i added/changed the following to the config (corrected so it should match your guide):
/routing table add name=onlyWG fib
/ip route add dst-address=0.0.0.0/0 gwy=WG-MikroTik-C table=onlyWG
/routing rule add src-address=172.16.20.0/24 action=lookup table=onlyWG
if one should wish to only allow internet through the WG tunnel change the action to action=lookup-only-in-table
Note: my Mikrotik bokses are running standard firewall config and are doing NAT.
Note: RouterOS version is 7.14.1 (2024-MAr 08 14:50)

I wasted hours of firewall config and didn't succeed in connecting a Windows client to the mikrotik router. I shall try it again with the ultimate tutorial. Thank you very much for your Videos

Hello Johnny. Thank you for another excellent video.
Would you care to share a little about your "special startup scripts"?
The default firewall script works fairly well, but I'm just curious whether you come up with some "must have" addons?

thank you i am successful . where i had challenge on your design were 'WG-INET1 and WG_INET2' but after reading comment here . you made me understand they are acting as isp . so i nated them . thanks .

very nice guide. thanks for the guide

Hero of Network

Thank you very much. Very good Turorial. Greetings from Germany.

Finally somone who knows what is doing.....GREAT JOB!!!

very useful guide!

Thanks! works 100%!!!! Can I configure and run s2s and road warrior running at the same time? Should I add a new wireguard interface for road warrior? Thanks!!!

Thanks

Grazie.

Thanks for this, I have been pfSense user for long time, but since merger with another company, the others here are Mikrotik fanboys. I am learning Mikrotik and taking this video as a basic , was able to make a WG S2S from an old RB3011 to my 5100 Netgate pfSense. Mikrotik is a little strange compare to pfSense (and everything else really) but I do notice that changes are near instantaneous eg. firewall rules etc. where pfSense has to wait for filters to reload. Having said that, we continue to use pfSense for most new things, just want to learn Mikrotik to support some existing clients.

Great video, .. thanks

Great video. Want to try out wireguard on my 3 site setup that currently is using ipsec tunnels in a triangular topology. All miktotiks have static public IPs and different subnets behind them. In my current ipsec setup if one host goes down the other 2 are still connected. I wish to modify your presented wireguard topology. Do I setup like you have presented with Site A as master and site B &C as clients and add the extra allowed IPs for the other client to the existing client wireguard peer as you have done or should I add an extra peer on each client for the other client (like on Site A) for each client. In your setup are Site B and C still connected if Site A goes down? Thanks

Awesome video, one thing that I'd like to know is how to use "DNS" between wireguard tunnels so we don't need to remember IP every time, is that possible ?

Great video! I was able to follow this perfectly. I can ping site to site with these access points, but when I plug any device into any ethernet port, the tunnel is bypassed. I think I'd need to make a separate bridge and set up the device as a router. Is there any way I can do this so that devices that connect to these will be able to access the subnets?

Please make a video tutorial on how to connect a Mikrotik router to a pfSense firewall using WireGuard.Thanks You

Thank you very much for this great video. I had an issue with the config. There was no ping possible until I added the IPof the other WG Device (or change the allowed IPs to the subnet of the WG interface) is this a bug or did I do anything different?

Last thing last, if you don't mind. Would there be any particular problem with setting a, say, hybrid wireguard network, consisting of a S2S one (like the site a and the site b in your video above) and a few' road warrior' clients which want to connect to the server network (site a)? Thanks

Oh... Don't get me started on ISPs... If anybody is even thinking about any usable VPN connection it's recommended that at least one endpoint has public IP. It will make your life so much easier... I had multiple LTE Mikrotiks on multiple locations and until we got an internet connection with public IP it was a nightmare to get tunnels working... You speak with an ISP, they "fix" the problem... A couple of days later the same sh*t. Now the server is on public ip and no more problems with random connection dropouts.
Also, a great video as always, that is some quality content, glad to see that you manage to make videos even now when you are a father :) Maybe one day we will have The Network Berg jr. Hehe

what are the firewall/nat rules we need to use in order to connect from our phone to our router and access the internet via the tunnel?
could you export that part of the config?

BTW, Nice new look.

Thank you so much for this great tutorial. I have a question regarding my setup. I have a MikroTik router with two PPPoE connections and I'm using PCC for load balancing. I want to use WireGuard on this router to make it the main server. My goal is to achieve a site-to-site VPN where, for example, when a client server (like another MikroTik router) connects, it can utilize both PPPoE connections' upload speeds simultaneously. I've heard this might not be possible. Is that correct? Please let me know. Thank you in advance!

Is there a way to do site C but have Site A be on dynamic DNS, so you can't have that static route to A?

At time 0850, it should be made clear that yes, allowed address can be viewed As THE STUFF on the other side of the equation but it one should ensure the full picture is provided --->it is more accurate to say what one is trying to reach at the other side "to get to", but ALSO, what source addresses are incoming from the other side "coming from". (Both are indeed concerning the other side, but the nuance I am adding is that the need for traffic considerations should be viewed as BI_DIRECTIONAL. For example you have articulated the requirement for traffic from ServerA to reach Subnet 172.16.20.0/24 at the B-device LAN. This is important due to crypto key routing where you have tell Router A, which destination IPs are allowed to enter the tunnel outbound. This serves double duty in case the same subnet on B device wants to access one of the local Router A lan subnets. Since the list of incoming source IPs is ALREADY in the allowed IPs, it will be allowed to reach the Server A subnets ( with appropriate firewall rules and routes of course). In other words crypto key routing on the inbound tunnel traffic, uses the allowed IPs to permit identified incoming source addresses to exit the tunnel at Server A. To drive this home consider a different lan subnet at Site-B 10.10.10.0/24 (made up), that needs access to the subnet on Server A. Even though there is no intention for anyone on Server A to reach that subnet, the admin must include this new subnbet as allowed IPs on the Server A setup to address the incoming IPs and to ensure they are allowed to exit the tunnel at Server A.

How to troubleshoot/make Site C(roadwarrior) to talk to master Site B if there is a problem with NAT and the main modem/router at home is confused due to ips being on 192 for all mikrotiks?

how would one get site b's listening port to be random on every reconnection? i have a setup similar to the one in the video, with a central mikrotik wireguard server that has a static public IP address and all ports available to the mikrotik router, while site B is a mikrotik router that constantly moves around changing internet connections supplied through other routers (double NAT). The other devices and what ports they use are unknown to me and i do not want to create a conflict. I have been running this setup with OVPN for a while now (only complain is performance) and noticed the clients will always use random source ports, constantly changing until they get a connection. the mikrotik wireguard client will only use the source port that i specify and doesn't look like it will deal with a port conflict issue for reply traffic. am i missing something?

I have an EOIP tunnel between two of my Mikrotiks, the remote end doesn't have any local addressing just a bridge with the VLANS, and clients get a DHCP lease across the default vlan on the tunnel. Can this same setup be achieved with wireguard?

Thank you so much

Thanks for another great Video. On 17:00 the chain must set tu input - right?

I didn't understand what the WG-INET1 and WG_INET2 routers are exactly for? Wouldn't it be just fine connect SITE A and SITE B router to the "NET" item? Thanks

The UDP 13231 shall be "chain=input" right? Because we access the router itself, the router is the server...

Where do one find the public IP for the Mikrotik router? Say if you wanna just use a phone to wireguard "home" to your router?

Great tutorial.
It all worked. Almost.
I can reach site A from B and from C. Site A can reach both. But b cannot ping c. When I traceroute it goes to wg 0.1 lan and stuck. So it reaches site A and goes nowhere.
What’s interesting when I connect to site A from B network using l2tp its routes well.

It seams that the routing for the Wireguard net is automatic in 7.6.
DAc 192.168.250.0/24 wireguard_HQ 0
And a big thank you.

Thank you,
My idea I want to connected my site A To mobile "Android" like vpn site to remote.
In mobile also download the WireGuard application but the vpn connect as well to WireGuard server with "Tx,Rx" but I cant access to my local server from mobile !!?
Whats the problem

Great video.. as always!!! Question: trying to do a Site-to-Multisite (hub/spoke) with each endpoint having their own subnet. Can this be done with 1 WG interface and multiple Peers or do we need to build a WG interface on the Hub Router for each site endpoint? We also need each site to reach every other site in said topology. We set it up with 1 WG/multi peers and we can ping the far end router subnet interface but not the devices within the network. very strange..

Interesting. I was working with some routers, where WG worked, but those tunnels did not have assigned local IP addresses to WG interfaces. They used static routes to forward traffic and instead of IP address, route contains the WG interface name. How is that it works? And is that a good aproach, to not have local addresses assigned to WG interfaces?

hello, is it possible to short circuit s2s with nat?
probably not but I wanted to ask
Regards
Daniel

How can you use one site as an exit node (route all traffic)?

Hi ,I'm very rookie about MikroTik so I didi so many Tims to run wirguard between my router and iPhone unfortunately I don't have send and receive data could u please tell me how I can run it? very appreciate

Hi The Network Berg. Im trying to configure SiteToMultiSite (20+) Wireguard .. with OSPF, but with no luck .. Is it possible ?I need to route all network at all sites ... (IPSeck +L2TP work .. ) firewall will blok unnessesary comunication ... Thanks

This was extremely well put together! One question, what if my main site does not have a static IP address? I have a domain that I update with DDNS, can I point it to the domain instead of the ip address?

is it possible to make SITE A (router server) connected to SITE B (router client), and then i make another wireguard interface on the SITE A (server) with a client to site connection to windows pc (windows pc needs to reach the lan of site B ) is it possibile ? i mean i site to site with ROUTER A and ROUTER B and then a client pc connected witch router A needs to reach router b lan.

If we have internet 1000/1000 on 2 sides What is the maximum speed possible?

Really good guide. Just one thing: how do you handle things if Site A only has a dynamic ip with DynDns? The Linux version has scripts to track IP changes and restart the IF. I thing in a typical home user scenario DynDns is part of the equation and should be covered :) is there a solution for mikrotik?

In my case, I have several users who access their devices remotely. I would like to know how to configure all of them in a more practical way, similar to OPENVPN. I would send a file which the user would import into the application, and then it would be configured automatically

Hello, nice video. What is the name of the service where you draw the diagram?

my network is behind an ISP dmz. All ports are dumped to my router. Cant seem to get any vpn to connect. Would be nice if you made a video on how to do an eoip tunnel or wiregaurd through a dmz.

Hi there. Just a little confused re: a Firewall rule you set at 16:27 on Site B as well as 17:26 on Site A. In your narrative, you describe the need to set the chain parameter to input, but in the video, the Site A firewall rule chain is set to "forward". I presume "input" would be correct?

My pcs in site B simply dont ping a pc in site A. But Mikrotiks ping each other in winbox. I simply dont understand why!

wireguard mk 1 and wireguard mk 2 with android client, i have access to both local lan (0.1/24 and 4.1/24). But wireguard site to site with mk1 and mk2, cannot access local lan. Pc(0.8) mk1 dont acess pc Pc(4.5) mk2. Any help?

Hi. I didn't understand what exactly WG-INET1 and WG-INET2 routers are for. Wouldn't connecting SITE_A and SITE_B routers directly to the "NET" item be just fine? Thanks

how to troubleshoot if the NATTing problem is not letting the Site B to talk to Site A? Like, you can see that Site A is xfering data but Site B is not talking to Site A back?

This works, I found the Mikrotik documented steps dont work.

Another nice video, but I have some question. At 19:50 you enter this address 192.168.149.152, but I do not see it in your diagram. (All used IP must be on the diagram). If this is the site C outside router IP and this is a road warrior, you should specify interface instead if IP. At 20:20 you get a different listen port than 13231 and you do not change it. Is it ok with different port on each side?

I can't, for the life of me, get this to work.
I tried the configuration example from mikrotik, from the second link, before coming here, I then tried following your video, nothing again.

hello friend I have a question to which I have not found an answer I need to know if wireguard in Mikrotik does not have any method to add src.address

Does this work if I have a WireGuard Server and want to use the router as the client?

Hey, I have tried everything but still got no success using wireguard. Can you personally help a bit?

Problem with this VPN solution is that it requires to have both sides conigured with specific IPs and it will not work with dynamic IPs.

Sir if i active fasttrack wireguard not work

why mine is not working

I have bandwidth 500mb up and down on both sites. Bandwidth test give almost 500mb up and down. But in browsing speedtest gives almost 400mb down but upload is not more than 30mb. Any idea how can I troubleshoot?

What's your tools for network simulate in 192.168.149.157/lagecy ?

Have you considered making a newer video reflecting latest changes, there is quite a difference in Peer tab in addition to public key it’s also asking for a private key

Thank you so much