laptopwiki:guides:networking:mikrotik:connecttwowithwireguard

Connecting Two Mikrotiks with a Wireguard Tunnel

In this short guide I will show you how to connect two Mikrotiks running RouterOS 7 or higher with Wireguard VPN tunnel.

Disclaimer: This is my personal setup that works for my homelab purposes. If you have any questions or suggestions/improvements, feel free to contact me on LaptopWiki Discord!

Requirements

  1. Two Mikrotik Routers
  2. RouterOS 7 or newer (with Wireguard support)
  3. At least one side with a static public IP address with minimal port blocking
  4. This guide assumes both are directly connected to the internet. It might be possible to do behind NAT with port forwarding but I haven't tried that myself.
  5. Winbox connection to both Mikrotiks at the same time

The following diagram is in Packet Tracer, but it is the easiest way to draw it.

  1. Open Winbox on the left router.
  2. Click Wireguard, Add a new Wireguard interface.
  3. Give it a name and keep the listen port default (it should be 13231) and click OK.
  4. That will create your Wireguard interface. When you reopen the interface, there should be a public key and a private key. We will need both.
  5. Now do the same thing on the right Mikrotik.

Now that you have interfaces on both, we need to create their peers.
In this case, I only want access to my home network, I don’t want to route all of my traffic through there.

  1. We are on the Left Mikrotik again, the one with a public IP address
  2. Go to Wireguard – Peers and create a new Peer
  3. Interface – wireguard interface from previous step
  4. Public Key – Public key from the other Mikrotik
  5. Endpoint and Endpoint port will stay empty
  6. Allowed Address – 172.16.0.0./30 (that is our connecting network between them) and 10.0.1.0/24 (that is the network of the Mikrotik on the right)
  7. Next,
    1. IP – Addresses and add 172.16.0.1/30 to the wireguard1 interface
    2. IP – Routes – New
      1. Dst. Address 10.0.1.0/24
      2. Gateway 172.16.0.2
  1. Now repeat this on the right Mikrotik, but with a few exceptions
  2. In the peer, Endpoint will either be IP address or a domain name/FQDN for your IP address, and Endpoint Port will be 13231
  3. Allowed Address – 172.16.0.0/30 (that is our connecting network between them) and 10.0.0.0/24 (that is the network of the Mikrotik on the right)
  4. Next,
    1. IP – Routes – New
      1. Dst. Address 10.0.0.0/24
      2. Gateway 172.16.0.1

And, I think that should be it. Try pinging on device on one network with another one. Weirdly, my Mikrotiks themselves aren’t able to reach anything on the other network, not sure why here.

dustojnikhummer 31/03/2023 23:38

  • laptopwiki/guides/networking/mikrotik/connecttwowithwireguard.txt
  • Last modified: 31/03/2023 23:38
  • by dustojnikhummer