Here is how we will want our routers set up. The WireGuard PtP IP is the IP addresses used on both ends of the tunnel. The WAN IP is the IP of each Router. Local IP on Host B is setup to distribute DHCP.<\/p>\n\n\n\n
Host A<\/strong><\/p>\n\n\n\n WAN IP: 172.16.0.1 <\/p>\n\n\n\n <\/p>\n<\/div>\n\n\n\n Host B<\/strong><\/p>\n\n\n\n WAN IP: 10.0.0.2 We need Host A to be able to access Private IP’s (192.168.0.0\/24) behind Host B.<\/p>\n\n\n\n We’ll pretend that the 172.16.0.1 address is a public IP, and Host B, is behind some sort of NAT network.<\/p>\n\n\n\n To create the Point-to-point, or PtP, we will create a WireGuard VPN tunnel, and then add routes from Host A to Host B.<\/p>\n\n\n\n For each Mikrotik we need to create a WireGuard interface, and then a peer. One of the peers needs a keep alive if we are behind a NAT.<\/p>\n\n\n\n Here is an overview screenshot of what our WireGuard settings will look like. Host A is on top, and Host B on the bottom. On the left are the WireGuard interfaces, and the right contains the Peers. <\/p>\n\n\n\n We copy the Public Key from the remote WireGuard interface, to the Public Key on the local Peer. I.e. The Host_B Peer contains Host_A’s Interface Public Key and vice verse<\/p>\n\n\n\n If you want to, you can use the WinBox GUI to setup and configure the router.<\/p>\n\n\n\n Create the WireGuard interface<\/p>\n\n\n\n Add IP address 10.1.1.1\/30 to the newly created WireGuard Interface in \/IP\/Address<\/p>\n\n\n\n Create WireGuard Peer, WireGuard -> Peers<\/p>\n\n\n\n Add route for 192.168.0.0\/24 to point to 10.1.1.2<\/p>\n\n\n\n *The Allowed Address sets which addresses work on the other side of the tunnel. If we don’t specify 192.168.0.0\/24, then we won’t be able to route to those addresses. If we don’t add 10.1.1.0\/30, then our tunnel won’t work at all. Since we only need to route to the 192.168.0.0\/24 network from the Host A side, we don’t need this IP range on Host B.<\/em><\/p>\n\n\n\n Create the WireGuard interface, WireGuard -> Add<\/p>\n\n\n\n Add IP address 10.1.1.2\/30 to the newly created WireGuard Interface in \/IP\/Address<\/p>\n\n\n\n Create a WireGuard Peer, WireGuard -> Peers<\/p>\n\n\n\n <\/p>\n\n\n\n That should be it. Verify that there is a connection. From Host A, ping 192.168.0.1 or any other remote device.<\/p>\n\n\n\n <\/p>\n\n\n\n Unfortunately, there appear to be some wonky bugs with WireGuard on RouterOS. It does appear to be getting better, but here are a couple things to check if the tunnel is not connecting.<\/p>\n\n\n\n We’ll create a tunnel between two Mikrotik RouterOS routers. Once we have the tunnel connected, we can then route traffic between them. Note: You can add Preshared keys, but we don’t cover that in this post, just to keep things … Continue reading
WireGuard PtP IP: 10.1.1.1\/30<\/p>\n\n\n\n
WireGuard PtP IP: 10.1.1.2\/30
Local IP: 192.168.0.1\/24<\/p>\n<\/div>\n<\/div>\n\n\n\nWireguard Setup Overview<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2023\/08\/image-4-1024x854.png\")
<\/a><\/figure>\n\n\n\nHost A<\/h2>\n\n\n\n
\/interface\/wireguard\/add name=wireguard-Host_A disabled=no<\/pre>\n\n\n\n
\/ip\/address\/add address=10.1.1.1\/30 interface=wireguard-Host_A disabled=no<\/pre>\n\n\n\n
\n
Note that we can’t do this until we create the WireGuard Interface on Host B, so you’ll need to come back for this step<\/em>.<\/li>\n<\/ul>\n\n\n\ninterface\/wireguard\/peers\/add interface=wireguard-Host_A public-key=HOST_B_WG_PUBLIC_KEY allowed-address=10.1.1.0\/30,192.168.0.0\/24<\/pre>\n\n\n\n
\/ip\/route\/add dst-address=192.168.0.0\/24 gateway=10.1.1.2<\/pre>\n\n\n\n
Host B<\/h2>\n\n\n\n
\/interface\/wireguard\/add name=wireguard-Host_B disabled=no<\/pre>\n\n\n\n
\/ip\/address\/add address=10.1.1.2\/30 interface=wireguard-Host_B disabled=no<\/pre>\n\n\n\n
\n
\/interface\/wireguard\/peers\/add interface=wireguard-Host_A public-key=HOST_A_WG_PUBLIC_KEY endpoint-address=172.16.0.1 endpoint-port=13231 allowed-address=10.1.1.0\/30 persistent-keepalive=00:00:30<\/pre>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
Troubleshooting<\/h2>\n\n\n\n
\n