Can someone please explain (in simple terms) if there is any benefit or reason one would set up BTH if one already has a WireGuard VPN set up?
Thanks.
Well, the other benefit to BTH, even with static/public IPs, is that the MikroTik BTH apps (for phone/desktop) automatically create the peers from the username. BTH will ONLY use MikroTik's cloud if a direct connection isn't possible. Basically a cloud server operated by MikroTik connects the two ends, so that they can punch out of a connection they have which is not public and reach each other.
I think this is a very, very big benefit. The technical benefit was well explained above, but another benefit (does not apply in your case) is that BTH is easy to set up if you do not know how to configure WireGuard and would like to avoid learning RouterOS. The BTH app does it in a few steps; all you need is the router password. No need to connect to the router with Winbox or anything else. The app does it all for you.
@normis: "...all you need is the router password. No need to connect to router with Winbox or anything else. App does it all for you."
With WireGuard users have control over every aspect .... With BTH, users delegate control over to BTH .... I prefer that users have complete control over the process. Winbox is also not open source. What is your point?
It also has a "sharing" feature, where the person with the router password creates another peer. These additional "BTH users" (e.g. WG peers) can be managed by the admin in Winbox/CLI. I prefer that users have complete control over the process.
BTH is an excellent idea for home users .... But it's still more of a config wizard to create peers, & you can see the config it generates in WG, so nothing is hidden, as @normis points out.
This has come up a few times.... Maybe @normis/etc. can comment on it somewhere. Although it's WG-specific, not BTH-specific. WG+multi-WAN just doesn't align with the packet flow diagram, so it's difficult to say what's right.
Create a routing rule with source of the WAN2 IP address, and force all such traffic to a table pointing to WAN2.
OR, even sneakier,
Dst-NAT traffic to the WireGuard port on WAN2, to-address=WAN1.
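The routing-rule approach suggested above, written out as an added RouterOS v7 example (not configuration from this thread or from MikroTik); the interface roles, addresses, gateway and table name are assumed placeholders:

```routeros
# Added example: keep WireGuard replies that arrived on WAN2 leaving via WAN2.
# Assumed placeholders: WAN1 = 198.51.100.2/24 (gw 198.51.100.1, main table default),
# WAN2 = 203.0.113.2/24 (gw 203.0.113.1).

# A separate routing table with its own FIB, holding only a default route via WAN2.
/routing table add name=via-wan2 fib
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-wan2 comment="default via WAN2 only"

# Policy routing: any packet the router itself sources from the WAN2 address
# (WireGuard handshake and data replies included) is looked up only in via-wan2,
# so it cannot fall back to the main table's WAN1 default route.
/routing rule add src-address=203.0.113.2/32 action=lookup-only-in-table table=via-wan2 comment="WAN2-sourced traffic returns via WAN2"

# Checks: the rule should be active and the table should hold the WAN2 default.
# /routing rule print
# /ip route print where routing-table=via-wan2
```

Because the rule matches on source address rather than on mangle marks, it does not depend on the connection-mark flow that the thread says mis-handles locally terminated WireGuard traffic.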
I'm not sure how BTH would interfere with other WG config. BTH with a "real" public IP would still use DDNS, but still does not "punch out" any ports – a BTH peer just uses snXXXX.vpn.mynetname.net instead of the WAN address directly. But "native" WG can also use DNS names too. In both cases, it's what's resolved as the address from DNS that matters. If /ip/cloud does NOT say "behind a NAT", a proxy will NOT be used (or at least it shouldn't) - e.g. BTH is the same WG, just with DNS as the peer address for clients (to preserve the ability to use a proxy WITHOUT adjusting peer configuration if later the BTH router's WAN changes to CGNAT or something).
b. BTH configurations where the Peer (server for handshake) has a public IP and has no need to punch out to the proxy MT WG server.
The issue really comes up ONLY in multi-WAN, where both the WG and BTH variants can run into the SAME trouble if mangle rules are used for multi-WAN routing. I do agree with you that you have discovered a BTH bug …. Traffic originating on WAN2 should return to WAN2 ….. surprised that MikroTik have not commented on this behavior…. RouterOS must honor WireGuard routing behavior….