Wireguard vs OpenVPN: Site-to-Site

Posted: Thu May 04, 2023 5:01 am
by oguruma
I have a couple of LtAP Minis with an LTE modem in my vehicles to act as mobile routers. The LtAP (and the laptop connected to it) needs to update a database on the office network, and the office network may periodically need to access the in-vehicle recorder on the vehicles' mobile networks.

I want to use some kind of VPN to tunnel back to the main office. I have experience using OpenVPN, but I think Wireguard would be the better solution for this.

What is involved, generally, with using Wireguard as a Site-To-Site, Split-Tunnel VPN?

The mobile routers (LtAPs) don't have static IPs, and they seem to change very often. Would I have to use a script to update Dynamic DNS?

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Thu May 04, 2023 10:02 am
by holvoetn
Wireguard is (performance- and setup-wise) better/easier than OpenVPN (IMHO).
It is also "lighter" (less overhead), yielding better throughput.
(Or, if you turn it around: if you are on a limited data plan, it uses less data volume.)

You only need 1 fixed, externally reachable IP for the communication to work. It can be dynamic, but then some scripting may be needed to update those pointers sometimes. In general Wireguard will figure things out on its own, but sometimes (especially at startup, when DNS resolution is not yet functional) it may experience a hiccup. (Technically: Wireguard will start, try to resolve, fail and then stop completely.)
Plenty of examples available to solve that "little problem" (that was intentionally sarcastic 8) ).

Personal experience:
I used to have a vacation house in France with an SXT LTE modem. So no externally reachable IP, only CGNAT.
I used Wireguard to connect back to my house (dynamic IP). No problems getting the tunnel working.
Even when driving on the highway (not me, my wife is driving then :lol: ) I can, without any problems, use my cell to connect via WG back home. The connection gets dropped occasionally on each cell handover or when crossing borders, but each time the connection comes back up on its own.

My view. Others may have other experiences/suggestions.

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Fri May 05, 2023 1:17 am
by anav
Holvoe, regarding this vacation house, when it is not being used... ;-)

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Fri May 05, 2023 4:48 am
by oguruma
> Wireguard is (performance- and setup-wise) better/easier than OpenVPN (IMHO).
> It is also "lighter" (less overhead), yielding better throughput.
> (Or, if you turn it around: if you are on a limited data plan, it uses less data volume.)
>
> You only need 1 fixed, externally reachable IP for the communication to work. It can be dynamic, but then some scripting may be needed to update those pointers sometimes. In general Wireguard will figure things out on its own, but sometimes (especially at startup, when DNS resolution is not yet functional) it may experience a hiccup. (Technically: Wireguard will start, try to resolve, fail and then stop completely.)
> Plenty of examples available to solve that "little problem" (that was intentionally sarcastic 8) ).
>
> Personal experience:
> I used to have a vacation house in France with an SXT LTE modem. So no externally reachable IP, only CGNAT.
> I used Wireguard to connect back to my house (dynamic IP). No problems getting the tunnel working.
> Even when driving on the highway (not me, my wife is driving then :lol: ) I can, without any problems, use my cell to connect via WG back home. The connection gets dropped occasionally on each cell handover or when crossing borders, but each time the connection comes back up on its own.
>
> My view. Others may have other experiences/suggestions.

So if the tunnel/peers are set up on both ends, that's all there is to it? So if a device connected to the mobile router tries to access a resource on the "home" network (192.168.1.0/24), the mobile router will send that through the Wireguard tunnel without having to configure a separate interface on the mobile router?

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Fri May 05, 2023 7:50 am
by holvoetn
Yes, provided initial config is correct.
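What "initial config" looks like for the vehicle side, as an added RouterOS example (not configuration posted by anyone in this thread): the interface, the single office peer whose allowed-address doubles as the split-tunnel scope, the route that actually steers 192.168.1.0/24 into the tunnel, and a scheduled script that re-resolves the office endpoint so the startup DNS hiccup described above does not leave the tunnel dead. The interface name wg-office, office.example.com, port 13231, the 10.255.0.0/30 transfer net and the key placeholders are all assumptions.

```routeros
# Vehicle (LtAP) side of a split-tunnel site-to-site setup. Placeholders:
# keys, office.example.com, port 13231, 10.255.0.0/30 transfer net.
# The office side mirrors this, except its peer entry for the LtAP has
# no endpoint (the LTE side sits behind CGNAT and always dials out) and
# carries the vehicle LAN in allowed-address; the office firewall also
# needs an input rule accepting UDP 13231 ahead of its drop rules.
/interface/wireguard add name=wg-office listen-port=13231 \
    private-key="<LTAP-PRIVATE-KEY>"

# allowed-address is both the cryptokey filter (what this peer may send)
# and the split-tunnel scope: only the office LAN and the transfer net.
# The comment holds the DNS name so the script below can re-resolve it.
# persistent-keepalive keeps the CGNAT mapping alive for office->vehicle.
/interface/wireguard/peers add interface=wg-office \
    comment="office.example.com" public-key="<OFFICE-PUBLIC-KEY>" \
    endpoint-address=office.example.com endpoint-port=13231 \
    allowed-address=10.255.0.1/32,192.168.1.0/24 persistent-keepalive=25s

/ip/address add address=10.255.0.2/30 interface=wg-office

# RouterOS does not install routes from allowed-address (wg-quick does),
# so this route is what sends 192.168.1.0/24 into the tunnel while all
# other traffic keeps using the LTE default route.
/ip/route add dst-address=192.168.1.0/24 gateway=wg-office

# Script "wg-reresolve": resolve the name kept in the peer comment and
# re-apply the endpoint when the address changed, or when resolution
# failed at boot. The first run replaces the hostname in endpoint-address
# with the resolved IP; the name itself lives on in the comment.
# Save this body under /system/script as wg-reresolve.
:local host "office.example.com"
:local p [/interface/wireguard/peers find where comment=$host]
:if ([:len $p] != 1) do={ :error "wg-reresolve: no peer with comment $host" }
:local want ""
:do { :set want [:resolve $host] } on-error={
    :log warning "wg-reresolve: cannot resolve $host yet"
}
:if ([:typeof $want] = "ip") do={
    :local have [:tostr [/interface/wireguard/peers get $p endpoint-address]]
    :if ([:tostr $want] != $have) do={
        :log info "wg-reresolve: $host $have -> $want"
        /interface/wireguard/peers set $p endpoint-address=$want
    }
}

# Run it every minute; a change of endpoint-address triggers a new handshake.
/system/scheduler add name=wg-reresolve interval=1m on-event=wg-reresolve
```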

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Fri May 05, 2023 7:51 am
by holvoetn
> Holvoe, regarding this vacation house, when it is not being used... ;-)
We sold the place.
Too much trouble to maintain a second house 930km away.

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Fri May 05, 2023 9:29 am
by Larsa
For the least amount of hassle, I highly recommend using ZeroTier or TailScale on your laptop and at your office (for example on your workstation). Then you don't have to worry about IP address changes, and it's completely transparent whether you connect your laptop using the LtAP, WiFi at a coffee shop or wherever.

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Fri May 05, 2023 9:46 am
by holvoetn
While I understand your suggestion, it's easier to have the tunnel set up in the LtAP itself.
And then ZeroTier is out of the question.

Otherwise you need to foresee ZT clients on each and every device potentially connecting to those LtAPs.

And performance-wise I still think WG beats ZT (on the devices I tested with).

Re: Wireguard vs OpenVPN: Site-to-Site

Posted: Fri May 05, 2023 10:07 am
by Larsa
TailScale = WireGuard with SD-WAN functionality, which is totally free of hassle. SD-WAN is incredibly much easier than setting up WireGuard on the LtAP, which btw can't cope with CG-NAT (i.e. double-NAT) problems and also needs tailor-made scripts for handling dynamic IP address changes.

IMO, SD-WAN is really a no brainer when traveling around compared to just using WireGuard. TailScale vs ZeroTier is purely academic in this case.

PS:
When it comes to performance, ChaCha20 (WG) is slightly more favorable on low-end devices than AES (ZT). However, at higher speeds, where there is support for AES hardware offload (e.g. x64/ARM64), ZT outperforms WG by a large margin.