Hi,

I have the basics of Wireguard down quite well I think. Currently I have a main site which has multiple sites (mikrotik to mikrotik) conencting to it via wireguard via wireguard interface 1. Anyone connected to Main Site A directly on the LAN (e.g. 192.168.5.0/24) can connect through to the other remote sites.

On the main site, I have another wireguard interface 2, which allows connections from remote users.

I am stuck with letting remote user(s) connect to the other remote sites through a existing wireguard connection to the main site.

Hopefully this network diagram helps - excuse the rubbish diagram.. the red lines are wireguard connections:



if nayone can point me in the right direction, it'd be greatly appreciated!

hello,

stuck with letting remote user(s) connect to the other remote sites through a existing wireguard connection to the main site.

from your diagram - apart from any firewall problem,
- do you a working bidirectional route from the wg2 clients to wg remote sites?
- tools : ping and traceroute with src-addr.

if your wg2 clients traceroute to remote sites lost in the first hop (your main site), and

you don't see your wg2 clients packet arrived at any remote sites- then it could be split tunneling to the internet.

if you see the packet arrived at the remote sites - then it means remote routers don't have the route back to wg2 clients.

hope this helps.

Hi there,
You state you have a second wireguard interface on the main router for remote users.
To me its not clear why you decided to create a second interface?
Make it clear what you wish these mobile user to be able to do.

a. reach and config router A main
b. reach and config other Routers B,C,D
c. reach LAN A of router A
d. reach LANs of router B,C,D

Also providing the full config of Router A will help
/export file=anynameyouwish (minus router serial number, public WANIP info, keys etc..)

Hi there,
You state you have a second wireguard interface on the main router for remote users.
To me its not clear why you decided to create a second interface?
Make it clear what you wish these mobile user to be able to do.

a. reach and config router A main
b. reach and config other Routers B,C,D
c. reach LAN A of router A
d. reach LANs of router B,C,D

Also providing the full config of Router A will help
/export file=anynameyouwish (minus router serial number, public WANIP info, keys etc..)

Hi,

Thanks for the reply.

The reason for the separate interface is purely to differentiate a bit easier. It isn't out of the question to put everything onto the same wireguard interface.

I would like to achieve option d - to reach the LANS of routers B, C, D.

I can already reach the LAN of Router A with the existing setup. I cannot quite figure out how to get the next jump to the other remote sites thorugh router A (whilst being on mobile thorugh wireguard)

Well think of the logic,
You are conducting peer to peer connections.
That means your mobile user are dumped onto the main router A.

To reach the other routers for the purpose of being able to configure them two things need to happen,
The Router A has to know how to route to routers B,C,D, this is accomplished quite easily if all are on the same wireguard subnet.

To reach the other routers to reach their Lan, two things have to happen,
The router A has to know how to route to the LANS of B,C,D and thus we have routes for routers B,C,D Lans on Router A.
(The converse is true, each router B, C, D, to read Router A lans must have a route for the LANS.

What should be clear is that if a Subnet or IP address you need to reach is not LOCAL to the current router one has to make a router telling the router where to send the traffic.
What may not be clear but is also true, ALLOWED IPs have to include the subnets you wish to reach at the other END.
HENCE ROUTES and ALLOWED IPs for those non-local subnets have to be added to the config.

Now for the second part of each.................... We have to ensure firewall rules allow the remote users who have just landed at Router A, to basicaly RENTER the tunnel towards Routers B, C, D.
I call this one the RELAY RULE.
add action=accept chain=forward in-interface=wireguard1 out-interface=wireguard1 name

The above rule applies specifically for the case where all are on the same wireguard subnet. In your case you have a different subnet and thus the rule would look a bit different:
add action=accept chain=forward in-interface=wireguardMobileMobile out-interface=wireguard1

In this regard the router would receive a query from the mobile user for a subnet on router D. The router would check if dst address exists on the wireguard allowed IPs. It would find a match for Router D, and know which specific peer to send the traffic down, then using the IP routes, know where to send that information. The relay firewall rule allows the traffic to come in on the mobile wg interface and then go out the main wireguard interface.

By the way you have three options.
a. Put all on same wireguard interface subnet
b. Have two different wireguard interfaces as you have done.
c. Have two separate IP addresses/subnets attached to the same wireguard interface

Example c.
Router A
- address=10.10.10.1/24 interface-wireguard1 network=10.10.10.0
-address=10.20.20.1/24 interface=wireguard1 network=10.20.20.0

In this case the first wireguard rule above covers this, since both are associated with wireguard1.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now at Routers B, C, D, since you have a different wireguard interface and different subnet for mobile users, they would need to have the mobile users on their allowed IPs and you guessed it.....
an IP router for those mobile users.

The same holds true for the different wireguard address but same wireguard interface as the routers B, C, D do not know it exists, so allowed IPs and IP routes.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

In conclusion all on the same subnet is probably the most efficient and less prone to error.
I understand your concern about controlling who goes where.
This is best accomplished IMHO at the receiving router by use of the firewall rules lets say at routers B,C,D.
Here limit where the users from ROUTER A and mobile can access
The same concept at Router A, on the firewall rules limit the access of mobile users and remote lan traffic from B,C,D on the local Router A as you see fit.

@anav

Many thanks for the explanation. I have managed to sort out the issue and your post is well written.