knowledgemonster
newbie
Topic Author
Posts: 36
Joined: Fri Dec 04, 2015 3:47 pm
Location: Ontario Canada

windows client wireguard vpn ip

Fri Nov 17, 2023 5:21 pm

Hi,

Before I knew about WireGuard in MikroTik I used L2TP+IPsec. With L2TP+IPsec I could give the client an IP address that is on the same network as the LAN he was connecting to. Is this possible with WireGuard? If so, please share how it's done.

To clarify:
LAN network is 192.168.2.0/24
Windows client installs WireGuard and is away from the office and wants to connect and have an IP on that same network (192.168.2.0/24)

The way I do it now is like this:
[Interface]
PrivateKey = someprivatekey
ListenPort = 21232
Address = 10.255.199.3/32
DNS = 19.168.2.1

[Peer]
PublicKey = somepublickey
AllowedIPs = 10.255.199.0/24, 192.168.2.0/24
Endpoint = someendpoint:21232
PersistentKeepalive = 25
And for 97% of my applications the above works just great.
But I have a few instances where the device that's on the LAN will only allow an incoming connection from a device that is also on the same LAN as itself. I don't have access to this device's firewall to allow additional networks.
 
gfunkdave
Frequent Visitor
Posts: 96
Joined: Tue Jan 09, 2018 12:05 am

Re: windows client wireguard vpn ip

Fri Nov 17, 2023 5:32 pm

Edit: just saw your update. You need to set your WG address to be a /24, not /32; with a /32 you are disabling all connectivity.
You also need to set your peer's Allowed IPs to be the /32 of the WG segment, else you are routing all WG traffic to that peer. You only want that peer's IP to get its WG traffic.
Also, there is a typo in your DNS setting.

No, that's not how WireGuard works. The WireGuard interface has its own separate subnet. WireGuard peers all have an address on that same subnet. You can then route accordingly.

If your MikroTik has a WG IP of 10.8.0.1/24, then you might have an iPad or laptop connecting whose WireGuard IP is 10.8.0.10/24. If you have another router connecting, it could have an IP of 10.8.0.20/24. You'd then set the Allowed IPs for the router peer to include its own LAN, which would allow you to enable inter-LAN communication.

Here is a sample config for my MikroTik router and one WG peer with a LAN behind it.
/interface wireguard
add listen-port=51820 mtu=1420 name=wireguard1
/interface wireguard peers
add allowed-address=10.8.0.2/32,192.168.35.0/24 endpoint-address=\
    xxx.xxx.com endpoint-port=51820 interface=wireguard1 \
    public-key="xxxx"
/ip address
add address=10.8.0.100/24 interface=wireguard1 network=10.8.0.0
And the corresponding config from that peer:
david@rena-rtr:~$ sudo wg show
interface: wg0
  public key: xxxx
  private key: (hidden)
  listening port: 51820

peer: yyyy=
  preshared key: (hidden)
  endpoint: 107.219.x.x:1024
  allowed ips: 10.8.0.100/32, 192.168.4.0/24
  latest handshake: 23 seconds ago
  transfer: 3.81 GiB received, 4.83 GiB sent
Last edited by gfunkdave on Fri Nov 17, 2023 5:39 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 23318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: windows client wireguard vpn ip

Fri Nov 17, 2023 5:39 pm

The WireGuard subnet should be different from the LAN subnets!

Please read here for more info on WireGuard instead of making guesses: viewtopic.php?t=182340
 
knowledgemonster
newbie
Topic Author
Posts: 36
Joined: Fri Dec 04, 2015 3:47 pm
Location: Ontario Canada

Re: windows client wireguard vpn ip

Fri Nov 17, 2023 6:36 pm

OK, thanks for that.

Here is my updated config:
[Interface]
PrivateKey = "privatekey"
ListenPort = 21232
Address = 10.255.199.3/24
DNS = 192.168.2.1

[Peer]
PublicKey = "publickey"
AllowedIPs = 192.168.2.0/24
Endpoint = endpoint:21232
PersistentKeepalive = 25
The router VPN IP is 10.255.199.1/24, and I understand that you wanted me to put that in allowed IPs, but upon testing I realize it makes no difference; I can access the 192.168.2.0/24 network either way, with or without it. Everything except 192.168.2.100, because it does not allow access unless the incoming connection comes from 192.168.2.0/24.

Does this make sense, or did I miss what you said by a mile?

Anav,
Nice write-up. I did read the part about the allowed IPs but I am not totally getting it yet. I will reread that and try to understand it better.

The part that I have no idea about is how to make the device with IP 192.168.2.100 think that the incoming connection is coming from 192.168.2.0/24 instead of 10.255.199.3/24 so that it will allow the connection.

Just to be clear, the VPN with the config above works and the client has access to everything needed except the device with IP 192.168.2.100, and this is only because the device refuses it.
 
anav
Forum Guru
Posts: 23318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: windows client wireguard vpn ip

Fri Nov 17, 2023 6:42 pm

Think of allowed IPs on any device as a separate mini firewall.
There are two flows of traffic:
- exiting the tunnel at the local device (inbound/incoming to the local LAN).
- entering the tunnel at the local device (outbound/leaving the router).

Therefore, for the first case, the WireGuard code looks at the SOURCE address of traffic trying to exit the tunnel towards the LAN.
Is that address on my list of allowed IPs?

The second case is a bit different because it asks a question, then matches.
The WireGuard code asks: is the DESTINATION address in any of the peers listed for that particular WG interface, starting from the first peer in the list?
When it finds a match, it then selects the parameters of that peer for sending the data into the tunnel.

Important note: thus, besides the appropriate WG address for allowed IPs, one should delineate all other remote subnets involved in traffic: either subnets your local LAN will visit (destination addresses) or subnets coming to see your LAN (source addresses), and often both. If a client peer, like a laptop, also needs internet access, then you only need one entry of 0.0.0.0/0 and that covers all possibilities.

The other two main components of traffic: do firewall rules allow the desired traffic, and do IP routes provide a path for the traffic!!!

(The server should identify peers by their WG IP address X/32; peers should identify the server by the WG subnet address 0/24.)
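As an added example, not code from this thread or from MikroTik, here is a small Python model of the two allowed-IPs checks that gfunkdave and anav describe above, built from this thread's addresses (WG subnet 10.255.199.0/24, office LAN 192.168.2.0/24); the peer names and the second laptop peer "exit-node" are assumptions. One caveat it shows: when entries overlap (a LAN /24 beside 0.0.0.0/0), WireGuard picks the most specific prefix rather than the first listed peer.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed peer tables built from the addresses used in this thread.
# Each entry is one peer's AllowedIPs list, the "separate mini firewall".
ROUTER_PEERS: Dict[str, List[str]] = {
    "laptop": ["10.255.199.3/32"],  # server side: the client's WG address as /32
}
LAPTOP_PEERS: Dict[str, List[str]] = {
    # client side: the WG subnet plus the LAN reachable behind the router
    "office-router": ["10.255.199.0/24", "192.168.2.0/24"],
    # hypothetical second peer that the laptop uses for general internet access
    "exit-node": ["0.0.0.0/0"],
}


def _parse(table: Dict[str, List[str]]) -> Dict[str, list]:
    # strict=False so host-style entries such as 10.255.199.3/24 parse as their network
    return {peer: [ipaddress.ip_network(n, strict=False) for n in nets]
            for peer, nets in table.items()}


def inbound_allowed(table: Dict[str, List[str]], peer: str, src: str) -> bool:
    """Flow 1, packet exiting the tunnel: after decrypting a packet from `peer`,
    WireGuard keeps it only if its SOURCE address is inside that peer's AllowedIPs.
    Anything else is silently dropped, so a peer cannot inject traffic with a
    LAN source address unless that LAN is listed for it."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _parse(table)[peer])


def outbound_peer(table: Dict[str, List[str]], dst: str) -> Optional[str]:
    """Flow 2, packet entering the tunnel: choose the peer whose AllowedIPs contains
    the DESTINATION. Overlaps are resolved by the most specific (longest) prefix.
    Returns None when no peer matches, i.e. the packet never enters the tunnel."""
    addr = ipaddress.ip_address(dst)
    best: Optional[tuple] = None
    for peer, nets in _parse(table).items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (peer, net.prefixlen)
    return best[0] if best else None
```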