A simple guide on how to create a site-to-site vpn tunnel between 2 mikrotik devices, where only one has public IP address and issues regarding unstable connection.

Site to site tunnel using Wireguard

1. Setup the wireguard tunnel on one network (so you don't have to travel far if something gets f*cked up).
2. Transfer the device and verify you can use Winbox and ssh safely.
3. Backup the configuration (actually do this more often when configuring s2s tunnel, but just as a final reminder).

Setting up the tunnel was pretty easy and mostly I followed this guide from Mikrotiks documentation.

1. Create wireguard server on both sides using following command:

   /interface/wireguard/add listen-port=13231 name=wireguard1
   

2. Extract the public keys from both servers and note them somewhere:

   /interface/wireguard print 
   

3. Configure the peers (Flat1 has public IP and acts only as a responder, Flat2 initiates the connection) - ALSO CONFIGURE PRESHARED KEY ON ONE SIDE AND COPY IT TO THE SECOND:

   # flat1
   /interface/wireguard/peers/add allowed-address=10.1.101.0/24,10.255.255.1/32 interface=flat2 name=flat2 preshared-key="auto" public-key="v/oIzPyFm1FPHrqhytZgsKjU7mUToQHLrW+Tb5e601M=" responder=yes
   # flat2
   /interface/wireguard/peers/add allowed-address=10.2.202.0/24,10.255.255.2/32 endpoint-address=[PUBLIC IP/DNS] endpoint-port=[UDP PORT FROM WG SERVER OF FLAT1] interface=flat1 name=flat1 persistent-keepalive=2s preshared-key="[COPY FROM PREVIOUS]" public-key="u7gYAg5tkioJDcm3hyS7pm79eADKPs/ZUGON6/fF3iI="
   

4. Add IP and route (I needed to do this only on Flat2 - which does not hold public IP, Flat1 - which acts as a responder got the route automatically)

   /ip/address/add address=10.255.255.1/30 interface=wireguard1
   /ip/route/add dst-address=10.1.101.0/24 gateway=wireguard1
   

Firewall considerations

If you have advanced configuration for firewall, then don't forget to adjust it. I had to add subnets from the Flat1 router configuration, since this holds most of the servers. Everything related to the firewall I only added either to interface-list or to address-list. I did not need to add any of the tunnel IPs to input/output, only allow the connection in input (wireguard udp port).

Problems

I encountered two problems during the setup, first of which was related to my ISP (probably) and the second to first doing an open configuration and then trying to do some hardening.

Loosing packets / Stability problems

At first I setup everything in one flat and then moved the Flat2 router to the second location. After moving it I tested basic connnection, and everything seemed to work. Problems started when I tried to login to Winbox - stuck on Reading the index file. Similar problems appeared when I tried to download larger files from Flat1 router using the tunnel.

TLDR: MTU was too big and wireguard did not like that.

Solution was to lower the MTU to 1280 on both sides of the wireguard tunnel.

Changing allowed addresses

This issue still persists and as mentioned I encountered it when trying to secure the tunnel / lower the number of potential IPs going through the tunnel. At first I let the whole /16 subnets from both of the routers go through, but then I realized this was pretty useless and wanted to add multiple /24 subnets (just the ones actually allowed to use the tunnel). The problem was the tunnel did not change the routes and no dynamic routing was automatically added to neither of the routers.

Solution was to restart both routers when I want to change allowed addresses to be reflected under IP routes of both routers. Did not work unless both sides have been restarted.

---

This post was written without the help of AI.

Networking mikrotik networking security vpn wireguard