Wireguard site2site with one router behind NAT - Mikrotik

We were approached by a client who needed a solution in which he can carry a Mikrotik Map-Lite around the world and, whenever he connects it to his PC, have all of his traffic go out through his home IP in Australia.

The solution we proposed was a Wireguard tunnel between his home Mikrotik device and the Map-Lite (which will always, or almost always, be behind NAT), plus static routes so that all traffic goes through the “Wireguard Interface”.

Steps:

1.) Setting up server-side:

Create the Wireguard interface (“wireguard1”) and copy its Public Key; this will go into the peer on the client side.

In Peers, add a peer, paste the public key from the CLIENT, and set the Allowed Address to 0.0.0.0/0 so that packets with any source address are accepted from this peer:

In Addresses, assign an address to the “wireguard1” interface. Make sure the network is the same on both sides, and give each peer a different address within that network:

Server-side:

2.) Setting up the client side:

Two things should be noted:
1. For any WG connection, one end must act as the Server and the other as the Client. This applies to the initial connection only.
2. After the initial connection, consider the tunnel a two-way street, dependent on the setup at either end.

So do not despair: assuming the MT device is allowed internet traffic through the ISP router, you are good to go, and you should treat this MT device as the CLIENT for the initial setup.

Client WG Settings
- Listen port: add one. It is not really required on the client (I think it is needed to generate the public key); in any case use the same port as you will set on the server router.
- name=remoteWG
- Public key: give this to the main server (in its peer settings).

Client PEER Settings
- Allowed addresses: the destinations for the remote users; assuming you want to reach the internet and possibly subnets on the main router, use 0.0.0.0/0.
- Endpoint address: the IP of the main server and its port; this could also be an IP cloud name and port, etc.
- Public key: the one given by the main server.
- Keepalive: set it to something like 30 seconds.

Now, on the CLIENT side you probably already have a default route of some sort, most likely created dynamically, so that your LAN users go out the WAN port of the MT, hit the main router, and their traffic gets returned.

Next, you have to make a routing table via the terminal CLI:

/routing table add name=useWG fib

Then add a route for the subnet or user that is going out the tunnel; let's say it is one of the subnets on the router (192.168.80.0/24):

/ip route add dst-address=0.0.0.0/0 gateway=remoteWG routing-table=useWG


Then make the associated routing rule:
src-address=192.168.80.0/24
Action: lookup-only-in-table (note: if you want users to still reach the internet locally when WG is down, use Action: “lookup” instead)
Table: useWG

Now, if you want to route all traffic through the Wireguard VPN and do not want any traffic to leak accidentally via your original public IP (a kill switch), add this route and put a higher distance on the default route via the public IP:

Then add a NAT masquerade rule with the out-interface set to the VPN interface:
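The whole procedure above, collected into one RouterOS v7 terminal script per side. This is an added example, not the page's own configuration (the screenshots are not reproduced here). Assumed values: tunnel network 10.10.10.0/24 with the home server at .1 and the Map-Lite client at .2, listen port 13231, the client LAN 192.168.80.0/24, the WAN on ether1 with a DHCP client on both routers, and placeholder keys, endpoint and WAN gateway written in capitals. The server peer has no endpoint because the client sits behind NAT: the client's persistent keepalive is what opens and holds the NAT mapping. The firewall input rule and the /32 host route to the endpoint are practitioner caveats not on the page: the first is needed only if the home router's default firewall drops WAN input, and the second prevents the handshake packets themselves from being routed into the tunnel once the main default route points at it.

```routeros
# ---------- SERVER (home router, Australia) ----------
/interface wireguard add name=wireguard1 listen-port=13231
# read the interface public key here; it goes into the CLIENT's peer entry
/interface wireguard print
# let the handshake in if the default firewall drops WAN input (check your own filter rules first)
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept place-before=0
/ip address add address=10.10.10.1/24 interface=wireguard1
# no endpoint: the client initiates from behind NAT. allowed-address=0.0.0.0/0 is the
# cryptokey-routing ACL; with only 10.10.10.2/32 the server would silently drop packets
# whose source is the client LAN (192.168.80.0/24) instead of the tunnel address
/interface wireguard peers add interface=wireguard1 public-key="CLIENT_PUBLIC_KEY_PLACEHOLDER" allowed-address=0.0.0.0/0
# masquerade the client's traffic as it leaves the home WAN (ether1 assumed)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# ---------- CLIENT (Map-Lite, behind NAT) ----------
/interface wireguard add name=remoteWG listen-port=13231
# read this public key and paste it into the SERVER's peer entry
/interface wireguard print
/ip address add address=10.10.10.2/24 interface=remoteWG
# endpoint may be an IP or an IP-cloud DNS name; allowed-address=0.0.0.0/0 lets everything be sent into the tunnel
/interface wireguard peers add interface=remoteWG public-key="SERVER_PUBLIC_KEY_PLACEHOLDER" endpoint-address=SERVER_PUBLIC_IP_OR_CLOUD_NAME endpoint-port=13231 allowed-address=0.0.0.0/0 persistent-keepalive=30s
# policy routing: a separate table whose only route points into the tunnel
/routing table add name=useWG fib
/ip route add dst-address=0.0.0.0/0 gateway=remoteWG routing-table=useWG
# lookup-only-in-table is the per-subnet kill switch: if the tunnel route disappears the LAN's
# packets are dropped rather than falling back to the main table (use action=lookup for fallback)
/routing rule add src-address=192.168.80.0/24 action=lookup-only-in-table table=useWG
# full kill switch in the main table: tunnel default route wins, the WAN default route is pushed back
/ip route add dst-address=0.0.0.0/0 gateway=remoteWG distance=1
/ip dhcp-client set [find interface=ether1] default-route-distance=10
# pin the WireGuard endpoint to the real WAN gateway so the handshake is not routed into the tunnel;
# use the resolved IP if the endpoint is a DNS name (SERVER_PUBLIC_IP and WAN_GATEWAY_IP are placeholders)
/ip route add dst-address=SERVER_PUBLIC_IP/32 gateway=WAN_GATEWAY_IP distance=1
# source NAT so the server's replies come back through the tunnel
/ip firewall nat add chain=srcnat out-interface=remoteWG action=masquerade

# ---------- VERIFY (either side) ----------
# last-handshake should be recent and rx/tx should grow; a client without Allowed Address
# 0.0.0.0/0 on the server shows a handshake but no LAN traffic
/interface wireguard peers print detail
/ip route print where routing-table=useWG
```

The rule-based table (useWG plus lookup-only-in-table) and the main-table route swap are two independent kill switches: the first covers the LAN subnet even if the main table is left untouched, the second also covers traffic the router itself originates. Apply the main-table swap last and from a console session that does not depend on the WAN default route, since it changes how the router reaches everything.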