Alex Daichendt

Site 2 Site Wireguard VPN with a Mikrotik Router and a Cloud VM

My network consists of a server located in country A. Since the largest ISP in the country B does have terrible peering with the ISP in country A, I thought of setting up a small proxy server in country A. This way, I should be able to bypass bad peering, since the cloud provider probably organizes good routing to both sides. Since I meant to try out Oracles free tier anyway, it seemed like a good opportunity to learn ansible properly and develop with IaC scripts to set up a reverse proxy in the cloud.

Architecture of the site two site wireguard setup
  1. Create Wireguard keys. If the CLI is not an option this website is cool too (keys are client-sided generated)
  2. Since I want to have dedicated monitoring for what traffic is flowing between the proxy and my server, I create a new Wireguard interface in my Mikrotik router. Remember to use the previously generated keypairs.
  3. Create a new peer as follows. Important is the entry to allow the IP address of the cloud wg endpoint, otherwise the cloud cant ping back home.
    Mikrotik router peer setup
  4. I had to adjust the firewall rules to allow communication with the tunnel network.
  5. On the proxy server we use similar settings. Interestingly enough, the Mikrotik wg endpoint grabs the network address of the 10.222.0.0/30 network. Meaning, 10.222.0.1 is unallocated.
[Interface]
PrivateKey = REDACTED
Address = 10.222.0.2/30
ListenPort = 23xxx

[Peer]
PublicKey = REDACTED
AllowedIPs = 10.10.0.0/16,10.222.0.0/32
Endpoint = alphard.abc.de:23xxx
  1. Next, we need to create a DDNS updater to keep our A record in sync with the publicly assigned IP address of the cloud provider (unless you wanna pay for a static address of course). I found this Docker container to be convenient.
  2. Finally, we need to update the IP address of the peer in the Mikrotik router. For that we use a Mikrotik script, which I stole from Uli Koehler . Remember to add a scheduler to the script.
:if ([interface wireguard peers get number=[find comment=belka] value-name=endpoint-address] != [resolve belka.abc.de]) do={
    interface wireguard peers set number=[find comment=belka] endpoint-address=[/resolve belka.abc.de]
}

Edit 22-10-2022:

After running this setup for a while, I found it a bit unstable. Since I do not get a static IP address from my ISP, my address changes every now and then. The wireguard client at the other hand does not recheck the A record but instead loses connection and requires a manual restart. I would recommend to use a more stable protocol like IPsec.