What are the correct "allowed IPs" on this site-to-site Wireguard link -- it should be obvious, but obviously not to me :_)

I've almost got it working, but not quite, and I've tried nearly everything except dark forces of magic. I have thought of another idea, but I didn't think crying would help.

It's a site-to-site link (happens to be two Mikrotik CHR routers). Looks something like this:

- 199.181.204.128/26-R2-Public InternetIP-R1--199.181.204.0/26---R1--Internet

The Wireguard link between R2 and R1 is up and I have a private IP space (192.168.89.0/30) between them. Both sites can ping (192.168.89.1 <-> 192.168.89.2). However, R2 can't seem to pass traffic from the private IP space to 199.181.204.128. No firewalls are active for testing.

It seems to be related to AllowedIPs but I have no idea how or why. What I think I'm supposed to do is:

R2 AllowedIPs = 199.181.204.128/26 -- meaning pass all of this traffic
R1 AllowedIPs = 0.0.0.0/0 -- pass everything if it gets there

What I really want is to say, just pass it, don't think about it like OpenVPN would do. Don't filter, just pass packets from one interface to another.

Can I turn this feature off and make Wireguard "dumb" or what do I put in this?



Solution 1:[1]

You must have a great sense of humor. AllowedIPs means the destination network segment that the local end can access. For example, if R1 wants to access the address 192.168.1.1/32, it needs to add this IP address to the AllowedIPs of R1. The easiest way is to set both sides to 0.0.0.0/0.
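The behaviour the question runs into is WireGuard's cryptokey routing: a peer's AllowedIPs is used in both directions. Outbound, a packet is encrypted to whichever peer has the longest matching AllowedIPs prefix for its destination; inbound, a decrypted packet whose source address is not inside that peer's AllowedIPs is silently dropped. A prefix can belong to only one peer on an interface, so two peers that both claim 0.0.0.0/0 cannot coexist (the last one configured takes it). On R2 the peer entry describes R1, so it must list what sits behind R1 (199.181.204.0/26 and the tunnel /30), not R2's own LAN; listing 199.181.204.128/26 there makes R2 drop every packet R1 forwards from its LAN, which is the "link is up, pings work, LAN traffic doesn't" symptom described. The following RouterOS configuration for both routers is an added example written for this page, not the questioner's or either answerer's configuration. It assumes R1 = 192.168.89.1 and R2 = 192.168.89.2, that R1 owns the reachable public address (placeholder <R1-public-IP>), that R2 initiates the tunnel, and placeholder keys; the interface name wg-site is likewise assumed.

```routeros
# ---- R1: public IP, LAN 199.181.204.0/26, tunnel address 192.168.89.1/30 (assumed) ----
/interface wireguard add name=wg-site listen-port=51820 private-key="<R1-private-key>"
/ip address add address=192.168.89.1/30 interface=wg-site
# Peer entry for R2. allowed-address = what is reachable THROUGH R2 and what R2
# may use as a source address: R2's LAN plus the tunnel /30. Never R1's own LAN.
/interface wireguard peers add interface=wg-site public-key="<R2-public-key>" \
    allowed-address=192.168.89.0/30,199.181.204.128/26
# RouterOS installs no routes from allowed-address; add the route to R2's LAN explicitly.
/ip route add dst-address=199.181.204.128/26 gateway=wg-site

# ---- R2: LAN 199.181.204.128/26, tunnel address 192.168.89.2/30 (assumed) ----
/interface wireguard add name=wg-site listen-port=51820 private-key="<R2-private-key>"
/ip address add address=192.168.89.2/30 interface=wg-site
# Peer entry for R1, the mirror image: R1's LAN plus the tunnel /30.
# Putting 199.181.204.128/26 here (the question's attempt) makes R2 drop every
# packet arriving from 199.181.204.0/26, because the source is not an allowed address.
# persistent-keepalive uses RouterOS time notation: 25s, not 25 (or 25m = 25 minutes).
/interface wireguard peers add interface=wg-site public-key="<R1-public-key>" \
    endpoint-address=<R1-public-IP> endpoint-port=51820 persistent-keepalive=25s \
    allowed-address=192.168.89.0/30,199.181.204.0/26
/ip route add dst-address=199.181.204.0/26 gateway=wg-site

# Check on either side: the peer's last-handshake time updates and its rx/tx
# counters grow while a LAN host on one side pings a LAN host on the other.
/interface wireguard peers print detail
```

If R2 should also reach the Internet through R1, widen R2's peer entry to allowed-address=0.0.0.0/0 (it still covers the /30 and R1's LAN), put the default route via wg-site into a separate routing table with a rule for the LAN source as Solution 2 below does (so the tunnel's own endpoint traffic keeps using R2's real WAN), and masquerade that traffic on R1. Keep R1's entry for R2 as the two specific prefixes: R1 only ever needs to send R2's LAN and tunnel traffic to R2, and the narrower list is what stops a compromised or misconfigured R2 from injecting packets with arbitrary source addresses into R1.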

Solution 2:[2]

This is a configuration to get Internet through a WireGuard commercial VPN provider

/interface wireguard add listen-port=51820 name=wireguard-inet private-key="xxx" comment="Internet through WireGuard commercial VPN provider"
# allowed-address=0.0.0.0/0: every destination is sent to this peer and any source address is accepted from it
# persistent-keepalive is in RouterOS time notation: 25s is the usual 25 seconds (25m would be 25 minutes)
/interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=51820 interface=wireguard-inet persistent-keepalive=25s \
    preshared-key="xxx" public-key="xxx" comment="Internet through WireGuard commercial VPN provider"
# Adding the tunnel to the WAN list lets a masquerade rule matching out-interface-list=WAN, if present, cover it too
/interface list member add interface=wireguard-inet list=WAN comment="Internet through WireGuard commercial VPN provider"
###
# Instead of xxx.xxx.xxx.xxx/32 (from the VPN provider) use xxx.xxx.xxx.xxx/24, so the interface gets a connected route
/ip address add address=xxx.xxx.xxx.xxx/24 interface=wireguard-inet comment="Internet through WireGuard commercial VPN provider"
# Separate routing table: the default route through the tunnel must not capture the tunnel's own endpoint traffic
/routing table add name=wireguard-wan fib comment="Internet through WireGuard commercial VPN provider"
/ip route add dst-address=0.0.0.0/0 gateway=wireguard-inet routing-table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Replace 192.168.xxx.0/24 with your local network; only traffic from it is looked up in the tunnel table
/routing rule add action=lookup src-address=192.168.xxx.0/24 table=wireguard-wan comment="Internet through WireGuard commercial VPN provider"
# Add DNS from the VPN service
/ip/dhcp-server/network/set dns-server=10.xxx.0.1 0
# Reconnect your device (PC, phone) to receive the new DNS server from the router

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Bigfish
Solution 2 452