Shane77
just joined
Topic Author
Posts: 9
Joined: Sat Nov 24, 2018 5:20 pm
Location: South Africa

WIREGUARD SERVER CLOUD GATEWAY WITH FAILOVER

Sun Apr 21, 2024 4:25 pm

Hi gurus and newbies,

I recently deployed a WireGuard Debian server (shall be knownst as WG for this post) in the cloud and then painfully set up my MikroTik onsite to tunnel to the WG server and then break out to the internet. The reason behind me doing this is the following. I deploy cloud PBX extensions and recently set up recursive failover on a client site MikroTik, BUT after failover occurred, the VoIP server traffic was still routing to the extension via the failed WAN IP instead of the secondary. So my idea was to deploy the WireGuard server and have the gateway in the cloud instead, which means either the primary or secondary WAN connection would still route the inbound calls to the desired extension after failover has occurred (if anyone has a better way of doing this, the gods will shine on you for sharing).

The script I used to set up my MikroTik to tunnel to the WG cloud server is the following:

# You should change "XX.XX.XX.XX" to you wireguard server
# and set public-key,private-key,preshared-key,"YY.YY.YY.YY/YY" according to your config
/interface/wireguard/add name=wg0 private-key="[PRIVATE_KEY_HERE]"

/interface/wireguard/peers/add interface=wg0 endpoint-address=XX.XX.XX.XX endpoint-port=12321 public-key="[PUBLIC_KEY_HERE]" preshared-key="[PRESHARED_KEY_HERE]" persistent-keepalive=25s allowed-address=0.0.0.0/0

/ip/address/add interface=wg0 address=YY.YY.YY.YY/YY

/ip/route/add dst-address=XX.XX.XX.XX comment=wgserver disabled=yes

/ip/route/add dst-address=0.0.0.0/0 gateway=wg0

/ip/dhcp-client/add add-default-route=no interface=ether1 script=":local route [/ip route find comment=\"wgserver\"]\r\
\n:if (\$bound=1) do={\r\
\n /ip route set \$route gateway=\$\"gateway-address\" disabled=no\r\
\n} else={\r\
\n /ip route set \$route disabled=yes\r\
\n}" use-peer-dns=no use-peer-ntp=no

/interface/list/member/add interface=wg0 list=WAN

/ip/dns/set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

My question now is, how do I integrate a recursive failover into this configuration, since the routing tables have become a lot more complex? My MikroTik is set up simply with WAN1 on ether1, WAN2 on ether2, and ether3, 4 and 5 all bridged for the LAN, and I am using an RB951.
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WIREGUARD SERVER CLOUD GATEWAY WITH FAILOVER

Sun Apr 21, 2024 10:37 pm

Please post your complete config
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc...)

There may be no need for wireguard for this aspect, as it sounds like a faulty failover config more than anything else.
(could be mangles, could be routing etc.....)

Wireguard is not a magic solution as it still needs to travel over one of your ISP connections to the cloud.
Was your intention to use wireguard over WAN1 or WAN2 ??
 
Shane77
just joined
Topic Author
Posts: 9
Joined: Sat Nov 24, 2018 5:20 pm
Location: South Africa

Re: WIREGUARD SERVER CLOUD GATEWAY WITH FAILOVER

Mon Apr 22, 2024 7:09 am

Please post your complete config
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc...)

There may be no need for wireguard for this aspect, as it sounds like a faulty failover config more than anything else.
(could be mangles, could be routing etc.....)

Wireguard is not a magic solution as it still needs to travel over one of your ISP connections to the cloud.
Was your intention to use wireguard over WAN1 or WAN2 ??

hi,

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireguard
add listen-port=YYYYY mtu=1420 name=wg0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.44.2-192.168.44.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface list member
add interface=wg0 list=WAN
add interface=bridge1 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=WGSERVERIP endpoint-port=\
XXXXX interface=wg0 persistent-keepalive=25s preshared-key=\
"***********************" public-key=\
"***********************"
/ip address
add address=192.168.44.1/24 interface=bridge1 network=192.168.44.0
add address=10.8.0.2/24 interface=wg0 network=10.8.0.0
/ip dhcp-client
add add-default-route=no interface=ether1 script=":local route [/ip route find\
\_comment=\"wgserver\"]\r\
\n:if (\$bound=1) do={\r\
\n /ip route set \$route gateway=\$\"gateway-address\" disabled=no\r\
\n} else={\r\
\n /ip route set \$route disabled=yes\r\
\n}" use-peer-dns=no use-peer-ntp=no
add add-default-route=no interface=ether2 script=":local route [/ip route find\
\_comment=\"wgserver\"]\r\
\n:if (\$bound=1) do={\r\
\n /ip route set \$route gateway=\$\"gateway-address\" disabled=no\r\
\n} else={\r\
\n /ip route set \$route disabled=yes\r\
\n}" use-peer-dns=no
/ip dhcp-server network
add address=192.168.44.0/24 gateway=192.168.44.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip firewall filter
add action=accept chain=input protocol=udp src-port=51820,13231
add action=accept chain=forward protocol=udp src-port=51820,13231
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wg0
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping comment=wgserver disabled=no distance=1 dst-address=\
WGSERVERIP/32 gateway=192.168.3.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
add dst-address=0.0.0.0/0 gateway=wg0
/system clock
set time-zone-name=Africa/Johannesburg
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

Don't get me wrong, the WG client MTK IS working, as it's tunnelling the traffic from the site via WAN1 through the cloud WG server and then to the VoIP server. However, I wish to add a WAN2 to the configuration and set recursive failover to WAN2, which will ALSO then tunnel through to the WG server and break out to the VoIP server. The idea behind this is to maintain a common gateway during the failover so the VoIP server still passes the VoIP traffic for inbound to the same destination cloud PBX extensions regardless of which WAN connection is live at the time.

The root problem is this: cloud PBX extensions register with the VoIP server, which knows the location of each extension based on their INITIAL registration. Once failover occurs, the VoIP server is still looking for the cloud PBX extensions via the previous WAN connection, so I thought maintaining a common gateway by implementing a WG server would solve the problem. However, I'm not skilled with incorporating a recursive failover now with the WG configuration above.

The problem here is, I DON'T know how to add the recursive failover to this configuration.


Hope this makes sense.

P.S. that's a terrifying AVATAR btw
Last edited by Shane77 on Tue Apr 23, 2024 6:52 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19626
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: WIREGUARD SERVER CLOUD GATEWAY WITH FAILOVER

Mon Apr 22, 2024 8:26 pm

(1) Remove pre-shared key in wireguard settings ( at both ends )

(2) You hardly have any firewall rules?
Are you behind an upstream router with firewall rules??

Also your two rules are garbage if they are intended to handle wireguard.
Since the MT is acting as a client for handshake, there is no need for input chain rule for wg traffic to leave the router.

(3) You will never get wireguard to work without some sort of masquerade out the MT router for normal traffic??
Since you added wg0 to the WAN interface list you should have stuck with the default rule already in place..........

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


(4) If the plan is to send all bridge traffic out wireguard, let's look at how this can be accomplished, or is it only SOME bridge traffic,
aka can you identify which IPs on the LAN need to go out wireguard (should be easy to create a firewall address list for that).
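For the "only SOME bridge traffic" case raised in point (4), here is an added example of the address-list approach; it is not anav's or the poster's config. It assumes the LAN is bridge1 with 192.168.44.0/24 (from the posted export), the tunnel is wg0, the main table's default route already points at the WAN, RouterOS v7, and the phone addresses are constructed placeholders.

```routeros
# Added example: only hosts on the address list leave through wg0,
# everything else on the LAN keeps using the main table's WAN default route.

/ip firewall address-list
# constructed placeholders for the phones that must appear behind the cloud gateway
add list=VOIP-PHONES address=192.168.44.10 comment="desk phone 1 (constructed)"
add list=VOIP-PHONES address=192.168.44.11 comment="desk phone 2 (constructed)"

/routing table
# a separate FIB that holds nothing but the tunnel default route
add name=via-wg fib

/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=via-wg \
    comment="default via tunnel, used only by marked traffic"

/ip firewall mangle
# mark forwarded traffic from the listed hosts; dst-address-type=!local keeps
# traffic to the router itself on the main table and the LAN exclusion keeps
# LAN-to-LAN traffic out of the tunnel
add chain=prerouting in-interface=bridge1 src-address-list=VOIP-PHONES \
    dst-address-type=!local dst-address=!192.168.44.0/24 \
    action=mark-routing new-routing-mark=via-wg passthrough=no
```

With this in place `/ip route print where routing-table=via-wg` shows the single tunnel route, and only the listed phones reach the VoIP server from the cloud WG server's address; adding a host to the list is the whole change needed to move it into the tunnel. The masquerade rule on the WAN interface list from point (3) already covers wg0, so no extra NAT rule is needed.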
 
Shane77
just joined
Topic Author
Posts: 9
Joined: Sat Nov 24, 2018 5:20 pm
Location: South Africa

Re: WIREGUARD SERVER CLOUD GATEWAY WITH FAILOVER

Fri Apr 26, 2024 7:39 am

(1) Remove pre-shared key in wireguard settings ( at both ends )

(2) You hardly have any firewall rules?
Are you behind an upstream router with firewall rules??

Also your two rules are garbage if they are intended to handle wireguard.
Since the MT is acting as a client for handshake, there is no need for input chain rule for wg traffic to leave the router.

(3) You will never get wireguard to work without some sort of masquerade out the MT router for normal traffic??
Since you added wg0 to the WAN interface list you should have stuck with the default rule already in place..........

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN


(4) If the plan is to send all bridge traffic out wireguard, let's look at how this can be accomplished, or is it only SOME bridge traffic,
aka can you identify which IPs on the LAN need to go out wireguard (should be easy to create a firewall address list for that).

Hi,

I've made the requested changes and here's an example of the recursive failover I USUALLY deploy on my MTK. Yes, my MTK sits behind an ISP router with its own firewalling.

/ip dns
set allow-remote-requests=yes servers=1.1.1.1

/ip route
# the probe routes need scope <= the target-scope of the recursive routes below (default 10),
# otherwise the gateway 8.8.8.8 cannot be resolved through WAN1
add dst-address=8.8.8.8 gateway=WAN1 scope=10
add dst-address=8.8.4.4 gateway=WAN2 scope=10

/ip route
add distance=1 gateway=8.8.8.8 check-gateway=ping
add distance=2 gateway=8.8.4.4 check-gateway=ping

How would I now integrate this with the above configuration?
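One way to combine the two, as an added example that is not part of any post in the thread: the route to the WireGuard endpoint becomes the recursively resolved, health-checked route, so the tunnel follows whichever WAN is alive while the LAN default route keeps pointing at wg0. It uses the values from the thread (WGSERVERIP as the cloud server address, 192.168.3.1 as the ISP router in front of ether1) plus a constructed 192.168.4.1 as the router in front of ether2; the gateways are static here, so the DHCP-client scripts from the posted config are not used.

```routeros
# Added example: recursive failover for the WireGuard endpoint path.
# Placeholders: WGSERVERIP = public address of the cloud WG server (from the thread),
# 192.168.3.1 = WAN1 upstream gateway (from the thread), 192.168.4.1 = WAN2 upstream
# gateway (constructed).

/ip dns
# DNS must not use the probe addresses, so the only packets to 8.8.8.8/8.8.4.4 are the pings
set allow-remote-requests=yes servers=1.1.1.1

/ip dhcp-client
# obtain WAN addresses only; routing is handled by the static routes below
add interface=ether1 add-default-route=no use-peer-dns=no use-peer-ntp=no
add interface=ether2 add-default-route=no use-peer-dns=no use-peer-ntp=no

/ip route
# probe routes: one public /32 per WAN, scope=10 so they can resolve the recursive gateways
add dst-address=8.8.8.8/32 gateway=192.168.3.1 scope=10 comment=probe-wan1
add dst-address=8.8.4.4/32 gateway=192.168.4.1 scope=10 comment=probe-wan2

# the tunnel endpoint is reached recursively through the probes; check-gateway pings
# 8.8.8.8 over WAN1, and when it stops answering the distance=1 route goes inactive
# and the distance=2 route via WAN2 takes over
add dst-address=WGSERVERIP/32 gateway=8.8.8.8 distance=1 check-gateway=ping \
    target-scope=10 comment=wgserver-wan1
add dst-address=WGSERVERIP/32 gateway=8.8.4.4 distance=2 check-gateway=ping \
    target-scope=10 comment=wgserver-wan2

# all LAN traffic still leaves through the tunnel; the /32 routes above keep the
# encrypted WireGuard packets themselves out of it, so there is no routing loop
add dst-address=0.0.0.0/0 gateway=wg0 comment=default-via-wg

/ip firewall nat
# one masquerade rule for both WANs and the tunnel (wg0 is a member of the WAN list)
add chain=srcnat out-interface-list=WAN action=masquerade
```

After a failover the tunnel's outer source address changes, but the peer on the cloud server accepts the new endpoint once a fresh handshake arrives (the 25 s persistent keepalive triggers it), so the VoIP server keeps seeing the cloud server's address for the extensions, which is the point of the design. To watch it work, run `/ip route print where comment~"wgserver"` and pull WAN1: the active flag should move from wgserver-wan1 to wgserver-wan2 within a few ping intervals and back again when WAN1 returns. If the WAN gateways must come from DHCP after all, each DHCP-client script should update its own probe route (probe-wan1 for ether1, probe-wan2 for ether2) rather than both rewriting the single wgserver route as in the posted export, since two scripts writing the same route leave it pointing at whichever lease renewed last.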
