VPN site to site between 2 Mikrotik 2023

Hello,

I would like to create a VPN between two Mikrotik devices. There’s no need for complex settings; I just want devices in LAN A to access devices in LAN B and vice versa. What’s the best way to achieve this in 2023? Is WireGuard a suitable option?

I’m aware that there are numerous documents available, but many of them appear to be outdated. I’m currently seeking the most up-to-date best practices.

wireguard, so easy, performance and secure

wireguard is nice and easy. you’ll have to run ROS7 though, might not be as stable as 6 but personally haven’t had any trouble with it for simple/home configs. like /u/thatcompguyza said, make sure you run different subnets at site A and B.

with wireguard, allowed-address is sort of like a firewall. make sure you add the subnets you want to give access, as well as the address used by the wireguard peer. (e.g. allowed-address=172.16.1.2/32,192.168.1.0/24)
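A preflight check for the two pieces of advice in the comment above (different subnets at each site, and an allowed-address list that contains both the peer's tunnel address and the remote subnet), added here as an example that is not part of the original thread. The dictionary layout, field names, and the 192.168.2.0/24 and 172.16.1.1 values are constructed for illustration; only the value 172.16.1.2/32,192.168.1.0/24 comes from the comment.

```python
import ipaddress

def parse_allowed(value):
    """Parse a RouterOS-style comma-separated allowed-address value."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]

def covered(target, allowed):
    """True if one allowed-address entry contains the whole target network."""
    return any(target.version == n.version and target.subnet_of(n)
               for n in allowed)

def check_site_to_site(site_a, site_b):
    """Return a list of problems in a two-site plan (empty list = consistent)."""
    problems = []
    lan_a = ipaddress.ip_network(site_a["lan"])
    lan_b = ipaddress.ip_network(site_b["lan"])
    # Identical or overlapping LANs cannot be routed to each other.
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {lan_a} and {lan_b}")
    # Each router's peer entry must admit the other side's tunnel IP and LAN,
    # because traffic from sources outside allowed-address is dropped.
    for local, remote in ((site_a, site_b), (site_b, site_a)):
        allowed = parse_allowed(local["peer_allowed_address"])
        peer_ip = ipaddress.ip_network(remote["tunnel_ip"])  # bare IP -> /32
        remote_lan = ipaddress.ip_network(remote["lan"])
        if not covered(peer_ip, allowed):
            problems.append(f"{local['name']}: peer address {peer_ip} missing")
        if not covered(remote_lan, allowed):
            problems.append(f"{local['name']}: remote LAN {remote_lan} missing")
    return problems

# Constructed sample plans (hypothetical sites, not taken from a real router).
GOOD_A = {"name": "site-a", "lan": "192.168.1.0/24", "tunnel_ip": "172.16.1.2",
          "peer_allowed_address": "172.16.1.1/32,192.168.2.0/24"}
GOOD_B = {"name": "site-b", "lan": "192.168.2.0/24", "tunnel_ip": "172.16.1.1",
          "peer_allowed_address": "172.16.1.2/32,192.168.1.0/24"}
# Same LAN on both ends, and site-a forgot the remote LAN in allowed-address.
BAD_A = dict(GOOD_A, peer_allowed_address="172.16.1.1/32")
BAD_B = dict(GOOD_B, lan="192.168.1.0/24")

if __name__ == "__main__":
    print(check_site_to_site(GOOD_A, GOOD_B))
    for problem in check_site_to_site(BAD_A, BAD_B):
        print(problem)
```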

I run a couple of S2S tunnels between some 4011s using wireguard and VXLANs, extremely solid. Just don’t attempt anything to do with IPv6, then it becomes shaky.

Thank you all for your replies. I think I’m going to try WireGuard first, and if I encounter any issues, I’ll consider using IPsec.

First make sure you have different subnets on either end, then any protocol will work.
I prefer L2TP with IPsec, but honestly haven’t used wireguard yet. May be a better option if you get it right.
Just stay away from PPTP.

site-to-site ipsec vpn

I’m testing three MikroTiks connected as hub and spoke with a couple mobile clients. It works well and is fast.

For a couple years I’ve been using IPSEC IKEv2 with certificates. It’s been solid and works well but it’s a bit cumbersome to set up everything, and to renew and distribute certificates when they expire.

WireGuard is a bit easier to set up, but the configs can get complex with multiple sites and subnets. A diagram is almost a necessity.

Possible in multiple ways… wireguard, zerotier, or just an ip tunnel with ipsec between them.

I’m currently seeking the most up-to-date best practices.

This is where to look:

https://forum.mikrotik.com/viewtopic.php?t=182340

Mikrotik to Mikrotik, if I only need access to the remote Network and no performance → SSTP.

The simplest that I prefer, with less overhead, is ipip tunnel. If you need encryption, you can add a password to secret option and mikrotik will use the ipip over encrypted ipsec tunnel - if traffic is already encrypted inside (ssh, https etc) you don’t need to. If you have routers with hardware encryption, you will get nice speeds.

After the tunnel is up, you will only need to add routes to each router.

This video has a good, up to date, description of the advantages / disadvantages of each VPN protocol:

I am using multiple WireGuard VPNs between Mikrotiks, other Mikrotiks and other vendors and it just works™

I’ve always struggled with IPsec config, but that works well too when done right.

For two way, wireguard is good to go, for multi point, go for l2tp vpn, sstp, eoip/gre/ipip tunnel (you can route ospf, bgp, RIP).

I typically create GRE/IPSEC tunnels between sites. This makes it convenient to use OSPF for dynamic routing. I also use PIM for some cameras and I couldn’t get PIM working without GRE.

We’re running 7 across several devices right on the latest stable release…

We encountered one problem with openvpn peers not rejoining a bridge that was fixed in 7.10ish.

No other problems to speak of

Thank you for the detailed response. I will look into what you mentioned.

You’ll likely get better performance with IPsec since it’s hardware accelerated vs all in cpu.

Seconded. Site-to-site IKEv2/IPSec tunnels also take advantage of hardware acceleration on many models.