Incomplete

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

https://www.wireguard.com/

https://help.mikrotik.com/docs/display/ROS/WireGuard

HowTo: https://forum.mikrotik.com/viewtopic.php?t=182340

Road Warrior HowTo: https://forum.mikrotik.com/viewtopic.php?p=899406

https://www.youtube.com/watch?v=P6f8Qc4EItc

First we configure the admin password:

Use Quick Set for basic router configuration:

Create the WireGuard VPN interface:

• The name of the interface is arbitrary and we use the default here
• The MTU matters, but we use the default here
• The UDP listen port probably doesn't matter, but we use the same port as on the server here
  • This CPE router must initiate the VPN connections because it has a dynamic IP and is behind Carrier Grade NAT (double NAT)
  • In at least one case, the default UDP port 13231 was blocked by the ISP
  • You may need to find a UDP port that is not blocked by your ISP and use it on the server

Define a WireGuard VPN peer:

• The peer is the remote WireGuard endpoint (server, router)
• The public key is the public key from the remote WireGuard endpoint
• The endpoint address is the static public IP address of the remote WireGuard endpoint (server)
• The endpoint port is the UDP listen port of the remote WireGuard endpoint
• The allowed address is a list of remote IP addresses on or behind the remote WireGuard endpoint
  • Remote WireGuard interface IP address
  • Remote IP subnet behind the remote WireGuard endpoint
• The persistent keepalive is a timer to send an empty packet accross the tunnel to keep it open
  • 25 seconds is a common recommendation for the keepalive timer

Show a connected peer:

• You should get a handshake and a few packets exchanged at this point
  • If not, troubleshoot this first
  • Check that the server firewall permits your selected UDP listen port

Add an IP address to the WireGuard interface:

• This IP address (of the remote) will be listed in a traceroute
• This VPN example uses an arbitrary subnet 172.16.2.0/24 for VPN endpoints
  • Actually 172.16.2.1/24 for the server
  • Actually 172.16.2.3/32 for the CPE
  • If you had a hub and spoke VPN, you would use other 172.16.2.0/24 addresses for other endpoints

Add a static route for remote IP subnet behind peer:

• WireGuard will automatically route to the remote WireGuard IP address
  • You can ping the remote (peer) WireGuard IP address
• WireGuard does not automatically add routes to the remote subnets
  • Pings to the remote subnet will fail without the necessary static route

At this point, you should be able to ping devices to or from the subnets behind either router.

# the interface name is arbitrary - wg0, wg1 are common - wireguard1 is the default
# the port is also arbitrary - 51820 is customary - choose UDP port not blocked by ISP
# listen port probably doesn't matter on this end
/interface wireguard add listen-port=51820 mtu=1420 name=wireguard1

# the peer is the remote side definition - server in this case
# allowed addresses are addresses at the remote side - server in this case
# the public key is the public key of the remote side - server in this case
# endpoint port must match remote listen port - server in this case
/interface wireguard peers
add allowed-address=172.16.2.1/32,192.168.50.0/24 comment="Server Site Name" \
    endpoint-address=<server-public-ip> endpoint-port=51820 interface=wireguard1 \
    persistent-keepalive=25s public-key="<server-public-key>"

# assign an address to the wireguard interface - will show in traceroute
# address choice is arbitrary - /24 used to route multiple peers of /32
/ip address add address=172.16.2.3/24 interface=wireguard1 network=172.16.2.0

# you must add a static route to the subnet(s) behind the remote peer - server in this case
/ip route add disabled=no dst-address=192.168.50.0/24 gateway=wireguard1 \
    routing-table=main suppress-hw-offload=no