WireGuard tunnel configuration
The WireGuard tunnel is one of the simplest tunnels to configure, with no ports to open, IPv4 & IPv6 connections and routing rules added automatically.
All you need to do is configure WireGuard with the parameters indicated in 1. On Linux, you can follow this tutorial.
Subnets
It's important not to forget to assign your subnets to the tunnel. To do so, go to the subnets page.
Once your subnet has been assigned, you need to configure it on the other side of the tunnel, depending on how you want to do it. There are 2 main ways of simply assigning the subnet:
Assign in LAN
In this scenario, we simply treat the subnet as a LAN, assign an IP for the gateway (router) and assign the LAN IPs to the machines. This is the recommended method.
NAT 1:1
In this scenario, NAT rules are applied on the router to translate public IPs to private IPs, just as port forwarding would, but for whole IP addresses. Under Linux, for example, this could be done as follows:

```bash
# Don't forget to enable forwarding
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.ip_forward=1

# 203.0.113.1 <-> 192.168.0.5
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.5 -j SNAT --to-source 203.0.113.1
iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.1 -j DNAT --to-destination 192.168.0.5
# FORWARD is evaluated after DNAT and before SNAT, so it sees the private
# address in both directions; match on 192.168.0.5, not on the public IP.
iptables -A FORWARD -s 192.168.0.5 -j ACCEPT
iptables -A FORWARD -d 192.168.0.5 -j ACCEPT

# 203.0.113.2 <-> 192.168.0.10
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.10 -j SNAT --to-source 203.0.113.2
iptables -t nat -A PREROUTING -i eth0 -d 203.0.113.2 -j DNAT --to-destination 192.168.0.10
iptables -A FORWARD -s 192.168.0.10 -j ACCEPT
iptables -A FORWARD -d 192.168.0.10 -j ACCEPT
```

On MikroTik RouterOS:

```
/ip firewall nat
add chain=srcnat src-address=192.168.0.5 action=src-nat to-addresses=203.0.113.1
add chain=srcnat src-address=192.168.0.10 action=src-nat to-addresses=203.0.113.2
# dstnat matches on the public destination address of incoming packets
add chain=dstnat dst-address=203.0.113.1 action=dst-nat to-addresses=192.168.0.5
add chain=dstnat dst-address=203.0.113.2 action=dst-nat to-addresses=192.168.0.10
```
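The `FORWARD` rules above accept every packet forwarded to the mapped host, so with 1:1 NAT the machine is reachable from the Internet on all ports. The following added example (not part of the original page) prints a rule set per mapping that forwards only chosen TCP ports; the function names, the port lists and the use of `eth0` as the tunnel-facing interface are assumptions.

```shell
#!/bin/sh
# Added example: print iptables commands for one 1:1 NAT mapping whose FORWARD
# rules admit only the listed TCP ports. Nothing is applied by this script.

# Succeeds only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in 0?*) exit 1 ;; esac   # no leading zeros (octal ambiguity)
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Succeeds only for a comma-separated list of ports in 1-65535.
valid_ports() (
    case $1 in ''|*[!0-9,]*|,*|*,|*,,*|0*|*,0*) exit 1 ;; esac
    IFS=,
    for port in $1; do
        [ ${#port} -le 5 ] && [ "$port" -le 65535 ] || exit 1
    done
)

# nat_1to1_rules PUBLIC PRIVATE IFACE TCP_PORTS  (hypothetical helper)
# Prints the rules for one mapping; returns 1 and prints nothing on bad input.
nat_1to1_rules() (
    pub=$1 priv=$2 ifc=$3 ports=$4
    valid_ipv4 "$pub" && valid_ipv4 "$priv" && valid_ports "$ports" || exit 1
    case $ifc in ''|*[!A-Za-z0-9_.-]*) exit 1 ;; esac
    cat <<EOF
iptables -t nat -A PREROUTING -i $ifc -d $pub -j DNAT --to-destination $priv
iptables -t nat -A POSTROUTING -o $ifc -s $priv -j SNAT --to-source $pub
iptables -A FORWARD -i $ifc -d $priv -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $ifc -s $priv -j ACCEPT
iptables -A FORWARD -i $ifc -d $priv -p tcp -m multiport --dports $ports -j ACCEPT
iptables -A FORWARD -i $ifc -d $priv -j DROP
EOF
)

# Constructed sample mappings, reusing the addresses from the commands above.
nat_1to1_rules 203.0.113.1 192.168.0.5 eth0 22,443
nat_1to1_rules 203.0.113.2 192.168.0.10 eth0 443
```

These rules stand in for the two blanket `FORWARD` lines per host in the commands above; use one set or the other, since `-A` appends and the first matching rule wins.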


