{"id":1467,"date":"2024-06-21T17:56:27","date_gmt":"2024-06-21T20:56:27","guid":{"rendered":"https:\/\/www.nerdadas.com\/blog\/?p=1467"},"modified":"2025-12-15T16:48:14","modified_gmt":"2025-12-15T19:48:14","slug":"vpn-site-to-site-con-wireguard","status":"publish","type":"post","link":"https:\/\/www.nerdadas.com\/blog\/vpn-site-to-site-con-wireguard\/","title":{"rendered":"VPN Site to Site con Wireguard"},"content":{"rendered":"\n

Hoy va una gu\u00eda \u00abUltra r\u00e1pida\u00bb de como configurar una VPN Site to Site con Wireguard!. Este es un laboratorio para testear las posibilidades de esta vpn.
Wireguard presume de ser m\u00e1s r\u00e1pida, m\u00e1s segura y moderna que OpenVPN y sus predecesoras lo cu\u00e1l me pareci\u00f3 una excelente excusa para hacer un laboratorio express de como configurarla.<\/p>\n\n\n\n

Manos a la obra<\/h2>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n

Configuramos el Router 1<\/p>\n\n\n\n

[admin@MikroTik] > system\/identity\/set name=\"R1\"\n[admin@R1] > ip address\/add interface=ether2 address=192.168.10.1\/24\n[admin@R1] > ip dhcp-server\/setup\nSelect interface to run DHCP server on \n\ndhcp server interface: ether2\nSelect network for DHCP addresses \n\ndhcp address space: 192.168.10.0\/24\nSelect gateway for given network \n\ngateway for dhcp network: 192.168.10.1\nSelect pool of ip addresses given out by DHCP server \n\naddresses to give out: 192.168.10.2-192.168.10.254\nSelect DNS servers \n\ndns servers: 8.8.8.8      \nSelect lease time \n\nlease time: 1800\n[admin@R1] > ip firewall\/nat\/add chain=srcnat out-interface=ether1 action=masquerade \n[admin@R1] > ip dns\/set servers=8.8.8.8 allow-remote-requests=yes<\/code><\/pre>\n\n\n\n
Configuramos el Router 2<\/p>\n\n\n\n
[admin@MikroTik] > system\/identity\/set name=\"R2\"\n[admin@R2] > ip address\/print \nFlags: D - DYNAMIC\nColumns: ADDRESS, NETWORK, INTERFACE\n#   ADDRESS             NETWORK        INTERFACE\n0 D 192.168.122.132\/24  192.168.122.0  ether1   \n[admin@R2] > ip address\/add interface=ether2 address=192.168.20.1\/24\n[admin@R2] > ip dhcp-server\/setup \nSelect interface to run DHCP server on \n\ndhcp server interface: ether2\nSelect network for DHCP addresses \n\ndhcp address space: 192.168.20.0\/24\nSelect gateway for given network \n\ngateway for dhcp network: 192.168.20.1\nSelect pool of ip addresses given out by DHCP server \n\naddresses to give out: 192.168.20.2-192.168.20.254\nSelect DNS servers \n\ndns servers: 8.8.8.8      \nSelect lease time \n\nlease time: 1800\n[admin@R2] > ip firewall\/nat\/add chain=srcnat out-interface=ether1 action=masquerade \n[admin@R2] > ip dns\/set servers=8.8.8.8 allow-remote-requests=yes <\/code><\/pre>\n\n\n\n
Ahora vamos por la configuraci\u00f3n de Wireguard.<\/p>\n\n\n\n
Configuramos las ips de las interfaces de Wireguard.<\/p>\n\n\n\n
#R1\nip\/address add interface=wireguard1 address=10.0.0.1\/30\n#r2\nip\/address add interface=wireguard1 address=10.0.0.2\/30<\/code><\/pre>\n\n\n\n
Configuramos la interfaz de Wireguard en el R1<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Configuramos la interfaz de Wireguard en el Router2<\/p>\n\n\n\n
[admin@R2] > interface\/wireguard\/add name=\u00bbWireguard1″ mtu=1420 listen-port=13231<\/p>\n\n\n\n
Ya tenemos las dos interfaces, exportamos las claves con el bot\u00f3n WG Export y al descargarlas veremos algo como esto:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Ya que la configuraci\u00f3n de Mikrotik nosmostrar\u00e1 solo la clave p\u00fablica en la configuraci\u00f3n, es necesario exportarla y esto lo har\u00e1 en un texto plano. Desde files podemos descargarlos. (segundo bot\u00f3n sobre el archivo, descargar\/Download)<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
En cada router configuraremos, en la secci\u00f3n de Peer los datos que ya tenemos del otro.<\/p>\n\n\n\n
Les dejo este gr\u00e1fico suuuuuuper f\u00e1cil de leer (ouch)<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
En el segundo Router (R1)<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Ahora comprobamos si funciona<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Y por \u00faltimo,igualar las rutas<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Para que ambos equipos sepan por donde buscar las redes ahora vecinas.<\/p>\n\n\n\n
Lo que me pareci\u00f3 interesante de Wireguard es que podemos aplicar reglas de firewall directamente sobre la interfaz virtual donde corre o con las redes de origen y destino como si estuvieran directamente conectadas o ruteadas lo cu\u00e1l hace mucho m\u00e1s f\u00e1cil la administraci\u00f3n.<\/p>\n\n\n\n
Les dejo el lab para que lo prueben con las configs de ambos routers.<\/p>\n\n\n\n
R1.rsc\n\n\/interface wireguard\nadd listen-port=13231 mtu=1420 name=wireguard1\n\/ip pool\nadd name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254\n\/ip dhcp-server\nadd address-pool=dhcp_pool0 interface=ether2 name=dhcp1\n\/port\nset 0 name=serial0\n\/interface wireguard peers\nadd allowed-address=0.0.0.0\/0 endpoint-address=192.168.122.132 endpoint-port=\\\n    13231 interface=wireguard1 private-key=\\\n    \"YMGmwgpl0Ilbdo8Nd1W0kYzBLhkOlSVmz+RMpzA05Fk=\" public-key=\\\n    \"UPXhsQ6KTsd3D4IjWxgEl20E9PszrPjLdrjWdayOZCg=\"\n\/ip address\nadd address=192.168.10.1\/24 comment=LAN interface=ether2 network=192.168.10.0\nadd address=10.0.0.1\/30 comment=Wireguard interface=wireguard1 network=\\\n    10.0.0.0\n\/ip dhcp-client\nadd interface=ether1\n\/ip dhcp-server network\nadd address=192.168.10.0\/24 dns-server=8.8.8.8 gateway=192.168.10.1\n\/ip dns\nset allow-remote-requests=yes servers=8.8.8.8\n\/ip firewall nat\nadd action=masquerade chain=srcnat out-interface=ether1\n\/ip route\nadd disabled=no dst-address=192.168.20.0\/24 gateway=10.0.0.2 routing-table=\\\n    main suppress-hw-offload=no\n\/system identity\nset name=R1\n\/system note\nset show-at-login=no<\/code><\/pre>\n\n\n\n
R2.rsc<\/p>\n\n\n\n
\/interface wireguard\nadd listen-port=13231 mtu=1420 name=wireguard1\n\n\/ip pool\n\nadd name=dhcp_pool0 ranges=192.168.20.2-192.168.20.254\n\n\/ip dhcp-server\n\nadd address-pool=dhcp_pool0 interface=ether2 name=dhcp1\n\n\/interface wireguard peers\n\nadd allowed-address=0.0.0.0\/0 endpoint-address=192.168.122.98 endpoint-port=\\\n\n13231 interface=wireguard1 private-key=\\\n\n\"OFP9S3TqsImwljhppgdJZ5+RE+Q0RKBsy\/49j+YsRUI=\" public-key=\\\n\n\"RnmWHd5QmNJSHEbme5cuOefFnU39utXpiqezUJaJfDQ=\"\n\n\/ip address\n\nadd address=192.168.20.1\/24 comment=LAN interface=ether2 network=192.168.20.0\n\nadd address=10.0.0.2\/30 comment=Wireguard interface=wireguard1 network=\\\n\n10.0.0.0\n\n\/ip dhcp-client\n\nadd interface=ether1\n\n\/ip dhcp-server network\n\nadd address=192.168.20.0\/24 dns-server=8.8.8.8 gateway=192.168.20.1\n\n\/ip dns\n\nset allow-remote-requests=yes servers=8.8.8.8\n\n\/ip firewall nat\n\nadd action=masquerade chain=srcnat out-interface=ether1\n\n\/ip route\n\nadd disabled=no dst-address=192.168.10.0\/24 gateway=10.0.0.1 routing-table=\\\n\nmain suppress-hw-offload=no\n\n\/system identity\n\nset name=R2\n\n\/system note\n\nset show-at-login=no<\/code><\/pre>\n\n\n\n
<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Hoy va una gu\u00eda \u00abUltra r\u00e1pida\u00bb de como configurar una VPN Site to Site con Wireguard!. Este es un laboratorio para testear las posibilidades de esta vpn.
\nWireguard presume de ser m\u00e1s r\u00e1pida, m\u00e1s segura y moderna que OpenVPN y sus predecesoras lo cu\u00e1l me pareci\u00f3 una excelente excusa para hacer un laboratorio express de como configurarla.<\/p>\n","protected":false},"author":1,"featured_media":1479,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1243,1223,1,17,804],"tags":[282,10,37,1230,242,1240,240,1317,239,1316],"class_list":["post-1467","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-montando-tu-red-corporativa-de-0","category-redes","category-sin-categoria","category-tecnologia","category-ti","tag-hack","tag-jeremias-palazzesi","tag-linux","tag-mikrotik","tag-network","tag-networking","tag-openvpn","tag-site-to-site","tag-vpn","tag-wireguard"],"_links":{"self":[{"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/posts\/1467","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/comments?post=1467"}],"version-history":[{"count":7,"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/posts\/1467\/revisions"}],"predecessor-version":[{"id":1852,"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/posts\/1467\/revisions\/1852"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/media\/1479"}],"wp:attachment":[{"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/media?parent=1467"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/categories?post=1467"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nerdadas.com\/blog\/wp-json\/wp\/v2\/tags?post=1467"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}