Does anyone know if it's possible to make a site-to-site tunnel with these requirements?
Mikrotik on site A is behind an ISP router. That ISP router has a public dynamic IP address. Thankfully, it doesn't suffer any CGNAT. I have the admin password of the ISP router, so I can open any ports I want.
Mikrotik on site B is behind an ISP-owned router. That ISP router has a public dynamic IP address, but unfortunately it's suffering a terrible CGNAT applied by the ISP. So I cannot open any ports at all.
Neither of the Mikrotiks can use any NAT rules or firewall rules. (NAT rules and firewall rules must be completely empty on both sites.)
Basically what I'm asking is: can you replicate the current VPN that is now using SSTP, but with WireGuard instead?
Current Mikrotik config on site A (port 42345 is open on the ISP router):
Code:
/ip address add address=192.168.100.2/24 interface=bridge network=192.168.100.0
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.100.1
/interface sstp-server server set enabled=yes port=42345
/ppp secret add local-address=172.26.1.1 name=vpnuser password=blablabla profile=default-encryption remote-address=172.26.1.2 routes="192.168.200.0/24 172.26.1.2 1" service=sstp
/ip cloud set ddns-enabled=yes ddns-update-interval=2m
Code:
/ip address add address=192.168.200.2/24 interface=bridge network=192.168.200.0
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.200.1
/ip route add disabled=no dst-address=192.168.100.0/24 gateway=sstp-out1
/interface sstp-client add connect-to=blablabla.sn.mynetname.net disabled=no name=sstp-out1 port=42345 profile=default-encryption user=vpnuser password=blablabla verify-server-address-from-certificate=no
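
An added example, not part of the original post: a WireGuard counterpart of the SSTP setup above, in which site B (behind CGNAT) dials out to site A. It assumes both routers run RouterOS 7 and that the ISP router at site A forwards UDP 42345 (WireGuard is UDP, SSTP was TCP) to 192.168.100.2; the interface name wg-s2s and the key placeholders are assumptions, while the addresses, port and DDNS name are reused from the post.

```routeros
# --- Site A: reachable side, only listens ---
# A key pair is generated when the interface is created;
# read the public key with "/interface wireguard print".
/interface wireguard add name=wg-s2s listen-port=42345
/ip address add address=172.26.1.1/30 interface=wg-s2s
# No endpoint is set for site B: it is behind CGNAT and cannot be dialled.
# allowed-address limits which source addresses are accepted from this peer.
/interface wireguard peers add interface=wg-s2s public-key="<SITE-B-PUBLIC-KEY>" allowed-address=172.26.1.2/32,192.168.200.0/24
# Replaces the routes= entry of the old /ppp secret
/ip route add dst-address=192.168.200.0/24 gateway=wg-s2s
/ip cloud set ddns-enabled=yes ddns-update-interval=2m

# --- Site B: behind CGNAT, initiates the tunnel ---
/interface wireguard add name=wg-s2s
/ip address add address=172.26.1.2/30 interface=wg-s2s
# persistent-keepalive keeps the CGNAT mapping open so site A can reply
# and send traffic back at any time.
/interface wireguard peers add interface=wg-s2s public-key="<SITE-A-PUBLIC-KEY>" endpoint-address=blablabla.sn.mynetname.net endpoint-port=42345 allowed-address=172.26.1.1/32,192.168.100.0/24 persistent-keepalive=25s
/ip route add dst-address=192.168.100.0/24 gateway=wg-s2s
```

Each peer is authenticated by its public key, so there is no shared password to store and no counterpart to verify-server-address-from-certificate=no.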