# create private key for public key crypto
> openssl rand -base64 32 > /root/wg0.key

# create pre shared key for additional symmetric crypto layer
> openssl rand -base64 32 > /root/wg0.psk

# create and bind wg interface to port 81520
> ifconfig wg0 create wgport 81520 wgkey `cat /root/wg0.key`

# show config
> ifconfig wg0

# set ip and broadcast
> ifconfig wg0 192.168.2.1 netmask 255.255.255.0

# setup interface
> edit /etc/hostname.wg0
## == server key
wgkey XXXXXXXXXXXXXXX=
## == server port
wgport 81520
## == linux-client
wgpeer XXXXXXXXXXXXXX= wgaip 192.168.2.3
## == linux-client including psk
wgpeer XXXXXXXXXXXXXX= wgpsk XXXXXXXXXXXXXX= wgaip 192.168.2.3
## == mikrotik-side "192.168.20.0/24"
wgpeer XXXXXXXXXXXXXX= wgaip 0.0.0.0/0
## == server address
inet 192.168.2.1 255.255.255.0
## == route mikrotik-side
!route add -net 192.168.20.0/24 192.168.2.200
## == interface up
up


# create psk using libressl
> openssl rand -base64 32


# firewall rules
> edit /etc/pf.conf
## == wg server port
wg_port = "{8152}"
# pass wg0 peering
pass on wg0
## == udp input
pass in quick on egress proto udp to port $wg_port


# change file permissions
> chmod go-rwx /etc/hostname.wg0

# destroy interface
> ifconfig wg0 destroy

# start interface
> sh /etc/netstart wg0


# allow ip forwarding
> edit /etc/sysctl.conf
net.inet.ip.forwarding=

# directly start forwarding
> sysctl net.inet.ip.forwarding=1

# install wireguard tools
> dnf install -y elrepo-release epel-release
> dnf install -y kmod-wireguard wireguard-tools
# create dir
> mkdir -p /etc/wireguard
# change into it
> cd /etc/wireguard
# create keys
> umask 077 \
  | wg genkey \
  | tee /etc/wireguard/private.key \
  | wg pubkey \
  | tee /etc/wireguard/public.key
# write config
> edit /etc/wireguard/wg0.conf
[Interface]
Address = 192.168.2.3/32
ListenPort = 39012
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXX=

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXX==
AllowedIPs = 192.168.2.0/24,192.168.20.0/24
Endpoint = <server-ip>:81520
PersistentKeepalive = 25

# wg quick
> wg-quick up wg0
> systemctl enable wg-quick@wg0

# if needed set static router to enter the lan behind the endpoint
> ip route add 192.168.20.0/24 via 192.168.2.1 dev wg0

# create interface
> /interface/wireguard/add \
  name=wg1 listen-port=38014

# create config
> /interface/wireguard/peers/add \
  endpoint-address=x.x.x.x \
  endpoint-port=81520 \
  interface=wg1 \
  allowed-address=192.168.2.0/24 \
  persistent-keepalive=25 \
  public-key="XXXxxx="

# accept networking
> /ip/firewall/filter
  add action=accept chain=forward dst-address=192.168.30.0/24 src-address=192.168.2.0/24
  add action=accept chain=forward dst-address=192.168.2.0/24 src-address=192.168.30.0/24

# allow incomming udp traffic
/ip/firewall/filter
add action=accept chain=input dst-port=38014 protocol=udp src-address=192.168.2.1

# set ip address
/ip/address
add address=192.168.2.202/32 interface=wg1

# add route
/ip/route
add dst-address=192.168.2.0/24 gateway=wg1

# on jump server route traffic to side
route add -priority 2 192.168.30.0/24 192.168.2.1