Is there some sort of discovery protocol in play here where the unifi controller or APs broadcast to find each other on the same subnet ??
或者你告诉的controller the IP addresses of the AP.

Zerotier is a level 2 construct that would support putting the unifi controller and two APs in the same layer 2 network.

SOLUTION METHOD ONE - EOIP OVER WIREGUARD
a. create wireguard connectivity as per normal and then
b .创建工作组内的EOIP隧道隧道(EOIP never concerns its self ever with local WANIPs at either end )
c. modify configs to avoid L2 conflicts with identical subnets.

a. Setup the WG

/MT Device One info
/interface wireguard
listening port 15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2 interface=wireguard-home public-key="---" comment=Router2
add allowed address=192.168.50.3 interface=wireguard-home public0key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

/MT Device Two
/interface wireguard
listening port 10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24 endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistant keep-alive=35sec
/ip address
add address=192.168.50.2/24 interface=wireguard-client

Setup EIOP tunnel over wireguard.

R1 - VLANS 10,20,30 are on the bridge vlan20 is the subnet unifi controller is on.
R2 - VLANS 5,20,40 are on the bridge, VLAN 20 is the same subnet and where the APs exist.
Both Routers provide DHCP on the subnets.

Router ONE,
eoip-to-TWO
remote address= 192.168.50.2
local address= 192.168.50.1
tunnel ID= 321

Router TWO
eoip-to-ONE
remote address= 192.168.50.1
local address= 192.168.50.2
tunnel ID= 321

Router One

/interface bridge ports
add bridge=bridge interface=eoip-to-TWO pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eiop-to-TWO vlan-ids=20

Note: Tagged or Untagged works but if one can save the overhead of 4 bytes, one pays less carbon tax.

Router Two
/interface bridge ports
add bridge=bridge interface=eoip-to-ONE pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=eiop-to-ONE vlan-ids=20

c.PROBLEM: HOW TO DECONFLICT SAME L2 SUBNET in TWO ROUTERS.

Solution Part 1:VLAN20
R1 ip pool = 192.169.2.2-192.168.2.100
R1 ip address = 192.168.2.1 interface=vlan20 network=192.168.2.0
R2 ip pool = 192.169.2.120-192.168.2.220
R2 ip address = 192.168.2.254 interface=vlan20 network=192.168.2.0

Solution Part 2:Bridge
R1 /interface bridge --> name=bridge vlan-filtering=yesdhcp-snooping=yes
R1 /interface bridge ports ---> add bridge=bridge interface=local port/wlantrusted=yes
R1 /interface bridge ports ---> add bridge=bridge interface=eoip-to-TWOtrusted=no
R2 /interface bridge --> name=bridge vlan-filtering=yesdhcp-snooping=yes
R2 /interface bridge ports ---> add bridge=bridge interface=local port/wlantrusted=yes
R2 /interface bridge ports ---> add bridge=bridge interface=eoip-to-ONEtrusted=no

In effect, we ensure different address and gateway for the same subnet/vlan so that there is no issue with which Router is used for internet traffic.
We ensure that we keep the internet traffic of the local subnet via the local WAN.
确保没有possib桥设置ility of conflict with DHCP assignments between the two subnets connected over the EOIP tunnel.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Well what format for the option 43 value does MT accept...........

192;168;168;50
or
01;04;192;168;168;50

or something else because my attempts show popup message"couldnt add new dhcp option, wrong data type! (6)"

ahh convert to hex SHEESH

SOLUTION METHOD TWO USE DHCP OPTION 43
a. create wireguard connectivity as per normal and then
b. create the DHCP Option settings on R2 for the unifi Access Points.
c. modify configs to allow Access Points via Wireguard (L3 traffic) to route to Unific controller IP.

a. Setup WG as per usual.

/MT Device One info
/interface wireguard
listening port 15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2,192.168.168.0/24 interface=wireguard-home public-key="---" comment=Router2
add allowed address=192.168.50.3 interface=wireguard-home public0key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

/MT Device Two
/interface wireguard
listening port 10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24,10.10.10.0/24endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistant keep-alive=35sec
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Now that wireguard is setup lets SETUP Dhcp options for R2

Router 1, LAN A - 10.10.10.0/24, unifi controller is 10.10.10.15
Router 2, LAN B - 192.168.168.1/24, AP1 192.168.168.5, AP2 192.168.168.20

DHCP server settings for Router 2 LANB
Create an OPTION , call it Option UNIFI
select code 43
select unifi IP address 10.10.10.15 we need to add 0104 in front of it according to searches.
so enter this for the value entry---->0x0104 '10.10.10.15'
Hit Apply and OK, The MT router will convert this to HEX and a raw value!!

Then Go to DHCP NETWORKS.
select LANB
select tab DHCP Options
select UNIFI.

Now the dhcp server will provide the AP with a local IP (offer) and tell the AP the controlling device IP address........
The APs will now send traffic to that IP and we must provide a path there.

c. Now lets ensure that path exits.

Hence in R2 allowed IPs, for peer of R1, we added10.10.10.0/24


Hence in R2 we add a route
/ip route
add dst=10.10.10/24 gwy=WG-Client table=main

Hence in R2 we add firewall rule.......
add chain=forward action=accept in-interface=LANB out-interface=WG-Client src-address-list=UBI-APs

Now when the APs attempt to reach the destination of the unif controller, the routing there will be found by the router to be the wg tunnel, firewall rules will allow it, and the wireguard rules will match the traffic to the peer of R1 and send it on its way.

At R1 we need to ensure allowed IPs for peer router2 include192.168.168.0/24
and thus will be filtered/accepted and allowed to exit the tunnel upon arrival at R1

At R1 we need corresponding firewall rule
add action=accept chain=forward in-interface=WG-Server dst-address=LANA src-address=External_APs
and thus the traffic will allowed to go to the unif controller

Finally at R1 we need to ensure a router back into the tunnel for said traffic.
add dst=address=192.168.168.0/24 gwy=WG-Server table=main

SOLUTION METHOD 3 - VXLAN OVER WIREGUARD TUNNEL
a. create wireguard connectivity as per normal and then
b. create the VXLAN tunnel within the WG tunnel ( vxlan never concerns its self with local WANIPs at either end )
c. modify configs to avoid L2 conflicts with identical subnets.

For those not familiar with VxLAN, it's an tunneling protocol which wraps layer 2 frame into a UDP packet at layer 3.

Diagram courtesy of Charles D.
......
SCENARIO, Span subnet like EOIP over two separate locations.

Facts:
VLAN B - LANB on R1 where unifB controller resides and LANB on R2 where two unifi APs reside AP1-B and AP2-B
It is thought (but not verified) that the underlying Network (in this case Wireguard) should have a higher MTU (min 1522, we will use1550)

SO in our example we are going to create one vxlan tunnel between VLAN B on R1 to VLAN B on R2.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


a. setup the wg tunnel

/MT Device One info
/interface wireguard
listening port 15551 mtu=1550 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2, interface=wireguard-home public-key="---" comment=Router2
add allowed address=192.168.50.3 interface=wireguard-home public0key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

/MT Device Two
/interface wireguard
listening port 10771 mtu=1550 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24, endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistant keep-alive=35sec
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Now lets construct the vxlan tunnel

R1 VLAN B - 192.168.2.0/24 , unifi controller = 192.168.2.15,
R2 VLAN B - 192.168.2.0/24 , unifi APs AP1-B = 192.168.2.25 AP2-B = 192.168.2.35

VLANx Settings

Step1:Assign vxlan interface name.
R1: Interface name=ConrollerB
R2: Interface name=AP-B

Step2:Allocate VTEP to the underlying structure
R1: VTEP --> interface=ControllerB remoteIP=192.168.50.2 { since the remote IP wireguard address of R2 is 50.2 }
R2: VTEP --> interface=AP-B remoteIP=192.168.50.1 { since the remote IP wireguard address of R1 is 50.1 }

Step3:Assign vxlan parameters as required. The first iteration of this solution will be to span the same subnet.
R1 (interface ControllerB) --> vni=1001 port=9472
R2 (interface AP-B) --> vni=1001 port=9472

Add both vxlan interfaces to the single bridge on each router and connect/associate to the applicable VLAN interface.
R1
/interface bridge port
add bridge=bridge interface=ControllerB pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ControllerB vlan-ids=20

Note: Tagged or Untagged works but if one can save the overhead of 4 bytes, one pays less carbon tax.

R2
/interface bridge port
add bridge=bridge interface=AP-B pvid=20
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=AP-B vlan-ids=20

c.PROBLEM:HOW TO DECONFLICT SAME L2 SUBNET in TWO ROUTERS.

Solution Part 1:VLAN20
R1 ip pool = 192.169.2.2-192.168.2.100
R1 ip address = 192.168.2.1 interface=vlan20 network=192.168.2.0
R2 ip pool = 192.169.2.120-192.168.2.220
R2 ip address = 192.168.2.254 interface=vlan20 network=192.168.2.0

Solution Part 2:Bridge
R1 /interface bridge --> name=bridge vlan-filtering=yesdhcp-snooping=yes
R1 /interface bridge ports ---> add bridge=bridge interface=local port/wlantrusted=yes
R1 /interface bridge ports ---> add bridge=bridge interface=Controller-Btrusted=no
R2 /interface bridge --> name=bridge vlan-filtering=yesdhcp-snooping=yes
R2 /interface bridge ports ---> add bridge=bridge interface=local port/wlantrusted=yes
R2 /interface bridge ports ---> add bridge=bridge interface=AP-Btrusted=no

In effect, we ensure different address and gateway for the same subnet/vlan so that there is no issue with which Router is used for internet traffic.
We ensure that we keep the internet traffic of the local subnet via the local WAN.
确保没有possib桥设置ility of conflict with DHCP assignments between the two subnets connected over the vxlan tunnel.

AMMO, as you can see my EOIP solution is almost there, just need to figure out internet and WAN implications ( which is what I was expecting Holvoe to come in and show me the way..........
The dhcp options solutions should work for unifi....... good to go!
As for vxlan, set WG to 1550, should make it all feasible, still have work to do on this config

IPSEC has no utility in a home environment IMHO. Haters expected LOL......

You missed the point completely, the unif controller and AP are not in the same location and just to make sure you understand, not under the same local router!
How did I manage to glean that from the OP, probably his comment my HOME, and my vacation home,

甜蜜的链接 ..........

Thanks nichy I will review................... I thought the vni had to be duplicated................ like EOIP code etc.........
Confirmed think of vni as the Group code for all members on the same vxlan.

In terms of the port setting, what I was instructed is that they do not need to be identical, but can be identical, as they only define what port the router is listening on at its end of the vxlan.
The port used for sending is random I guess. In any case I changed the config to show the same port as that seems to cause less confusion.

Also to both EOIP and vxLAN solutions, I have added deconflicting components because we are spanning an L2 network on two different routers.....
This is why the DHCP option method at least for the specific case of unifi devices is superior. Dont have to worry about L2 shenanigans

Stick to (conspiracy) theories

Reading on the always 100% accurate internet........
"I've tunneled VXLAN over Wireguard on Linux. In my setup, my WAN's MTU was 1500 bytes, and my Wireguard tunnel's MTU was 1550, with the VXLAN's MTU being 1500. Surprisingly, traffic and iperf3 tests going over the VXLAN had much better throughput than traffic going directly over the Wireguard connection. IIRC, over the VXLAN, I was pulling ~800Mbps over the VXLAN/WG setup with iperf3.

Where this would fall apart is if there are firewalls in between that silently drop UDP fragments. In a case like that, it may be necessary to do VXLAN/Wireguard/Wireguard to conceal the fragmented packets with MTUs of 1500/1550/1440 respectively, assuming IPv4 and WAN MTU of 1500. I bet this would come with a significant performance hit though."

Another find -->
"Setting the MTU on the interface is very important. If you aren't familiar with VxLAN, it's basically wrapping a L2 packet inside of a UDP packet. Normally on a physical infrastructure we would increase the L2 MTU of all the infrastructure links to accomodate the larger packets, but sadly I can't change the MTU of all the links between my two sites. So...we increase the MTU of the VPN link it self. WireGuard does a very nice job with managing this, and breaks up the larger packets for us for transmission. A+ WireGuard! ip link set wg-to-b mtu1600"

I only make the configs, I have no use for them personally LOL, so have no clue when the rubber meats the road!!

3) Make alternative recommendations even if it includes somehow telling the Unifi Controller to go "look" for LAN B 0.X via client interface tunnel WG connected on 2.X

ps : I know I can re-enroll/adopt the Unifi equipment and connect them to the controller on LAN A easy enough, but I don't
have technically capable hands on-prem at LAN B that could do this, and LAN B is several thousand KMs away.

Thanks for the energy, please be kind

1. Make a DNS entry on the site you want to adopt Unifi stuff in the form unifi.example.domain IN A
2. Make sure your DHCP-server hands out example.domain to your Unifi stuff as domain suffix
3. Your Unifi stuff will automatically find your controller on the other side of your tunnel if your WG config is sound.

Thanks Marino are you tempting me with OPTION FOUR LOL..........

WINNER WINNER TURKEY DINNER - Marino!

SOLUTION METHOD FOUR -PREFERRED OptionUSE DNS ONLY
a. create wireguard connectivity as per normal and then
b. create the IP DNS SETTINGS and DHCP SERVER SETTINGS on Router 2.
c. modify configs to allow Access Points via Wireguard (L3 traffic) to route to Unific controller IP.

a. Setup WG as per usual.

/MT Device One info
/interface wireguard
listening port 15551 mtu=1420 name=wireguard-home
/interface wireguard peers
add allowed-address=192.168.50.2,192.168.168.0/24 interface=wireguard-home public-key="---" comment=Router2
add allowed address=192.168.50.3 interface=wireguard-home public0key="---" comment=remoteAdmin
/ip address
add address=192.168.50.1/24 interface=wireguard-home

/MT Device Two
/interface wireguard
listening port 10771 mtu=1420 name=wireguard-client
/interface wireguard peers
add allowed-address=192.168.50.0/24,10.10.10.0/24endpoint-address=mynetnameMTDEVICEONE endpoint-port=15551 \
interface=wireguard-client public-key="..." persistant keep-alive=35sec
/ip address
add address=192.168.50.2/24 interface=wireguard-client

b. Now that wireguard is setup lets SETUP the DHCP and DNS for R2

Router 1, LAN A - 10.10.10.0/24, unifi controller is 10.10.10.15
Router 2, LAN B - 192.168.168.1/24, AP1 192.168.168.5, AP2 192.168.168.20

/ip dhcp-server network
add address=192.168.168.0/24 dns-server=192.168.168.1 domain=ammo.homegateway=192.168.168.1

/ip dns static
add address=10.10.10.15 name=unifi.ammo.hometype=A

NOTE: The assumption is that the unifi APs are looking for two ways to connect to the unif controller.
a via DHCP option 43 contents. In this case there is no option 43 indicated ( this solution was provided by Method 2 on a previous post)
b. each device on the subnet will ask for DHCP configuration and will get, the IP address and mask, the gateway, the DNS server and the name of the"local" domain.
The AP is expecting to see a local domain. Then the AP asks DNS to return an address specifically for unifi.domain.nameand in this case will then receive10.10.10.15

c. Now lets ensure that path via WG from router to router exists as the APs will be searching for the UNIFI destination IP.

Hence in R2 allowed IPs, for peer of R1, we added10.10.10.0/24

Hence in R2 we add a route
/ip route
add dst=10.10.10/24 gwy=WG-Client table=main

Hence in R2 we add firewall rule.......
add chain=forward action=accept in-interface=LANB out-interface=WG-Client src-address-list=UBI-APs

Now when the APs attempt to reach the destination of the unif controller, the routing there will be found by the router to be the wg tunnel, firewall rules will allow it, and the wireguard rules will match the traffic to the peer of R1 and send it on its way.

At R1 we need to ensure allowed IPs for peer router2 include192.168.168.0/24
and thus will be filtered/accepted and allowed to exit the tunnel upon arrival at R1

At R1 we need corresponding firewall rule
add action=accept chain=forward in-interface=WG-Server dst-address=LANA src-address=External_APs
and thus the traffic will allowed to go to the unif controller

Finally at R1 we need to ensure a router back into the tunnel for said traffic.
add dst=address=192.168.168.0/24 gwy=WG-Server table=main

MTU clueless here so cannot help............ but here is the link to the user article based on this thread.......viewtopic.php?t=194646
Comments welcome.

1. UNIFI Controller to UNIFI APs -via Wireguard and EOIP.-viewtopic.php?p=990837#p990836
2. UNIFI Controller to UNIF APs -via Wireguard and VXLAN-viewtopic.php?p=990834#p990837
3. UNIF Controller to UNIFI APs -via Wireguard and DHCP Option-viewtopic.php?p=990834#p990838
4. UNIFI Controller to UNIF APs -via Wireguard and DNS+DHCP-viewtopic.php?p=990834#p990839
5.mDSN DiscoveryBetween Home and Office Devices -viewtopic.php?p=990834#p990840
6.Identical SubnetsUsing WG Between Two Locations -viewtopic.php?p=990834#p990947