WireGuard


WireGuard is a simple, fast, and modern VPN that utilizes state-of-the-art cryptography. Its aims to be a better choice than IPSEC or OpenVPN. MikroTik added WireGuard support starting in RouterOS version 7.1beta2. You can connect WireGuard to other MikroTik routers or pretty much any other platform out there includeing Windows and MacOS. The install clients for other platforms can be found here. Let’s take a look at a simple installation.

Step 1: In Router 1 (the one on the left) we’ll create the WireGuard Interface. All you have to do, is give it a name. It will auto generate the Public and Private Keys on it own.

Step 2: Repeat Step 1 for Router 2. In Router 2 (the one on the right) we’ll create the WireGuard Interface. All you have to do, is give it a name. It will auto generate the Public and Private Keys on it own.

Step 3: Set the Peers on Router 1

Step 4: Set the Peers on Router 2

Step 5: Add an address to the WireGuard interface on Router 1. (IP -> Address)

Step 6: Add an address to the WireGuard interface on Router 2. (IP -> Address)

Step 7: At the time of this writing, there is a bug in Winbox with the Endpoint Port. To set the Endpoint Port, you must configure it in the CLI on both sides as shown.

Finally, you will want to verify connectivity by pinging across from both sides. In this example, it will be the two 10.0.0.0/24 addresses that are assigned to the WireGuard interfaces that you will ping to.


Leave a Reply to rickfrey1000 Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

10 thoughts on “WireGuard

  • adam

    Do you have any idea how to use it to connect to other server?
    I set up WG server on Docker, I can connect with my phone and PC but not with Mikrotik…

  • roman

    Hi Rick! Thank you for your howto, but I can’t understand how without marking routing (it’s broken on beta) bring my laptop (192.168.1.2) trought my wireguard server (172.16.0.1)

  • osc

    Got it working with mullvad. All Clients on my lan now use vpn for internet browsing. For everyone interested, just follow the steps for Router 1 configuration in the article. All required information are in the generated config file on mullvad’s ‘My account’ page. Then add the following:
    1. Add Hostroute to the selected wireguard vpn server (in my case 185.209.196.70; 192.168.99.1 is my default LAN gateway)
    /ip route add comment=”MULLVAD WG SERVER” dst-address=185.209.196.70/32 gateway=192.168.99.1 type=unicast
    2. Replace default gateway, so that everything is routed via the wireguard interface by default (renamed wireguard1 interface to wg.vpn)
    /ip route set gateway=wg.vpn [find dst-address=0.0.0.0/0]
    3. Add src-nat rule so that clients behind the router can communicate with the internet (10.68.21.55 is the private vpn ip address the provider assigned to me; masq instead of src-nat should also work)
    /ip firewall nat add action=src-nat chain=srcnat out-interface=wg.vpn to-addresses=10.68.21.55
    4. Depending on your firewall setup, you may need to add something like this in forward chain to allow the traffic
    /ip firewall filter add chain=forward out-interface=wg.vpn action=accept place-before=0
    That’s it.