WireGuard VPN

To establish a WireGuard VPN on a MikroTik router for remote devices, you’ll need to configure a WireGuard interface, assign it an IP address, and set up peers for the remote devices. You’ll also need to configure firewall rules to allow connections to the WireGuard server and ensure proper routing for traffic between the remote devices and the MikroTik’s local network.

Prerequisites

  • A MikroTik router running RouterOS v7 or later, as WireGuard is not supported in earlier versions
  • Remote devices (e.g., smartphones, laptops) with WireGuard client software installed
  • A basic understanding of networking concepts like IP addresses, subnets, and routing

Configure the WireGuard Interface on the MikroTik Router

  • Navigate to /interface/wireguard in WinBox or the command-line interface
  • Create a new WireGuard interface
  • Assign a unique name to the interface (e.g. wg-ca)
  • Set the MTU (Maximum Transmission Unit), e.g. 1500
  • Set the listen port (e.g. keep default 13231) for incoming connections
  • Keep private key empty and mikrotik will generate it for you Create Wireguard Interface
  • Press Apply to create the interface

Assign an IP Address to the WireGuard Interface

  • Navigate to /ip/address
  • Create a new IP address entry
  • Enter the IP address you want to assign to the WireGuard interface (e.g., 192.168.100.1/24)
  • Select the WireGuard interface you created in the previous step wg-ca
  • Optionally, you can set a comment for the address (e.g., “WireGuard VPN”) Subnet for Wireguard

Configure Peers (Remote Devices)

  • Navigate to /interface/wireguard/peers
  • Create a new peer for each remote device
  • Give the peer a name (e.g., iPhone)
  • Optionally add a comment to identify the peer
  • Select the WireGuard interface wg-ca
  • Set private key to auto, MikroTik will generate it for you along with public key
  • Specify the allowed addresses – these are the IP addresses or subnets on the remote device’s side that the MikroTik should accept traffic from (e.g., the client’s IP address or the entire remote subnet). e.g. 192.168.100.2/32
  • Put the same value into Client Address field
  • Set Client DNS to 192.168.100.1
  • Press Apply to see Client Config snippet and Client QR for it Peer

Firewall Rules:

  • Create a firewall rule to allow incoming connections to the WireGuard listen port on the MikroTik General Action
  • You might also need to create rules to allow traffic between the WireGuard interface and the local network (if your default firewall policy is not permissive) General Action

Configure the WireGuard Client (on mobile device)

  • Install the WireGuard client software on your remote devices (available in App Store and Google Store)
  • Add a new WireGuard tunnel and then choose Create from QR code - scan QR generated by mikrotik for the peer created before
  • Give it a name e.g. same as mikrotik interface wg-ca
  • Tunnel created from QR code does not contain Endpoint (even if you add it to the Peer config). To fix it press Edit and set Endpoint IP:31231, where IP is public IP address of your mikrotik router or a DNS name.