Hello again! Emmanuel Corels here from Emmanuel Corels Creatives, and if you thought we’d covered every VPN flavor under the sun, think again—WireGuard has entered the MikroTik arena. It’s a lean, mean, secure tunneling machine that many network pros are falling in love with for its simplicity and speed. Ready to explore how it works on MikroTik? Let’s jump right in.
What’s So Great About WireGuard?
WireGuard is a relatively new VPN protocol that focuses on:
- Speed: It’s known for lean code and efficient cryptographic operations.
- Simplicity: Configuration is often more straightforward than IPsec or OpenVPN.
- Security: Uses modern cryptographic primitives (e.g., Curve25519, ChaCha20).
- Cross-Platform: Works on Linux, macOS, Windows, iOS, Android, and now—MikroTik RouterOS v7+.
Because it’s built directly into the Linux kernel (and adapted for other platforms), it’s typically faster and lighter than many older VPN protocols.
RouterOS Version Requirements
WireGuard is available only in RouterOS 7 or newer. If you’re on RouterOS 6, you won’t find the WireGuard interface. To check your version, hop into WinBox → System → Resources, or use /system resource print in the CLI. If you’re not on at least 7.1, head over to System → Packages and update.
Generating Keys
WireGuard uses public-private key pairs to authenticate peers. Each device in a WireGuard network has its own pair:
- On MikroTik, you can let the router generate the key pair automatically. In WinBox, go to Interfaces → WireGuard.
- Click the plus sign to create a new WireGuard interface, say “wg1.”
- Check “Generate Key” (or “Generate” next to Private Key in the CLI). The router then fills in both your Private Key and a Public Key.
You can also generate keys offline using another system (like the wg genkey command on Linux) if you prefer. But letting the MikroTik do it is quick and painless.
Creating a WireGuard Interface
In WinBox:
- Go to Interfaces → WireGuard and click the plus sign.
- Give it a name (e.g., “wg1”).
- Ensure “Listen Port” is something valid, typically 51820 by default.
- Leave MTU at a recommended size (e.g., 1420) unless you have a specific reason to change it.
- Hit OK.
In CLI form, something like:
/interface wireguard add name=wg1 listen-port=51820
/interface wireguard set wg1 private-key="yourPrivateKeyHere"
The system might auto-generate the private key if you skip specifying one.
Assigning an IP to the WireGuard Interface
WireGuard is simpler than IPsec tunnels—it behaves like a virtual interface. Just give it an IP address in IP → Addresses. Let’s say you want a small /24 just for WireGuard peers:
/ip address add address=10.10.10.1/24 interface=wg1
Do this on your MikroTik so it has an internal IP for the WireGuard tunnel. Remote devices connecting to it will use addresses in that same subnet but must have unique IPs (like 10.10.10.2/24, 10.10.10.3/24, etc.).
Adding WireGuard Peers
A “peer” is basically a remote WireGuard device (another router, a PC, a phone). Each peer has its own public key that you’ll add to the MikroTik, and you’ll share the MikroTik’s public key with the peer. This mutual key exchange is how they authenticate each other.
In WinBox, open Interfaces → WireGuard → Peers:
- Click the plus sign.
- Interface: wg1.
- Public Key: paste the remote device’s public key (for example, from a client device).
- Allowed Address: the IP or subnet the peer will have (like 10.10.10.2/32).
- If the remote device will initiate the connection, put 0.0.0.0/0 under Endpoint to let the router accept from any IP. Or specify the remote’s IP if it’s static.
- Endpoint Port if you know the remote’s WireGuard listening port (often 51820).
The corresponding CLI approach:
/interface wireguard peers add interface=wg1 public-key="RemotePeerPublicKey" \
allowed-address=10.10.10.2/32 endpoint-address=1.2.3.4 endpoint-port=51820
If the remote device has a dynamic IP, you can omit endpoint-address so the MikroTik simply listens for any incoming handshake from that public key.
Configuring the Remote Peer (e.g., Windows Client)
On the other side (a Windows PC with the official WireGuard client), you’d create a new tunnel:
- Generate or import your private key. The client automatically shows you a public key—that goes into the MikroTik’s peer config.
- Set an Interface section with an IP in the same subnet (like Address = 10.10.10.2/24).
- In the Peer section, specify the MikroTik’s public key, the endpoint (MikroTik’s public IP or hostname and port 51820), and AllowedIPs = 10.10.10.0/24 (for the tunnel network).
When you activate the tunnel on your client, you should see a handshake in your MikroTik “WireGuard → Peers” page. If everything’s correct, each side logs the connection.
Routing Traffic Through the Tunnel
If you only want to ping between the local router (10.10.10.1) and the remote peer (10.10.10.2), that’s enough. But if your remote peer needs access to other subnets behind the MikroTik, add the relevant routes.
For example, if you want the peer to see your LAN at 192.168.88.0/24, then:
- In the peer’s AllowedIPs, add 192.168.88.0/24 so the client routes that traffic over WireGuard.
- On the MikroTik, either rely on a default route or specify Allowed Address for the peer to be 10.10.10.2/32, 192.168.88.0/24 if you want that subnet to be known as behind the peer. Or simply add a route on the router telling it that 10.10.10.2 can route traffic to 192.168.88.0 (depending on your scenario).
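To make the client side concrete, here is an added example (not a config from the original post) of a tunnel file for the official Windows WireGuard client. It covers both the basic tunnel from the Windows section and the LAN route from this routing section, using the post’s addresses (10.10.10.2/24, 10.10.10.0/24, 192.168.88.0/24, port 51820). The two keys and the hostname vpn.example.com are placeholders you replace with your own values.

```ini
# Added example: Windows WireGuard client tunnel for the post's scenario.
# Keys and the hostname are placeholders; replace them with real values.

[Interface]
# Generated by the client; the matching public key is what you paste into the
# MikroTik peer's "Public Key" field.
PrivateKey = REPLACE_WITH_CLIENT_PRIVATE_KEY
# Tunnel address, unique per client, inside the router's WireGuard subnet.
Address = 10.10.10.2/24
# Optional: a resolver reachable through the tunnel (e.g., the router itself).
# DNS = 10.10.10.1

[Peer]
# The MikroTik's public key, as shown by /interface wireguard print.
PublicKey = REPLACE_WITH_MIKROTIK_PUBLIC_KEY
# Router's public IP or hostname, followed by its listen-port.
Endpoint = vpn.example.com:51820
# Only these destinations go over the tunnel: the tunnel subnet and the LAN
# behind the router. Use 0.0.0.0/0 instead to send all traffic via the router
# (which then needs the srcnat masquerade rule on the MikroTik).
AllowedIPs = 10.10.10.0/24, 192.168.88.0/24
# Keeps the NAT mapping on the client's network alive so the router can still
# reach the client after an idle period.
PersistentKeepalive = 25
```

Keep AllowedIPs as narrow as the job requires: it is both the client’s route table for the tunnel and the filter for what the client will accept from the router’s key, so 0.0.0.0/0 is only appropriate when you really want the router to carry all of the client’s traffic.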
You might also need a NAT rule if your remote client must exit to the internet using the MikroTik’s WAN:
/ip firewall nat add chain=srcnat out-interface=ether1-wan src-address=10.10.10.0/24 action=masquerade
This masquerades tunnel traffic going out to the internet.
Firewall Considerations
WireGuard uses UDP on the specified port (usually 51820). Ensure your firewall isn’t blocking it:
- In IP → Firewall → Filter Rules, you might add a rule allowing udp dst-port=51820 in the input chain if you have a default drop policy.
- If your MikroTik is behind another NAT device (like an ISP router), forward UDP 51820 from that device to the MikroTik’s IP.
Because WireGuard carries both its handshake and its data on that one UDP port, you just need that single port open to accept inbound sessions. After a handshake, traffic flows according to your routing rules.
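Pulling the router-side steps above together, here is an added example (not from the original post) of the complete RouterOS 7 configuration for the scenario used throughout: interface wg1 on UDP 51820, tunnel subnet 10.10.10.0/24, one Windows client at 10.10.10.2/32, LAN 192.168.88.0/24 behind the router, and WAN on ether1-wan. The client public key is a placeholder; the place-before=0 ordering and the forward rule are assumptions about your existing firewall, so adjust them to fit your rule set.

```routeros
# Added example: router side of a client-to-site WireGuard tunnel on RouterOS 7.
# Values (wg1, 10.10.10.0/24, 192.168.88.0/24, ether1-wan, 51820) follow the post;
# the peer key below is a placeholder, not a real key.

# 1. Interface. With no private-key given, the router generates the key pair.
/interface wireguard add name=wg1 listen-port=51820 mtu=1420 comment="client-to-site"

# Print the router's public key; this is what goes into each client's [Peer] section.
:put ("wg1 public key: " . [/interface wireguard get [find name=wg1] public-key])

# 2. Tunnel address for the router itself.
/ip address add address=10.10.10.1/24 interface=wg1 comment="WireGuard tunnel"

# 3. Peer. allowed-address is the only source the router accepts from this key,
#    so keep it a /32 unless a subnet really sits behind the peer.
#    No endpoint-address: the client has a dynamic IP and initiates the handshake.
/interface wireguard peers add interface=wg1 \
    public-key="REPLACE_WITH_CLIENT_PUBLIC_KEY" \
    allowed-address=10.10.10.2/32 \
    persistent-keepalive=25s comment="laptop"

# 4. Input chain: accept the WireGuard port ahead of the default drop.
#    place-before=0 puts it at the top; move it below your established/related rule if you have one.
/ip firewall filter add chain=input protocol=udp dst-port=51820 \
    action=accept place-before=0 comment="WireGuard listen port"

# 5. Forward chain: let tunnel clients reach the LAN. Only needed if your
#    forward chain drops traffic arriving on interfaces other than the LAN.
/ip firewall filter add chain=forward in-interface=wg1 dst-address=192.168.88.0/24 \
    action=accept comment="WireGuard -> LAN"

# 6. Only if clients should reach the internet through the router's WAN.
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 \
    out-interface=ether1-wan action=masquerade comment="WireGuard internet egress"
```

Paste it into a terminal session one block at a time, then run /interface wireguard print to copy the router’s public key into the client. Step 6 is intentionally last and optional: without it, clients can reach the tunnel subnet and the LAN but will not get internet access through the router, which is often exactly what a remote-management tunnel should look like.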
Useful Commands and Monitoring
/interface wireguard print
/interface wireguard peers print
You’ll see if a handshake has occurred (rx/tx bytes will increment). WinBox has a “Latest Handshake” column to show you the last successful session.
Logs might not be as verbose for WireGuard as with IPsec or L2TP, so rely on these counters to confirm traffic is flowing.
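As an added example of reading those counters from the CLI (not a script from the original post), this short RouterOS script walks every peer on wg1 and prints its public key, current endpoint, last handshake age and byte counters, so a peer that never completed a handshake stands out. The property names (public-key, last-handshake, rx, tx, current-endpoint-address) are the columns shown by /interface wireguard peers print on RouterOS 7; the wg1 name follows the post.

```routeros
# Added example: one-line-per-peer health summary for wg1 on RouterOS 7.
# Run it from a terminal or save it under /system script.
:foreach p in=[/interface wireguard peers find interface=wg1] do={
    :local key [/interface wireguard peers get $p public-key]
    :local hs  [/interface wireguard peers get $p last-handshake]
    :local rx  [/interface wireguard peers get $p rx]
    :local tx  [/interface wireguard peers get $p tx]
    :local ep  [/interface wireguard peers get $p current-endpoint-address]
    # A peer that has never handshaked has no last-handshake value at all.
    :if ([:len $hs] = 0) do={ :set hs "never" }
    :if ([:len $ep] = 0) do={ :set ep "none" }
    # Show only the first characters of the key; enough to tell peers apart.
    :put ("peer " . [:pick $key 0 12] . "... endpoint=" . $ep . " last-handshake=" . $hs . " rx=" . $rx . " tx=" . $tx)
}
```

A peer showing last-handshake=never after the client has been switched on points at the key or firewall gotchas below; a recent handshake with rx growing but tx stuck at zero usually means the return traffic is not being routed back into wg1.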
Why People Love It
- Simplicity: Minimal overhead in config.
- Performance: Speedy, especially on lower-power hardware.
- Cross-Platform Ease: Works nearly identically across OSes.
- Security: Stays current with best-practice cryptography.
Common Gotchas
- Wrong Keys: If you accidentally swap public/private keys or mismatch them between devices, no handshake.
- No Route: If you want to reach subnets behind the router, ensure routes and AllowedIPs match. If something’s missing, traffic never makes it over the tunnel.
- UDP Blocked: Some networks block inbound UDP. If you suspect this, see if a different port or a port-forward from your ISP router is needed.
- Firewall Overlooked: If your default input chain policy is drop, you must explicitly allow udp 51820.
Wrapping Up This WireGuard Primer
With WireGuard in RouterOS 7, MikroTik took a big step toward modernizing its VPN offerings. You can set up site-to-site tunnels or client-to-site connections in a matter of minutes. Just remember to handle key exchange carefully and tune your routes or NAT as needed.
If you’ve only ever dealt with older VPN methods, expect a breath of fresh air with WireGuard. It’s a great fit for remote workers, quick site-to-site links, or even just secure remote management. As always, keep exploring, keep learning, and let me know how your WireGuard adventures turn out—there’s always more to discover in the MikroTik universe!
Enthusiastically authored by
Emmanuel Corels – Admin, Emmanuel Corels Creatives