Configuring MikroTik WireGuard: step-by-step guide

WireGuard is a modern VPN protocol that provides high speed, easy implementation and minimal resource requirements. In this article, we will walk through the process of setting it up on MikroTik routers, including configuring the device to communicate with other network points. The protocol is ideal for connecting remote segments or connecting to external hosts.

Main advantages of configuring MikroTik WireGuard

The benefits of WireGuard will help you appreciate why this VPN has become so popular:

1. High performance: compact code provides speeds faster than most analogs.
2. Easy to set up: the interface is intuitive even for novice users.
3. Compatibility: Supports Linux, Windows, MikroTik and other platforms.
4. Security: the protocol uses state-of-the-art cryptographic algorithms.

To use WireGuard on MikroTik, RouterOS must be updated to version 7.0 or higher.

MikroTik WireGuard Wiring Diagrams

The protocol supports two main scenarios:

1. Peer-to-Peer: Both parties can initiate the connection. Static IP addresses on both routers are required for operation.
2. Client-Server: The client initiates the connection, the server responds. A static IP address is only required for the server.

These wiring diagrams allow you to select the appropriate integration method.

Configuring the server on MikroTik

Step 1: Creating the interface

1. Go to WireGuard → Interfaces.
2. Create a new interface:

• Listen Port – the port to connect to (e.g. 13231).
• Private Key – the key is generated automatically.

/interface wireguard

add listen-port=13231 mtu=1420 name=wireguard-server

Step 2: Assign an IP address

1. Go to IP → Address.
2. Assign an IP address to the interface:

/ip address

add address=192.168.1.1/24 interface=wireguard-server network=192.168.1.0

Step 3: Configuring Peer

1. Go to WireGuard → Peers.
2. Add a new pir:

• Public Key – the client’s public key.
• Allowed Address – IP addresses allowed for access.
• Persistent Keepalive – connection check interval (e.g. 10 seconds).

/interface wireguard peers

add allowed-address=192.168.2.0.0/24 interface=wireguard-server public-key=\

“<CLIENT_PUBLIC_KEY>” persistent-keepalive=10s

Step 4: Configuring routing

1. Go to IP → Routes.
2. Create a static route:

• Dst. Address – client subnet.
• Gateway – IP address of the client.

/ip route

add dst-address=192.168.2.0.0/24 gateway=192.168.1.2

Configuring the client on MikroTik

Step 1: Creating the interface

1. Go to WireGuard → Interfaces.
2. Create a new interface:

• Listen Port – an arbitrary port (e.g. 13232).
• Private Key – the key is generated automatically.

/interface wireguard

add listen-port=13232 mtu=1420 name=wireguard-client

Step 2: Assign an IP address

1. Go to IP → Address.
2. Write the IP address for the interface:

/ip address

add address=192.168.2.1/24 interface=wireguard-client network=192.168.2.0

Step 3: Configuring Peer

1. Go to WireGuard → Peers.
2. Add the server as a pir:

• Public Key – the public key of the server.
• Endpoint is the external IP of the server.
• Endpoint Port – the server port (for example, 13231).
• Allowed Address – server subnets.

/interface wireguard peers

add allowed-address=192.168.1.0.0/24 endpoint-address=<SERVER_IP> \

endpoint-port=13231 interface=wireguard-client public-key=\.

“<SERVER_PUBLIC_KEY>”

Step 4: Configuring routing

1. Go to IP → Routes.
2. Create a route:

• Dst. Address – server subnet.
• Gateway – IP address of the server.

/ip route

add dst-address=192.168.1.0.0/24 gateway=192.168.2.1

Configuring the Firewall 

To secure the connection, add rules for the Firewall:

1. Go to IP → Firewall → Filter Rules.
2. Add a rule to allow traffic through the WireGuard interface:

/ip firewall filter

add chain=input action=accept protocol=udp dst-port=13231

add chain=forward action=accept in-interface=wireguard-server

add chain=forward action=accept out-interface=wireguard-server

Checking WireGuard operation

Follow these steps to verify that WireGuard is working correctly:

1. Verify that the WireGuard interfaces are in the running status.
2. Check the connection by sending a ping between devices:

ping 192.168.1.1

ping 192.168.2.1

If the connection is successful, then the configuration is complete.

Configuring WireGuard on MikroTik is an easy way to ensure a reliable and fast VPN connection. The protocol is great for connecting remote networks, connecting to cloud servers, and more. By following these instructions, you can configure the server and client, route traffic, and secure the connection.

If you still have questions or need help with MikroTik configuration, please contact us. We work daily from 09:00 to 20:00 and are ready to help you!