WireGuard is a modern VPN protocol that provides high speed, easy implementation and minimal resource requirements. In this article, we will walk through the process of setting it up on MikroTik routers, including configuring the device to communicate with other network points. The protocol is ideal for connecting remote segments or connecting to external hosts.
Main advantages of configuring MikroTik WireGuard
The benefits of WireGuard will help you appreciate why this VPN has become so popular:
- High performance: compact code provides speeds faster than most analogs.
- Easy to set up: the interface is intuitive even for novice users.
- Compatibility: Supports Linux, Windows, MikroTik and other platforms.
- Security: the protocol uses state-of-the-art cryptographic algorithms.
To use WireGuard on MikroTik, RouterOS must be updated to version 7.0 or higher.
MikroTik WireGuard Wiring Diagrams
The protocol supports two main scenarios:
- Peer-to-Peer: Both parties can initiate the connection. Static IP addresses on both routers are required for operation.
- Client-Server: The client initiates the connection, the server responds. A static IP address is only required for the server.
These wiring diagrams allow you to select the appropriate integration method.
Configuring the server on MikroTik
Step 1: Creating the interface
- Go to WireGuard → Interfaces.
- Create a new interface:
- Listen Port – the port to connect to (e.g. 13231).
- Private Key – the key is generated automatically.
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard-server
Step 2: Assign an IP address
- Go to IP → Address.
- Assign an IP address to the interface:
/ip address
add address=192.168.1.1/24 interface=wireguard-server network=192.168.1.0
Step 3: Configuring Peer
- Go to WireGuard → Peers.
- Add a new pir:
- Public Key – the client’s public key.
- Allowed Address – IP addresses allowed for access.
- Persistent Keepalive – connection check interval (e.g. 10 seconds).
/interface wireguard peers
add allowed-address=192.168.2.0.0/24 interface=wireguard-server public-key=\
“<CLIENT_PUBLIC_KEY>” persistent-keepalive=10s
Step 4: Configuring routing
- Go to IP → Routes.
- Create a static route:
- Dst. Address – client subnet.
- Gateway – IP address of the client.
/ip route
add dst-address=192.168.2.0.0/24 gateway=192.168.1.2
Configuring the client on MikroTik
Step 1: Creating the interface
- Go to WireGuard → Interfaces.
- Create a new interface:
- Listen Port – an arbitrary port (e.g. 13232).
- Private Key – the key is generated automatically.
/interface wireguard
add listen-port=13232 mtu=1420 name=wireguard-client
Step 2: Assign an IP address
- Go to IP → Address.
- Write the IP address for the interface:
/ip address
add address=192.168.2.1/24 interface=wireguard-client network=192.168.2.0
Step 3: Configuring Peer
- Go to WireGuard → Peers.
- Add the server as a pir:
- Public Key – the public key of the server.
- Endpoint is the external IP of the server.
- Endpoint Port – the server port (for example, 13231).
- Allowed Address – server subnets.
/interface wireguard peers
add allowed-address=192.168.1.0.0/24 endpoint-address=<SERVER_IP> \
endpoint-port=13231 interface=wireguard-client public-key=\.
“<SERVER_PUBLIC_KEY>”
Step 4: Configuring routing
- Go to IP → Routes.
- Create a route:
- Dst. Address – server subnet.
- Gateway – IP address of the server.
/ip route
add dst-address=192.168.1.0.0/24 gateway=192.168.2.1
Configuring the Firewall
To secure the connection, add rules for the Firewall:
- Go to IP → Firewall → Filter Rules.
- Add a rule to allow traffic through the WireGuard interface:
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231
add chain=forward action=accept in-interface=wireguard-server
add chain=forward action=accept out-interface=wireguard-server
Checking WireGuard operation
Follow these steps to verify that WireGuard is working correctly:
- Verify that the WireGuard interfaces are in the running status.
- Check the connection by sending a ping between devices:
ping 192.168.1.1
ping 192.168.2.1
If the connection is successful, then the configuration is complete.
Configuring WireGuard on MikroTik is an easy way to ensure a reliable and fast VPN connection. The protocol is great for connecting remote networks, connecting to cloud servers, and more. By following these instructions, you can configure the server and client, route traffic, and secure the connection.
If you still have questions or need help with MikroTik configuration, please contact us. We work daily from 09:00 to 20:00 and are ready to help you!
Configuring MIkrotik, Ubiquiti, Cisco, Aruba of any complexity!