b4ch.dev

Setting Up a WireGuard VPN on Your MikroTik Router

This guide will walk you through the steps to set up a WireGuard VPN on your MikroTik router, allowing devices to connect remotely and access local network resources as if they were connected directly.

Fortunately, RouterOS 7 has built-in support for WireGuard, making the process relatively straightforward. This tutorial uses WebFig for configuration; the Client Address, Client DNS and Client Endpoint peer fields used in Step 5 require RouterOS 7.15 or newer.

Step 1: Create a WireGuard Interface

To start, navigate to WireGuard in the side menu and click on Add New to create a new interface. Give it a meaningful name and add a comment to describe its purpose. Note the Listen Port (13231 by default); the firewall rule in Step 3 must match it. RouterOS generates the interface's private key for you, and the Public Key shown on the same form is the value every client must configure as the router's peer key.

Alternatively, use the MikroTik command:

/interface wireguard add name=wg0 listen-port=13231 comment="WireGuard VPN Interface"

Step 2: Assign IP Addresses

To enable communication between devices connected through WireGuard, give the router an address in a dedicated subnet that does not overlap with your LAN. Go to IP > Addresses, click on Add New, enter the address in CIDR notation (e.g., 192.168.100.1/24), and set Interface to the newly created WireGuard interface.

Alternatively, use the MikroTik command:

/ip address add address=192.168.100.1/24 interface=wg0

Step 3: Allow Incoming Traffic

To ensure devices can connect to your router, create a firewall rule that accepts incoming UDP traffic on the interface's Listen Port. Go to IP > Firewall, click on Add New, and create a rule for chain input with action accept, protocol udp, and Dst. Port set to the Listen Port from Step 1 (13231 by default).

Alternatively, use the MikroTik command:

/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 comment="Allow WireGuard VPN traffic" place-before=[find comment="defconf: drop all not coming from LAN"]

Note: Rule order matters. A rule added without place-before is appended to the end of the chain, below the default configuration's drop rule ("defconf: drop all not coming from LAN"), where it never matches. The place-before argument above inserts it in front of that rule; adjust the comment if your drop rule is named differently, or drag the rule into position in WebFig.

Step 4: Add the WireGuard Interface to the LAN List

Finally, go to Interfaces > Interface List, click on Add New, and add the new WireGuard interface to the LAN list. This lets VPN-connected devices reach LAN hosts through the default forward rules, as if they were directly connected to your LAN. Be aware that LAN membership also grants them whatever the input chain grants the LAN, including the router's management services (WebFig, WinBox, SSH). If VPN clients should only reach specific hosts, leave the interface out of the LAN list and write explicit forward rules instead.

Alternatively, use the MikroTik command:

/interface list member add list=LAN interface=wg0

Step 5: Set up WireGuard Peers

Go to WireGuard > Peers, click on Add New, and set up a peer for each device that needs to connect. For each peer, select the newly created WireGuard interface and give it a name and a descriptive comment. Under Private Key, choose auto to have RouterOS generate the client's key pair (the matching Public Key is filled in for you); alternatively, paste the public key of a key pair the client generated itself, which keeps the client's private key off the router. Leave Endpoint empty: it is the address the router would send to, and a roaming client has no fixed address. Instead, set Client Endpoint to your public IP, or a DNS name that resolves to it, so that it appears in the generated client configuration.

Allowed Address is the router's cryptokey routing entry for this peer: the only source address the router will accept from this key, and the destination it routes to the peer. For a client, set it to the client's tunnel address with a /32 mask (e.g., 192.168.100.2/32). Do not use 0.0.0.0/0 here, since that would let the peer send packets with any source address. Whether the client sends all of its traffic through the VPN (AllowedIPs 0.0.0.0/0, plus ::/0 for IPv6) or only traffic for the LAN and tunnel networks (e.g., 192.168.88.0/24 and 192.168.100.0/24) is decided by the AllowedIPs in the client's own configuration; edit the generated client configuration if its default does not match what you want.

For Client Address, specify an address from the previously allocated address space that matches the Allowed Address (e.g., 192.168.100.2). Optionally, set Client DNS to a resolver the client should use while connected (e.g., 192.168.88.1, if the router serves DNS to the LAN). The Client fields are used only to build the client configuration, which WebFig can display as text or as a QR code.

Alternatively, use the MikroTik command:

/interface wireguard peers add interface=wg0 name="laptop" comment="Peer Device" private-key=auto allowed-address=192.168.100.2/32 client-address=192.168.100.2 client-dns=192.168.88.1 client-endpoint="YOUR_PUBLIC_IP"

Once you’ve completed these steps, import the generated configuration on each client and bring the tunnel up. A working connection shows a recent value in the Last Handshake column under WireGuard > Peers; if it stays empty, either the UDP port is not reaching the router (check the firewall rule order and any upstream NAT) or the keys on the two sides do not match.
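Putting the five steps together, the following is a complete RouterOS script for the setup described above. It is an added example, not the original post's code, and it assumes the router still carries the default firewall (the "defconf" rules), that the LAN is 192.168.88.0/24 with the router at 192.168.88.1, that vpn.example.com resolves to the router's public IP, and that the peer parameter names match RouterOS 7.15 or newer; the peer name "laptop" is a placeholder.

```routeros
# Added example: complete server-side configuration for the guide above.
# Assumes default "defconf" firewall, LAN 192.168.88.0/24, router 192.168.88.1,
# vpn.example.com -> router public IP, RouterOS 7.15+ peer parameters.

# Step 1: interface with an explicit listen port. RouterOS generates the
# interface private key; the public key is read back in the checks below.
/interface wireguard add name=wg0 listen-port=13231 comment="WireGuard VPN Interface"

# Step 2: the router's tunnel address, in a subnet that does not overlap the LAN.
/ip address add address=192.168.100.1/24 interface=wg0 comment="WireGuard tunnel"

# Step 3: accept handshakes arriving on the WAN. Rules added without
# place-before are appended below the default "drop all not coming from LAN"
# rule and never match, so insert this one in front of it explicitly.
# Restricting to in-interface-list=WAN is a hardening added here; LAN hosts
# are not affected by the default drop rule anyway.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="Allow WireGuard VPN traffic" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Step 4: treat VPN clients as LAN. Under the default firewall this also
# gives them router-management access, the same as any wired LAN host.
/interface list member add list=LAN interface=wg0

# Step 5: one peer per client. allowed-address is the router-side cryptokey
# routing entry and must be the client's tunnel /32: it is the only source
# address the router accepts from this key. Endpoint is left empty because
# the client roams; client-address, client-dns and client-endpoint only feed
# the generated client configuration. Full- vs split-tunnel is chosen by the
# AllowedIPs in that client configuration, not here.
/interface wireguard peers add interface=wg0 name="laptop" comment="Peer Device" \
    private-key=auto allowed-address=192.168.100.2/32 \
    client-address=192.168.100.2 client-dns=192.168.88.1 \
    client-endpoint=vpn.example.com

# Checks: the interface public-key is what every client pins as its peer key;
# last-handshake on the peer updates once a client has completed a handshake.
/interface wireguard print detail
/interface wireguard peers print detail
```

The client side needs four values from this script: the router's interface public key, the endpoint vpn.example.com:13231, its own tunnel address 192.168.100.2 with the private key generated by private-key=auto, and an AllowedIPs list of either 0.0.0.0/0 (all traffic through the tunnel) or 192.168.88.0/24 together with 192.168.100.0/24 (LAN and tunnel only). If a client is to send all of its traffic through the router, note that the default masquerade rule (out-interface-list=WAN) already covers the 192.168.100.0/24 source addresses.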

#routeros #wireguard #vpn #mikrotik #networking