MikroTik WireGuard VPN: A Fast and Secure Setup Guide
WireGuard is a fast and modern VPN protocol that is now supported in MikroTik RouterOS version 7 and above. It provides high-speed tunneling using a simple configuration and strong encryption. This guide explains how to set up a WireGuard VPN on MikroTik routers using clear steps and real examples.
Table of Contents
- 1. Why Use WireGuard on MikroTik?
- 2. Prerequisites
- 3. How WireGuard Works
- 4. MikroTik WireGuard VPN Setup
- 5. Connect Remote Clients (Windows/macOS/Linux)
- 6. MikroTik Site-to-Site WireGuard VPN
- 7. Security Best Practices
- 8. WireGuard Performance Benchmarks
- 9. Common Issues and Fixes
- 10. Conclusion
- 11. Configuration Templates
- 12. FAQs
1. Why Use WireGuard on MikroTik?
- Faster performance compared to IPsec and OpenVPN
- Simple configuration with fewer parameters
- Lightweight design with a smaller codebase
- Secure encryption using modern cryptography (ChaCha20, Curve25519)
- Now available on MikroTik RouterOS 7.x and newer
WireGuard is ideal for:
- Remote access VPNs
- Site-to-site tunnels between MikroTik routers
- Mobile device VPN access
2. Prerequisites
Before starting, ensure you have:
- A MikroTik router running RouterOS v7.1 or higher
- Winbox, WebFig, or Terminal access
- Public IP on at least one side of the VPN
- Optional: Dynamic DNS if using dynamic IPs
3. How WireGuard Works
- Public/Private key pairs for authentication
- Peers (remote devices) defined manually
- Allowed IPs to control which traffic is routed over the VPN
Key concepts:
- Each peer must have a unique key pair
- VPN traffic is sent over a single UDP port of your choosing (MikroTik examples use 13231; WireGuard's upstream default is 51820)
- WireGuard does not use certificates or complex negotiation
4. MikroTik WireGuard VPN Setup
4.1. Generate WireGuard Keys
RouterOS generates the key pair for you: create the interface without a private-key parameter (see 4.2) and both keys are filled in automatically. Read the public key back with:
/interface/wireguard/print
Only the public key is copied to the other side; the private key stays on the router. If you prefer to generate the pair elsewhere, for example on a Linux host with wireguard-tools installed, run:
wg genkey | tee private.key | wg pubkey > public.key
and pass the contents of private.key as private-key="..." when creating the interface.
4.2. Create WireGuard Interface
/interface wireguard
add name=wg0 listen-port=13231 private-key="<your-private-key>"
/ip address
add address=10.10.10.1/24 interface=wg0
4.3. Configure Peer (Remote Client)
/interface wireguard peers
add interface=wg0 public-key="<peer-public-key>" allowed-address=10.10.10.2/32 endpoint-address=203.0.113.10 endpoint-port=13231
endpoint-address and endpoint-port are optional for a remote client: the router learns a roaming client's current address from its handshake, so set them only when the client sits on a fixed public IP. allowed-address=10.10.10.2/32 is both the filter for what this peer may send and the route for what is sent to it, so give each client exactly its own tunnel address.
4.4. Firewall and NAT Rules
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 comment="Allow WireGuard"
add chain=input action=accept in-interface=wg0 comment="Allow WG Input"
add chain=forward action=accept in-interface=wg0 out-interface=ether1 comment="Allow WG Forward"
/ip firewall nat
add chain=srcnat src-address=10.10.10.0/24 out-interface=ether1 action=masquerade
These rules assume ether1 is the WAN interface. Place the filter rules above the drop rules of the default firewall (place-before= in the terminal, or drag them in Winbox), otherwise they never match. The second input rule lets VPN clients reach the router's own services (DNS, Winbox, etc.); restrict it with dst-port= if clients should only pass through.
4.5. Verifying Connection
/interface/wireguard/print
/interface/wireguard/peers/print
ping 10.10.10.2
A working peer shows a recent last-handshake and growing rx/tx counters. A handshake only happens when one side sends traffic (or a keepalive), so run the ping first if the counters look idle.
5. Connect Remote Clients (Windows/macOS/Linux)
Install WireGuard from https://www.wireguard.com/install, then import or paste a tunnel with this configuration (the client's own key pair is generated in the app; Endpoint is the router's public IP and listen port):
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.10.2/32
DNS = 1.1.1.1
[Peer]
PublicKey = <router-public-key>
Endpoint = 198.51.100.1:13231
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/0 makes this a full tunnel: all client traffic, internet traffic included, leaves through the router, which is why the masquerade rule in 4.4 exists. For split tunneling list only the tunnel network and your LAN prefix instead (e.g. AllowedIPs = 10.10.10.0/24 plus the LAN). PersistentKeepalive keeps the NAT mapping open for clients behind NAT.
6. MikroTik Site-to-Site WireGuard VPN
Router A (HQ):
- WAN IP: 203.0.113.1
- LAN: 192.168.10.0/24
- WG IP: 10.0.0.1/24
Router B (Branch):
- WAN IP: 198.51.100.2
- LAN: 192.168.20.0/24
- WG IP: 10.0.0.2/24
On Router A:
/interface wireguard add name=wg0 listen-port=13231 private-key="<A-private-key>"
/ip address add address=10.0.0.1/24 interface=wg0
/interface wireguard peers add interface=wg0 public-key="<B-public-key>" allowed-address=10.0.0.2/32,192.168.20.0/24 endpoint-address=198.51.100.2 endpoint-port=13231
/ip route add dst-address=192.168.20.0/24 gateway=10.0.0.2
On Router B:
/interface wireguard add name=wg0 listen-port=13231 private-key="<B-private-key>"
/ip address add address=10.0.0.2/24 interface=wg0
/interface wireguard peers add interface=wg0 public-key="<A-public-key>" allowed-address=10.0.0.1/32,192.168.10.0/24 endpoint-address=203.0.113.1 endpoint-port=13231
/ip route add dst-address=192.168.10.0/24 gateway=10.0.0.1
Both routers also need the input rule for UDP 13231 from section 4.4 and forward rules that accept traffic between the LAN and wg0 in both directions. No masquerade is needed for site-to-site traffic: each LAN prefix is listed in the other side's allowed-address, so it is routed unchanged. If only one router has a public IP, set the endpoint only on the other router and give that peer persistent-keepalive so the NAT mapping stays open.
7. Security Best Practices
- Use unique key pairs for each peer
- Restrict allowed-address to only required ranges
- Block unused ports
- Regularly rotate keys
- Use keepalive for mobile clients
- Monitor logs for unknown IPs
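The allowed-address rules from sections 3, 4.3 and 6 and the first two points of this list are easy to get wrong once a router has more than a handful of peers, so it helps to validate the peer table offline before pasting it into the terminal. The script below is an added example, not MikroTik's code and not part of the original guide: it takes a constructed list of peers shaped like the parameters of `/interface/wireguard/peers add` and checks that every peer has its own well-formed 32-byte public key, that road-warrior clients get a single host address, and that no two peers claim the same allowed-address prefix (WireGuard's cryptokey routing maps each prefix to exactly one peer, so a duplicate means one of the two peers never receives that traffic). The peer names, kinds and keys are constructed placeholders.

```python
import base64
import binascii
import ipaddress


def placeholder_key(seed: int) -> str:
    # Constructed placeholder: 32 repeated bytes, base64-encoded (not a real Curve25519 key)
    return base64.b64encode(bytes([seed]) * 32).decode()


# Constructed peer table shaped like the /interface/wireguard/peers add parameters above.
# kind="client" is a road-warrior device, kind="site" is a site-to-site router.
SAMPLE_PEERS = [
    {"name": "laptop",  "kind": "client", "public_key": placeholder_key(1), "allowed_address": "10.10.10.2/32"},
    {"name": "phone",   "kind": "client", "public_key": placeholder_key(1), "allowed_address": "10.10.10.3/32"},  # key reused
    {"name": "branch",  "kind": "site",   "public_key": placeholder_key(3), "allowed_address": "10.0.0.2/32,192.168.20.0/24"},
    {"name": "branch2", "kind": "site",   "public_key": placeholder_key(4), "allowed_address": "10.0.0.3/32,192.168.20.0/24"},
    {"name": "broken",  "kind": "client", "public_key": "not-a-key",        "allowed_address": "0.0.0.0/0"},
]


def valid_key(key: str) -> bool:
    """A WireGuard key is exactly 32 bytes, base64-encoded (44 characters)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def check_peers(peers):
    """Return a list of (severity, message) findings; an empty list means the table is clean."""
    findings = []
    owners = {}      # public key -> first peer that uses it
    prefixes = []    # (ip_network, peer name) already claimed through allowed-address
    for p in peers:
        name, key = p["name"], p["public_key"]
        if not valid_key(key):
            findings.append(("error", f"{name}: public-key is not a base64-encoded 32-byte value"))
        if key in owners:
            findings.append(("error", f"{name}: reuses the public-key of {owners[key]}; each peer needs its own key pair"))
        owners.setdefault(key, name)
        for cidr in p["allowed_address"].split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.prefixlen == 0:
                # 0.0.0.0/0 on the router side hands every destination to this peer; flag it and skip
                # the pairwise checks, which would otherwise report it against every other prefix
                findings.append(("warning", f"{name}: allowed-address {net} routes all traffic to this peer"))
                continue
            if p["kind"] == "client" and net.prefixlen != net.max_prefixlen:
                findings.append(("warning", f"{name}: client peers should get a single host address, not {net}"))
            for other, owner in prefixes:
                if owner == name:
                    continue   # one peer may legitimately carry several prefixes
                if other == net:
                    findings.append(("error", f"{name}: allowed-address {net} is already assigned to {owner}; "
                                              "cryptokey routing maps a prefix to exactly one peer"))
                elif other.overlaps(net):
                    findings.append(("warning", f"{name}: allowed-address {net} overlaps {other} of {owner}; "
                                                "the longest prefix wins, make sure that is intended"))
            prefixes.append((net, name))
    return findings


if __name__ == "__main__":
    for severity, message in check_peers(SAMPLE_PEERS):
        print(f"[{severity}] {message}")
```

Overlapping but non-identical prefixes (a /24 on one peer and a /32 inside it on another) are only a warning because longest-prefix matching makes that a legitimate design; identical prefixes on two peers are always a mistake.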
8. WireGuard Performance Benchmarks
- WireGuard: ~800 Mbps – 1 Gbps
- IPsec: ~300 Mbps
- OpenVPN: ~50–100 Mbps
Tips:
- Use fast CPU routers
- Disable FastTrack if needed
- Set the WireGuard interface MTU explicitly (1420 leaves room for the 80 bytes of IPv6, UDP and WireGuard headers on a 1500-byte link; 1440 is enough when the outer transport is IPv4 only)
9. Common Issues and Fixes
| Issue | Fix |
|---|---|
| No handshake | Check public keys, port open, endpoint reachable |
| Cannot ping peer | Check allowed-address, route exists, firewall rules |
| Peers show "latest handshake: never" | One side may be misconfigured or offline |
| Slow speeds | Use faster router, check MTU, remove FastTrack |
| Intermittent disconnects | Add PersistentKeepalive=25 on clients |
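The handshake rows of this table and the "monitor logs for unknown IPs" advice in section 7 can be checked automatically from peer statistics. The script below is an added example, not from the guide or from MikroTik: it parses the tab-separated output of `wg show wg0 dump` on a Linux peer (the format documented in the wg(8) man page), flags peers that never completed a handshake or whose last handshake is older than a few WireGuard rekey intervals, and flags site-to-site peers whose current endpoint is outside the source range you expect. RouterOS shows equivalent information (last handshake, current endpoint, rx/tx) in `/interface/wireguard/peers/print`, so the same checks apply after swapping the parser. The dump text, the fixed "current time" and the peer keys are constructed placeholders; 198.51.100.2 is Router B's WAN address from section 6, and the road-warrior clients are deliberately left out of the expected-source map because their endpoint changes with every network they join.

```python
import ipaddress

NOW = 1_700_000_000   # constructed "current time" so the example is deterministic

# Constructed sample of `wg show wg0 dump`. Keys are placeholder labels, not real base64 keys.
# Layout per the wg(8) man page:
#   line 1: private-key, public-key, listen-port, fwmark
#   peers : public-key, preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_REDACTED", "ROUTER_PUBKEY", "13231", "off"]),
    "\t".join(["LAPTOP_PUBKEY", "(none)", "203.0.113.10:51820", "10.10.10.2/32", str(NOW - 45), "120000", "98000", "25"]),
    "\t".join(["PHONE_PUBKEY", "(none)", "198.51.100.77:41000", "10.10.10.3/32", str(NOW - 900), "5000", "4000", "25"]),
    "\t".join(["BRANCH_PUBKEY", "(none)", "192.0.2.200:13231", "10.0.0.2/32,192.168.20.0/24", str(NOW - 30), "9000000", "7000000", "off"]),
    "\t".join(["OLDLAPTOP_PUBKEY", "(none)", "(none)", "10.10.10.4/32", "0", "0", "0", "25"]),
])

# Peers with a predictable source address (site-to-site routers) and the ranges they must come from.
EXPECTED_SOURCES = {"BRANCH_PUBKEY": [ipaddress.ip_network("198.51.100.2/32")]}   # Router B WAN, section 6

REKEY_AFTER_TIME = 120   # WireGuard protocol constant: an active session re-handshakes at least this often


def parse_dump(text: str):
    """Parse `wg show <iface> dump` into (interface dict, list of peer dicts)."""
    lines = [line for line in text.splitlines() if line.strip()]
    iface = dict(zip(("private_key", "public_key", "listen_port", "fwmark"), lines[0].split("\t")))
    peers = []
    for line in lines[1:]:
        f = line.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),        # unix time; 0 means never
            "rx_bytes": int(f[5]),
            "tx_bytes": int(f[6]),
            "keepalive": None if f[7] == "off" else int(f[7]),
        })
    return iface, peers


def assess(peers, now=NOW, expected=EXPECTED_SOURCES, stale_after=3 * REKEY_AFTER_TIME):
    """Map each peer public key to a list of issue codes; an empty list means the peer looks healthy."""
    report = {}
    for p in peers:
        issues = []
        if p["latest_handshake"] == 0:
            issues.append("no-handshake")          # the "latest handshake: never" row above
        elif now - p["latest_handshake"] > stale_after:
            issues.append("stale-handshake")       # keepalive peers should re-handshake within minutes
        if p["endpoint"] and p["public_key"] in expected:
            # endpoint is "host:port"; IPv6 hosts are bracketed, so split on the last colon only
            host = ipaddress.ip_address(p["endpoint"].rsplit(":", 1)[0].strip("[]"))
            if not any(host in net for net in expected[p["public_key"]]):
                issues.append("unexpected-endpoint")
        report[p["public_key"]] = issues
    return report


if __name__ == "__main__":
    _, sample_peers = parse_dump(SAMPLE_DUMP)
    for key, issues in assess(sample_peers).items():
        print(f"{key}: {', '.join(issues) or 'ok'}")
```

A "stale-handshake" on a peer with keepalive set points at the client side (app closed, device asleep, NAT mapping lost); on a peer without keepalive it may simply mean no traffic has flowed, which is why the threshold is expressed in rekey intervals rather than as a hard timeout.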
10. Conclusion
WireGuard offers fast and secure VPN tunneling for MikroTik routers. With RouterOS 7.x, the setup is simple and efficient. Whether you’re building remote access or site-to-site VPNs, WireGuard is now a reliable and scalable choice.
11. Configuration Templates
Remote Client Peer
/interface wireguard peers add interface=wg0 public-key="<client-public-key>" allowed-address=10.10.10.2/32
Site-to-Site Sample
/interface wireguard add name=wg0 listen-port=13231 private-key="<private>"
/ip address add address=10.0.0.1/24 interface=wg0
/interface wireguard peers add interface=wg0 public-key="<remote>" allowed-address=10.0.0.2/32,192.168.2.0/24 endpoint-address=x.x.x.x endpoint-port=13231
/ip route add dst-address=192.168.2.0/24 gateway=10.0.0.2
12. FAQs
- Can MikroTik use WireGuard and IPsec together? Yes.
- Does WireGuard support dynamic IPs? Yes.
- Is there a GUI option? Yes. Winbox and WebFig support it from RouterOS 7.1+.
- Maximum peers? Limited by hardware performance.
- Use with mobile? Yes. Use the WireGuard app.