Introduction

WireGuard has emerged as a modern, high-performance VPN protocol that combines a minimal codebase with strong cryptography and exceptional throughput. MikroTik added WireGuard support to RouterOS to bring these benefits to SOHO and enterprise edge devices. This guide provides a detailed, practical, step-by-step approach to deploying WireGuard on MikroTik routers, aimed at site administrators, developers, and IT teams who need a fast, secure VPN on their existing RouterOS infrastructure.

Why choose WireGuard on MikroTik?

Before diving into configuration, it helps to understand the benefits and limitations:

  • Performance: WireGuard uses a fixed, modern cipher suite (Curve25519 key agreement in a Noise IK handshake, ChaCha20-Poly1305, BLAKE2s) and runs in kernel space on Linux and several other platforms, giving lower latency and higher throughput than OpenVPN or IPsec on most hardware.
  • Simplicity: A small, auditable codebase reduces potential attack surface and configuration complexity.
  • Compatibility: Cross-platform clients exist for Linux, Windows, macOS, iOS and Android.
  • RouterOS considerations: MikroTik’s WireGuard implementation is production-ready, but configuration follows RouterOS conventions rather than wg-quick files: IP addresses, routes, DNS and firewall policy are set with the usual RouterOS commands, peers are separate objects attached to the interface, and nothing is pushed from the router to clients.

Prerequisites and environment checklist

Prepare the following before setting up WireGuard:

  • MikroTik router running RouterOS v7 (WireGuard was introduced in v7 and is not available in v6); use a current stable 7.x release.
  • Administrative access to the router (Winbox, WebFig, or SSH).
  • Public IP or reachable NAT mapping on the router if clients will connect from the Internet.
  • Understanding of your internal network subnets and IP addressing plan for the VPN (e.g., 10.10.10.0/24 for WireGuard peers).
  • WireGuard client software for endpoint devices.

Step 1 — Generate key pairs

WireGuard authenticates peers with Curve25519 key pairs: each endpoint holds its own private key and publishes only the matching public key. RouterOS has no separate key-generation command. When you create a WireGuard interface without specifying private-key (Step 2), RouterOS generates the private key itself and exposes both the private-key and the derived public-key as properties of the interface (visible in the output of /interface/wireguard print). Peer entries under /interface/wireguard/peers take public keys only.

Alternatively, generate the router’s key pair with wireguard-tools on a Linux or macOS machine and paste the private key into the interface. Client devices should generate their own keys locally so their private keys never leave them. Using wg on Linux:

1) privatekey: wg genkey

2) publickey: echo <privatekey> | wg pubkey

Important: a private key must never leave the device whose interface uses it; do not paste it into tickets, chat or shared configuration files. Only public keys are exchanged between peers, and a public key is safe to share.

Step 2 — Create the WireGuard interface on MikroTik

Create a WireGuard interface. Either pass a private key generated elsewhere, or omit private-key and let RouterOS generate one for you. Example RouterOS terminal command:

/interface/wireguard add name=wg0 listen-port=51820 private-key=<private-key-string>

Notes:

  • listen-port is the UDP port WireGuard listens on; 51820 is the conventional default. Changing it avoids a clash with another service but adds no meaningful security: WireGuard never answers a packet that fails authentication, so the port is not discoverable by scanning in the first place.
  • The interface exists as a logical layer; you must assign IP addresses and add peers separately.

Step 3 — Assign IP addresses and routing

Assign an IP address to the WireGuard interface. Use an RFC1918 subnet that does not clash with your LAN.

/ip address add address=10.10.10.1/24 interface=wg0

RouterOS adds the connected route for 10.10.10.0/24 automatically, so this address acts as the gateway for every peer in the VPN subnet. For site-to-site peers whose allowed-address includes a remote LAN, add a static route for that LAN with the WireGuard interface as gateway; unlike wg-quick, RouterOS does not derive routes from allowed-address.

Step 4 — Configure WireGuard peers

Each remote client requires a peer entry on the MikroTik router. You will add the client’s public key, allowed IPs, and endpoint (if the peer is static) or leave endpoint blank for roaming clients.

/interface/wireguard peers add interface=wg0 public-key=<client-public-key> allowed-address=10.10.10.2/32 persistent-keepalive=25

Key fields explained:

  • public-key: The client’s public key.
  • allowed-address: The source IP(s) this peer may use inside the tunnel, and the destinations that will be sent to it. It is both the routing table and the access-control list: a decrypted packet whose inner source is outside the peer's allowed-address is dropped. For clients use a /32 in the VPN subnet; for a remote site include the remote LAN subnet (e.g., 192.168.100.0/24).
  • persistent-keepalive: Interval in seconds at which this side sends a keepalive to the peer. It exists to keep NAT and stateful-firewall mappings open, so it belongs on the side that sits behind NAT, which is normally the client (set in the client configuration). On the router-side peer entry it only matters when the router itself is the NATed party, such as a site-to-site spoke. 25 is the usual value; 0 or omitting it disables it.

Peer endpoint behavior

If a peer has a fixed public address, set endpoint-address and endpoint-port so the router can initiate the handshake. For roaming clients omit them: RouterOS learns the endpoint from the first authenticated handshake and updates it whenever the client reconnects from a new address.

Step 5 — Client configuration

On client devices configure the WireGuard peer with:

  • Client private key
  • MikroTik public key as the peer public key
  • Allowed IPs: Usually 0.0.0.0/0 for full-tunnel or specific subnets for split-tunnel
  • Endpoint: the router’s public IP address or DNS name plus its listen-port. The client always needs this, because it is the side that initiates the handshake; the router learns the client’s address from that handshake.
  • Persistent keepalive if behind NAT

Example AllowedIPs semantics:

  • To route all client traffic through the VPN: AllowedIPs = 0.0.0.0/0, ::/0
  • To only reach internal subnets: AllowedIPs = 10.10.10.1/32, 192.168.10.0/24
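Steps 4 and 5 both hinge on the same mechanism, WireGuard's cryptokey routing, and the model below is an added example (not WireGuard or RouterOS code) of the rules it enforces. On the router, allowed-address decides which peer an outgoing packet is encrypted to (longest-prefix match over all peers) and whether a decrypted packet is accepted (its inner source must map back to the peer it came from); on the client, AllowedIPs decides which destinations enter the tunnel at all. A prefix belongs to exactly one peer, so adding it to a second peer takes it away from the first. WireGuard stores this in a trie; the linear scan here is slower but has identical semantics. Peer names stand in for public keys, and the addresses are the ones the guide uses.

```python
"""Cryptokey routing: what allowed-address on RouterOS and AllowedIPs on the
client actually enforce.  Added model, not WireGuard or RouterOS code.
  outbound  - the destination IP picks the peer by longest-prefix match, else drop
  inbound   - a decrypted packet is accepted only if its inner source IP maps back
              to the peer it was decrypted from, else drop
  ownership - a prefix belongs to exactly one peer; re-adding it moves it"""
import ipaddress


class CryptokeyRouter:
    def __init__(self):
        self.owner = {}          # ip_network -> peer name (the public key in reality)

    def add_peer(self, name: str, allowed: list) -> list:
        """Install a peer's allowed IPs.  Returns [(prefix, previous owner)] for prefixes
        taken over from another peer, which is what WireGuard does on overlap."""
        moved = []
        for cidr in allowed:
            net = ipaddress.ip_network(cidr, strict=False)
            old = self.owner.get(net)
            if old is not None and old != name:
                moved.append((str(net), old))
            self.owner[net] = name
        return moved

    def remove_peer(self, name: str) -> None:
        """Deleting the peer entry is the only revocation WireGuard has."""
        self.owner = {n: o for n, o in self.owner.items() if o != name}

    def outbound(self, dst: str):
        """Which peer (if any) an outgoing packet to dst is encrypted to."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, name in self.owner.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, name)
        return best[1] if best else None

    def inbound(self, from_peer: str, inner_src: str) -> bool:
        """Accept a packet decrypted from from_peer only if its source belongs to that peer."""
        return self.outbound(inner_src) == from_peer


def router_side() -> CryptokeyRouter:
    """The MikroTik's peer table from the guide: a roaming laptop and a branch office."""
    r = CryptokeyRouter()
    r.add_peer("laptop", ["10.10.10.2/32"])
    r.add_peer("branch", ["10.10.10.3/32", "192.168.100.0/24"])
    return r


def client_side(full_tunnel: bool) -> CryptokeyRouter:
    """The client's single-peer table: full tunnel or split tunnel, as in Step 5."""
    c = CryptokeyRouter()
    allowed = ["0.0.0.0/0", "::/0"] if full_tunnel else ["10.10.10.1/32", "192.168.10.0/24"]
    c.add_peer("router", allowed)
    return c


if __name__ == "__main__":
    r = router_side()
    print("router: 192.168.100.7 is sent to ->", r.outbound("192.168.100.7"))
    print("router: laptop sending as 192.168.100.7 accepted? ->", r.inbound("laptop", "192.168.100.7"))
    print("split-tunnel client: 8.8.8.8 goes via ->", client_side(False).outbound("8.8.8.8"))
    print("prefix moved on overlap ->", r.add_peer("laptop-new", ["10.10.10.2/32"]))
```

The inbound rule is the security-relevant one: a compromised laptop peer cannot inject packets with the branch office's source addresses, because 192.168.100.0/24 maps to the branch peer, not to the laptop. It also shows why a sloppy allowed-address=0.0.0.0/0 on a single client peer is dangerous on the router side: that peer would then own every destination not claimed more specifically, and could source packets from any address.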

Step 6 — Firewall and NAT rules

WireGuard uses UDP. Ensure UDP traffic to the listen port is allowed in the router’s firewall and forwarded if behind another NAT layer.

Example firewall rules:

/ip firewall filter add chain=input action=accept protocol=udp dst-port=51820 comment="Allow WireGuard"

If you need NAT for Internet access from VPN clients, add a masquerade rule on the outbound interface:

/ip firewall nat add chain=srcnat out-interface=<WAN-interface> src-address=10.10.10.0/24 action=masquerade

Security best practice: restrict access where possible. Firewall rules are evaluated in order, so the accept rule must sit above the default rule that drops input not arriving from the LAN. Traffic from VPN clients into internal networks passes through the forward chain: add rules that match the WireGuard interface as in-interface so clients reach only the hosts and ports they need, and limit management access (Winbox, SSH, WebFig) to trusted addresses.

Step 7 — DNS and split-tunneling

Decide whether VPN clients should use internal DNS. WireGuard has no mechanism to push settings to a peer; the resolver is set in the client’s own configuration (the DNS line of the [Interface] section in the standard clients). For full-tunnel clients point DNS at an internal resolver reachable through the tunnel so private hostnames resolve and queries do not leak to the local network’s resolver.

If you prefer split-tunnel, only route internal subnets through WireGuard and keep public DNS settings on the client unchanged, or configure conditional forwarding on the client.

Performance tuning and considerations

WireGuard is lightweight, but RouterOS devices have varying CPU and hardware capabilities. Consider these optimizations:

  • MTU and MSS clamping: WireGuard adds 60 bytes of overhead when the outer transport is IPv4 (80 bytes over IPv6), so the interface MTU defaults to 1420, which fits a 1500-byte link in either case; 1440 is possible when the outer transport is IPv4 only. If pings work but TCP sessions stall or large transfers hang, clamp MSS on traffic crossing the WireGuard interface (RouterOS mangle change-mss) or lower the MTU on both ends.
  • Crypto hardware: ChaCha20-Poly1305 runs on the CPU; MikroTik’s IPsec hardware acceleration does not apply to WireGuard, so throughput is bounded by CPU speed and core count. For heavy usage choose a model with a faster CPU.
  • Concurrent peers: RouterOS handles many peers but memory and CPU scale matters. Monitor connection counts and CPU load under expected peak traffic.
  • Keepalive tuning: persistent-keepalive is needed only on the side behind NAT; 25 seconds keeps most NAT mappings alive without noticeable traffic. Leave it disabled on peers that do not need it so idle tunnels stay quiet.
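The MTU figures above come from WireGuard's framing, and the calculator below is an added example (not from the guide or RouterOS) that derives them rather than quoting them. A data message is a 16-byte header (type and reserved bytes, receiver index, nonce counter) followed by the encrypted inner packet and a 16-byte Poly1305 tag; the inner packet is zero-padded to a multiple of 16 bytes but never past the tunnel MTU; the outer packet is UDP (8 bytes) over IPv4 (20) or IPv6 (40). From those facts it computes the largest non-fragmenting tunnel MTU for each outer family, the on-the-wire size of a given inner packet, and the MSS to clamp on TCP inside the tunnel.

```python
"""WireGuard framing overhead, safe tunnel MTU and TCP MSS clamp values.
Added calculator, not from the guide or RouterOS.  Framing facts used: a data
message is a 16-byte header (type 4, receiver index 4, nonce counter 8) plus the
encrypted inner packet plus a 16-byte Poly1305 tag; the inner packet is zero-padded
to a multiple of 16 bytes but never beyond the tunnel MTU; the outer packet is UDP
(8 bytes) over IPv4 (20 bytes) or IPv6 (40 bytes)."""
WG_HEADER, WG_TAG, UDP = 16, 16, 8
IP_HEADER = {4: 20, 6: 40}


def max_tunnel_mtu(link_mtu: int, outer_family: int) -> int:
    """Largest inner MTU whose encapsulation still fits in one outer packet."""
    return link_mtu - IP_HEADER[outer_family] - UDP - WG_HEADER - WG_TAG


def encapsulated_size(inner_len: int, tunnel_mtu: int, outer_family: int) -> int:
    """Outer packet size on the wire for an inner packet of inner_len bytes."""
    if inner_len > tunnel_mtu:
        raise ValueError("inner packet exceeds the tunnel MTU; the OS fragments it or fails PMTU first")
    padded = min(tunnel_mtu, -(-inner_len // 16) * 16)   # round up to 16, capped at the MTU
    return IP_HEADER[outer_family] + UDP + WG_HEADER + padded + WG_TAG


def fragments(inner_len: int, tunnel_mtu: int, outer_family: int, link_mtu: int = 1500) -> bool:
    """Does this inner packet make the outer UDP datagram exceed the link MTU?"""
    return encapsulated_size(inner_len, tunnel_mtu, outer_family) > link_mtu


def tcp_mss(tunnel_mtu: int, inner_family: int) -> int:
    """MSS to clamp on TCP SYNs inside the tunnel: tunnel MTU minus inner IP and TCP headers."""
    return tunnel_mtu - IP_HEADER[inner_family] - 20


if __name__ == "__main__":
    for fam in (4, 6):
        print(f"outer IPv{fam}: max tunnel MTU on a 1500-byte link = {max_tunnel_mtu(1500, fam)}")
    # Why 1420 is the default: it is the largest value that survives either outer family.
    print("MTU 1440, outer IPv6, full-size packet fragments:", fragments(1440, 1440, 6))
    print("MTU 1420, outer IPv6, full-size packet fragments:", fragments(1420, 1420, 6))
    print("MSS clamp for MTU 1420, IPv4 inside the tunnel:", tcp_mss(1420, 4))
```

Use `max_tunnel_mtu` with the real link MTU when the uplink is PPPoE (1492) or another reduced-MTU transport; the 1420 default assumes a 1500-byte path to the peer, and a smaller path is the usual cause of tunnels that pass pings but stall TCP.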

Troubleshooting common issues

Here are debugging steps for frequent problems:

  • No handshake: WireGuard reports no error for a wrong or mismatched key; the handshake simply never completes. Check the peer’s last-handshake time and rx/tx counters under /interface/wireguard/peers, confirm each side holds the other’s public key (not a copy of a private key), and verify the UDP listen port is open on the router and any upstream NAT and that endpoint and port match on the client.
  • Routing problems: Ensure the server has routes for client subnets, and the client has correct AllowedIPs. Verify NAT rules if the server should masquerade client traffic to the Internet.
  • DNS resolution: If clients can ping internal IPs but not resolve names, check DNS settings pushed to clients and firewall rules blocking DNS.
  • Performance drops: Monitor CPU with /system resource print and packet flow using /tool torch. Reduce encryption burden or move to more powerful hardware if necessary.

Advanced topics

Once the basic setup works, you can explore advanced options:

  • Site-to-site VPNs: Use one peer entry per remote router with allowed-address covering the remote LAN subnets, add static routes for those subnets via the WireGuard interface (RouterOS does not create them from allowed-address), and set persistent-keepalive on the spoke that sits behind NAT.
  • Dynamic DNS integration: If the router doesn’t have a static public IP, use a dynamic DNS service and configure clients to point to the hostname.
  • Per-peer routing and policy-based routing: Combine routing rules to steer traffic from specific clients to different uplinks or through additional security devices.
  • Monitoring and logging: Integrate RouterOS logs and SNMP for long-term monitoring of peer connectivity and bandwidth usage.

Security best practices

WireGuard is secure by design, but operational security still matters:

  • Keep RouterOS updated to a stable release with WireGuard security fixes.
  • Rotate keys periodically and revoke compromised or retired devices by removing their peer entries; WireGuard has no certificates or revocation lists, so the peer list is the whole trust store.
  • Restrict management access to the router and use secure channels (SSH with keys, Winbox over VPN, or HTTPS management with firewall restrictions).
  • Audit firewall and NAT rules to ensure least-privilege access for VPN clients to internal resources.

Example minimal configuration summary

For quick reference, a minimal set of RouterOS commands (replace placeholders):

  • /interface/wireguard add name=wg0 listen-port=51820 private-key=<server-private>
  • /ip address add address=10.10.10.1/24 interface=wg0
  • /interface/wireguard peers add interface=wg0 public-key=<client-pub> allowed-address=10.10.10.2/32 persistent-keepalive=25
  • /ip firewall filter add chain=input action=accept protocol=udp dst-port=51820
  • /ip firewall nat add chain=srcnat out-interface=<WAN> src-address=10.10.10.0/24 action=masquerade

Conclusion

WireGuard on MikroTik delivers a fast, robust VPN solution with a relatively simple configuration model. By following the steps above—key generation, interface creation, peer setup, firewall/NAT adjustments, and careful routing—you can deploy secure site-to-site and remote-access VPNs suitable for both small businesses and enterprise use cases. Always test configurations in a controlled environment before deploying to production and maintain regular audits of keys and firewall rules.

For additional resources, configuration examples, and managed VPN services, visit Dedicated-IP-VPN.