Configuring WireGuard on a MikroTik router

Configuring WireGuard on a MikroTik router involves several steps. MikroTik introduced WireGuard support in RouterOS v7, so ensure your router is running this version or later. Here’s a step-by-step guide to set up WireGuard VPN on a MikroTik device:

Prerequisites

  1. MikroTik Router with RouterOS v7 or later.
  2. WinBox or web-based admin access to the MikroTik router.
  3. WireGuard client installed on your device (Windows, macOS, Linux, iOS, Android).

WireGuard Configuration on MikroTik

Step 1: Generate Keys

You will need to generate a public/private key pair for both the server (MikroTik) and each client.

On a Linux machine (or use a WireGuard client on any OS): 

wg genkey | tee server_private.key | wg pubkey > server_public.key


wg genkey | tee client_private.key | wg pubkey > client_public.key

Save these keys securely. You'll need to configure the MikroTik router with the server keys and provide the client keys to the device you want to connect.

Step 2: Configure WireGuard Interface on MikroTik

  1. Log in to your MikroTik router using WinBox or via the web interface.

  2. Add a WireGuard interface:

    • Go to Interfaces -> WireGuard.
    • Click on + to add a new WireGuard interface.
    • Set the Name (e.g., wg0).
    • Paste the server's private key (from server_private.key) into the Private Key field.
    • Assign an IP address to the WireGuard interface (e.g., 10.0.0.1/24).

  3. Set up IP address:

    • Go to IP -> Addresses.
    • Add a new address: 10.0.0.1/24 on the wg0 interface.

Step 3: Configure WireGuard Peers

  1. Add a Peer:

    • Go to Interfaces -> WireGuard Peers.
    • Click on + to add a new peer.
    • Enter the Public Key of the client device (from client_public.key).
    • Set the Allowed Address to the client's IP address in the VPN (e.g., 10.0.0.2/32).
    • Optionally, set the Persistent Keepalive to 25 seconds for mobile clients.

Step 4: Configure Firewall and NAT

  1. Allow WireGuard traffic:

    • Go to IP -> Firewall -> Filter Rules.
    • Add a rule to accept traffic on the WireGuard port (51820 by default).
    • Set Chain to inputProtocol to udpDst. Port to 51820, and Action to accept.

  2. Set up NAT:

    • Go to IP -> Firewall -> NAT.
    • Add a rule to masquerade outbound traffic:
      • Set Chain to srcnat.
      • Set Out. Interface to your WAN interface.
      • Set Action to masquerade.

Step 5: Client Configuration

On the client device, configure WireGuard with the following settings:

  1. Install WireGuard on your client device if not already installed.

  2. Client configuration file:

    Create a configuration file (e.g., client.conf) with the following content: 

    
      
    [Interface]
    
      
    PrivateKey = <client_private_key>
    
      
    Address = 10.0.0.2/32
    
      
    DNS = 8.8.8.8
    
      

    
      
    [Peer]
    
      
    PublicKey = <server_public_key>
    
      
    Endpoint = <mikrotik_public_ip>:51820
    
      
    AllowedIPs = 0.0.0.0/0
    
      
    PersistentKeepalive = 25

    Replace <client_private_key> and <server_public_key> with the appropriate keys, and <mikrotik_public_ip> with your router’s public IP address or domain name.

    1. Connect to the VPN:

      • Import the configuration file into the WireGuard client and connect.

    Testing the Configuration

    1. Check the connection from the client device to ensure the VPN is working.

    2. Verify the peer status on MikroTik:

      • In WinBox, go to Interfaces -> WireGuard.
      • Select the interface and check the Latest Handshake and Rx/Tx data to verify connectivity.

    Conclusion

    WireGuard is a powerful and efficient VPN solution that’s now supported by MikroTik routers. By following these steps, you can configure a secure and fast VPN connection for your home or office network. Remember to regularly update your RouterOS to benefit from the latest features and security patches.

Comments

Post a Comment

Popular posts from this blog

A secure and cost-effective SOHO (home office) network design.

Image
Setting up a MikroTik router in a Small Office/Home Office (SOHO) environment can be quite beneficial due to MikroTik's feature-rich capabilities and flexibility. Here's a general guide to setting up a MikroTik router in a SOHO environment: In this project I would like to share a comprehensive guide to setting up a home network. You can build this secure network easily and on a budget. Here is a network diagram that I will follow, I think every small home office usually has these requirements. There is a lot of information in this diagram, but don't worry, I will walk you through it all step by step. If you want to save yourself the headache and time, you can contact me to help you build this network, otherwise you can follow me and hope it will be useful to you. Initial example Setup : Connect your MikroTik router to your modem using an Ethernet cable. Connect your computer to one of the LAN ports on the MikroTik router. Access the MikroTik router's web interface using
Read more

Maximizing Network Performance: The Power of Quality of Service (QoS)

In the world of network engineering, ensuring optimal performance is key. Quality of Service (QoS) is a powerful tool that allows network administrators to prioritize traffic and allocate resources efficiently, thereby enhancing the overall user experience. QoS enables us to manage bandwidth effectively by giving critical applications priority over less time-sensitive traffic. This ensures that essential services like VoIP calls or video conferencing receive the necessary bandwidth and are not affected by lower-priority traffic such as file downloads or background updates. By implementing QoS policies, we can minimize latency, reduce packet loss, and improve the overall reliability of our network. Whether it's ensuring seamless communication for remote teams or delivering a smooth streaming experience for customers, QoS plays a vital role in optimizing network performance. In our upcoming posts, we'll delve deeper into the various QoS mechanisms and how to implement them effect
Read more

Convenient cloud network for startups to develop and test their environment

Image
Recognizing the importance of a flexible and low-cost development and testing environment, here is a solution that specifically addresses the needs of small software development startups. Scenario: Your software development startup needs an agile and cost-effective environment for development and testing activities. The ability to scale resources as needed and optimize costs is critical to ensure efficient software development processes. This solution is based on creating a dynamic and low-cost development and testing environment: Isolated AWS VPC for Development and Testing: Establish an isolated AWS Virtual Private Cloud (VPC) dedicated to development and testing activities. Ensure a secure and segmented environment conducive to iterative development and rigorous testing. Scalable AWS EC2 Environment: Utilize AWS EC2 instances to set up a scalable environment tailored for various development stages. Scale resources up or down as needed to accommodate development needs without incurri
Read more