Wireguard on Mikrotik


RouterOS7 added alot of new features to Mikrotik routers. One of my favorite is Wireguard implementation. Wireguard is modern VPN solution, which can replace good know OpenVPN. Everyone who configured OpenVPN or IPSec know how difficult it could be. Wireguard is much easier, it shouldn’t be a problem even to home user. In this tutoral we will configure Road Warrior VPN. Mikrotik hAP AC3 as Wireguard VPN Server and Windows 10 as client.


Remember to upgrade Winbox to the latest version. From right side menu click on Wireguard then ADD:

  • Name: type anything
  • MTU: leave 1420, but if you have connections problem, change it to 1412
  • Listen Port: Wireguard port, leave default
  • Public Key: generate automatically when applied
Mikrotik Wireguard Windows 10

In the next step we add IP Address to our new interface. Choose IP->Addresses and add new topic. No matter what subnet you choose, i prefer, so my ip interface is, don’t forget to add /24 at end and set Interface to wireguard1

One of the last things on Mikrotik is open Listen Port. We use default 13231 UDP port. Switch to IP->Firewall and add new rule.

  • Chain: input
  • Protocol: udp
  • Dst. Port: 13231
  •  Action: accept
Mikrotik Wireguard

Windows 10 Config

Go to Wireguard official site and download the latest client version. Installation proces is ver easy, just few click on Next. After successfully install, you should see Wireguard icon on system tray. Right click on it and add empty tunel. 

Wireguard Empty Tunnel
Wireguard Empty Tunnel

Wireguard tunnel configuration is text-based, we can setup all settings in one window. According official documnation Name field should contains wg0, wg1, wg2, as interface name. Of course we can use any vaule, but better keep one standard. The pair of keys will generate automaticlly. Copy Public Key and switch back to Mikrotik->Wireguard and click on Peer.

Mikrotik Wireguard Peer

Interface set to wireguard1, paste public key from windows 10 client machine. Our Mikrotik Router works as VPN Server, so leave Endpoint and Enpoint Port blank(we will used it in Site-to-Site VPN). Earlier we set as IP Address to wireguard interfeace, Allowed Address means what client’s IP is, choose IP from same subnet with /32 mask.

Switch back to Windows 10 and Wireguard tunnel configuration.

Wireguard Tunnel configuration

PrivateKey = 4JWGrbFpriosW5q09hioNC1H/Qxl2i1tpeAclmeI5Vw=
Address =

PublicKey = MjlNUhE0u2X+ecX5rJOcrsTsr2xwbM9VYTsiJHXsfB4=
AllowedIPs =
Endpoint =
PersistentKeepalive = 10
  • Address: same as Mikrotik Peers configuration
  • DNS: public or Mikroitk IP Address
  • Public Key: WireGuard public key
  • Allowed IPs = if you want tunneling all traffic throught Mikrotik set
  • Endpoint: Public IP and Port Mikrotik router
  • PersistentKeepalive: if you’re behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent, this option will keep the “connection” open in the eyes of NAT.

Add a Comment

Your email address will not be published. Required fields are marked *