Post note: as of RouterOS 7.18, IP > Addresses supports /31 (point-to-point) addresses.
In this guide, I’ll show you how to easily set up a VPN tunnel using WireGuard between a Windows PC and a MikroTik router. Whether you need to manage your router remotely or access hosts on your network from anywhere, this tutorial covers each aspect and aims to simplify the steps so that anyone at any skill level can follow them.
Mikrotik WireGuard Interface Setup:
On your MikroTik router navigate to the WireGuard menu, and click on “New” to create a new WireGuard interface.

Name: The name of the WireGuard interface. Usually you can leave this default, unless you have multiple WireGuard interfaces, and need to organise better.
Listen Port: Most of the time leaving this on the default port which is 13231 is fine.
Everything can be left default, but feel free to customise this to your needs. Once done, press “OK”.

Once the WireGuard interface is setup, we need to assign an IP subnet to it, which will be used for the VPN tunnel. I’m only planning to add 1 device, so I will use a /30 ptp subnet. However, if your plan is to have multiple devices connected to the VPN at once, using a larger subnet would be required, as each connecting device (peer) needs a unique IP address. You can also add a single ptp subnet for each connecting peer.
To add an IP subnet to the WireGuard interface, navigate to IP > Addresses, then click on “New”.

Address: This defines the IP address assigned to the WireGuard interface. I’m going to assign 172.16.0.1/30 to the interface, which means 172.16.0.2/30 can be used for my connecting device (peer).
Network: If you leave this blank, RouterOS will fill in the network address automatically; otherwise specify it manually. In pre-7.18 releases, this would have been the other endpoint in a /31 subnet.
Interface: Select the WireGuard interface that we created earlier from the drop down menu.

After assigning an IP address and subnet to the WireGuard interface, we can move on and create the peers. A peer is any device connecting to the Mikrotik’s WireGuard interface. We have to define these explicitly so that our client devices (e.g. Windows computer) are allowed to connect.
Navigate to WireGuard > Peers and click on “New” to add a new peer. One of the required fields here is the peer’s public key, which we get from the WireGuard Windows client, so before we can start filling out the fields, we have to install WireGuard on our Windows computer and generate a key pair for this peer.

On your Windows system, download and install WireGuard. The download link can be found here.
Once done, open the WireGuard application, and click on the downward facing arrow next to “Add Tunnel” and select “Add empty tunnel…”

A new window will pop up called “Create a new tunnel”. In this window you’ll see your newly generated public key near the top of the window. This is your peer’s public key, and is what we must copy and paste into the Public Key field on the MikroTik peer setup. (The private key shown in the same window stays on the Windows client and is never entered on the router.)
The rest of the peer settings on the Mikrotik are as follows:
Interface: Select the WireGuard interface we created earlier.
Private Key: Leave blank.
Endpoint: This is the IP address of the peer. If you define this, it will only allow the peer to connect if its source address is whatever is defined. I suggest leaving this blank so that the router allows the peer to connect from any IP address.
Endpoint Port: This is the source port of the connecting peer. Leave this blank to allow any port, or define it if you want to lock it down further. Note that if you define the port here, you have to also define the same port on the Windows client explicitly.
Allowed Address: This is the address that your peer is going to be connecting to the tunnel with, and also the address that return traffic to the peer is sent over. Remember, I set 172.16.0.1/30 on the WireGuard interface, and therefore my peer will be using 172.16.0.2, which is what I will be putting in here. I didn’t define a CIDR prefix here; since I left it blank, RouterOS will add it as a /32.
Preshared Key: Can be used to add an extra layer of security to the encryption. In simple terms, it’s a password of sorts that gets mixed into the encryption keys, so that it would also be required to decrypt the data if the keys were ever cracked. Leave this blank to not require one.
Persistent Keep Alive: Defines an interval in seconds, between 1 and 65535, at which an authenticated empty packet is sent to the peer in order to keep a stateful firewall or NAT mapping valid persistently. For our use case this can be left blank. Once this has been set up, we can press “OK” and move on to the WireGuard Windows client setup.
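The same router-side steps (interface, tunnel address and peer) as a RouterOS v7 CLI script, added here as an example and not part of the original guide. The interface name, listen port and 172.16.0.0/30 subnet match the walkthrough above; `<WINDOWS_PUBLIC_KEY>` is a placeholder for the public key shown by the Windows client, and the “WAN”/“windows-pc” comments are my own labels.

```routeros
# Added example (not from the original guide): router-side WireGuard setup on the RouterOS v7 CLI.
# Assumes RouterOS v7 with the interface name, port and subnet used in the guide.

# 1. Create the WireGuard interface. RouterOS generates the key pair when the
#    interface is created; the private key never leaves the router.
/interface/wireguard
add name=wireguard1 listen-port=13231 comment="remote access VPN"

# Print the interface public key: this is the value that goes into the Windows
# client's [Peer] PublicKey field.
:put [/interface/wireguard get wireguard1 public-key]

# 2. Assign the router's end of the /30 point-to-point subnet to the interface.
#    The network address is derived automatically from the /30 prefix.
/ip/address
add address=172.16.0.1/30 interface=wireguard1 comment="wireguard1 tunnel"

# 3. Add the Windows PC as a peer. <WINDOWS_PUBLIC_KEY> is a placeholder for the
#    public key shown in the client's "Create a new tunnel" window.
#    allowed-address is the single /32 this peer may source traffic from and that
#    return traffic is routed to. endpoint-address/endpoint-port are left unset so
#    the client may connect from any address and port (roaming behind NAT).
/interface/wireguard/peers
add interface=wireguard1 public-key="<WINDOWS_PUBLIC_KEY>" allowed-address=172.16.0.2/32 comment="windows-pc"

# 4. Verify: last-handshake, rx and tx are populated once the client has connected.
/interface/wireguard/peers print detail
```

Paste the lines into the terminal (or `/import` them from a file); the key printed by the `:put` line is what you copy into the Windows client, never the router’s private key.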

WireGuard Windows Client Setup:
As a base template, you can copy and paste the below code snippet into your WireGuard tunnel. Just change the values according to your requirements. The Public Key under the “Peer” settings on your Windows client must be the MikroTik’s WireGuard interface public key, i.e., the inverse of what we configured on the peers page on the MikroTik. The rest of the lines are quite self explanatory, but take special note of the “AllowedIPs” section:
Adding entries to the “AllowedIPs” field in the configuration file will do two things:
- Adds a route: It will add routes to the specified subnets (e.g., 172.16.0.0/30) on the Windows computer. This means that any traffic destined for these subnets will be routed through the WireGuard tunnel.
- Allows return traffic: It will allow traffic from these subnets to be received back through the WireGuard tunnel. Essentially, “AllowedIPs” defines which IP addresses are allowed to be routed through the tunnel and also specifies which incoming traffic is accepted.
By specifying AllowedIPs = 172.16.0.0/30, x.x.x.x/x, you are configuring the client to route traffic to these subnets through the WireGuard interface and to accept return traffic from these subnets.
If you want to send all traffic to the MikroTik, and use it as your Windows computer’s default route, you can add the address “0.0.0.0/0” to your tunnel, which will force all traffic out the VPN tunnel. Just make sure that you are NATing the tunnel subnet on the router, otherwise your Windows computer will not have internet breakout.
[Interface]
PrivateKey = <your private key, generated by the Windows client>
Address = 172.16.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <your router's WireGuard interface public key>
PresharedKey = <preshared key; remove this line if you did not set one on the router>
# Remove what you don't need. Keep 0.0.0.0/0 only if the tunnel should be your default route.
AllowedIPs = 172.16.0.0/30, 0.0.0.0/0, x.x.x.x/x
# Can also be the router's IP Cloud DNS name if it is publicly reachable.
Endpoint = 192.168.88.219:13231

Once done, click on “Save” and then “Activate” to bring the WireGuard tunnel up. Once up, the two ends of the tunnel will complete a handshake, and data can begin to flow over it. You should be able to reach the opposite endpoint IP, and the other subnets specified in your “AllowedIPs” field.
*Important: We’ve not yet discussed firewall requirements. If your tunnel is set up correctly, but you cannot establish a handshake to your router, it’s likely a firewall issue, which is discussed under the next section.

Firewall Config:
There are a number of ways to configure the firewall to allow WireGuard to work correctly, and the exact route you take will depend on your setup. Just keep in mind that at the very least, for the tunnel to establish, you have to allow UDP traffic to the listen port of the MikroTik’s WireGuard interface in via the WAN interface.
To start, navigate to IP > Firewall.

In the firewall filters menu, click on “New” and add a new firewall filter. This is the filter to allow the WireGuard tunnel to form:
Chain: input
Protocol: UDP
Dst.Port: 13231 (or whatever port you set)

Navigate to the Action tab, and set it to “Accept”, then click on “OK” to add this filter in. Make sure to drag this filter into the correct place in your firewall to prevent filters above it overriding it.

Next, let’s assume we want to be able to log in to the MikroTik from our Windows computer to manage it. We have to allow that in too. The previous rule we added only allows the tunnel to form. Assuming there are standard catch-all drop rules, we have to allow input from the WireGuard interface as well so that we can reach the router via the tunnel.
To do this, add another filter:
Chain: input
In.Interface: wireguard1 (your WireGuard interface)

Like before, navigate to the Action tab and set it to “Accept”, then press the “OK” button. Make sure to drag this rule into the right place, like with the rule above it.

This next filter may or may not be required, but it depends on what rules you have for the forward chain. If you have locked your forward chain down, and you have to explicitly define the rules for it, then you’ll need to allow forwards from the WireGuard interface in order to reach other hosts and networks from your Windows computer.
To do this, create a new filter:
Chain: forward
In.Interface: wireguard1 (your WireGuard interface)

Navigate to the Action tab and set it to “Accept”, then press the “OK” button. Make sure to drag this rule into the right place, like with the rule above it.
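The three filter rules from this section, plus the srcnat rule needed when the client uses 0.0.0.0/0 as its AllowedIPs, as a RouterOS v7 CLI script. This is an added example, not part of the original guide; it assumes the default “WAN” interface list exists, that at least one filter rule is already present (true on the default configuration, so `place-before=0` has something to go before), and the wireguard1/13231 names used above.

```routeros
# Added example (not from the original guide): firewall rules for the WireGuard tunnel on RouterOS v7.
# Assumes the default "WAN" interface list and the wireguard1 interface on UDP 13231.

/ip/firewall/filter
# Rule 1: let the WireGuard handshake reach the router on its listen port, only
# from the WAN side. place-before=0 puts the rule at the top of the chain so a
# later catch-all drop cannot shadow it (the CLI equivalent of dragging it up in
# WinBox). It needs an existing rule 0, which the default configuration has.
add chain=input protocol=udp dst-port=13231 in-interface-list=WAN action=accept comment="WireGuard: allow tunnel to form" place-before=0

# Rule 2: allow management of the router itself (WinBox/SSH/etc.) over the tunnel.
add chain=input in-interface=wireguard1 action=accept comment="WireGuard: allow management via tunnel" place-before=0

# Rule 3: allow tunnel clients to reach hosts and networks behind the router.
# Only needed if the forward chain is locked down with an explicit drop.
add chain=forward in-interface=wireguard1 action=accept comment="WireGuard: allow forward from tunnel" place-before=0

# NAT: required only when the Windows client has 0.0.0.0/0 in AllowedIPs and
# uses the router as its default route; without it the client has no internet breakout.
/ip/firewall/nat
add chain=srcnat src-address=172.16.0.0/30 out-interface-list=WAN action=masquerade comment="WireGuard: internet breakout for tunnel clients"

# Verify: the packet/byte counters on these rules should increase as the
# handshake arrives and traffic flows. A zero counter on rule 1 with a
# failing handshake points to a rule above it dropping the traffic.
/ip/firewall/filter print stats where comment~"WireGuard"
```

Because each `add` uses `place-before=0`, the three accept rules all land above the existing rules; their order relative to each other does not matter, only that they sit above any drop rule.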

With all of this now in place, on my Windows PC, I can once again activate the WireGuard tunnel and now have full routing and access to the Mikrotik router. Any other networks behind the Mikrotik can also be accessed by simply adding the subnet to the WireGuard peers allowed addresses on the Mikrotik.

