A Comprehensive Guide to WireGuard Routing on MikroTik Routers (as Client)

Routing traffic through a WireGuard VPN using a MikroTik router requires careful configuration of interfaces, peers, IP addresses, and routes.

What is WireGuard?

WireGuard is a modern VPN protocol known for its simplicity, speed, and security. MikroTik routers support WireGuard from RouterOS v7.x, making it easier to set up secure tunnels for routing network traffic.

Let’s jump in.

Prerequisites

1. A WireGuard config file (from any WireGuard-enabled server or MikroTik).
2. A working internet connection in your MikroTik router.
3. RouterOS 7.x or later.

Your Config Should Look Like This:

[Interface]
PrivateKey = oMZz05ZTTxFawluDF6VK86AKpG2WwcZiQKBc4vUbNFU=
Address = 10.7.0.2/24
DNS = 9.9.9.9, 1.1.1.1

[Peer]
PublicKey = L+ZDsJCz9RZ4tYty2gZawz36bIaIgEz2SCT9ohLowgI=
PresharedKey = 355/3KsgpAY6f3frZ2vdbEKMEZUdGqS0hOwxggtbFgzQ=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.171.53.52:51820
PersistentKeepalive = 25

Configuration Steps

1. Enable WireGuard Interface

1. Log in to your MikroTik router via WinBox or WebFig.
2. Go to Interfaces > WireGuard.
3. Click Add (+) and set the following:
   • Name: Assign a name to the WireGuard interface (e.g., wg1).
   • MTU: Default is 1420.
   • Private Key: Your WireGuard server’s private key.
   • Public Key: This will be auto-generated.
   • Listen Port: Set if required (default: 51820).
4. Click Apply and OK.

2. Configure WireGuard Peer

1. Go to WireGuard > Peers.
2. Add a new Peer:
   • Public Key: WireGuard server’s public key.
   • Allowed Addresses: Specify traffic routing (e.g., 0.0.0.0/0 for all traffic).
   • Endpoint: Enter the server IP and port (e.g., 198.51.100.10:51820).
   • Preshared Key: Enter the preshared key (if applicable).
   • Persistent Keepalive: Set to 25 seconds for NAT stability.
3. Click Apply and OK.

3. Assign IP Address to the WireGuard Interface

1. Go to IP > Addresses.
2. Add a new IP address:
   • Address: Assign the IP provided by the WireGuard server (e.g., 10.7.0.2/24).
   • Interface: Select the WireGuard interface (e.g., wg1).
3. Click Apply and OK.

4. Add Routes

To route all traffic through the WireGuard interface:

1. Go to IP > Routes > Add.
2. Configure:
   • Destination: 0.0.0.0/0 (to route all traffic).
   • Gateway: Enter the WireGuard server’s IP or local gateway (e.g., 10.7.0.1).
   • Interface: Select wg1.
   • Routing Table: Choose a different routing table (recommended). If not created, create one from Routing > Tables > New (+).
3. Click Apply and OK.

5. Configure NAT (Optional)

If the router handles LAN traffic:

1. Go to IP > Firewall > NAT.
2. Add a new rule:
   • Chain: srcnat.
   • Out. Interface: wg1.
   • Action: masquerade.

Check the Last Handshake timestamp under the WireGuard interface; if it’s not updating, the connection to the WireGuard server isn’t established.

How to Check It’s Working

1. Go to Routing Rule, then add your PC’s IP (or a specific IP) to the local address.
2. Set 0.0.0.0/0 as the destination.
3. Use the created WireGuard routing table. Traffic should now pass through the VPN.

Alternatively, you can:

• Add address ranges (e.g., 192.168.50.192/26) to route specific IPs through the VPN.
• Increase the distance of your primary interface (e.g., pppoe or ether1) and lower the distance for the WireGuard interface to prioritize VPN routing.

Routing Exceptions

To avoid certain local subnets or IPs being routed through the VPN (split-tunneling):

1. Add separate routes for those subnets:
   • Destination: Your LAN subnet (e.g., 192.168.1.0/24).
   • Gateway: Your router’s LAN gateway (e.g., 192.168.1.1).
   • Interface: Leave blank or set to your main internet interface (e.g., ether1 or pppoe).
2. Ensure these routes have a higher priority (lower distance value).

By following these steps, you can configure your MikroTik router to securely route traffic through WireGuard while maintaining flexibility for exceptions. Enjoy the enhanced speed and simplicity of WireGuard VPN!