@saper-2
Created April 30, 2026 22:17
Mikrotik + Wireguard quick setup

Configure a Wireguard server on Mikrotik and a client device (RoadWarrior setup)

Create the WireGuard server interface (WG) and pick a listen port you like 😃 Recommended range: 10000..65000

/interface wireguard add listen-port=22885 mtu=1420 name=wireguard1

Assign an IP address to the WG interface and define the WG network (use a private address range):

/ip address add address=172.24.254.1/26 comment=Wireguard1 interface=wireguard1 network=172.24.254.0

ℹ️ I'm using mask /26 -> 255.255.255.192 (62 hosts in the network max) [IP subnet calculator: https://jodies.de/ipcalc]



Firewall setup

Allow routing from WireGuard to the LAN. These rules should be placed before the final drop rule (e.g. action=drop chain=input comment="Drop anything else"). Use the interface names from your configuration in the rules below:

/ip firewall filter add action=accept chain=forward comment="Wireguard - route for access LAN services" in-interface=wireguard1 out-interface=LAN

/ip firewall filter add action=accept chain=forward dst-address=<LAN_NETWORK/24> src-address=172.24.254.0/26

‼️ Add the WireGuard subnet to your firewall safe_list / allowed_ips address list (or any list you use for trusted/allowed IPs).

Open the port and accept traffic to the WG server port. Add the rule to your services chain (if you have one), otherwise place it before the last drop rule:

/ip firewall filter add action=accept chain=services comment="Wireguard Server" dst-port=22885 protocol=udp


Set up WireGuard client - generate everything on Mikrotik and import it to the client via QR code or text file

Add a peer to the WireGuard server and generate the configuration on Mikrotik. Use the next available IP address from the WireGuard subnet and assign it to both allowed-address and client-address.

/interface wireguard peers add comment=<peer-name> name=peer-<peer-name> allowed-address=<next-free-ip>/32 interface=wireguard1 preshared-key=auto private-key=auto responder=yes client-address=<next-free-ip>/32 client-dns=8.8.8.8,8.8.4.4 client-endpoint=<router-wan-address> client-keepalive=20

Explanation:

  • responder=yes tells WireGuard not to initiate connections to the peer. Otherwise it may try to reach the peer’s last known IP.
  • client-address and allowed-address should match. If only allowed-address is set, Mikrotik may auto-fill an unexpected IP in the generated config (RouterOS behavior/bug?).
  • /32 means a single IP address is assigned to the peer. Used for strict 1:1 mapping and clarity.
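An added helper for the peer-creation step above (example code, not from the gist): it picks the next free /32 in the WireGuard subnet, rejects peer entries outside the pool or without a /32 mask, and builds the RouterOS command with allowed-address and client-address set to the same value. The subnet, server address, existing peer list and the endpoint hostname are constructed values.

```python
import ipaddress

# Constructed values: the page's WireGuard subnet and server address, plus the
# allowed-address entries of peers that already exist on the router.
WG_SUBNET = "172.24.254.0/26"
SERVER_IP = "172.24.254.1"
EXISTING_PEERS = ["172.24.254.2/32", "172.24.254.3/32", "172.24.254.5/32"]


def next_free_ip(subnet, server_ip, existing):
    """Return the lowest host address in `subnet` that is used neither by the
    server nor by an existing peer's allowed-address. Raises if the pool is full."""
    subnet = ipaddress.ip_network(subnet)
    used = {ipaddress.ip_address(server_ip)}
    for entry in existing:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen != 32:
            raise ValueError(f"peer address {entry} is not a /32")
        if net.network_address not in subnet:
            raise ValueError(f"peer address {entry} is outside {subnet}")
        used.add(net.network_address)
    for host in subnet.hosts():  # hosts() skips the network and broadcast addresses
        if host not in used:
            return host
    raise RuntimeError(f"no free addresses left in {subnet}")


def peer_add_command(name, ip, endpoint, dns="8.8.8.8,8.8.4.4", keepalive=20):
    """Build the RouterOS command from the page, with allowed-address and
    client-address set to the same /32 so the generated client config matches."""
    addr = f"{ip}/32"
    return (
        f"/interface wireguard peers add comment={name} name=peer-{name} "
        f"allowed-address={addr} interface=wireguard1 preshared-key=auto "
        f"private-key=auto responder=yes client-address={addr} "
        f"client-dns={dns} client-endpoint={endpoint} client-keepalive={keepalive}"
    )


if __name__ == "__main__":
    ip = next_free_ip(WG_SUBNET, SERVER_IP, EXISTING_PEERS)  # -> 172.24.254.4
    print(peer_add_command("laptop", ip, "vpn.example.invalid"))  # endpoint is a placeholder
```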

To print the configuration and QR code in the console, first check the index:

/interface wireguard peers print

Once you know the peer index, you can display the generated WireGuard client configuration and QR code:

/interface wireguard peers show-client-config number=<index>

ℹ️ 👉 Alternatively, you can open the peer in WinBox, where the configuration file and QR code are also available.



Set up WireGuard client manually

Android:

  1. Open the app and create a new tunnel from scratch.
  2. Enter a tunnel name and generate the public/private key pair (you will need to add the public key to the peer configuration on Mikrotik).
  3. Set the Address field to an IP from the WireGuard subnet (next available IP).
  4. Add a peer and enter the WireGuard server configuration.
  5. Add the peer to the WG server using the public key generated by the client:
/interface wireguard peers add allowed-address=172.24.254.2/32 comment=<peer-name> interface=wireguard1 name=peer-<peer-name> preshared-key=auto responder=yes public-key="<public-key-from-client-app>"
  6. Get the generated preshared key:
/interface/wireguard/peers print where name=peer-<peer-name>
  7. Copy the preshared key into the PresharedKey field of the client config.
  8. Save the config in the app.



CONFIG FILE EXPLAINED:

  • [Interface] - required; configuration for the local device

    • PrivateKey - required; device private key (generated when creating a new tunnel on the device). Never share it.
    • Address - IP address assigned to this device in WireGuard (always a single IP with /32 mask)
    • DNS - comma-separated list of DNS servers
  • [Peer] - WireGuard server configuration

    • PublicKey - WireGuard server public key
    • PresharedKey - optional additional key (set to auto on Mikrotik, then apply to generate it). Can be omitted, but adds an extra layer of encryption for traffic inside the tunnel.
    • Endpoint - wg_address:port - public IP or hostname of the WireGuard server with port
    • AllowedIPs - defines which traffic is routed through the tunnel. Use 0.0.0.0/0, ::/0 to route all traffic via VPN
    • PersistentKeepalive - optional; keeps the connection alive (recommended for mobile devices). 20-25 seconds is a common value.
  • You will need the public key generated in the WireGuard client app. It must be added to the peer configuration on the Mikrotik server.

Example WireGuard client config file:

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.11.12.2/32
DNS = 8.8.8.8, 1.1.1.1

[Peer]
PublicKey = <MIKROTIK_WG_PUB_KEY>
PresharedKey = <MIKROTIK_WG_PEER_PRESHARED_KEY>
Endpoint = aaaaaaaa.cloud.mikrotik.com:22222
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
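An added checker (example code, not part of the gist) that applies the rules from the config explanation above to a client config file: keys must be 32 bytes encoded as 44 base64 characters, Address must be a single /32, Endpoint must be host:port, every AllowedIPs entry must be a valid network, and PresharedKey is optional but must be a valid key when present. The sample config and its all-zero keys are constructed.

```python
import base64
import configparser
import ipaddress

# Constructed sample modelled on the page's example; keys are 32 zero bytes, not real keys.
FAKE_KEY = base64.b64encode(bytes(32)).decode()
SAMPLE_CONF = f"""[Interface]
PrivateKey = {FAKE_KEY}
Address = 10.11.12.2/32
DNS = 8.8.8.8, 1.1.1.1
[Peer]
PublicKey = {FAKE_KEY}
PresharedKey = {FAKE_KEY}
Endpoint = aaaaaaaa.cloud.mikrotik.com:22222
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 15
"""

def is_wg_key(value):
    """A WireGuard key is 32 bytes, which base64 encodes as exactly 44 characters."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return False

def check_client_config(text):
    """Return the list of rule violations found; an empty list means the config passes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    iface, peer, problems = cp["Interface"], cp["Peer"], []
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a valid 32-byte key")
    try:  # Address must be one host address with a /32 mask
        if ipaddress.ip_network(iface.get("Address", ""), strict=False).prefixlen != 32:
            problems.append("Interface.Address must use a /32 mask")
    except ValueError:
        problems.append("Interface.Address is not a valid address")
    if not is_wg_key(peer.get("PublicKey", "")):
        problems.append("Peer.PublicKey is not a valid 32-byte key")
    if "PresharedKey" in peer and not is_wg_key(peer["PresharedKey"]):  # optional
        problems.append("Peer.PresharedKey is set but not a valid key")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("Peer.Endpoint must be host:port")
    for net in peer.get("AllowedIPs", "").split(","):  # each entry must parse as a network
        try:
            ipaddress.ip_network(net.strip())
        except ValueError:
            problems.append(f"Peer.AllowedIPs entry {net.strip()!r} is not a network")
    return problems
```

Running check_client_config on the page's example as printed would flag every key, because the angle-bracket placeholders are not valid base64 keys.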