Mr.CivsteR

Configure WireGuard on MikroTik Router


Recently got an RB5009 series router, my first ever MikroTik device. The following steps will configure WireGuard on the router for certain devices in the local network.

Generate and download a WireGuard configuration file. Values enclosed in <> are derived from the configuration file; values in [] are manually added. All commands are sent through the terminal: open WinBox, then click on New Terminal, or start an SSH session to the router.

1. Set up interface for WireGuard

/interface wireguard add listen-port=[any unused port value] mtu=<MTU> name=[any value] private-key=<PrivateKey enclosed in double quotes (")>

2. Create interface list and add wg interface. An interface list is used to better manage firewall rules when multiple wg interfaces are added in the future.
/interface list add name=[any value]
/interface list member add list=[list name created above] interface=[interface name from step 1]

3. Add wg peer
/interface wireguard peers add name=[any value] allowed-address=<AllowedIPs> endpoint-address=<Endpoint without port value> endpoint-port=<Endpoint port value> interface=[interface name from step 1] persistent-keepalive=<PersistentKeepalive> preshared-key=<PresharedKey enclosed in double quotes (")> public-key=<PublicKey enclosed in double quotes (")> client-dns=<DNS>

4. Set up IP address
/ip address add address=<Address> interface=[interface name from step 1] network=<Address without /32>

5. Create routing table
/routing table add name=[any value] disabled=no fib

6. Create route
/ip route add dst-address=0.0.0.0/0 gateway=[interface name from step 1] routing-table=[routing table name from step 5]

7. Create masquerade for wg interface list
/ip firewall nat add action=masquerade out-interface-list=[list name from step 2]

8. Add local/LAN devices to routing rule
/routing rule
add src-address=[device 1 ip] dst-address=0.0.0.0/0 action=lookup-only-in-table table=[routing table name from step 5]
add src-address=[device 2 ip] dst-address=0.0.0.0/0 action=lookup-only-in-table table=[routing table name from step 5]
add src-address=[device 3 ip] dst-address=0.0.0.0/0 action=lookup-only-in-table table=[routing table name from step 5]
...

9. Fix MTU issues
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=[list name from step 2] protocol=tcp tcp-flags=syn

Since this is my first MikroTik device, I'm sure there are ways to improve the above setup. Any comments and suggestions are welcome!

To mods: could not make a post in How-To, feel free to move this post.

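The field mapping used in steps 1 to 9 of the first post, as an added example that is not part of the original post: a Python sketch that reads a WireGuard configuration file and fills in the RouterOS commands. The interface, list and table names, the listen port, the LAN address and the sample configuration are assumptions made for illustration, and the `/interface list add` line is included because the list has to exist before a member can be added to it.

```python
import configparser
import ipaddress

# Constructed sample in the layout of a generated WireGuard file; keys are placeholders.
SAMPLE_CONF = """[Interface]
Address = 10.128.0.2/32,fd00:1234::2/128
PrivateKey = PRIVATE_KEY_PLACEHOLDER=
MTU = 1320
DNS = 10.128.0.1
[Peer]
PublicKey = PUBLIC_KEY_PLACEHOLDER=
PresharedKey = PRESHARED_KEY_PLACEHOLDER=
Endpoint = vpn.example.net:1637
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 15
"""

def routeros_commands(conf, iface="wg1", if_list="wg-out", table="via-wg",
                      listen_port=51821, lan_hosts=()):
    """Return the post's RouterOS commands filled in from a WireGuard config."""
    cp = configparser.ConfigParser(interpolation=None)  # keep key text literal
    cp.read_string(conf)
    i, p = cp["Interface"], cp["Peer"]
    # Step 4 is an IPv4 command: use the IPv4 entry when Address lists v4 and v6.
    addrs = [ipaddress.ip_interface(a.strip()) for a in i["Address"].split(",")]
    addr = next(a for a in addrs if a.version == 4)
    host, port = p["Endpoint"].rsplit(":", 1)  # last colon, so IPv6 literals work
    cmds = [
        f'/interface wireguard add listen-port={listen_port} mtu={i["MTU"]} '
        f'name={iface} private-key="{i["PrivateKey"]}"',
        f"/interface list add name={if_list}",  # list must exist before step 2
        f"/interface list member add list={if_list} interface={iface}",
        f'/interface wireguard peers add name={iface}-peer allowed-address={p["AllowedIPs"]} '
        f'endpoint-address={host.strip("[]")} endpoint-port={port} interface={iface} '
        f'persistent-keepalive={p["PersistentKeepalive"]} '
        f'preshared-key="{p["PresharedKey"]}" public-key="{p["PublicKey"]}" '
        f'client-dns={i["DNS"]}',
        f"/ip address add address={addr} interface={iface} network={addr.ip}",
        f"/routing table add name={table} disabled=no fib",
        f"/ip route add dst-address=0.0.0.0/0 gateway={iface} routing-table={table}",
        f"/ip firewall nat add action=masquerade out-interface-list={if_list}",
    ]
    cmds += [f"/routing rule add src-address={h} dst-address=0.0.0.0/0 "
             f"action=lookup-only-in-table table={table}" for h in lan_hosts]
    cmds.append("/ip firewall mangle add action=change-mss chain=forward "
                f"new-mss=clamp-to-pmtu out-interface-list={if_list} protocol=tcp tcp-flags=syn")
    return cmds

if __name__ == "__main__":
    print("\n".join(routeros_commands(SAMPLE_CONF, lan_hosts=["192.168.88.10"])))
```

The generated text contains the private and preshared keys, so treat it like the configuration file itself and keep it out of logs and shared terminals.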
7 hours ago, Mr.CivsteR said:

To mods: could not make a post in How-To, feel free to move this post.


It's for tested guides. :) It will probably be moved there in the near future, though. There were quite a number of requests for MikroTik guides, so I'm sure you'll be swimming in (hypothetical) lucre shortly. Prepare yourself.

Anyway, thank you for investing your time into this. Much appreciated.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


No problem! It's been working very well for me; I even set up different wg tunnels for some devices. This involves creating another VPN device from the client area page, and generating a config file using that device profile.

