
How to configure a WireGuard server in MikroTik OS

Introduction

Nowadays, secure access to internal networks is essential both for remote work and for infrastructure management. WireGuard is a modern VPN protocol that is already part of MikroTik’s RouterOS 7. It is fast, lightweight, and provides strong cryptography.

In this article, we will go through the steps to set up a WireGuard server on a MikroTik router, using the network 192.168.54.8/30.

What is WireGuard?

WireGuard uses a public and private key system for authentication.

Some key characteristics:

  • Works entirely over the UDP protocol.
  • Does not automatically assign IP addresses – they must be set manually.
  • Known for high speed and low latency.

Network Planning

We will use the subnet 192.168.54.8/30.

  • Network address: 192.168.54.8
  • Server: 192.168.54.9
  • Client: 192.168.54.10
  • Broadcast: 192.168.54.11

The /30 mask provides exactly 2 usable host addresses, which is suitable for a point-to-point connection (one server and one client).
If you have more clients, you can use a larger subnet, e.g. /29 or /24.

Server Configuration (MikroTik)

  1. Create a WireGuard interface

/interface wireguard add listen-port=51821 mtu=1280 name=wg-home comment="wg-home"

  2. Add an IP address to the interface

/ip address add address=192.168.54.9/30 comment="wg-home" interface=wg-home network=192.168.54.8

  3. Configure the peer (client)

/interface wireguard peers add allowed-address=::/0,0.0.0.0/0 client-address=192.168.54.10/30 client-dns=192.168.78.254 \
    endpoint-address=<public_IP> endpoint-port=51821 interface=wg-home private-key="auto" \
    persistent-keepalive=25s comment="wg-home"

  4. Add a firewall rule to allow access

/ip firewall filter add action=accept chain=input dst-port=51821 in-interface=ether1 protocol=udp place-before=1 comment="wg-home"

Client Configuration

The client must also be configured with a WireGuard interface using the following parameters:

  • IP address: 192.168.54.10/30
  • Private Key (generated on the client)
  • Public Key of the server
  • Endpoint: the public IP of the MikroTik server
  • Allowed IPs: 0.0.0.0/0, ::/0

Sample client configuration file (Windows/Linux):

[Interface]
PrivateKey = <ClientPrivateKey>
Address = 192.168.54.10/30
DNS = 192.168.78.254

[Peer]
PublicKey = <ServerPublicKey>
Endpoint = <public_IP>:51821
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
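
An added example, not part of the original article: a small Python check that validates a client file against the network plan and listen port used above before it is handed to a user. The function name `audit_client_conf` and the endpoint `203.0.113.10` are assumptions made for illustration; the returned /32 is the narrowest value that could be used for the peer's allowed-address on the router instead of 0.0.0.0/0 (a hardening suggestion, not something the article configures).

```python
import configparser
import ipaddress

# Values from the article's network plan.
TUNNEL_NET = ipaddress.ip_network("192.168.54.8/30")
SERVER_IP = ipaddress.ip_address("192.168.54.9")
LISTEN_PORT = 51821

# Constructed sample: the article's client file with a documentation-range endpoint.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <ClientPrivateKey>
Address = 192.168.54.10/30
DNS = 192.168.78.254

[Peer]
PublicKey = <ServerPublicKey>
Endpoint = 203.0.113.10:51821
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
"""

def audit_client_conf(text):
    """Return (findings, server_side_allowed_address) for a wg-quick client file."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    findings = []
    iface = ipaddress.ip_interface(cp["Interface"]["Address"])
    if iface.ip not in TUNNEL_NET:
        findings.append(f"Address {iface.ip} is outside {TUNNEL_NET}")
    elif iface.ip not in TUNNEL_NET.hosts():
        findings.append(f"Address {iface.ip} is the network or broadcast address")
    elif iface.ip == SERVER_IP:
        findings.append(f"Address {iface.ip} collides with the server")
    port = int(cp["Peer"]["Endpoint"].rsplit(":", 1)[1])
    if port != LISTEN_PORT:
        findings.append(f"Endpoint port {port} does not match listen-port {LISTEN_PORT}")
    routes = [ipaddress.ip_network(r.strip()) for r in cp["Peer"]["AllowedIPs"].split(",")]
    if any(r.prefixlen == 0 for r in routes):
        findings.append("full tunnel: all client traffic is routed through the router")
    # On the router, the peer only needs to source its own tunnel address.
    return findings, f"{iface.ip}/32"

if __name__ == "__main__":
    findings, allowed = audit_client_conf(SAMPLE_CONF)
    print("\n".join(findings) or "no findings")
    print("narrowest server-side allowed-address:", allowed)
```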

Testing the Connection

  • From the client, test with:
  • On the MikroTik, use /interface wireguard peers print to check the connection status.

Conclusion

With just a few commands, we successfully created a WireGuard VPN tunnel on MikroTik.

  • We used the 192.168.54.8/30 network.
  • Configured both server and client.
  • Opened the required port in the firewall.

This solution provides a fast and secure connection to your internal network.