WireGuard on MikroTik

Submitted by Michal Novotný on February 12, 2023 - 1:14pm

This article describes how to set up a WireGuard VPN yourself on MikroTik devices running RouterOS 7 or higher. (WireGuard is not available in lower RouterOS versions; you must upgrade RouterOS.) This phenomenal VPN is very fast, secure and easily configurable in a home environment.

If you are a home user thinking about how to access your home network from the internet, WireGuard is currently one of the easiest choices. It is ideal for secure access to your home NAS or smart home when you are not at home.

 

What do we need?

 

Hardware

Any MikroTik router (RouterOS version 7; if you have an older one, upgrade the firmware)

Any Android or iOS phone

Any PC or laptop with any OS

Software

WireGuard VPN

Internet connection and public IPv4 address (if you don't have it, ask your internet provider)

 

 

Log in to your MikroTik router. We recommend using WinBox rather than the web interface; the procedure is identical in both. Go to the WireGuard tab and click the + icon to add a new WireGuard connection. Name the setting, e.g. wireguard, and copy the Public Key somewhere:

MikroTik WireGuard creation

Next, we must add a new address for the WireGuard interface in IP → Addresses by clicking on the + icon. We will choose a unique range and start from one, for example:

MikroTik WireGuard Address

 

In the final step, we will add the other side, called a "Peer". Switch to the Peers tab. Here, you need to know the Public Key of the client device (for example, a phone, computer or tablet; look in your client's app, see the instructions in the left menu). Copy the Public Key and assign it an allowed address in the WireGuard network, which should have a unique range:

MikroTik WireGuard Add Peer

 

If you use the default firewall, i.e. the predefined firewall from Quick Setup on your MikroTik, you need to allow the UDP port for WireGuard. In our case, the port is 33333. Go to IP → Firewall and add a new rule, again using the + icon; see the example below:

MikroTik WireGuard Firewall

If you want to access the local network through WireGuard (probably yes), you should add the wireguard interface to an interface list. This can be done under Interfaces → Interface List. Click + and add wireguard to the local network list, named "LAN" in this case. See below:

WireGuard Interface List
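
The same steps as RouterOS 7 terminal commands, given as an added example that is not part of the original article. The interface name wireguard, port 33333 and the LAN list come from the article; the 10.10.10.0/24 range and the peer address are constructed sample values, and the client public key is a placeholder.

```routeros
# 1. Create the WireGuard interface; RouterOS generates the key pair itself.
/interface wireguard add name=wireguard listen-port=33333
# Shows the router's Public Key, which goes into the client configuration.
# The private key never needs to leave the router.
/interface wireguard print

# 2. Give the interface the first address of a range that is not used anywhere
#    else on the network (10.10.10.0/24 is a constructed sample value).
/ip address add address=10.10.10.1/24 interface=wireguard

# 3. Add the client as a peer. Replace the placeholder with the Public Key
#    shown in the client's app. A /32 allowed-address ties this key to a
#    single tunnel address; use a different address for every further peer.
/interface wireguard peers add interface=wireguard \
    public-key="<CLIENT_PUBLIC_KEY>" allowed-address=10.10.10.2/32

# 4. Default (Quick Setup) firewall: accept UDP 33333 on the input chain.
#    Rule order matters: the accept rule has to sit above the default rule
#    that drops input not coming from the LAN list. This assumes the default
#    rule still carries its stock comment; otherwise move the rule by hand.
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=33333 comment="allow WireGuard" \
    place-before=[/ip firewall filter find comment="defconf: drop all not coming from LAN"]

# 5. Add the tunnel to the LAN interface list. From here on the firewall
#    treats VPN clients like devices on the local network, so only add
#    peers you would also let onto the LAN.
/interface list member add list=LAN interface=wireguard

# Checks: the peer entry shows a handshake once the client has connected,
# and the accept rule should be listed above the drop rule.
/interface wireguard peers print
/ip firewall filter print where chain=input
```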

 

That's it!

Now set up the client according to the type of phone or computer. See the instructions in the left menu.

PS: Some households may have their MikroTik router behind another router supplied by the internet provider. In this case, it is necessary to set up a port forward from the provider's external router to your MikroTik. This setting depends on the type of router; if you don't know how to do it, ask your internet provider's technical support for help. You need to redirect the selected UDP port (in our case 33333) to the same port 33333 on the internal MikroTik router.