Hey everyone! Today, we're diving into setting up a WireGuard client-to-site VPN on a Mikrotik router. If you're looking to securely access your home network while you're on the go, or just want a more modern and efficient VPN solution, you're in the right place. WireGuard is known for its speed and simplicity, and Mikrotik routers are super versatile, making them a perfect match. Let’s get started!

    Why WireGuard on Mikrotik?

    Before we jump into the how-to, let’s quickly cover why you might want to use WireGuard on your Mikrotik router.

    • Speed: WireGuard is designed to be lightweight and fast, offering better performance than older VPN protocols like OpenVPN or IPsec.
    • Security: It uses state-of-the-art cryptography, ensuring your data stays safe and secure.
    • Simplicity: The configuration is more straightforward compared to other VPN solutions, making it easier to set up and manage.
    • Modern Protocol: As a modern VPN protocol, WireGuard benefits from continuous improvements and security audits.
    • Cost-Effective: Mikrotik routers offer great value for money, providing advanced features without breaking the bank.

    Using WireGuard on a Mikrotik device for a client-to-site VPN combines WireGuard’s modern, efficient protocol with Mikrotik’s versatile and robust router operating system, giving a secure, fast and reliable VPN connection. Remote workers get secure access to the office network, so sensitive data stays protected while working from home or other remote locations. Travellers can use the tunnel to bypass geo-restrictions and reach home-country content and services. WireGuard’s state-of-the-art cryptography protects traffic on public Wi-Fi in cafes, airports or hotels, and its lower overhead and latency compared with OpenVPN or IPsec make video conferencing, online gaming and high-definition streaming smoother. Overall, WireGuard on a Mikrotik router is a complete solution for secure, efficient remote access, for both personal and professional needs.

    Prerequisites

    Before we start, make sure you have the following:

    • A Mikrotik router with RouterOS version 7 or higher (WireGuard support was introduced in RouterOS v7).
    • A computer or device to configure the Mikrotik router (Winbox is highly recommended).
    • Basic networking knowledge (IP addresses, subnets, etc.).
    • A dynamic DNS service or a static IP address for your home network (if you want to access it remotely).

    Each prerequisite matters. RouterOS version 7 or higher is required because WireGuard support was introduced in that version. Winbox is recommended because its graphical interface makes the configuration easy to navigate. Basic networking knowledge (IP addresses, subnets) is needed to get the client and server addressing right so the two sides can talk. A dynamic DNS name or a static IP address is needed for remote access so that clients can always find your home network, even when your ISP periodically changes your public IP. Without these in place, setting up and maintaining the tunnel quickly becomes frustrating.

    Step-by-Step Configuration

    Step 1: Add WireGuard Interface

    First, we need to add a WireGuard interface on your Mikrotik router.

    1. Open Winbox and connect to your Mikrotik router.
    2. Go to Interfaces in the left menu.
    3. Click the + button and select WireGuard.
    4. Give the interface a name (e.g., wireguard1).
    5. Generate a private key by clicking the Generate Key button. The public key will be automatically generated.
    6. Set the Listen Port to a port of your choice (e.g., 13231). Make sure this port is not already in use. We’ll need to forward this port on your firewall later.
    7. Click Apply and OK.

    Step 2: Configure the IP Address

    Next, assign an IP address to the WireGuard interface.

    1. Go to IP > Addresses.
    2. Click the + button to add a new address.
    3. Enter an IP address and subnet for the WireGuard interface (e.g., 10.6.0.1/24). This IP will be the gateway for your VPN clients.
    4. Select the WireGuard interface you created in the Interface dropdown.
    5. Click Apply and OK.

    Steps 1 and 2 together turn the router into a WireGuard endpoint. Adding the interface in Winbox enables the WireGuard protocol on the router, and naming it (e.g., wireguard1) makes the tunnel easy to identify and manage later. Generating a private key is crucial: it is the router’s identity and the basis of the tunnel’s encryption, and the matching public key, generated automatically, is what clients use to authenticate the router. The Listen Port (e.g., 13231) is the UDP port on which the router waits for incoming WireGuard connections, and it must be allowed through the firewall later. The address assigned to the interface (e.g., 10.6.0.1/24) defines the VPN subnet and is the gateway that clients use to reach the network behind the router; selecting the WireGuard interface in the address dialog binds that address to the tunnel rather than to another interface. With these steps done, the router is ready to accept and route traffic from authorized clients.

    Step 3: Configure the Firewall

    Now, let’s configure the firewall to allow WireGuard traffic.

    1. Go to IP > Firewall.
    2. Click on the NAT tab.
    3. Click the + button to add a new NAT rule.
    4. Set the Chain to dstnat.
    5. Set the Dst. Port to the Listen Port you chose in Step 1 (e.g., 13231).
    6. Set the Protocol to udp.
    7. Go to the Action tab.
    8. Set the Action to dst-nat.
    9. Set the To Addresses to the Mikrotik’s local IP address.
    10. Set the To Ports to the Listen Port (e.g., 13231).
    11. Click Apply and OK.
    12. Go to the Filter Rules tab.
    13. Add a new rule with chain=input protocol=udp dst-port=13231 action=accept (using the Listen Port you chose in Step 1).
    14. Click Apply and OK.

    Step 4: Create a Peer for the Client

    For each client that will connect to the VPN, you need to create a peer.

    1. Go back to Interfaces and double-click on the WireGuard interface.
    2. Click the Peers tab.
    3. Click the + button to add a new peer.
    4. Enter the Public Key of the client. You’ll need to generate this on the client device (we’ll cover that later).
    5. Enter the Allowed Address for the client (e.g., 10.6.0.2/32). This is the IP address that will be assigned to the client.
    6. (Optional) Add the client's public IP address in the Endpoint field if the client has a static IP. Otherwise, leave it blank.
    7. Click Apply and OK.

    Steps 3 and 4 let the traffic in and define who may connect. In the firewall, the dstnat rule redirects incoming UDP traffic on the Listen Port (e.g., 13231) to the Mikrotik’s local IP address and the same port, so external VPN requests reach the WireGuard interface, and the filter rule chain=input protocol=udp dst-port=13231 action=accept stops the router’s default input policy from dropping those packets. Each client is then defined as a peer on the WireGuard interface: its Public Key, generated on the client device, is what authenticates it, and its Allowed Address (e.g., 10.6.0.2/32) is the single VPN address that peer may use, which also keeps addresses unique across clients. The Endpoint field is optional: fill it in only when the client has a static public IP, and leave it blank when the client’s address is dynamic. With this done, the router accepts connections only from clients whose keys it knows and routes their traffic into the network.

    Step 5: Configure the Client

    Now, let’s move on to the client-side configuration. I'll use the WireGuard app on a smartphone as an example, but the steps are similar for other devices.

    1. Install the WireGuard app on your device.
    2. Open the app and create a new tunnel.
    3. Enter the following information:
      • Name: A name for your connection (e.g., HomeVPN)
      • Private Key: Generate a new private key.
      • Public Key: The app will automatically generate the public key.
      • Addresses: The IP address you assigned to the client in Step 4 (e.g., 10.6.0.2/32)
      • DNS Servers: Your preferred DNS servers (e.g., 1.1.1.1, 8.8.8.8)
      • Peer Public Key: The public key of your Mikrotik WireGuard interface (from Step 1).
      • Allowed IPs: 0.0.0.0/0 to route all traffic through the VPN, or specific IPs/subnets if you only want to route certain traffic.
      • Endpoint: Your Mikrotik’s public IP address or dynamic DNS hostname, followed by the Listen Port (e.g., yourdomain.com:13231)
    4. Save the configuration.
    5. Enable the tunnel.

    On the client, the WireGuard app (available for smartphones, tablets and computers) holds the matching half of the configuration. The Name (e.g., HomeVPN) is only a label. Generating a private key in the app gives the client its identity; the app derives the public key, which is the value entered as the peer’s Public Key on the router in Step 4. Addresses must match the Allowed Address given to this peer in Step 4 (e.g., 10.6.0.2/32) so the client uses the correct IP within the VPN. DNS Servers (e.g., 1.1.1.1, 8.8.8.8) are the resolvers the client uses while the tunnel is up. Peer Public Key is the public key of the Mikrotik WireGuard interface from Step 1 and lets the client authenticate the server. Allowed IPs decides what is sent into the tunnel: 0.0.0.0/0 routes everything through the VPN, while listing specific IPs or subnets sends only that traffic through the tunnel and saves bandwidth. Endpoint is the router’s public IP address or dynamic DNS hostname followed by the Listen Port (e.g., yourdomain.com:13231), which is how the client finds the server. Once the configuration is saved and the tunnel enabled, the client should establish a secure connection to the Mikrotik and reach the network resources behind it.
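    The same configuration as Steps 1 to 5, as an added provisioning script that is not part of the original post: it renders the client tunnel file and the matching RouterOS CLI commands (to paste into the Mikrotik terminal), so the peer is created with the client's real public key. yourdomain.com, the file names and the comment value are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a provisioning script run on the
# client's computer that renders the Step 5 client config and the RouterOS CLI
# equivalents of Steps 1-4, so the peer gets the client's real public key.
set -eu

WG_PORT=13231
SERVER_ADDR=10.6.0.1/24          # gateway address on wireguard1 (Step 2)
CLIENT_ADDR=10.6.0.2/32          # allowed-address of this peer (Step 4)
ENDPOINT=yourdomain.com          # placeholder: your DDNS name or public IP

# Step 5: render the client tunnel config. Keys are passed in as arguments so
# the function works without the wg tool installed.
render_client_conf() {  # $1 client private key, $2 server public key, $3 AllowedIPs
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $CLIENT_ADDR
DNS = 1.1.1.1, 8.8.8.8

[Peer]
PublicKey = $2
AllowedIPs = $3
Endpoint = $ENDPOINT:$WG_PORT
EOF
}

# Steps 1-4 as RouterOS commands. place-before=0 puts the accept rule above the
# default "drop all not coming from LAN" input rule, which would otherwise
# discard the handshake. Step 3's dst-nat rule is not needed when the router
# itself terminates the tunnel, so it is left out here.
render_routeros_cmds() {  # $1 client public key
    cat <<EOF
/interface/wireguard add name=wireguard1 listen-port=$WG_PORT
/ip/address add address=$SERVER_ADDR interface=wireguard1
/ip/firewall/filter add chain=input protocol=udp dst-port=$WG_PORT action=accept comment="WireGuard in" place-before=0
/interface/wireguard/peers add interface=wireguard1 public-key="$1" allowed-address=$CLIENT_ADDR
/interface/wireguard print detail
EOF
}

# Full run: generate the client key pair (umask 077 keeps client.key private),
# then write both files. The server public key is shown by the last RouterOS
# command; put it in place of the placeholder in HomeVPN.conf before enabling.
if [ "${1:-}" = "run" ]; then
    umask 077
    wg genkey | tee client.key | wg pubkey > client.pub
    render_routeros_cmds "$(cat client.pub)" > mikrotik-wireguard.rsc
    render_client_conf "$(cat client.key)" "SERVER_PUBLIC_KEY_FROM_STEP_1" 0.0.0.0/0 > HomeVPN.conf
fi
```

    Run it as `sh provision.sh run` on a machine with the wg tools, then import HomeVPN.conf into the app (or scan it as a QR code) and paste mikrotik-wireguard.rsc into the router terminal.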

    Step 6: Test the Connection

    Finally, test the connection to make sure everything is working correctly.

    1. On your client device, enable the WireGuard tunnel.
    2. Check the tunnel’s IP address in the app. It should be the address you assigned to the client (e.g., 10.6.0.2).
    3. Try to access resources on your home network (e.g., ping a device on your local network).
    4. If you routed all traffic through the VPN, try browsing the internet. Your IP address should appear to be the public IP address of your home network.

    Each test checks one layer of the setup. Enabling the tunnel on the client starts the handshake with the Mikrotik. Seeing the assigned VPN address (e.g., 10.6.0.2) on the client confirms that the interface and addressing are correct and the client belongs to the VPN subnet. Pinging a device on the home LAN confirms that the handshake succeeded and that the router forwards traffic between the tunnel and the internal network. If Allowed IPs is 0.0.0.0/0, browsing the internet should show the public IP address of your home network, confirming that all traffic leaves through the tunnel. A failure at any step points to the corresponding part of the configuration, whether client or server settings, firewall rules or routing, and the matching step should be reviewed. When all tests pass, the VPN is providing secure remote access to the home network and protecting the client’s internet traffic.

    Troubleshooting

    If you encounter any issues, here are a few things to check:

    • Firewall: Make sure the WireGuard port is open on your Mikrotik firewall.
    • IP Addresses: Double-check that the IP addresses and subnets are configured correctly on both the client and the server.
    • Public Keys: Ensure that the public keys are entered correctly on both the client and the server.
    • Routing: If you’re not able to access the internet through the VPN, make sure the Allowed IPs setting on the client is set to 0.0.0.0/0.
    • Logs: Check the Mikrotik logs for any error messages related to WireGuard.
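    A concrete check for Step 6 and the troubleshooting list above, added here and not part of the original post: the last-handshake time tells whether the tunnel is really up, which separates a key or firewall problem (no handshake at all) from a routing problem (handshake fine, but no traffic reaches the LAN). The peer keys in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: classify each peer of a WireGuard
# interface by its last handshake, the first thing to check when Step 6 fails.
# 'wg show <if> latest-handshakes' prints one line per peer:
# "<peer public key><TAB><unix time of last handshake>", with 0 meaning never.
set -eu

# Peers re-handshake at least every 2 minutes while traffic flows and reject
# sessions older than 3 minutes, so a handshake older than 180 s while you are
# sending traffic means the tunnel is not really up.
MAX_AGE=180

handshake_state() {  # $1 last handshake epoch, $2 now epoch -> never|stale|up
    if [ "$1" -eq 0 ]; then
        echo never   # no handshake ever: key mismatch, UDP port blocked, wrong endpoint
    elif [ $(( $2 - $1 )) -gt "$MAX_AGE" ]; then
        echo stale   # was up once; endpoint/firewall changed or no traffic since
    else
        echo up
    fi
}

# Read 'latest-handshakes' output on stdin, print "<state> <peer>" per line.
classify_handshakes() {  # $1 now epoch
    while IFS="$(printf '\t')" read -r peer ts; do
        [ -n "$peer" ] || continue
        printf '%s %s\n' "$(handshake_state "$ts" "$1")" "$peer"
    done
}

# Live check against the running tunnel (client side, needs the wg tool).
check_tunnel() {  # $1 interface name, e.g. wg0
    wg show "$1" latest-handshakes | classify_handshakes "$(date +%s)"
}

# Constructed sample output with placeholder keys, for running offline.
SAMPLE="$(printf 'PEER_A_PLACEHOLDER=\t1700000000\nPEER_B_PLACEHOLDER=\t0\n')"
printf '%s\n' "$SAMPLE" | classify_handshakes 1700000100   # up / never
```

    On the router side, /interface/wireguard/peers print shows the same last-handshake value per peer, so the check can be done from either end.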

    Conclusion

    And that's it! You've successfully set up a WireGuard client-to-site VPN on your Mikrotik router. This setup allows you to securely access your home network from anywhere in the world, with the speed and security of WireGuard. Enjoy your secure and fast VPN connection!