How to Set Up WireGuard on MikroTik and Connect a Windows Client

WireGuard is a modern, fast, and secure VPN protocol supported natively in MikroTik RouterOS 7 and above. In this step-by-step guide, you will learn how to configure a WireGuard server on your MikroTik router and connect a Windows computer as a client.


Requirements

  • MikroTik router with RouterOS 7+
  • Winbox or SSH access
  • Public IP address or working DDNS
  • WireGuard client for Windows

Step 1: Create WireGuard Interface on MikroTik

Open a terminal in Winbox or connect over SSH, then run the following command:

/interface/wireguard add name=wg0 listen-port=51820

This creates a WireGuard interface that will act as the VPN server.


Step 2: Generate Server Key Pair

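WireGuard authenticates each peer with a public/private key pair. The private key stays on the device that owns it, and only the public key is given to the other side. Generate the server's pair on MikroTik: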

/interface/wireguard generate-key-pair

You will receive output like:

private-key="YOUR_SERVER_PRIVATE_KEY"
public-key="YOUR_SERVER_PUBLIC_KEY"

Apply the private key to the interface:

/interface/wireguard set wg0 private-key="YOUR_SERVER_PRIVATE_KEY"

Step 3: Assign VPN IP Address to WireGuard Interface

Assign an internal VPN address to the WireGuard interface:

/ip address add address=10.10.10.1/24 interface=wg0

This address is the router's end of the tunnel and serves as the gateway for VPN clients.


Step 4: Allow WireGuard Traffic in the Firewall

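WireGuard runs over UDP, so the router must accept inbound UDP on the listen port. Firewall rules are evaluated in order and add appends the new rule to the end of the chain, so make sure this rule ends up above any drop rule in the input chain. Add an allow rule: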

/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"

Step 5: Configure NAT for VPN Clients (If They Need Internet)

If you want your Windows client to access the internet through MikroTik, add NAT:

/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface-list=WAN action=masquerade

The rule matches on the WAN interface list, so make sure your actual WAN interface is a member of that list.


Step 6: Create Windows Client Peer on MikroTik

The Windows computer generates its own key pair (see Step 7). Add its public key to MikroTik as a peer:

/interface/wireguard/peers add \
interface=wg0 \
public-key="CLIENT_PUBLIC_KEY" \
allowed-address=10.10.10.2/32

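The allowed-address value limits this peer to the single tunnel address 10.10.10.2; the router drops packets from the peer that carry any other source address. You are now ready to configure the Windows client.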


Step 7: Configure WireGuard Client on Windows

1. Install WireGuard

Download the official client from the WireGuard website and install it.

2. Create a new tunnel

Open WireGuard → Add Tunnel → Add empty tunnel. The software will automatically generate:

  • PrivateKey
  • PublicKey

Copy the public key and paste it into the MikroTik peer configuration from Step 6. The private key stays on the Windows machine.

3. Configure the Windows client

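Use the following template in WireGuard, replacing the placeholders with your own keys and public IP address or DDNS name. Setting AllowedIPs to 0.0.0.0/0 sends all of the client's IPv4 traffic through the tunnel: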

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.10.10.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Click Activate to start the connection.


Step 8: Test the VPN

On Windows, open Command Prompt and run:

curl ifconfig.me

If everything is configured correctly, the address returned will match the MikroTik router's WAN IP, which shows that the client's internet traffic is leaving through the VPN.


Troubleshooting Tips

  • Ensure UDP port 51820 is open on the MikroTik firewall.
  • Verify that NAT is configured if you expect internet traffic through the VPN.
  • Check last-handshake on MikroTik:

/interface/wireguard/peers/print

If you see a recent handshake, the client is connected.
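
When no handshake appears, a common cause is a mismatch between the Windows tunnel file and the router-side values from Steps 1, 3 and 6. The following Python check is an added example, not part of the original guide; the function names, the sample key and the 203.0.113.10 endpoint are constructed for illustration.

```python
import base64
import configparser
import ipaddress

# Constructed sample: the Step 7 template with a made-up 32-byte key and a
# documentation-range endpoint in place of the placeholders.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
CLIENT_CONF = f"""[Interface]
PrivateKey = {SAMPLE_KEY}
Address = 10.10.10.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = {SAMPLE_KEY}
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""

def is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def check_client(conf_text, peer_allowed, listen_port, vpn_subnet):
    """Return mismatches between a client config and the router-side values."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]
    problems = []
    for section, field in ((iface, "PrivateKey"), (peer, "PublicKey")):
        if not is_wg_key(section[field]):
            problems.append(f"{field} is not a 32-byte base64 key")
    # The router drops tunnel packets whose source is outside allowed-address.
    addr = ipaddress.ip_interface(iface["Address"]).ip
    if addr not in ipaddress.ip_network(peer_allowed):
        problems.append(f"Address {addr} is outside peer allowed-address {peer_allowed}")
    port = int(peer["Endpoint"].rsplit(":", 1)[1])
    if port != listen_port:
        problems.append(f"Endpoint port {port} does not match listen-port {listen_port}")
    # The client only sends traffic into the tunnel for AllowedIPs destinations.
    subnet = ipaddress.ip_network(vpn_subnet)
    routes = [ipaddress.ip_network(n.strip(), strict=False)
              for n in peer["AllowedIPs"].split(",")]
    if not any(r.version == subnet.version and subnet.subnet_of(r) for r in routes):
        problems.append(f"AllowedIPs does not cover {vpn_subnet}")
    return problems
```

Call check_client with the exported tunnel text, the peer's allowed-address, the interface listen-port and the VPN subnet; an empty list means the two sides agree on addressing and port.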


Conclusion

WireGuard is a powerful and simple VPN technology that works exceptionally well with MikroTik RouterOS 7. By following this guide, you can configure a secure VPN server on MikroTik and connect Windows clients in just a few minutes. Enjoy high-speed encrypted connectivity wherever you are!