Tutorial By MikroRadius Team

How to Set Up WireGuard VPN on MikroTik Router (Fast & Secure)

WireGuard is the fastest, most secure VPN protocol for MikroTik RouterOS v7. This step‑by‑step guide shows how to create a server, client configs, and connect from Windows, macOS, Linux, Android, and iOS.

WireGuard is the best VPN choice for MikroTik in 2026. Faster than OpenVPN, simpler than L2TP, and infinitely safer than PPTP. This guide covers a full server setup on RouterOS v7+ and connecting your first client.

Why WireGuard?

  • Speed: Modern cryptography that stays efficient even on low‑end routers.
  • Security: Only ~4,000 lines of code – tiny attack surface.
  • Simplicity: Public/private keys, no certificates.
  • Cross‑platform: Native apps for all major OS.

Prerequisites

  • MikroTik router with RouterOS v7.1+ (WireGuard is not in v6).
  • WinBox, WebFig, or SSH access.
  • A public IP or forwarded UDP port.
  • Client device with WireGuard app installed.

Step 1: Create WireGuard Interface

/interface wireguard add name=wg1 listen-port=51820

Step 2: Assign IP Address

/ip address add address=10.0.0.1/24 interface=wg1

Step 3: Add Peer for Client

/interface wireguard peers add interface=wg1 public-key="placeholder" allowed-address=10.0.0.2/32

Step 4: Firewall Rules

4.1 Allow WireGuard traffic to router

/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"

4.2 Masquerade VPN traffic

/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 action=masquerade comment="WireGuard masquerade"

4.3 (Optional) Access LAN from VPN

/ip firewall filter add chain=forward src-address=10.0.0.0/24 dst-address=192.168.88.0/24 action=accept comment="WireGuard to LAN"
/ip firewall filter add chain=forward connection-state=established,related action=accept

Step 5: Client Configuration

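Install the WireGuard app on the client device and generate a keypair there. Update the peer on the router with the client’s public key (replacing the placeholder value from Step 3), then create a client config. The router’s public key is the one RouterOS generated for the wg1 interface in Step 1: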

[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
DNS = 8.8.8.8

[Peer]
PublicKey = <router-public-key>
Endpoint = <router-public-ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Step 6: Test

  1. On the client, visit whatismyip.com – you should see the router’s public IP.
  2. On the router, check active peers:
/interface wireguard peers print where interface=wg1

Adding More Clients

Repeat Step 5 with unique IPs (10.0.0.3/32, etc.) and new peer entries.
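
The Step 3 peer command and Step 5 client config for several clients at once, as an added example (not MikroRadius's own code): it validates each public key, assigns the next free address in 10.0.0.0/24, and leaves the private key as a placeholder so it stays on the client. The function names and the sample endpoint 203.0.113.10 are assumptions.

```python
import base64
import ipaddress

VPN_NET = ipaddress.ip_network("10.0.0.0/24")   # subnet from Step 2
ROUTER_IP = ipaddress.ip_address("10.0.0.1")    # router's wg1 address
LISTEN_PORT = 51820                             # listen-port from Step 1

def check_key(key: str) -> str:
    """A WireGuard key is 32 bytes, base64-encoded."""
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError as exc:
        raise ValueError(f"not valid base64: {key!r}") from exc
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return key

def plan_peers(client_pubkeys, router_pubkey, endpoint_host, used=()):
    """Return [(address, routeros_command, client_config)], one per client key."""
    check_key(router_pubkey)
    if len(set(client_pubkeys)) != len(client_pubkeys):
        raise ValueError("duplicate client public key")  # peers are identified by key
    taken = {ROUTER_IP, *map(ipaddress.ip_address, used)}
    free = (ip for ip in VPN_NET.hosts() if ip not in taken)
    plans = []
    for key in client_pubkeys:
        check_key(key)
        ip = next(free, None)
        if ip is None:
            raise ValueError(f"no free addresses left in {VPN_NET}")
        cmd = (f'/interface wireguard peers add interface=wg1 '
               f'public-key="{key}" allowed-address={ip}/32')
        conf = (f"[Interface]\nPrivateKey = <client-private-key>\n"
                f"Address = {ip}/32\nDNS = 8.8.8.8\n\n"
                f"[Peer]\nPublicKey = {router_pubkey}\n"
                f"Endpoint = {endpoint_host}:{LISTEN_PORT}\n"
                f"AllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n")
        plans.append((str(ip), cmd, conf))
    return plans

if __name__ == "__main__":
    # Constructed sample keys (32 fixed bytes each), not real key material.
    router = base64.b64encode(bytes([1]) * 32).decode()
    clients = [base64.b64encode(bytes([n]) * 32).decode() for n in (2, 3)]
    plans = plan_peers(clients, router, "203.0.113.10", used=["10.0.0.2"])
    for ip, cmd, conf in plans:
        print(cmd, conf, sep="\n\n", end="\n---\n")
```

Pass addresses already assigned on the router in `used` so a new peer never receives an allowed-address that another peer holds.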

Troubleshooting

  • No handshake: Check that the firewall allows UDP 51820 and that the client’s Endpoint is correct.
  • No internet after connection: Verify the masquerade rule and that the router itself has internet access.
  • Can’t reach LAN: Add the forward rule from Step 4.3 and ensure LAN devices have a route back.

Comparison

| Protocol | Security | Speed | Ease | Client Support |
|---|---|---|---|---|
| WireGuard | ✅ Excellent | 🚀 Very fast | 😊 Easy | All modern OS |
| IPSec (L2TP) | ✅ Good | 🐢 Moderate | 😐 Moderate | Built‑in |
| OpenVPN | ✅ Good | 🐌 Slower | 😩 Complex | Third‑party app |
| PPTP | ❌ Broken | Fast | Easy | Legacy only |

If you’re combining VPN with a hotspot, see our MikroTik Hotspot guide. For centralised user management, MikroRadius RADIUS integrates perfectly with WireGuard via PPPoE or hotspot.
