Tutorial By MikroRadius Team

WireGuard + OSPF on MikroTik: Dynamic Routing for Scalable VPN Networks

Static routes don't scale. Combine WireGuard with OSPF to automatically exchange routes between sites, handle link failures, and build resilient multi‑site VPNs. This advanced guide covers OSPF over WireGuard tunnels on MikroTik RouterOS.

Static routes work fine for two or three sites. But when you have multiple branch offices, cloud networks, and backup links, static routing becomes a maintenance nightmare. OSPF (Open Shortest Path First) dynamically learns routes, detects link failures, and reroutes traffic automatically. This guide shows you how to run OSPF over WireGuard tunnels on MikroTik RouterOS – combining the speed of WireGuard with the intelligence of dynamic routing.

Why Add OSPF to WireGuard?

  • Automatic route distribution – Add a new subnet at one site; all other sites learn it instantly.
  • Failover support – If a tunnel or internet link fails, OSPF reroutes through backup paths.
  • Load balancing – Use multiple parallel WireGuard tunnels with equal‑cost multi‑path (ECMP).
  • Simplified management – No manual route entries when adding new branches or subnets.

Prerequisites

  • Two or more MikroTik routers running RouterOS v7.1+ (OSPF is mature in v7).
  • Working WireGuard site‑to‑site tunnels (point‑to‑point or hub‑and‑spoke).
  • Unique router IDs for OSPF (can be any IPv4 address, usually a loopback or LAN IP).
  • Understanding of basic OSPF concepts (areas, costs, hello intervals).

Topology Example

  • Site A (HQ): LAN 192.168.1.0/24, additional VLAN 10.10.10.0/24. WireGuard tunnel IP 10.99.0.1/30.
  • Site B (Branch): LAN 192.168.2.0/24, WireGuard tunnel IP 10.99.0.2/30.
  • WireGuard tunnel already established (see our site‑to‑site WireGuard guide). We will now run OSPF over this tunnel.

Step 1: Verify WireGuard Tunnel is Working

Ensure the WireGuard interface (wg-site2site) has a tunnel IP and the peers show a handshake.

/interface wireguard peers print
/ip address print where interface~"wg"

Test connectivity across the tunnel:

/ping 10.99.0.2

Step 2: Enable OSPF Instance on Both Routers

On Site A:

/routing ospf instance add name=ospf-vpn version=2 router-id=1.1.1.1

On Site B:

/routing ospf instance add name=ospf-vpn version=2 router-id=2.2.2.2

The router-id must be unique across all OSPF routers. Use an IP address from a loopback or any unused IP.

Step 3: Create OSPF Area (Backbone)

On both routers, add the backbone area (area 0.0.0.0).

/routing ospf area add instance=ospf-vpn name=backbone area-id=0.0.0.0

Step 4: Add WireGuard Interface to OSPF

On Site A:

/routing ospf interface-template add networks=10.99.0.0/30 area=backbone interfaces=wg-site2site type=ptp

On Site B:

/routing ospf interface-template add networks=10.99.0.0/30 area=backbone interfaces=wg-site2site type=ptp

Setting type=ptp (point‑to‑point) disables DR/BDR election (faster convergence for point‑to‑point links).

Step 5: Advertise LAN Subnets into OSPF

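On Site A, advertise its LAN subnets:

/routing ospf interface-template add networks=192.168.1.0/24 area=backbone
/routing ospf interface-template add networks=10.10.10.0/24 area=backbone

On Site B, advertise its LAN:

/routing ospf interface-template add networks=192.168.2.0/24 area=backbone

OSPF will now automatically exchange these routes. RouterOS v7 has no /routing ospf network menu; prefixes are matched by interface templates, and one template per LAN prefix is the simplest form. Setting the passive property on these LAN templates keeps the router from sending or accepting OSPF on the LAN while still advertising the prefix.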

Step 6: Verify OSPF Neighbors and Routes

Check OSPF neighbor state (should be Full):

/routing ospf neighbor print

View learned routes:

/ip route print where dst-address~"192.168.2"

You should see the remote LAN route with distance=110 (OSPF default) and gateway pointing to the WireGuard tunnel IP.

Step 7: Adjust OSPF Costs for Path Preference

If you have multiple links between sites (e.g., primary WireGuard, backup LTE), set lower cost on the preferred path. Cost is the inverse of bandwidth – lower cost = more preferred.

On the interface template, set cost:

/routing ospf interface-template set [find interfaces=wg-site2site] cost=10

For a slower backup link, set cost=1000. OSPF will always use the lowest cost path.

Step 8: Adding a Third Site (Hub‑and‑Spoke with OSPF)

In a hub‑and‑spoke topology, the hub runs OSPF with each spoke over separate WireGuard tunnels. OSPF will automatically route spoke‑to‑spoke traffic via the hub.

On the hub, create separate OSPF interface templates for each tunnel (e.g., 10.99.0.0/30 for Spoke A, 10.99.1.0/30 for Spoke B). All belong to the same backbone area, so the hub floods each spoke's routes to the other spokes.

No static routes needed – OSPF handles everything.
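
To make the cost and failover behaviour in Steps 7 and 8 concrete, here is a small shortest‑path calculation in Python (an added example, not part of the original guide or of RouterOS). It models the hub, one site on two tunnels and one spoke; the router names and the wg-lte interface are hypothetical, and the costs 10 and 1000 are the values from Step 7.

```python
import heapq

def spf(links, src):
    """Shortest-path-first over (a, b, cost, ifname) links.
    Returns {router: (total_cost, [first-hop interfaces])}; more than one
    interface means equal-cost paths (ECMP)."""
    adj = {}
    for a, b, cost, ifname in links:
        adj.setdefault(a, []).append((b, cost, ifname))
        adj.setdefault(b, []).append((a, cost, ifname))
    best = {src: (0, set())}
    heap = [(0, src)]
    while heap:
        dist, node = heapq.heappop(heap)
        if dist > best[node][0]:
            continue  # stale queue entry
        for nbr, cost, ifname in adj.get(node, []):
            # Leaving src, the first hop is this link; further out it is inherited.
            hops = best[node][1] or {ifname}
            total = dist + cost
            if nbr not in best or total < best[nbr][0]:
                best[nbr] = (total, set(hops))
                heapq.heappush(heap, (total, nbr))
            elif total == best[nbr][0]:
                best[nbr][1].update(hops)
    return {r: (c, sorted(h)) for r, (c, h) in best.items()}

def fail(links, ifname):
    """Topology after the named tunnel goes down."""
    return [l for l in links if l[3] != ifname]

# Constructed topology: HQ hub, Site B on two tunnels, Site C as a spoke.
# wg-lte and the router names are hypothetical; costs are the Step 7 values.
LINKS = [
    ("hq", "site-b", 10, "wg-site2site"),
    ("hq", "site-b", 1000, "wg-lte"),
    ("hq", "site-c", 10, "wg-spoke-c"),
]

if __name__ == "__main__":
    print(spf(LINKS, "hq")["site-b"])                        # primary tunnel
    print(spf(fail(LINKS, "wg-site2site"), "hq")["site-b"])  # backup takes over
    print(spf(LINKS, "site-c")["site-b"])                    # spoke to spoke via hub
    equal = [(a, b, 10, i) for a, b, _, i in LINKS]
    print(spf(equal, "hq")["site-b"])                        # ECMP over both tunnels
```

Giving both tunnels the same cost is what produces the ECMP result; any difference in cost leaves the more expensive tunnel idle until the cheaper one fails.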

Step 9: Redistributing Connected Routes and Default Route

You can also redistribute the default route (0.0.0.0/0) from the site that has internet access, so all sites learn the default gateway dynamically.

On the site with internet (e.g., HQ), add a default route distribution:

/routing ospf instance set ospf-vpn originate-default=if-installed

Or redistribute all connected routes (this advertises every directly connected network on that router, so filter the output if WAN or management subnets should stay local):

/routing ospf instance set ospf-vpn redistribute=connected

Step 10: Firewall Considerations for OSPF over WireGuard

OSPF uses multicast (224.0.0.5 and 224.0.0.6) and protocol 89. When running over a WireGuard tunnel (which is unicast point‑to‑point), OSPF works in unicast mode automatically. Ensure the WireGuard interface allows OSPF traffic (no firewall blocking on the tunnel interface).

OSPF packets are addressed to the router itself, so allow them on the input chain, scoped to the tunnel interface:

/ip firewall filter add chain=input protocol=ospf in-interface=wg-site2site action=accept comment="Allow OSPF over WireGuard"

Advanced: Multi‑Area OSPF for Large Networks

If you have dozens of sites, split into multiple OSPF areas to reduce routing table size and convergence time. The hub can act as Area Border Router (ABR) connecting backbone (area 0) to other areas.

Example: Create a non‑backbone area for a remote branch:

/routing ospf area add instance=ospf-vpn name=area10 area-id=0.0.0.10
/routing ospf interface-template add networks=10.99.2.0/30 area=area10 interfaces=wg-spoke-c type=ptp

The hub will automatically inject routes between areas.

Troubleshooting OSPF over WireGuard

  • Neighbor state stuck in ExStart or Loading: Check MTU issues. Reduce WireGuard MTU to 1420 and ensure OSPF interface MTU matches. Set mtu-ignore=yes on the OSPF interface template if needed.
  • No neighbor adjacency: Verify that the WireGuard tunnel passes multicast or unicast OSPF packets. Run /tool sniffer quick ip-protocol=89 to see if OSPF packets are being sent and received.
  • Routes not appearing: Ensure the network statements cover the LAN subnets. Check OSPF instance redistribution settings. Verify that the subnet is not already present with a lower distance static route.
  • High CPU from OSPF: In large networks, limit LSA flooding by using stub areas or summarisation. Increase the hello interval from the default 10s to 30s on slow links.

Real‑World Use Cases

Use Case 1: Multi‑Site Corporate Network

Five branch offices, each with a MikroTik router. All connect via WireGuard to HQ. OSPF advertises each branch's LANs and a management VLAN. When a new VLAN is added at any branch, OSPF propagates it within seconds.

Use Case 2: Redundant Internet Links

Site A has two WAN connections (fibre and LTE). Two separate WireGuard tunnels to Site B over each WAN. OSPF runs over both tunnels with different costs (fibre cost 10, LTE cost 500). If fibre fails, OSPF automatically switches to LTE within 30 seconds.

Use Case 3: Cloud Integration

Your MikroTik CHR in AWS/Azure runs WireGuard and OSPF. On‑premises routers learn cloud subnets dynamically, and cloud routers learn on‑premises subnets. No static routes needed.

Comparison: Static Routes vs. OSPF over WireGuard

Feature                        | Static Routes          | OSPF + WireGuard
Configuration effort (3 sites) | Low (6 routes)         | Medium (set up OSPF once)
Adding a new subnet            | Manual on every router | Automatic
Failover time                  | None (requires script) | ~30 seconds (adjustable)
Visibility                     | No dynamic status      | Full neighbor and route tables
Scalability (20+ sites)        | Unmanageable           | Still manageable

Conclusion

Combining WireGuard with OSPF gives you the best of both worlds: WireGuard's speed, security, and simplicity, plus OSPF's dynamic routing intelligence. This stack is perfect for growing businesses, service providers, and any network where change is constant.

Start with a simple two‑site OSPF over WireGuard, then expand to hub‑and‑spoke with multiple areas. Once comfortable, explore BGP over WireGuard for even larger scale or multi‑provider environments. For monitoring, use The Dude or PRTG to watch OSPF neighbour states.
