WireGuard


WireGuard VPN Configuration in MikroTik RouterOS 7


Go to WireGuard.

Click the PLUS SIGN (+) to create a new WireGuard interface. The New Interface window will appear.

Put an interface name in the Name input field, or keep the default name wireguard1.

In the Listen Port input field, put 443.

For Allowed Addresses use a special network. For this instance let's say: 10.242.1.3/32

(NB! WireGuard works over the UDP protocol because UDP is faster!)

Click the Apply button. The Public Key and Private Key will be generated as soon as you click Apply. The Public Key will be required when the WireGuard client is configured.

Click OK button.


The WireGuard VPN service is now enabled. Now assign an IP address to the newly created WireGuard interface.


Go to IP > Addresses.

Click the PLUS SIGN (+). The New Address window will appear.

In the Address input field, put the IP address you want. In this case: 10.242.1.1/24. WireGuard clients will get their IP addresses from this IP block.

From the Interface dropdown menu, choose the created WireGuard interface (wireguard1).

Click the Apply and OK buttons.


The WireGuard VPN Server configuration in RouterOS 7 is now complete. We will now download and install the WireGuard client on Windows 10/11.


Downloading and Installing WireGuard in Windows Operating System


As we are going to connect Windows OS to the WireGuard VPN Server, we need to download and install WireGuard's Windows application from WireGuard's website. So, go to the WireGuard installation page and download the installer for the Windows Operating System.


After installing WireGuard, start WireGuard to open a new WireGuard window.


Click on Add Tunnel and choose Add empty tunnel…

In the Create new tunnel window, put a name (example: wg1) for the tunnel in the Name input field and then click the Save button. Public and Private Keys will be generated. The Public Key will be required to configure the peer between the server and client.

Click Edit to finish creating the config file, which should read something like this:


[Interface]
PrivateKey = *****
Address = 10.242.1.5/32      #This is different for each client
DNS = 9.9.9.9

[Peer]
PublicKey = [Public Key of Server]
AllowedIPs = 0.0.0.0/0
Endpoint = [Public IP of Server]:443

 

Creating Peer Between WireGuard Server and Client


To create a VPN tunnel between the Windows client and the MikroTik server, we need to configure a WireGuard Peer on the MikroTik.

From the WireGuard window, click on the Peers tab and then click on the PLUS SIGN (+).

In the New WireGuard Peer window, choose the WireGuard interface (wireguard1) from the Interface dropdown menu.

In the Public Key input field, put the public key generated by the Windows client (the client it will peer with).

In the Allowed Address field, put the IP address (10.242.1.5/32) that will be assigned to the WireGuard client. Note: the IP changes for each client!

Click the Apply and OK buttons.

Peer configuration in MikroTik RouterOS has been completed.
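
An added example, not part of the original guide: a Python check that each client config uses its own /32 inside the router's 10.242.1.1/24 block and points at listen port 443. The key placeholders, the 203.0.113.10 endpoint and all function names are assumptions made for the example.

```python
import configparser
import ipaddress

SERVER = ipaddress.ip_interface("10.242.1.1/24")  # wireguard1 address from the guide
LISTEN_PORT = 443                                  # Listen Port from the guide

def parse(text):
    """Parse a WireGuard .conf; '#' inline comments are stripped."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   inline_comment_prefixes=("#",))
    cp.optionxform = str  # keep key case (PrivateKey, AllowedIPs, ...)
    cp.read_string(text)
    return cp

def check_clients(configs):
    """Return problems found across {tunnel_name: config_text}."""
    problems, owner = [], {}
    for name, text in configs.items():
        cp = parse(text)
        addr = ipaddress.ip_interface(cp["Interface"]["Address"])
        if addr.network.prefixlen != 32:
            problems.append(f"{name}: expected a /32 Address, got /{addr.network.prefixlen}")
        if addr.ip not in SERVER.network:
            problems.append(f"{name}: {addr.ip} is outside {SERVER.network}")
        if addr.ip == SERVER.ip:
            problems.append(f"{name}: {addr.ip} is the router's own address")
        if addr.ip in owner:
            problems.append(f"{name}: {addr.ip} already assigned to {owner[addr.ip]}")
        owner.setdefault(addr.ip, name)
        port = int(cp["Peer"]["Endpoint"].rsplit(":", 1)[1])
        if port != LISTEN_PORT:
            problems.append(f"{name}: Endpoint port {port} != listen port {LISTEN_PORT}")
    return problems

def client_conf(address, endpoint="203.0.113.10:443"):
    """Build a constructed sample config in the guide's layout."""
    return (f"[Interface]\nPrivateKey = <client-private-key>\n"
            f"Address = {address}      #This is different for each client\n"
            f"DNS = 9.9.9.9\n\n[Peer]\nPublicKey = <server-public-key>\n"
            f"AllowedIPs = 0.0.0.0/0\nEndpoint = {endpoint}\n")

# Constructed sample clients; 203.0.113.10 is a documentation address.
SAMPLES = {
    "wg1": client_conf("10.242.1.5/32"),
    "wg2": client_conf("10.242.1.5/32"),                        # duplicate of wg1
    "wg3": client_conf("10.242.2.7/24", "203.0.113.10:51820"),  # wrong block, mask, port
}

if __name__ == "__main__":
    for line in check_clients(SAMPLES):
        print(line)
```
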


Permitting WireGuard Traffic


/ip firewall filter
add action=accept chain=input dst-port=443 protocol=udp


Be sure to place this rule before any drop rules.