Server
Go to WireGuard.
Click ADD NEW (the + button in WinBox) to create a new WireGuard interface.
Enter an interface name in the Name field, or keep the default name wireguard1.
In the Listen Port field, enter 443.
Leave the remaining fields at their defaults. (Allowed Address is not an interface setting; it is set per peer, and the client's tunnel address, here 10.242.1.3/32, is entered there when the peer is created in the SERVER step below.)
(WireGuard runs only over UDP, by design, so the firewall rule must allow UDP, not TCP. The port number is arbitrary; 443 is used throughout this page, and any unused UDP port works as long as the firewall rule matches it.)
Click Apply. The Public Key and Private Key are generated as soon as you click Apply.
Copy the Public Key; it goes into every client's [Peer] section. The Private Key never leaves the router.
Click OK.
The WireGuard interface is now enabled. Next, assign an IP address to it.
Go to IP > Addresses.
Click ADD NEW. New Address window will appear.
In the Address field, enter the router's own tunnel address with its mask, here 10.242.1.1/24. Each client is then given a static /32 address from this block; WireGuard does not hand out addresses dynamically, so the client's Address and the Allowed Address of its peer entry on the router must match.
From Interface dropdown menu, choose the created WireGuard interface (wireguard1).
Click Apply and OK button.
Finally, create the firewall rules for WireGuard.
Go to IP > Firewall.
In Filter Rules, add a new rule and enter:
Chain: input
Protocol: udp
Dst-port: 443
Action: accept
Then the next rule:
Chain: forward
In-interface: wireguard1
Action: accept
Move both rules to the top of the list, above any drop rules; RouterOS evaluates filter rules in order, so a drop that precedes them silently blocks the handshake. Note that the forward rule as written lets every VPN client reach every network behind the router (and the other clients); add a Dst-address if clients should only reach one subnet.
And one more thing: to give clients internet access, go to the NAT section and add:
Chain: srcnat
Src-address: 10.242.1.0/24
Out-interface: ether1 (your WAN interface)
Action: masquerade
LINUX CLIENT
On the command line, type:
WG_PRIVATE_KEY=$(wg genkey)
WG_PUBLIC_KEY=$(printf '%s' "$WG_PRIVATE_KEY" | wg pubkey)
echo "$WG_PUBLIC_KEY"     # goes into the server's peer entry
echo "$WG_PRIVATE_KEY"    # goes only into the client's [Interface] section
We now have the client's public and private keys.
Copy your Private Key and the server's Public Key into the client config (for wg-quick this is /etc/wireguard/<name>.conf; keep it mode 600, since it contains the private key). It should look something like this:
[Interface]
# client section
PrivateKey = (the client's Private Key)
Address = 10.242.1.3/32
#DNS = 10.0.1.254
[Peer]
# the server
PublicKey = (the server's Public Key)
AllowedIPs = 0.0.0.0/0
Endpoint = (the server's IP or DNS name):443
Comments in WireGuard config files start with #, not ;. AllowedIPs = 0.0.0.0/0 sends all of the client's traffic through the tunnel; for split tunnelling, list only the networks that should be reached through the VPN (for example 10.242.1.0/24). Bring the tunnel up with wg-quick up <name>.
SERVER
Now go back to the server and create a peer for the device: in the WireGuard window, open the Peers tab, click ADD NEW (+), and choose wireguard1 as the interface.
Paste the client's Public Key into the Public Key field.
In Allowed Address, enter the tunnel address assigned to this client, which must be the same as the Address in its config; for the Linux client above that is 10.242.1.3/32. Click Apply and OK.
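The server-side steps above (interface, address, per-client peer, firewall and NAT), written out as a RouterOS 7 CLI script. This is an added example and not part of the original page; it assumes ether1 is the WAN interface, that 192.168.88.0/24 is the LAN behind the router (used only in the optional narrowed forward rule), and that <client-public-key> stands for the key generated on the client.

```routeros
# Added example, not from the original page. Assumptions: ether1 = WAN,
# 192.168.88.0/24 = LAN (optional rule only), <client-public-key> = key from the client.

# 1. WireGuard interface; RouterOS generates the key pair when none is supplied.
/interface wireguard
add name=wireguard1 listen-port=443 comment="wg server"
# The public-key shown here goes into every client's [Peer] section.
print detail where name=wireguard1

# 2. The router's own tunnel address; clients get static /32s from 10.242.1.0/24.
/ip address
add address=10.242.1.1/24 interface=wireguard1

# 3. One peer per client. allowed-address must equal the Address in that client's config.
/interface wireguard peers
add interface=wireguard1 public-key="<client-public-key>" allowed-address=10.242.1.3/32 comment="linux-client"

# 4. Filter rules: accept the handshake on UDP 443 and traffic arriving from the tunnel,
#    then move both to the top so no earlier drop rule catches them.
/ip firewall filter
add chain=input protocol=udp dst-port=443 action=accept comment="wg handshake"
add chain=forward in-interface=wireguard1 action=accept comment="wg clients"
move [find comment="wg clients"] 0
move [find comment="wg handshake"] 0
# Tighter alternative to the forward rule above if clients should only reach the LAN:
# add chain=forward in-interface=wireguard1 dst-address=192.168.88.0/24 action=accept

# 5. Source NAT so tunnel clients can reach the internet via ether1.
/ip firewall nat
add chain=srcnat src-address=10.242.1.0/24 out-interface=ether1 action=masquerade
```

Paste the lines into a terminal session, or save them as a .rsc file and run /import file-name=<file>.rsc. The move commands reproduce the "move to the top" step from the GUI; on a router whose filter list already has rules, place-before=0 on the add command does the same in one step.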
The WireGuard server configuration in RouterOS 7 is complete. We will now install the WireGuard client on Windows 10/11.
Download the Windows installer from the WireGuard website (https://www.wireguard.com/install/) and install it.
After installing, start WireGuard to open the WireGuard window.
Click Add Tunnel and choose Add empty tunnel...
In the Create new tunnel window, enter a name for the tunnel (example: wg1) in the Name field and click Save. A key pair is generated; the Public Key is needed to configure the peer on the server.
Click Edit to finish the config file, which should read something like this:
[Interface]
PrivateKey = *****
Address = 10.242.1.5/32 #This is different for each client
DNS = 9.9.9.9
[Peer]
PublicKey = [Public Key of Server]
AllowedIPs = 0.0.0.0/0
Endpoint = [Public IP of Server]:443
To create a VPN tunnel between the Windows client and the MikroTik server, configure a WireGuard peer on the MikroTik.
From the WireGuard window, click the Peers tab and then the PLUS SIGN (+).
In the New WireGuard Peer window, choose the WireGuard interface (wireguard1) from the Interface dropdown.
In the Public Key field, paste the public key generated by the Windows client.
In the Allowed Address field, enter the IP address (10.242.1.5/32) assigned to this client. Note: this address is different for each client and must match the Address line in that client's config.
Click Apply and OK.
Peer configuration in MikroTik RouterOS has been completed.
The same input rule from the RouterOS command line:
/ip firewall filter
add action=accept chain=input dst-port=443 protocol=udp
Be sure to place it before any drop rules in the input chain.