Enabling WireGuard in MikroTik RouterOS


The WireGuard package is installed by default in MikroTik RouterOS 7, so a WireGuard menu
item appears in Winbox by default. To enable WireGuard on the R1 Router, follow these steps.

Log in to the R1 Router of Office 1 with Winbox using full-access user credentials.

Click the WireGuard menu item in the Winbox menu bar. The WireGuard window will appear.

Click the PLUS SIGN (+) to create a new WireGuard interface. The New Interface window will appear.

Put an interface name in the Name input field, or keep the default name wireguard1.

Click the Apply button. The Public Key and Private Key are generated as soon as you click
Apply. The Public Key will be required when the WireGuard peer is created on the R2 Router
(Office 2 Router). Only the Public Key is shared; the Private Key stays on the router.

Click the OK button.

Similarly, enable WireGuard on the R2 Router of Office 2 and create a new WireGuard interface.
Your configuration will look like the following image.

Enabling WireGuard in RouterOS 7

Assigning IP Address on WireGuard Virtual Interface

After enabling WireGuard in RouterOS 7, a new virtual interface is created on each Router. We
will now assign an IP address to each WireGuard interface so that both interfaces can communicate
with each other once the WireGuard tunnel is established.

To assign an IP address to the WireGuard virtual interface on the R1 Router, follow these steps.

From Winbox, go to the IP > Addresses menu item. The Address List window will appear.

Click the PLUS SIGN (+) to add a new address. The New Address window will appear.

Put the IP address (in this article: 10.10.10.1/30) that you want to assign to the WireGuard
VPN tunnel in the Address input field.

Choose the WireGuard interface (in this article: wireguard1) from the Interface dropdown menu.

Click the Apply and OK buttons.

Similarly, add the second IP address on the WireGuard virtual interface of the R2 Router at Office 2.
According to the above diagram, the second router’s IP will be 10.10.10.2/30.

Creating WireGuard Peers Between Two RouterOS

After assigning IP addresses to the WireGuard virtual interfaces, we will now configure peers on both
Routers. To create a peer on the R1 Router of Office 1, follow these steps.

From Winbox, click the WireGuard menu item and then click the Peers tab.

Click the PLUS SIGN (+). The New WireGuard Peer window will appear.

Choose the WireGuard interface (wireguard1) from the Interface dropdown menu.

Put the Public Key that was generated on the R2 Router when WireGuard was enabled in the Public
Key input field.

Put the Public IP address (for demo purposes, in this article: 172.26.0.2) of R1 Router
in the Endpoint input field.

If you did not change the port number (default is 13231), there is no need to change the Endpoint Port;
if you did, put the listen port of R1 Router in the Endpoint Port input field.

Put the IP blocks (in this article: 10.10.10.0/30 for the tunnel interface and 192.168.26.0/24, the LAN
IP block of R2 Router) that will be passed over the WireGuard VPN tunnel in the Allowed Address input
field. If you want to allow all IP addresses, put 0.0.0.0/0 in this field. Allowed Address also acts as
an inbound filter: packets arriving from the peer with a source address outside this list are dropped,
so 0.0.0.0/0 removes that restriction.

In the Persistent Keepalive input, put a time value in seconds (for 10 seconds: 00:00:10); this is the
interval at which the tunnel is checked and kept alive.

Click the Apply and OK buttons.

Peer Configuration R1 Router

Similarly, create a peer on the R2 Router and enter the information accordingly. Be careful to put the
Public Key, Endpoint and Endpoint Port of R1 Router. Also be careful to put the IP block of R2 Router’s
LAN block. The configuration should look like the following image.
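
The Allowed Address field from the peer steps above decides both which destinations are sent to a peer and which source addresses are accepted from it. The following Python check is an added example, not part of the original article or of RouterOS: it audits an Allowed Address string against the blocks this article uses, and the function names are hypothetical.

```python
# Added example (not from the article): audit a peer's Allowed Address value.
import ipaddress

# Values taken from the article; function names below are hypothetical.
TUNNEL_NET = ipaddress.ip_network("10.10.10.0/30")
REMOTE_LAN = ipaddress.ip_network("192.168.26.0/24")


def parse_allowed(value):
    """Split a comma-separated Allowed Address string into networks."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def accepts_source(allowed, src):
    """True if a decrypted packet from this peer with source `src` is accepted."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net for net in allowed)


def _within(a, b):
    """True if network `a` lies entirely inside network `b`."""
    return a.version == b.version and a.subnet_of(b)


def audit_peer(allowed_value, expected):
    """Return findings: entries broader than expected, and expected blocks missing."""
    allowed = parse_allowed(allowed_value)
    findings = []
    for net in allowed:
        if net.prefixlen == 0:
            findings.append(f"{net}: matches every address, no source filtering")
        elif not any(_within(net, e) for e in expected):
            findings.append(f"{net}: outside the expected blocks")
    for e in expected:
        if not any(_within(e, net) for net in allowed):
            findings.append(f"{e}: not covered, this traffic will be dropped")
    return findings


if __name__ == "__main__":
    expected = [TUNNEL_NET, REMOTE_LAN]
    for value in ("10.10.10.0/30,192.168.26.0/24", "0.0.0.0/0", "10.10.10.0/30"):
        print(value, "->", audit_peer(value, expected) or "ok")
```

The address 203.0.113.9 used when trying `accepts_source` is a constructed sample from a documentation range, not a value from the article.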
