WireGuard “Road Warrior” on MikroTik (RouterOS v7)

MikroTik WireGuard Remote Access (RouterOS v7): Secure “Road Warrior” Setup

Last updated: 2026-01-02
This guide shows a clean, secure WireGuard “road warrior” setup on MikroTik RouterOS v7 with step-by-step commands, validation, and rollback.

Assumption: RouterOS v7+ is installed (WireGuard is a RouterOS v7 feature). WireGuard configuration concepts and CLI paths follow the official MikroTik documentation (MikroTik Help).


1) Plan & variables (edit these first)

Replace values in ALL CAPS:

  • WG_IF=wg-remote

  • WG_PORT=51820

  • WG_NET=10.66.66.0/24

  • Router WG IP: 10.66.66.1/24

  • Client WG IP: 10.66.66.2/32

  • LAN_NET=192.168.88.0/24 (your LAN)

  • WAN_IF=ether1 (your internet-facing interface)

  • CLIENT_PUBLIC_KEY="PASTE_CLIENT_PUBLIC_KEY_HERE"


2) Create WireGuard interface + IP address

/interface/wireguard
add name=wg-remote listen-port=51820

/ip/address
add address=10.66.66.1/24 interface=wg-remote comment="WireGuard remote access"


3) Add the remote client peer (road warrior)

For road warrior clients you typically don’t set endpoint-address, because the client’s IP changes. The peer is identified by its public key and constrained by allowed-address: the router only accepts packets from this peer whose inner source address falls within allowed-address, and only sends packets destined for those addresses through this peer (MikroTik Help).

/interface/wireguard/peers
add interface=wg-remote public-key="PASTE_CLIENT_PUBLIC_KEY_HERE" \
allowed-address=10.66.66.2/32 comment="RoadWarrior-01"

4) Routing choice: Split tunnel vs Full tunnel

Option A — Split tunnel (recommended initially)

The client can access only your LAN (and any other internal subnets you add).
You mainly need the firewall rules below. Routing is already handled if your LAN is directly connected to the MikroTik.

On the client config, set:

  • AllowedIPs = 10.66.66.0/24, 192.168.88.0/24

Option B — Full tunnel (send all client traffic through MikroTik)

You must NAT WireGuard traffic out to the internet, and the client must send all of its traffic into the tunnel (AllowedIPs = 0.0.0.0/0 in the client config instead of the split-tunnel list).

/ip/firewall/nat
add chain=srcnat action=masquerade out-interface=ether1 src-address=10.66.66.0/24 \
comment="NAT for WireGuard clients (full tunnel)"

5) Firewall rules (SAFE baseline)

5.1 Allow WireGuard UDP port to the router (input chain)

Put this rule above any generic drop rules in the input chain. Note that "add" appends to the end of the chain, so on an existing firewall add place-before= with the index of the first drop rule (see /ip/firewall/filter print) or move the rule afterwards.

/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=51820 in-interface=ether1 \
comment="Allow WireGuard (UDP 51820) to router"

MikroTik firewall rules are evaluated top to bottom and the first matching rule wins, so an accept rule that sits below the chain’s generic drop never fires (MikroTik Help).

5.2 Allow WG client access to LAN (forward chain)

/ip/firewall/filter
add chain=forward action=accept src-address=10.66.66.0/24 dst-address=192.168.88.0/24 \
comment="WG clients -> LAN"
add chain=forward action=accept src-address=192.168.88.0/24 dst-address=10.66.66.0/24 \
comment="LAN -> WG clients (optional; lets LAN hosts initiate connections to clients)"

5.3 (Optional) Basic protection

If you already have established/related rules, keep them. If not, add:

/ip/firewall/filter
add chain=input action=accept connection-state=established,related comment="input: established,related"
add chain=forward action=accept connection-state=established,related comment="forward: established,related"
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"

6) Client configuration (WireGuard app)

Example (WireGuard app on Windows/macOS/Linux):

[Interface]
PrivateKey = <client_private_key>
Address = 10.66.66.2/32
DNS = 192.168.88.1

[Peer]
PublicKey = <router_public_key>
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 10.66.66.0/24, 192.168.88.0/24
PersistentKeepalive = 25

The router’s public key is shown in the WireGuard interface properties in WinBox, or in the public-key column of /interface/wireguard print on the CLI.


7) Verification (must-do)

7.1 On MikroTik

Check peer handshake/time and traffic:

/interface/wireguard/peers print detail

After the client connects, last-handshake should show a recent time (WireGuard re-handshakes roughly every two minutes while traffic, including keepalives, flows) and the rx/tx counters should grow (MikroTik Help).
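To run this check over many peers instead of reading the table by eye, here is an added Python example (not part of the original guide) that parses output in the style of print detail and classifies each peer as ok, stale, never-connected or disabled; the sample output, its exact field layout and the 3-minute threshold are assumptions.

```python
import re

# Constructed sample in the style of '/interface/wireguard/peers print detail'.
SAMPLE = """Flags: X - disabled, D - dynamic
 0   interface=wg-remote public-key="CLIENT_PUBKEY_A=" allowed-address=10.66.66.2/32
     current-endpoint-address=203.0.113.7 current-endpoint-port=41234 rx=1.2MiB tx=4.1MiB
     last-handshake=45s comment="RoadWarrior-01"

 1   interface=wg-remote public-key="CLIENT_PUBKEY_B=" allowed-address=10.66.66.3/32
     rx=0B tx=0B comment="RoadWarrior-02"

 2 X interface=wg-remote public-key="CLIENT_PUBKEY_C=" allowed-address=10.66.66.4/32
     last-handshake=2d3h comment="RoadWarrior-03"
"""

RECORD_START = re.compile(r"^\s*(\d+)\s+([A-Z]*)\s*(.*)$")  # index, flags, rest of line
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')                  # key=value or key="v v"
UNIT = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_age(value):
    """RouterOS duration such as '1w2d3h4m5s' (or legacy 'hh:mm:ss') -> seconds."""
    if ":" in value:
        h, m, s = (int(x) for x in value.split(":"))
        return h * 3600 + m * 60 + s
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([wdhms])", value))

def parse_peers(text):
    """Join the wrapped 'print detail' lines into one dict per peer."""
    peers = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            peers.append({"id": int(m.group(1)), "flags": m.group(2), "_rest": m.group(3)})
        elif peers and line.strip():          # continuation of the previous record
            peers[-1]["_rest"] += " " + line.strip()
    for p in peers:
        p.update({k: v.strip('"') for k, v in KV.findall(p.pop("_rest"))})
    return peers

def peer_status(peer, max_age=180):
    """WireGuard re-handshakes about every 2 minutes while traffic (keepalives
    included) flows, so a handshake older than max_age means the session is down."""
    if "X" in peer["flags"]:
        return "disabled"
    if "last-handshake" not in peer:
        return "never-connected"
    return "ok" if parse_age(peer["last-handshake"]) <= max_age else "stale"

def check_peers(text, max_age=180):
    return {p.get("comment", p["public-key"]): peer_status(p, max_age) for p in parse_peers(text)}
```

Paste real print detail output into SAMPLE (or read it from a file) and call check_peers on it; a peer that should be online but reports stale or never-connected points at a firewall, endpoint or key mismatch.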

7.2 From the client

  • Ping router WG IP: ping 10.66.66.1

  • Ping a LAN host: ping 192.168.88.10

  • If full tunnel: check external IP changed (browser “what is my IP”)


8) Rollback (clean removal)

The 5.1 rule and the NAT rule are commented "WireGuard", but the 5.2 forward rules are commented "WG clients", so both patterns must be removed:

/ip/firewall/filter remove [find comment~"WireGuard"]
/ip/firewall/filter remove [find comment~"WG clients"]
/ip/firewall/nat remove [find comment~"WireGuard"]

/interface/wireguard/peers remove [find interface="wg-remote"]
/ip/address remove [find interface="wg-remote"]
/interface/wireguard remove [find name="wg-remote"]

