Routers
Mikrotik Mikrotik Jun 3, 2026
Posted Wed, Jun 3, 2026 3:58 PM
Edited Wed, Jun 3, 2026 4:44 PM

How to setup AmneziaWG on Mikrotik

This guide was created by a community member and reviewed by us. Firmware and router interfaces may change over time, so some steps may differ depending on your device or version.

The Mikrotik home series comes pre-configured, so you should have internet access immediately after turning it on.

Requirements:

  • MikroTik RouterOS 7.4+ with the container package
  • Architecture: ARM64, ARM (v7), or x86_64

Setup:

  1. Download WinBox from the official Mikrotik website.
    After unpacking, launch WinBox and find your router in the list. The default login is admin; the password is provided in the manual or on the router's box.

  2. Next, you need to set the DNS servers on the router. On the left: IP → DNS. Set them to, for example, 1.1.1.1 and 8.8.8.8.

  3. Install the container package. Go to the website, select the appropriate architecture (ARM64, ARM, x86) and RouterOS version. The current RouterOS version and router architecture are written at the bottom of the WinBox window when you are logged into the router. After downloading, the package must be uploaded to the router and the router must be rebooted.

  4. Then you need to open the terminal. Click the New Terminal button and change the administrator account password or decline to do so.

  5. After that, we need to generate a connection configuration file on the Xeovo website. In the advanced settings, you need to select AmneziaWG.

  6. Next, go to the Mikrotik configuratator and paste the configuration file. Copy only the AWG Proxy installation and paste it into the terminal in WinBox.
    If an error occurs, you need to enter the command:

    /system/device-mode/update container=yes fetch=yes

    The router will request physical confirmation (press a button or reboot, depending on the model). After physical confirmation, the router will reboot.

  7. After the successful installation of AWG Proxy, you need to copy and paste these commands into the terminal together:

/ip firewall nat add chain=srcnat action=masquerade out-interface=wg-awg-proxy comment="nat-via-awg"
/ip dhcp-client set [find interface=ether1] add-default-route=yes default-route-distance=10
 
/ip route add dst-address=0.0.0.0/0 gateway=wg-awg-proxy distance=1 comment="all-via-awg"
 
/system script add name=update-awg-route policy=read,write,test source={
    :local awgHost "example.com" 
    :local routes [/ip route find where dst-address="0.0.0.0/0" dynamic=yes]
    :local wanGw [/ip route get [:pick $routes 0] gateway]
 
    /ip route remove [find comment="dns-via-wan"]
    /ip route add dst-address=1.1.1.1/32 gateway=$wanGw distance=1 comment="dns-via-wan"
    /ip route add dst-address=8.8.8.8/32 gateway=$wanGw distance=1 comment="dns-via-wan"
    /ip dns set servers=1.1.1.1,8.8.8.8
    :local awgIp [:resolve $awgHost]
 
    /ip route remove [find comment="awg-server-via-wan"]
    /ip route add dst-address=($awgIp . "/32") gateway=$wanGw distance=1 comment="awg-server-via-wan"
}
/system script run update-awg-route
/system scheduler add name=update-awg-route interval=30m on-event=update-awg-route

These commands assume that the internet cable is connected to the first Ethernet port. If this is not the case, change ether1 to the appropriate port in the sequence.

You need to change the domain "example.com" to the one used in the connection config file and change 1.1.1.1 and 8.8.8.8 if other DNS servers should be used on the router.

To verify a connection, visit https://doesmyvpn.work

0 ⁨0⁩ ⁨comments⁩
Comment You don't have permission to do this. Controls