This guide was created by a community member and reviewed by us. Firmware and router interfaces may change over time, so some steps may differ depending on your device or version.
Prerequisites:
- Ensure that you have RouterOS Version 7.23.1 or newer.
- Download the WireGuard configuration for the desired location from the configuration generator.
- Connect to your router using Winbox, SSH, or Telnet.
This guide assumes your WAN interface is configured via DHCP. If not, pre-configure your internet connection as instructed by your ISP.
The commands in this guide assume that your local network is on the "192.168.88.0/24" subnet, and the bridge for LAN interfaces is named "bridge". If this is not the case, replace the values in the commands with those relevant to your network.
In the video, I will show you how to set up via the WinBox GUI. The terminal commands are an alternative way to configure the router.
Setup:
Plug the WAN cable into port 1, and the cable from your PC into port 2 of the router.
Set your PC's network adapter to obtain an IP address automatically via DHCP.
Launch WinBox and find your router in the list on the right. Default login: admin, password is empty.
Upon first login, accept the default configuration (click OK in the pop-up window).
The system will prompt you to change the administrator password. Enter a new password and confirm it.
Change the DNS servers that will be issued to clients via DHCP.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=8.8.8.8,1.1.1.1
Assign an IP address to the device(s) that will route traffic through the VPN. Go to IP -> DHCP Server -> Leases tab, find your device, and click Make Static. Remember its IP address (in the following steps, we will use 192.168.88.254 as an example).
Disable FastTrack:
/ip firewall filter disable [find action=fasttrack-connection]
After this, be sure to reboot the router. Reconnect via WinBox; you will need to enter the password you created.
- Create an address list for devices that should use the VPN.
/ip firewall address-list add address=192.168.88.254 list=xeovo_vpn_list
Download the WireGuard configuration from the Xeovo website. In WinBox, open the Files menu, create a folder named flash/xeovo_wg_configs, and upload the downloaded .conf file for the desired location into it.
Import the configuration. Go to WireGuard -> WireGuard tab -> click the WG Import button, select the file, and click Import.
Then go to the Peers tab, open the created peer, and set the Persistent Keepalive parameter to 25.
Our goal is to route devices included in a specific list to the internet via VPN. We will create a separate routing table and a set of mangle rules that direct traffic from devices in our VPN list into that table. Devices not included in this list should access the internet the standard way, through the ISP's network.
- Create a new routing table.
/routing/table/add disabled=no fib name=xeovo_route_table
- Add routes to the new table. Here wg1 is the WireGuard interface created by the import; if yours has a different name, use that name in this and the following commands.
/ip/route/add dst-address=0.0.0.0/0 gateway=wg1 routing-table=xeovo_route_table
/ip/route/add dst-address=192.168.88.0/24 gateway=bridge routing-table=xeovo_route_table
- Add the device that should access the internet via VPN to the xeovo_vpn_list. I'm adding my PC, the one I'm using for this setup. (If you already added this address when creating the list above, the entry exists and this command can be skipped.)
/ip/firewall/address-list/add address=192.168.88.254 list=xeovo_vpn_list
- Add a rule to allow traffic within the local network.
/ip/firewall/mangle/add chain=prerouting action=accept dst-address=192.168.88.0/24
- Add a rule for connection marking.
/ip/firewall/mangle/add chain=prerouting action=mark-connection \
src-address-list=xeovo_vpn_list \
new-connection-mark=xeovo_vpn passthrough=yes
- Add a rule for routing marking.
/ip/firewall/mangle/add chain=prerouting action=mark-routing \
connection-mark=xeovo_vpn new-routing-mark=xeovo_route_table passthrough=yes
- Configure NAT for the VPN interface.
/ip firewall nat add action=masquerade chain=srcnat out-interface=wg1
- Configure a Kill Switch to block internet access for devices in the list if the VPN connection suddenly drops or if the marking rules stop working for some reason.
/ip firewall filter add action=drop chain=forward out-interface=!wg1 \
dst-address=!192.168.88.0/24 src-address-list=xeovo_vpn_list place-before=0
- You are done. Now, devices that you have added to xeovo_vpn_list will access the internet through the Xeovo network. Other devices on the local network will remain accessible to them. Devices not included in xeovo_vpn_list will access the internet as usual — through the ISP's network.
To verify the connection, visit DoesMyVPN.work from a device added to the xeovo_vpn_list.
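Beyond the browser check, it helps to confirm on the router itself that every piece of the setup is in place before testing from a client. The following RouterOS script is an added example (it is not part of the original guide and not Xeovo's code) and assumes the names used above: interface wg1, address list xeovo_vpn_list, routing table xeovo_route_table and the 192.168.88.0/24 LAN. The "self-check" log prefix is chosen here.

```routeros
# Added example: post-setup self-check for the VPN policy-routing setup.
# Assumes the names from the guide (wg1, xeovo_vpn_list, xeovo_route_table,
# 192.168.88.0/24). Paste into a terminal or save under /system/script and run;
# results are written to the router log.

:local wgIface "wg1"
:local vpnList "xeovo_vpn_list"
:local rtTable "xeovo_route_table"
:local problems 0

# 1. The WireGuard interface must exist (the import may have used a different name).
:if ([:len [/interface/wireguard/find name=$wgIface]] = 0) do={
    :log error ("self-check: WireGuard interface " . $wgIface . " not found; check the name created by WG Import")
    :set problems ($problems + 1)
} else={
    :if ([/interface/get [/interface/find name=$wgIface] running] != true) do={
        :log warning ("self-check: " . $wgIface . " exists but is not running")
        :set problems ($problems + 1)
    }
    # A peer must be attached to the interface, otherwise nothing is tunnelled.
    :if ([:len [/interface/wireguard/peers/find interface=$wgIface]] = 0) do={
        :log error ("self-check: no peer configured on " . $wgIface)
        :set problems ($problems + 1)
    }
}

# 2. FastTrack must be off, or marked connections bypass the mangle rules.
:if ([:len [/ip/firewall/filter/find action=fasttrack-connection disabled=no]] > 0) do={
    :log warning "self-check: a FastTrack rule is still enabled; disable it and reboot"
    :set problems ($problems + 1)
}

# 3. The address list must contain at least one device.
:if ([:len [/ip/firewall/address-list/find list=$vpnList]] = 0) do={
    :log warning ("self-check: address list " . $vpnList . " is empty")
    :set problems ($problems + 1)
}

# 4. Routing table and its default route through the tunnel.
:if ([:len [/routing/table/find name=$rtTable]] = 0) do={
    :log error ("self-check: routing table " . $rtTable . " does not exist")
    :set problems ($problems + 1)
}
:if ([:len [/ip/route/find dst-address=0.0.0.0/0 routing-table=$rtTable gateway=$wgIface]] = 0) do={
    :log error ("self-check: no default route via " . $wgIface . " in " . $rtTable)
    :set problems ($problems + 1)
}

# 5. Mangle rules: connection mark and routing mark. The packet counter on the
#    routing-mark rule shows whether listed devices are actually being steered.
:if ([:len [/ip/firewall/mangle/find action=mark-connection src-address-list=$vpnList]] = 0) do={
    :log error ("self-check: no mark-connection rule for " . $vpnList)
    :set problems ($problems + 1)
}
:local markRules [/ip/firewall/mangle/find action=mark-routing new-routing-mark=$rtTable]
:if ([:len $markRules] = 0) do={
    :log error ("self-check: no mark-routing rule for " . $rtTable)
    :set problems ($problems + 1)
} else={
    :local pkts [/ip/firewall/mangle/get [:pick $markRules 0] packets]
    :log info ("self-check: routing-mark rule has matched " . $pkts . " packets so far")
}

# 6. NAT on the tunnel and the kill switch in the forward chain.
:if ([:len [/ip/firewall/nat/find action=masquerade out-interface=$wgIface]] = 0) do={
    :log error ("self-check: no masquerade rule for " . $wgIface)
    :set problems ($problems + 1)
}
:if ([:len [/ip/firewall/filter/find chain=forward action=drop src-address-list=$vpnList]] = 0) do={
    :log warning ("self-check: no kill-switch drop rule for " . $vpnList . "; listed devices would fall back to the ISP if the tunnel drops")
    :set problems ($problems + 1)
}

:if ($problems = 0) do={
    :log info "self-check: all checks passed; confirm from a listed device at DoesMyVPN.work"
} else={
    :log error ("self-check: " . $problems . " problem(s) found, see the messages above")
}
```

Run it once after pasting the commands, then read the results with /log print where message~"self-check". A zero packet count on the routing-mark rule while a listed device is browsing usually means the device's address is not in the list or FastTrack is still handling its connections.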
Troubleshooting
Unfortunately, when creating/recreating the WireGuard interface, as well as when rebooting the router, issues may arise with the tunnel, as happened in my case. In such situations, you have to deactivate and then reactivate the peer to establish the connection. Do not rush to enable the interface immediately; wait from 30 seconds to a minute.
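The peer bounce described above can be automated so that a stale tunnel recovers without manual intervention. The script below is an added example (not part of the original guide and not Xeovo's code); it assumes the interface name wg1 from this guide, and the 3m staleness threshold and 45s pause are values chosen here. The threshold sits comfortably above WireGuard's 120-second rekey interval, so a peer with keepalive traffic flowing will not be bounced needlessly, and the pause falls inside the 30-second-to-one-minute wait recommended above.

```routeros
# Added example: WireGuard handshake watchdog for the troubleshooting step.
# Assumes interface wg1 from the guide. maxAge and pause are chosen values.
# Save under /system/script as "xeovo-wg-watchdog" and schedule it, e.g.:
#   /system/scheduler/add name=xeovo-wg-watchdog interval=2m on-event=xeovo-wg-watchdog

:local wgIface "wg1"
:local maxAge 3m
:local pause 45s

:local peers [/interface/wireguard/peers/find interface=$wgIface]
:if ([:len $peers] = 0) do={
    :log error ("wg-watchdog: no peer configured on " . $wgIface)
} else={
    :local peer [:pick $peers 0]
    # last-handshake is the time elapsed since the last completed handshake;
    # it is absent when the peer has never completed one.
    :local hs [/interface/wireguard/peers/get $peer last-handshake]
    :if ([:typeof $hs] = "nothing" || $hs > $maxAge) do={
        :log warning ("wg-watchdog: stale handshake on " . $wgIface . " (" . [:tostr $hs] . "), bouncing peer")
        # Same action as the manual fix: deactivate the peer, wait, reactivate it.
        /interface/wireguard/peers/disable $peer
        :delay $pause
        /interface/wireguard/peers/enable $peer
        :log info ("wg-watchdog: peer on " . $wgIface . " re-enabled")
    } else={
        :log info ("wg-watchdog: " . $wgIface . " last handshake " . [:tostr $hs] . " ago, ok")
    }
}
```

While the peer is disabled the kill-switch rule keeps listed devices offline rather than leaking them to the ISP, so the pause is a short outage, not an exposure. If the log shows the watchdog bouncing the peer repeatedly, the problem is upstream of the router (endpoint, keys or the configuration file) rather than the tunnel state.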