Mikrotik, Nov 22, 2024

How to set up WireGuard on Mikrotik

Prerequisites:

  1. Ensure that you have RouterOS Version 7.4+
  2. Disable FastTrack. Navigate to IP → Filter Rules and disable the firewall rule named defconf: fasttrack.
  3. Download the WireGuard configuration for your chosen location from the generator.
  4. Connect to your router using Winbox, SSH, or Telnet.

Setup:

Modify the following commands to match your configuration file, then run them one at a time:

  • By default, the local subnet of Mikrotik is 192.168.88.0/24. Replace it if yours is different.
  • Add the private key and public key from your WireGuard config file.
  • Replace the domain in "endpoint-address=no.gw.xeovo.com" with any other location you prefer, for example "fi.gw.xeovo.com" (Finland).
# Local subnet whose traffic should go through the VPN
/ip firewall address-list add address=192.168.88.0/24 list=Xeovo_VPN
/ip firewall mangle add action=mark-connection chain=prerouting src-address-list=Xeovo_VPN new-connection-mark=Xeovo_VPN passthrough=yes

# WireGuard interface (your private key) and peer (the server's public key)
/interface/wireguard/add name=xeovo-norway private-key="HERE-GOES-YOUR-PRIVATE-KEY" comment="Xeovo Norway"
/interface/wireguard/peers/add endpoint-address=no.gw.xeovo.com endpoint-port=51820 public-key="HERE-GOES-YOUR-PUBLIC-KEY" allowed-address=0.0.0.0/0 interface=xeovo-norway persistent-keepalive=20
# Tunnel address assigned to this interface (the Address line of your WireGuard config)
/ip/address/add address=10.128.5.89/32 interface=xeovo-norway
# Dedicated routing table; new-routing-mark below must match this name exactly
/routing/table/add name=Xeovo_Norway_table fib
/ip/firewall/mangle/add chain=prerouting src-address-list=Xeovo_VPN action=mark-routing new-routing-mark=Xeovo_Norway_table passthrough=yes
/ip/route/add routing-table=Xeovo_Norway_table dst-address=0.0.0.0/0 gateway=xeovo-norway comment="Xeovo VPN Wireguard default route"
/ip firewall mangle add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark=Xeovo_VPN tcp-flags=syn tcp-mss=!0-1375
/ip/firewall/nat/add action=masquerade chain=srcnat out-interface=xeovo-norway src-address-list=Xeovo_VPN
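
As an added example (not Xeovo's or MikroTik's own code), this Python helper reads the downloaded WireGuard config, validates the keys, endpoint and local subnet, and fills in the setup commands above so that the routing-table name is spelled identically wherever it is used. The function names, the sample config and its placeholder keys are assumptions made for illustration.

```python
import base64
import configparser
import ipaddress
import re

# Constructed sample input: placeholder keys (32 bytes of 0x01 / 0x02), not real credentials.
SAMPLE_CONF = f"""[Interface]
PrivateKey = {base64.b64encode(bytes([1]) * 32).decode()}
Address = 10.128.5.89/32, fd00::5:89/128
[Peer]
PublicKey = {base64.b64encode(bytes([2]) * 32).decode()}
Endpoint = fi.gw.xeovo.com:51820
"""

def wg_key(value, field):
    """Return value if it is base64 for exactly 32 bytes (a WireGuard key), else raise ValueError."""
    if len(base64.b64decode(value, validate=True)) != 32:
        raise ValueError(f"{field}: not a 32-byte key")
    return value

def routeros_commands(conf_text, lan="192.168.88.0/24", iface="xeovo-norway",
                      table="Xeovo_Norway_table", alist="Xeovo_VPN"):
    """Fill this guide's setup commands from a WireGuard client config (hypothetical helper)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    local, peer = cp["Interface"], cp["Peer"]
    priv = wg_key(local["PrivateKey"], "PrivateKey")  # your key, from [Interface]
    pub = wg_key(peer["PublicKey"], "PublicKey")      # server key, from [Peer]
    host, _, port = peer["Endpoint"].rpartition(":")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", host) or not 0 < int(port) < 65536:
        raise ValueError(f"unexpected Endpoint: {peer['Endpoint']!r}")
    addrs = [ipaddress.ip_interface(a.strip()) for a in local["Address"].split(",")]
    tunnel = next(a for a in addrs if a.version == 4)  # the guide sets up IPv4 only
    lan = ipaddress.ip_network(lan)  # rejects host bits, e.g. 192.168.88.1/24
    return [
        f"/ip/firewall/address-list/add address={lan} list={alist}",
        f"/ip/firewall/mangle/add action=mark-connection chain=prerouting src-address-list={alist} new-connection-mark={alist} passthrough=yes",
        f'/interface/wireguard/add name={iface} private-key="{priv}"',
        f'/interface/wireguard/peers/add endpoint-address={host} endpoint-port={int(port)} public-key="{pub}" allowed-address=0.0.0.0/0 interface={iface} persistent-keepalive=20',
        f"/ip/address/add address={tunnel} interface={iface}",
        f"/routing/table/add name={table} fib",
        f"/ip/firewall/mangle/add chain=prerouting src-address-list={alist} action=mark-routing new-routing-mark={table} passthrough=yes",
        f"/ip/route/add routing-table={table} dst-address=0.0.0.0/0 gateway={iface}",
        f"/ip/firewall/mangle/add action=change-mss chain=forward new-mss=1360 passthrough=yes protocol=tcp connection-mark={alist} tcp-flags=syn tcp-mss=!0-1375",
        f"/ip/firewall/nat/add action=masquerade chain=srcnat out-interface={iface} src-address-list={alist}",
    ]

if __name__ == "__main__":
    print("\n".join(routeros_commands(SAMPLE_CONF)))
```

The generated commands contain the private key, so keep the output out of shared logs and terminal scrollback.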

KillSwitch Configuration

/ip/firewall/filter add action=drop chain=forward out-interface=!xeovo-norway src-address-list=Xeovo_VPN
/ip/firewall/filter add action=drop chain=forward dst-address-list=Xeovo_VPN in-interface=!xeovo-norway

Disconnecting

  1. To disconnect WireGuard, disable the xeovo-norway interface.
  2. Disable the two firewall rules under the Filter tab related to KillSwitch, if enabled.