Setting Up a Site-to-Site VPN Connection Using MikroTik Routers with WireGuard
Learn to Set Up a Secure VPN Tunnel on MikroTik Routers Using WireGuard

In today's interconnected world, secure site-to-site VPN connections are essential for linking remote networks, such as branch offices to a central hub. MikroTik routers, powered by RouterOS, offer robust support for WireGuard, a modern, efficient VPN protocol known for its simplicity and performance. This article walks through creating a site-to-site VPN tunnel between two MikroTik routers: a central "hub" and a remote "edge" (or "wedge") router. We'll use sample configurations provided for RouterOS versions 7.19.4 (edge) and 7.19.6 (hub) to illustrate the process.
WireGuard operates on UDP port 51820 by default and uses public-key cryptography for authentication. In this setup, the edge router initiates the connection to the hub, allowing the edge's LAN (192.168.100.0/24) to route traffic through the tunnel to the hub and beyond to the internet or other networks.
Prerequisites
Before starting, ensure:
Both routers run RouterOS v7.x (WireGuard is built-in since v7).
You have administrative access via Winbox, SSH, or the web interface.
Public keys are generated and exchanged securely (use /interface wireguard generate-keypair on each router).
The hub has a static public IP or dynamic DNS (e.g., the edge uses "mowana.amastelek.com" in the sample).
Firewall rules allow UDP 51820 on the hub's WAN.
Basic networking knowledge, including IP addressing and routing.
We'll assume the hub is behind a NAT with a DMZ VLAN (as in the sample), and the edge has a simple WAN/LAN setup.
Step 1 | Configure the Hub Router
The hub acts as the VPN concentrator, listening for incoming connections and routing traffic from connected edges. Start by resetting the router to a clean state if needed (/system reset-configuration), then apply configurations via the terminal or script import.
Interface Setup
Configure the physical and virtual interfaces:
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/interface vlan
add interface=ether1 name=dmzvlan vlan-id=902
Ether1 is the WAN uplink.
A VLAN (dmzvlan) is created for DMZ isolation.
WireGuard Interface & Peers
Create the WireGuard interface and add the peer for the edge router:
/interface wireguard
add comment="WireGuard Hub" listen-port=51820 mtu=1420 name=wg-hub
/interface wireguard peers
add allowed-address=100.66.0.2/32,192.168.100.0/24 comment=wedge-peer interface=wg-hub name=peer1 persistent-keepalive=25s private-key="6CKgPkd1ndVHoql+C7M75o2BbSniM/NmqQeiK1k2y2c=" public-key="4OHK6GCkB/Ae9pFpO0fD7ZpBHHzMc74qRVvbySpBs00="
The interface listens on UDP 51820 with MTU 1420 (to account for overhead).
The peer allows the edge's tunnel IP (100.66.0.2/32) and its LAN subnet (192.168.100.0/24). Replace private/public keys with your generated ones.
Persistent keepalive (25s) ensures the tunnel stays active behind NAT.
IP Addressing & DHCP
Assign IPs and enable DHCP client:
/ip address
add address=192.168.80.2/24 interface=dmzvlan network=192.168.80.0
add address=100.66.0.1/24 comment="WireGuard Hub" interface=wg-hub network=100.66.0.0
/ip dhcp-client
add interface=ether1
dmzvlan gets a WAN/DMZ IP (adjust to your network).
wg-hub gets the tunnel IP (100.66.0.1/24).
Firewall Rules
Secure the router while allowing VPN traffic:
/ip firewall filter
add action=accept chain=input comment="WireGuard Hub Access" dst-port=51820 protocol=udp
add action=accept chain=forward comment="Internet Access for Wireguard Tunnels" in-interface=wg-hub out-interface=dmzvlan
/ip firewall nat
add action=masquerade chain=srcnat comment="Wireguard Tunnels" in-interface=wg-hub out-interface=dmzvlan
The input chain accepts WireGuard's UDP port.
The forward chain allows tunnel traffic out to the internet via dmzvlan.
NAT masquerades outgoing tunnel traffic.
Only accept rules are shown here; the sample hub has no drop rules, so add established/related, invalid-drop and default-drop rules (as in the edge configuration below) before exposing the hub's WAN.
Routing
Add default gateway and route to edge LAN:
/ip route
add gateway=192.168.80.1
add comment="Wedge LAN" disabled=no dst-address=192.168.100.0/24 gateway=100.66.0.2 routing-table=main suppress-hw-offload=no
Default route points to the upstream gateway.
Static route to the edge's LAN via the tunnel peer IP.
Additional Settings
Configure DNS, cloud DDNS (for dynamic IP), and services:
/ip dns
set servers=9.9.9.9,1.1.1.2
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=yes
/ip service
set ftp disabled=yes
set ssh address=*.*.*.0/25,*.*.*.254/32
set telnet disabled=yes
set www disabled=yes
set winbox address=*.*.*.0/25,*.*.*.254/32,*.*.*.0/24
set api disabled=yes
set api-ssl disabled=yes
Restrict services to trusted IPs for security.
Enable DDNS if the hub's WAN IP is dynamic.
BGP and other advanced features (like in the sample) are optional for basic site-to-site; they handle peering with upstream providers.
Step 2 | Configure the Edge Router
The edge router connects its LAN to the hub via the tunnel, routing internet traffic through it for centralized control.
Interface Setup
/interface ethernet
set [ find default-name=ether1 ] comment=WAN disable-running-check=no
set [ find default-name=ether2 ] comment=LAN disable-running-check=no
/interface wireguard
add comment="Wedge Wireguard" listen-port=51820 mtu=1420 name=wedge-wireguard
Ether1: WAN, Ether2: LAN.
WireGuard interface matches hub's MTU.
WireGuard Peers
Add the hub as a peer:
/interface wireguard peers
add allowed-address=100.66.0.1/32,0.0.0.0/0 comment="Access to Wireguard Hub" endpoint-address=mowana.amastelek.com endpoint-port=51820 interface=wedge-wireguard name=peer1 persistent-keepalive=25s public-key="Bg7JHsHyZ2dQjiQVPGjfQpWGdbHtcv861puGi4Tf/Ro="
Allowed addresses: Hub's tunnel IP and default route (0.0.0.0/0) to send all traffic through the tunnel.
Endpoint: Hub's domain/IP and port.
Public key: Hub's WireGuard public key.
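The allowed-address lists on the two peers are WireGuard's cryptokey routing table, and they do two jobs at once: on receive, a decrypted packet is accepted only if its source address is inside the sending peer's list, and on send, a packet is encrypted for the peer whose list contains the destination (longest prefix wins). The Python model below is an added example, not MikroTik or WireGuard code; it uses the hub and edge peer lists from this article (peer names are shortened to peer1-edge and peer1-hub) and constructed packet addresses to show what those lists decide, including the hub-side check that every edge LAN host has a return path into the tunnel.

```python
"""Cryptokey-routing model for the allowed-address lists used above.

Added example in Python, not MikroTik or WireGuard code.  WireGuard applies
one rule to every packet: a decrypted packet from a peer is accepted only if
its source IP is inside that peer's allowed-address list, and an outbound
packet is encrypted for the peer whose allowed-address contains the
destination (longest prefix wins).  The peer lists below are copied from the
hub and edge configurations in the article; the packet addresses are
constructed test values.
"""
import ipaddress
from typing import Optional

# Hub side: peer1 is the edge router (allowed-address from the hub config).
HUB_PEERS = {"peer1-edge": ["100.66.0.2/32", "192.168.100.0/24"]}
# Edge side: peer1 is the hub (allowed-address from the edge config).
EDGE_PEERS = {"peer1-hub": ["100.66.0.1/32", "0.0.0.0/0"]}


def _networks(prefixes):
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def inbound_allowed(peers: dict, peer: str, src_ip: str) -> bool:
    """Is a decrypted packet from `peer` with this source IP accepted?
    Packets that fail this check are silently dropped by WireGuard, which is
    what stops a peer from injecting traffic for subnets it was not given."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in _networks(peers[peer]))


def outbound_peer(peers: dict, dst_ip: str) -> Optional[str]:
    """Which peer does a packet to dst_ip get encrypted for?  None means
    WireGuard has no peer for it and the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None  # (prefix length, peer name)
    for name, prefixes in peers.items():
        for net in _networks(prefixes):
            if dst in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, name)
    return best[1] if best else None


def missing_return_routes(peers: dict, lan: str, expected_peer: str) -> list:
    """Hub-side check: every host of the edge LAN must map back to the edge
    peer, otherwise replies to those clients never enter the tunnel."""
    net = ipaddress.ip_network(lan)
    return [str(h) for h in net.hosts() if outbound_peer(peers, str(h)) != expected_peer]


if __name__ == "__main__":
    print("hub accepts 192.168.100.10 from edge:", inbound_allowed(HUB_PEERS, "peer1-edge", "192.168.100.10"))
    print("hub accepts 10.0.0.5 from edge:", inbound_allowed(HUB_PEERS, "peer1-edge", "10.0.0.5"))
    print("edge sends 8.8.8.8 to:", outbound_peer(EDGE_PEERS, "8.8.8.8"))
    print("hub sends 8.8.8.8 to:", outbound_peer(HUB_PEERS, "8.8.8.8"))
    print("edge LAN hosts with no return path:", len(missing_return_routes(HUB_PEERS, "192.168.100.0/24", "peer1-edge")))
```

The second and fourth lines of output are the ones to keep in mind when a tunnel "comes up but nothing passes": leaving 192.168.100.0/24 out of the hub's allowed-address makes the hub drop every LAN-sourced packet after decryption, and the hub's list never sends internet-bound traffic back to the edge, which is why the edge, not the hub, carries 0.0.0.0/0.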
IP Addressing, Pools, & DHCP
/ip pool
add name=dhcp-pool ranges=192.168.100.50-192.168.100.250
/ip dhcp-server
add address-pool=dhcp-pool interface=ether2 name=dhcp-server
/ip address
add address=172.16.0.2/30 comment=WAN interface=ether1 network=172.16.0.0
add address=192.168.100.1/24 comment=LAN interface=ether2 network=192.168.100.0
add address=100.66.0.2/24 comment="Wireguard Edge" interface=wedge-wireguard network=100.66.0.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=1.1.1.1 gateway=192.168.100.1
WAN IP: Static or via DHCP client.
LAN: DHCP server for clients.
Tunnel IP: 100.66.0.2/24.
Firewall Rules
/ip firewall filter
add action=accept chain=input comment="Allow established" connection-state=established,related
add action=drop chain=input comment="Drop invalid to router" connection-state=invalid
add action=accept chain=input in-interface=ether2
add action=accept chain=input dst-port=22,80,443 in-interface=ether1 protocol=tcp src-address=172.16.0.0/30
add action=drop chain=input comment="Drop all further connections from WAN" in-interface=ether1
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Drop invalid via router" connection-state=invalid
add action=accept chain=forward comment="Allow Internet Traffic" in-interface=ether2 out-interface=ether1
add action=accept chain=forward comment="Allow Wireguard Tunnel Traffic" in-interface=ether2 out-interface=wedge-wireguard
add action=drop chain=forward comment="Drop all further connections from LAN" in-interface=ether2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
Input: Allow established, LAN, and limited WAN access (SSH/HTTP/HTTPS from specific subnet).
Forward: Allow LAN to WAN and LAN to tunnel; drop others.
NAT: Masquerade WAN outbound (tunnel traffic will use hub's NAT).
Routing
# the table name must match the routing-table used by the tunnel route and the routing-mark set by mangle below
/routing table
add name=wg-route fib
/ip route
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Hub disabled=no distance=1 dst-address=*.*.*.46/32 gateway=172.16.0.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment=Tunnel disabled=no distance=2 dst-address=0.0.0.0/0 gateway=100.66.0.1 routing-table=wg-route scope=30 suppress-hw-offload=no target-scope=10
# ether2 is the LAN interface on this edge (the sample referenced bridge-local, which is not defined in this configuration)
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=ether2 new-routing-mark=wg-route passthrough=yes
Multiple default routes: the main table's default (distance 3) points directly at the WAN gateway, the wg-route table's default (distance 2) points through the tunnel, and a specific /32 route to the hub's public IP goes via the WAN. The mangle rule marks packets arriving from the LAN with wg-route, so LAN traffic is looked up in the tunnel table while the router's own traffic, including the encrypted WireGuard packets to the hub, uses main.
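The following Python model is an added example, not RouterOS code, that reproduces the edge's route selection: the prerouting mangle rule marks LAN-originated packets, marked packets are looked up in wg-route, and everything else (including router-originated packets, which never pass prerouting) uses main; within a table the longest prefix wins and the lowest distance breaks ties. It assumes that a marked lookup with no match falls back to main, which is RouterOS v7 behaviour, and because the hub's public IP is redacted in the article it uses the documentation address 203.0.113.46 as a placeholder.

```python
"""Route-selection model for the edge router's routing tables and mangle rule.

Added example in Python, not RouterOS.  It reproduces how the edge router
decides where a packet goes: the mangle rule marks packets entering on the
LAN interface with routing mark wg-route, marked packets are looked up in
the wg-route table, everything else (including packets the router itself
sends, such as the encrypted WireGuard datagrams) uses main.  Inside a
table the longest prefix wins and, for equal prefixes, the lowest distance.
A marked lookup that finds nothing is assumed to fall back to main (RouterOS
v7 behaviour).  The routes are the edge routes from the article; the hub's
public IP is redacted there, so 203.0.113.46 is a documentation placeholder.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HUB_PUBLIC_IP = "203.0.113.46"  # placeholder for the article's *.*.*.46
LAN_INTERFACE = "ether2"        # the edge's LAN port


@dataclass(frozen=True)
class Route:
    table: str
    dst: str
    gateway: str
    distance: int


EDGE_ROUTES: List[Route] = [
    Route("main", "0.0.0.0/0", "172.16.0.1", 3),             # default via WAN
    Route("main", f"{HUB_PUBLIC_IP}/32", "172.16.0.1", 1),   # hub endpoint via WAN
    Route("wg-route", "0.0.0.0/0", "100.66.0.1", 2),         # default via tunnel
]


def routing_mark(in_interface: Optional[str]) -> Optional[str]:
    """The prerouting mangle rule.  Router-originated packets never traverse
    prerouting, so they carry no mark (in_interface is None for those)."""
    return "wg-route" if in_interface == LAN_INTERFACE else None


def lookup(routes: List[Route], table: str, dst_ip: str) -> Optional[Route]:
    """Longest-prefix match within one table, lowest distance as tie-break."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes
               if r.table == table and dst in ipaddress.ip_network(r.dst, strict=False)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.dst, strict=False).prefixlen, -r.distance))


def select_route(routes: List[Route], dst_ip: str, in_interface: Optional[str] = None) -> Optional[Route]:
    """Table choice by routing mark, then lookup; fall back to main on no match."""
    mark = routing_mark(in_interface)
    if mark is not None:
        chosen = lookup(routes, mark, dst_ip)
        if chosen is not None:
            return chosen
    return lookup(routes, "main", dst_ip)


def gateway_for(routes: List[Route], dst_ip: str, in_interface: Optional[str] = None) -> Optional[str]:
    r = select_route(routes, dst_ip, in_interface)
    return r.gateway if r else None


if __name__ == "__main__":
    print("LAN client -> 8.8.8.8 :", gateway_for(EDGE_ROUTES, "8.8.8.8", "ether2"))
    print("router -> hub endpoint:", gateway_for(EDGE_ROUTES, HUB_PUBLIC_IP))
    print("router -> 8.8.8.8     :", gateway_for(EDGE_ROUTES, "8.8.8.8"))
```

Two things the model makes visible: the two default routes never compete on distance because they live in different tables (the mark decides the table, the distance only ranks routes within a table), and the /32 to the hub is what keeps the encrypted tunnel packets on the WAN should a tunnel default ever be added to main as well.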
Step 3 | Verify the Connection
After applying configs:
Check WireGuard status: /interface wireguard peers print on both routers (look for "current-endpoint" and "last-handshake").
Ping from the edge LAN to the hub's tunnel IP (100.66.0.1).
Test routing: from an edge client, ping an internet host (it should go via the tunnel).
Monitor logs: /log print for WireGuard events.
Use Tools > Torch or Packet Sniffer to inspect traffic.
Troubleshooting
No handshake: verify keys, endpoints, and that UDP 51820 is open (use telnet hub-ip 51820 or a port scanner).
Routing issues: check routes with /ip route print and ensure there are no conflicts.
NAT/Firewall: temporarily disable rules to isolate problems.
MTU: If fragmentation occurs, lower MTU to 1380.
Dynamic IP: Ensure DDNS updates correctly.
This setup provides a secure, low-overhead tunnel. Scale by adding more peers on the hub. For production, enable logging, backups, and regular key rotation. Consult MikroTik documentation for advanced tweaks like BGP integration seen in the hub sample.