
MikroTik VPS WireGuard Setup on RouterOS v7 (CHR)

This guide walks through a complete WireGuard setup on a MikroTik VPS running RouterOS v7, resulting in a secure and high-performance VPN tunnel. By deploying this modern VPN protocol on a MikroTik VPS running Cloud Hosted Router (CHR), you benefit from high-speed and secure tunneling with lower overhead than traditional protocols like OpenVPN or IPsec.

Since RouterOS v7 supports WireGuard by default, you can set it up with simple CLI commands. This guide covers everything you need to build the tunnel, from setting up the server and firewall rules to connecting one or more clients.

Requirements for MikroTik WireGuard Setup VPS

Before you start the WireGuard configuration on MikroTik RouterOS v7, ensure you have the following prerequisites ready:

  • A Cloud Hosted Router (CHR) running MikroTik RouterOS v7.
  • Administrative access to your MikroTik server via SSH, WebFig, or Winbox.
  • The official WireGuard client application installed on your connecting device, such as Windows, macOS, Linux, iOS, or Android.

For a stable and high-performance network connection, you can deploy this on a reliable MikroTik VPS from PerLod Hosting.

Initialize the WireGuard Interface on RouterOS v7

The first step is to initialize the WireGuard interface on your server, which automatically generates the necessary cryptographic keypair. You can use the command below to create an interface named wg0 listening on UDP port 51820:

/interface wireguard add name=wg0 listen-port=51820

To view your server’s public key, you can use the command below:

/interface wireguard print

You will need the public key later for the client configuration.

Set WireGuard Tunnel IP for MikroTik VPS

Next, assign a private IP address and subnet to the WireGuard interface you just created. Run the following command to set the server’s tunnel IP to 10.10.10.1:

/ip address add address=10.10.10.1/24 interface=wg0 network=10.10.10.0

This specific IP address acts as the default gateway for all connected VPN clients.

Allow WireGuard Traffic in the RouterOS Firewall

You must allow incoming WireGuard traffic through the router’s firewall so external devices can establish a connection. To accept UDP packets on the listening port, you can run the following command:

/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"

Note: RouterOS evaluates filter rules from top to bottom, so make sure this rule sits above any drop rules in your firewall list; otherwise, the router will block your connection.
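The ordering problem described in the note can be checked offline against an exported rule list. The following is an added example, not part of the original guide: it assumes one rule per line in the style of /ip firewall filter export, and the two rule sets are constructed samples.

```python
import shlex

WG_PORT = 51820  # listen-port chosen in this guide

def parse_rule(line):
    """Split one exported 'add ...' filter rule into a dict of its key=value arguments."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def port_matches(spec, port):
    """True if a port spec such as '22,8000-8100' includes the given port."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def verdict_for_handshake(rules_text):
    """Return (position, action) of the first input rule that decides a new UDP packet to WG_PORT.

    Simplified model: only protocol, dst-port and connection-state are evaluated;
    any other matcher (in-interface, src-address, ...) is assumed to match.
    """
    position = 0
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule.get("chain") != "input":
            continue
        position += 1
        if rule.get("protocol", "udp") != "udp":
            continue
        if "dst-port" in rule and not port_matches(rule["dst-port"], WG_PORT):
            continue
        if "connection-state" in rule and "new" not in rule["connection-state"].split(","):
            continue
        action = rule.get("action", "accept")
        if action in ("accept", "drop", "reject"):
            return position, action
    return None, "accept"  # nothing matched: the input chain accepts by default

# Constructed samples: the same three rules in the wrong and the right order.
ESTABLISHED = 'add action=accept chain=input connection-state=established,related\n'
DROP_ALL = 'add action=drop chain=input comment="Drop everything else"\n'
ALLOW_WG = 'add action=accept chain=input protocol=udp dst-port=51820 comment="Allow WireGuard"\n'
BROKEN_ORDER = ESTABLISHED + DROP_ALL + ALLOW_WG
FIXED_ORDER = ESTABLISHED + ALLOW_WG + DROP_ALL
```

With the drop rule listed first, the handshake packet is decided by rule 2 (drop) and never reaches the WireGuard accept rule.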

Set Up WireGuard Client NAT on MikroTik CHR

To allow connected clients to browse the internet through the VPN, you must configure Network Address Translation (NAT).

You can run the following command to mask client IP addresses behind your server’s public IP:

/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface=ether1 action=masquerade comment="WireGuard NAT"

Replace ether1 with the name of your actual WAN interface.

Add First WireGuard Client on RouterOS v7

To add a client, you must register its public key and assign it a specific IP address on the router. You can use the command below to bind the client to the wg0 interface:

/interface wireguard peers add interface=wg0 public-key="CLIENT_PUBLIC_KEY_HERE" allowed-address=10.10.10.2/32

The /32 subnet mask limits routing to this single device to prevent network conflicts.

Add Multiple WireGuard Peers on RouterOS v7

To connect more devices, you need to add each one separately with its own keys and a unique IP address. For the second client, you can run the command below:

/interface wireguard peers add interface=wg0 public-key="SECOND_CLIENT_PUBLIC_KEY" allowed-address=10.10.10.3/32

Note: Always use the /32 subnet mask for each additional peer, so RouterOS routes traffic to the correct specific client.
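As the peer list grows, the addressing rules above (one /32 per peer, unique tunnel IPs, unique keys) can be checked before the commands are pasted into the router. The following is an added example, not part of the original guide: the function names are hypothetical, and the peer lines and key strings are constructed placeholders.

```python
import ipaddress
import shlex

TUNNEL_NET = ipaddress.ip_network("10.10.10.0/24")  # tunnel subnet used in this guide
SERVER_IP = ipaddress.ip_address("10.10.10.1")      # address assigned to wg0

def parse_peer(line):
    """Split one 'peers add' command into a dict of its key=value arguments."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def audit_peers(lines):
    """Return (line_no, problem) pairs for peers that break the addressing rules."""
    problems, seen_ip, seen_key = [], {}, {}
    for n, line in enumerate(lines, 1):
        peer = parse_peer(line)
        key = peer.get("public-key")
        if key in seen_key:
            problems.append((n, f"public key already used on line {seen_key[key]}"))
        seen_key.setdefault(key, n)
        try:
            iface = ipaddress.ip_interface(peer.get("allowed-address", ""))
        except ValueError:
            problems.append((n, "allowed-address missing or invalid"))
            continue
        if iface.network.prefixlen != iface.ip.max_prefixlen:
            problems.append((n, f"{iface} is not a single-host /32"))
        if iface.ip not in TUNNEL_NET:
            problems.append((n, f"{iface.ip} is outside {TUNNEL_NET}"))
        if iface.ip == SERVER_IP:
            problems.append((n, f"{iface.ip} is the server's own tunnel IP"))
        if iface.ip in seen_ip:
            problems.append((n, f"{iface.ip} already used on line {seen_ip[iface.ip]}"))
        seen_ip.setdefault(iface.ip, n)
    return problems

def next_free_ip(lines):
    """Return the lowest tunnel address not yet claimed by the server or a peer."""
    used = {str(SERVER_IP)}
    used |= {parse_peer(line).get("allowed-address", "").split("/")[0] for line in lines}
    return next(h for h in TUNNEL_NET.hosts() if str(h) not in used)

# Constructed sample peers; the key strings are placeholders, not real keys.
ADD = '/interface wireguard peers add interface=wg0 public-key="{}" allowed-address={}'
PAIRS = [("KEY_A", "10.10.10.2/32"), ("KEY_B", "10.10.10.3/24"), ("KEY_C", "10.10.10.2/32"),
         ("KEY_A", "10.10.10.4/32"), ("KEY_D", "10.10.10.1/32")]
SAMPLE = [ADD.format(k, a) for k, a in PAIRS]
```

On the sample, audit_peers() flags lines 2 to 5 (wrong mask, duplicate IP, duplicate key, server IP), and next_free_ip() returns 10.10.10.5 for the next client.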

Configure WireGuard Client App

Finally, you must configure your client devices using the standard WireGuard application by creating a new tunnel.

You can use the following configuration and update the IP address in the [Interface] section for each client:

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_HERE
Address = 10.10.10.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = SERVER_PUBLIC_KEY_HERE
Endpoint = YOUR_VPS_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

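Using AllowedIPs = 0.0.0.0/0 sends all your internet traffic through the VPN, and PersistentKeepalive = 25 sends a keepalive packet every 25 seconds, which stops the connection from dropping when the client sits behind NAT or a stateful firewall.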

Once your client application is configured and activated, you can make sure traffic is actually routing through your MikroTik VPS.

On RouterOS, run the command below:

/interface wireguard peers print

If it works, you’ll see a recent last-handshake time and data moving in the rx and tx columns.

Also, you can ping 10.10.10.1 from your client device to confirm it can reach the server.

FAQs

Can two clients share the same WireGuard tunnel IP on MikroTik RouterOS v7?

No, each peer should have a unique tunnel IP to avoid conflicts.

Why should each WireGuard peer use /32 subnet on MikroTik?

Giving each client its own unique /32 address prevents routing conflicts, so all your devices can connect at the same time.

How do I route all client traffic through the WireGuard tunnel on MikroTik?

On the client config, set AllowedIPs = 0.0.0.0/0, so the default route goes through the VPN.

Conclusion

With RouterOS v7’s native support for WireGuard, setting up WireGuard on a MikroTik VPS is efficient and straightforward. Whether you are connecting a single device or a whole team, relying on a stable and reliable foundation like a MikroTik VPS ensures your network traffic remains secure and your routing stays predictable.
