Complete Guide: Configure WireGuard on MikroTik VPS for Windows & Linux
WireGuard is a modern, fast, and secure VPN protocol that has gained immense popularity for its simplicity and excellent performance. In this comprehensive guide, we'll walk you through setting up WireGuard on a MikroTik VPS and connecting from both Windows and Linux clients.
🔐 Why Choose WireGuard?
WireGuard offers several advantages over traditional VPN protocols:
- Lightning Fast - Built for speed with minimal overhead
- Secure by Default - Modern cryptography with Curve25519, ChaCha20, and Poly1305
- Simple Configuration - Minimal lines of code, easy to set up
- Low Resource Usage - Perfect for VPS and embedded systems
- Open Source - Transparent and auditable code
📋 Prerequisites
Before You Begin:
- ☑️ MikroTik VPS - RouterOS 7.x or newer
- ☑️ Root Access - Admin privileges on the MikroTik
- ☑️ Static IP Address - For your VPS (or DDNS)
- ☑️ Firewall Access - UDP port 51820 (default) open
- ☑️ Client Devices - Windows 10/11 or Linux distribution
🖥️ Step 1: Configure WireGuard on MikroTik VPS
Let's start by setting up WireGuard on your MikroTik router. We'll use the command-line interface for precise control.
1.1 Create the WireGuard Interface
/interface wireguard
add name=wg0 listen-port=51820 mtu=1420
1.2 Generate Key Pair
RouterOS generates the server's key pair automatically when the interface is created, so there is no separate generation command. Print the interface on your MikroTik terminal to read the private and public keys:
/interface wireguard print
Save these keys securely. The private key stays on the server, and you'll share the corresponding public key with clients.
1.3 Assign IP Address to WireGuard Interface
/ip address
add address=10.0.0.1/24 interface=wg0 network=10.0.0.0
This creates a private network for your VPN clients (10.0.0.x range).
1.4 Configure Firewall Rules
/ip firewall filter
add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"
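add chain=forward in-interface=wg0 out-interface=wan action=accept
add chain=forward in-interface=wan out-interface=wg0 connection-state=established,related action=accept
These rules assume your public-facing interface is named wan; substitute the actual interface name. The second forward rule is limited to reply traffic, so hosts on the WAN side cannot open new connections to VPN clients. RouterOS appends new rules to the end of the chain, so make sure they sit above any existing drop rule.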
1.5 Enable NAT for VPN Clients
/ip firewall nat
add chain=srcnat out-interface=wan action=masquerade src-address=10.0.0.0/24
👤 Step 2: Create Client Configurations
Now let's create client configurations. Each client needs a unique key pair.
2.1 Generate Client Keys (on client or server)
# On Linux client or server; umask 077 keeps the new key files readable by your user only
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
2.2 Add Peer to MikroTik
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wg0 public-key="CLIENT_PUBLIC_KEY"
Replace "CLIENT_PUBLIC_KEY" with the actual public key from your client.
🪟 Step 3: Connect from Windows
3.1 Install WireGuard for Windows
- Download WireGuard from wireguard.com
- Install the application
- Launch WireGuard
3.2 Create Windows Client Configuration
[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
3.3 Import Configuration
- Click "Add Tunnel" in WireGuard
- Select "Import tunnel(s) from file..."
- Choose your configuration file
- Click "Activate"
3.4 Verify Connection
# In PowerShell
ping 10.0.0.1
# Check WireGuard status
wg
🐧 Step 4: Connect from Linux
4.1 Install WireGuard on Linux
# Ubuntu/Debian
sudo apt install wireguard -y
# CentOS/RHEL
sudo dnf install wireguard-tools -y
# Arch Linux
sudo pacman -S wireguard-tools
4.2 Create Linux Client Configuration
sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = YOUR_SERVER_PUBLIC_KEY
Endpoint = YOUR_SERVER_IP:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
4.3 Set Proper Permissions
sudo chmod 600 /etc/wireguard/wg0.conf
4.4 Start WireGuard
# Start the connection
sudo wg-quick up wg0
# Enable on boot
sudo systemctl enable wg-quick@wg0
# Check status
sudo wg
4.5 Verify Connection
# Test connectivity
ping 10.0.0.1
# Check assigned IP
ip addr show wg0
# View connection details
sudo wg show
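A tunnel can show an interface and an address while no handshake has ever completed, which is what the latest-handshake field in `sudo wg show` reveals. This added example (not part of the original guide) classifies peers from the tab-separated `wg show wg0 dump` output; the function name `peer_health`, the sample dump with its fake keys, and the 180-second staleness threshold are assumptions made for illustration.

```sh
# Added example: classify peers from `wg show <iface> dump` (tab-separated).
# Line 1 is the interface (it contains the private key and is skipped).
# Each later line is one peer:
#   public-key preshared-key endpoint allowed-ips latest-handshake rx tx keepalive
# Usage: peer_health NOW [MAX_AGE]   (epoch seconds; MAX_AGE defaults to 180)
# Prints "<status> <key prefix> <allowed-ips>"; returns 1 if any peer is not OK.
peer_health() {
    awk -F '\t' -v now="$1" -v max="${2:-180}" '
        NR == 1 { next }
        {
            hs = $5 + 0
            if (hs == 0)             s = "NEVER"  # no handshake yet: key, endpoint or firewall
            else if (now - hs > max) s = "STALE"  # handshakes stopped: path or peer went away
            else                     s = "OK"
            if (s != "OK") bad = 1
            printf "%s %s %s\n", s, substr($1, 1, 8), $4
        }
        END { exit bad + 0 }'
}

# Constructed sample dump: fake keys, documentation addresses, fixed timestamps.
sample_dump() {
    printf 'PRIVATE-constructed\tPUBLIC-constructed\t51820\toff\n'
    printf 'PEER0001-constructed-key\t(none)\t203.0.113.10:40000\t10.0.0.2/32\t1700000100\t5120\t7340\t25\n'
    printf 'PEER0002-constructed-key\t(none)\t203.0.113.11:40001\t10.0.0.3/32\t1699990000\t900\t1200\t25\n'
    printf 'PEER0003-constructed-key\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff\n'
}

# Demo with a fixed "now" so the result is reproducible.
sample_dump | peer_health 1700000200 || true
```

On a live Linux client, feed it the real dump: `sudo wg show wg0 dump | peer_health "$(date +%s)"`.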
🔧 Step 5: Advanced Configuration
5.1 Add Multiple Clients
/interface wireguard peers
add allowed-address=10.0.0.2/32 interface=wg0 public-key="CLIENT1_PUBLIC_KEY"
add allowed-address=10.0.0.3/32 interface=wg0 public-key="CLIENT2_PUBLIC_KEY"
add allowed-address=10.0.0.4/32 interface=wg0 public-key="CLIENT3_PUBLIC_KEY"
5.2 Split Tunnel Configuration
To only route specific traffic through the VPN:
# On client - only route specific subnet
AllowedIPs = 10.0.0.0/24, 192.168.1.0/24
5.3 Kill Switch
Block all traffic if VPN disconnects:
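# Linux - using iptables (IPv4 only; add matching ip6tables rules if the host has IPv6)
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
sudo iptables -A OUTPUT -o wg0 -j ACCEPT
# The encrypted tunnel packets leave via the physical interface and must still reach the server
sudo iptables -A OUTPUT -p udp -d YOUR_SERVER_IP --dport 51820 -j ACCEPT
sudo iptables -A OUTPUT -j REJECT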
🛠️ Troubleshooting
Common Issues and Solutions:
Connection Timeout
- Check if UDP port 51820 is open on firewall
- Verify server public key is correct
- Check if server is reachable (ping server IP)
No Internet Access After Connecting
- Verify NAT/masquerade is configured on server
- Check if AllowedIPs includes 0.0.0.0/0
- Verify firewall forward rules
DNS Not Working
- Add DNS server in client config
- Try different DNS (1.1.1.1, 8.8.8.8)
- Check if DNS traffic is allowed
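Several items in the checklist above can be checked on the client before involving the server. This added example (not part of the original guide) lints a wg-quick client file for the permission from step 4.3, malformed or placeholder keys, an unreplaced Endpoint, and a full tunnel with no DNS line; the function names, the sample file and its keys are constructed, and GNU `stat` is assumed.

```sh
# Added example: lint a wg-quick client config against the guide's checklist.
# Assumes GNU stat. Prints findings; returns 1 if any FAIL line was printed.
lint_wg_conf() (
    conf=$1; rc=0
    fail() { echo "FAIL $*"; rc=1; }
    # First value of "Key = value", surrounding whitespace removed.
    get() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" | sed 's/[[:space:]]*$//;q'; }

    # Step 4.3: the file contains the private key.
    mode=$(stat -c '%a' "$conf") || exit 2
    [ $(( 0$mode & 077 )) -eq 0 ] || fail "mode $mode lets group/other read the private key"

    # 32-byte key = 43 base64 characters plus "="; catches placeholders and
    # truncated pastes, not a well-formed key that belongs to another peer.
    keyre='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
    for k in PrivateKey PublicKey; do
        get "$k" | grep -Eq "$keyre" || fail "$k is missing or malformed"
    done

    # Endpoint: IPv4 address or hostname, then :port, placeholder replaced.
    ep=$(get Endpoint)
    printf '%s\n' "$ep" | grep -Eq '^[^:[:space:]]+:[0-9]+$' || fail "Endpoint is not host:port"
    case $ep in *YOUR_SERVER_IP*) fail "Endpoint still holds the placeholder" ;; esac

    # A full tunnel carries DNS too, so the client needs a resolver.
    if get AllowedIPs | grep -Eq '(^|[ ,])0\.0\.0\.0/0'; then
        [ -n "$(get DNS)" ] || fail "full tunnel but no DNS line"
    else
        echo "INFO split tunnel: only $(get AllowedIPs) is routed through the VPN"
    fi
    exit $rc
)

# Constructed sample: keys are base64 of fixed test strings, not real keys.
write_sample() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU=
Address = 10.0.0.2/24
DNS = 1.1.1.1
[Peer]
PublicKey = YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU=
Endpoint = 203.0.113.5:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
EOF
    chmod 600 "$1"
}
tmp=$(mktemp) && write_sample "$tmp" && lint_wg_conf "$tmp" && echo "clean"; rm -f "$tmp"
```

Against the real file, run it with the privileges needed to read it: `lint_wg_conf /etc/wireguard/wg0.conf` from a root shell.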
✅ Conclusion
You now have a fully functional WireGuard VPN server running on your MikroTik VPS! Your Windows and Linux clients can securely connect to your network and access resources remotely.
WireGuard's simplicity makes it easy to manage, while its modern cryptography ensures your connections remain secure. Remember to:
- Keep your private keys secure
- Regularly update your WireGuard installation
- Monitor connection logs for any suspicious activity
- Consider setting up fail2ban or similar for additional security
Enjoy your fast, secure, and private VPN connection!