WireGuard Routing and Port Forwarding

WireGuard makes it easy to build private, encrypted networks without exposing devices to the public internet. In this example I wanted to reach the Mikrotik router's configuration interfaces from anywhere in the world, similar to what Cloud Key and Cloud Access provide for Ubiquiti devices. Note that RouterOS 6 already supports several VPN protocols, but not WireGuard (native WireGuard support only arrived with RouterOS 7), which is why the tunnel terminates on the Raspberry Pi here rather than on the router.

Solar powered Mikrotik wAP LTE router.

I built a solar powered Raspberry Pi security camera that connects over Wi-Fi to a solar powered Mikrotik LTE router, which provides internet access through a mobile data connection.

The Raspberry Pi is also running WireGuard, so all we have to do is forward traffic arriving over the tunnel for a few TCP ports on to the Mikrotik router.

Here is how to configure the Raspberry Pi acting as a WireGuard peer to do the custom routing:

1. Enable IP Forwarding

IP forwarding is disabled by default on Raspbian, and without it the kernel silently drops packets that are not addressed to the Pi itself, so none of the iptables rules below will have any visible effect until it is enabled.

Enable IP forwarding in the Linux kernel by adding (or uncommenting) net.ipv4.ip_forward = 1 in /etc/sysctl.conf so the setting survives a reboot, and run sudo sysctl -w net.ipv4.ip_forward=1 to apply it immediately. sysctl net.ipv4.ip_forward shows the current value if you want to verify it.

2. Configure Routing

The WireGuard interface is wg0 and the tunnel uses the address range 10.200.200.0/24. The Mikrotik router is at 192.168.88.1 on the local network, which the Pi reaches through its wlan0 interface. The goal is to redirect selected TCP ports arriving on wg0 to 192.168.88.1. The forwarded packets also have to pass the filter table's FORWARD chain; Raspbian ships with an ACCEPT policy there, but if you have set it to DROP you need matching ACCEPT rules for wg0 to wlan0 and back.

Mikrotik router connected to a WireGuard network through a Raspberry Pi.

First, make packets arriving on the WireGuard interface wg0 from the tunnel range appear to devices on the local network as if they originated from the Raspberry Pi itself (source NAT). Without this the Mikrotik router would see a source address in 10.200.200.0/24, a network it has no route to, and its replies would never make it back into the tunnel:

sudo iptables -t nat -A POSTROUTING -o wlan0 -s 10.200.200.0/24 -j MASQUERADE

Then forward ports:

  • 80 for Mikrotik Webfig
  • 5678 for Mikrotik Neighbor Discovery Protocol (MNDP actually uses UDP broadcasts on this port, so the TCP rule below is harmless but does not carry neighbor discovery across the tunnel; connect to the router by IP address instead)
  • 8728 for RouterOS API
  • 8291 for Mikrotik Winbox

to the Mikrotik router at IP address 192.168.88.1:

sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 80,5678,8728,8291 -j DNAT --to-destination 192.168.88.1

or just a single port 80:

sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --destination-port 80 -j DNAT --to-destination 192.168.88.1

The rules could be changed to DNAT all traffic arriving on wg0 to the Mikrotik router, but then the Raspberry Pi itself would no longer be reachable on those ports over the tunnel, and you would need a second WireGuard peer configuration to reach it. Two things are worth keeping in mind: the DNAT rule matches only on -i wg0, so only authenticated WireGuard peers can ever reach these ports through the Pi, and Webfig on port 80 and the RouterOS API on port 8728 are unencrypted services, so the WireGuard tunnel is what provides confidentiality for them.

Now you should be able to access the Mikrotik router from any device on the same WireGuard network, including the MikroTik mobile app.

Persist the Routing Configuration

Finally, persist these rules by adding them as PostUp and PostDown directives in the [Interface] section of /etc/wireguard/wg0.conf; wg-quick runs them when the interface comes up and goes down (the ip_forward sysctl is persisted separately through /etc/sysctl.conf):

PostUp = iptables -t nat -A ...
PostDown = iptables -t nat -D ...

Notice the -D flag in PostDown, which deletes a rule. It only matches a rule whose specification is exactly the same as the one added with -A, so keep the two lines identical apart from -A and -D; otherwise the rules pile up every time the interface is restarted.
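A single helper script keeps the two halves of the procedure above (enabling forwarding, then adding or deleting the MASQUERADE and DNAT rules) in one place, so PostUp and PostDown cannot drift apart. This is an added example, not the post's own configuration: the script name wg0-fw.sh and its location under /etc/wireguard are assumptions; the interface names, tunnel range, router address and ports are the ones used in this post, minus the MNDP port, since MNDP is UDP broadcast and a TCP DNAT rule does nothing for it.

```shell
#!/bin/sh
# wg0-fw.sh: hypothetical PostUp/PostDown helper (added example, not from the post).
# Usage: wg0-fw.sh up | down   (wg0.conf: PostUp = /etc/wireguard/wg0-fw.sh up)
set -eu

WG_IF="wg0"                 # WireGuard interface
LAN_IF="wlan0"              # interface facing the Mikrotik router
WG_NET="10.200.200.0/24"    # tunnel address range
ROUTER="192.168.88.1"       # Mikrotik router on the LAN
TCP_PORTS="80,8728,8291"    # Webfig, RouterOS API, Winbox (MNDP is UDP broadcast, not forwardable this way)

# nat_rules ACTION: print the iptables commands, one per line, with ACTION = -A or -D.
# Generating both variants from one template guarantees PostDown deletes exactly what PostUp added.
nat_rules() {
    action="$1"
    printf 'iptables -t nat %s POSTROUTING -o %s -s %s -j MASQUERADE\n' \
        "$action" "$LAN_IF" "$WG_NET"
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$action" "$WG_IF" "$TCP_PORTS" "$ROUTER"
}

# apply ACTION: run each rule. A failed deletion is tolerated so that a partially
# applied rule set never makes "wg-quick down" abort and leave the interface half torn down.
apply() {
    nat_rules "$1" | while IFS= read -r cmd; do
        eval "$cmd" || [ "$1" = "-D" ]
    done
}

# Dispatch only when called with an argument; sourcing the file just defines the functions.
case "${1:-}" in
    up)   sysctl -w net.ipv4.ip_forward=1 >/dev/null; apply -A ;;
    down) apply -D ;;
    "")   ;;
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

With the script installed as /etc/wireguard/wg0-fw.sh and made executable, the two directives in wg0.conf become PostUp = /etc/wireguard/wg0-fw.sh up and PostDown = /etc/wireguard/wg0-fw.sh down. Running nat_rules -A by hand prints the exact commands that will be executed, which is a convenient way to review the rule set before bringing the interface up.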

Debug Routing and Forwarding

Temporarily add LOG rules at the top of the nat table's PREROUTING and POSTROUTING chains. Insert them with -I rather than appending with -A: DNAT and MASQUERADE are terminating targets, so a LOG rule appended after them is only reached by packets they did not match, which is exactly the opposite of what you want to see. A log prefix makes the lines easy to find. Keep in mind that the nat table only sees the first packet of each connection; later packets of an established connection are handled by conntrack and never traverse these chains:

sudo iptables -t nat -I PREROUTING 1 -j LOG --log-prefix "wg-nat-pre: "
sudo iptables -t nat -I POSTROUTING 1 -j LOG --log-prefix "wg-nat-post: "

Now you can follow the kernel log (on systemd-based Raspberry Pi OS images the same messages are available with journalctl -k -f even when /var/log/kern.log is absent). The PREROUTING line shows the destination before DNAT and the POSTROUTING line shows it after, which is the quickest way to confirm that a connection was actually redirected to the router. Delete the two LOG rules again with -D once you are done:

sudo tail -f /var/log/kern.log
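Reading raw LOG lines by eye is error-prone, so here is a small awk filter that reduces each one to the fields that matter for this setup (stage, interfaces, addresses, protocol and destination port). It is an added example, not part of the post, and assumes the LOG rules were given the prefixes wg-nat-pre: (PREROUTING) and wg-nat-post: (POSTROUTING); the two sample log lines are constructed to show the first packet of a Webfig connection before and after DNAT.

```shell
# nat-trace.sh: summarize kernel LOG lines from the nat debug rules (added example, not from the post).
# Assumes --log-prefix "wg-nat-pre: " on the PREROUTING rule and "wg-nat-post: " on POSTROUTING.
# Reads log lines on stdin, e.g.:  sudo journalctl -k | nat_trace
nat_trace() {
    awk '
    /wg-nat-(pre|post): / {
        stage = ($0 ~ /wg-nat-pre: /) ? "PRE" : "POST"
        in_if = "-"; out_if = "-"; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        # Every interesting field is a KEY=VALUE token. IN= or OUT= is legitimately empty
        # depending on which side of the routing decision the packet was logged.
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2 || kv[2] == "") continue
            if (kv[1] == "IN")    in_if  = kv[2]
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "SRC")   src    = kv[2]
            if (kv[1] == "DST")   dst    = kv[2]
            if (kv[1] == "PROTO") proto  = kv[2]
            if (kv[1] == "DPT")   dpt    = kv[2]
        }
        printf "%s in=%s out=%s %s->%s %s/%s\n", stage, in_if, out_if, src, dst, proto, dpt
    }'
}

# Constructed sample (not captured from a real system): the SYN of one Webfig request from
# peer 10.200.200.2 to the Pi's tunnel address, logged first in PREROUTING (destination still
# 10.200.200.1) and then in POSTROUTING (destination rewritten to the router by DNAT; the source
# is still the peer because the LOG rule sits in front of MASQUERADE).
sample_log() {
    cat <<'EOF'
Mar  3 12:00:01 raspberrypi kernel: [ 1234.567890] wg-nat-pre: IN=wg0 OUT= MAC= SRC=10.200.200.2 DST=10.200.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 12:00:01 raspberrypi kernel: [ 1234.567912] wg-nat-post: IN= OUT=wlan0 SRC=10.200.200.2 DST=192.168.88.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Run with the argument "demo" to print the two summary lines for the sample.
case "${1:-}" in
    demo) sample_log | nat_trace ;;
esac
```

For the sample the filter prints one PRE line with the destination 10.200.200.1 and one POST line with the destination 192.168.88.1 leaving through wlan0. If you only ever see PRE lines for a port, the DNAT rule did not match (wrong interface, protocol or port list); if you see both but no reply, check ip_forward and the FORWARD chain rather than the nat rules.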
