WireGuard provides unlimited possibilities for creating private and secure networks without having to expose devices to the public internet. In this example I wanted to access the Mikrotik router configuration panel from anywhere in the world, similar to how Cloud Key and Cloud Access enable it for Ubiquiti devices. Note that RouterOS already supports VPN access, but not through WireGuard.
I built a solar-powered Raspberry Pi used as a security camera, which is connected wirelessly to a solar-powered Mikrotik LTE router to access the internet through a mobile data connection.
The Raspberry Pi is also running WireGuard, so all we have to do is forward the incoming WireGuard traffic to a few ports on the Mikrotik router.
Here is how to configure the Raspberry Pi acting as a WireGuard peer to do the custom routing:
1. Enable IP Forwarding
IP forwarding is disabled by default on Raspbian, so it must be enabled for any of the iptables rules below to work.
Enable IP forwarding in the Linux kernel by adding (or uncommenting) net.ipv4.ip_forward = 1 in /etc/sysctl.conf to persist the setting across reboots. Run sysctl -w net.ipv4.ip_forward=1 to enable IP forwarding immediately without having to reboot.
2. Configure Routing
We're routing a WireGuard peer on network interface wg0 with the IP range 10.200.200.0/24 to the IP address 192.168.88.1 in the local network available through the
First, make requests arriving on the WireGuard network interface wg0 appear to the devices on the local network as if they originate from the Raspberry Pi itself:
sudo iptables -t nat -A POSTROUTING -o wlan0 -s 10.200.200.0/24 -j MASQUERADE
Then forward the ports
80 for Mikrotik Webfig
5678 for Mikrotik Neighbor Discovery Protocol
8728 for RouterOS API
8291 for Mikrotik Winbox
to the Mikrotik router at IP address 192.168.88.1:
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 80,5678,8728,8291 -j DNAT --to-destination 192.168.88.1
or just a single port:
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --destination-port 80 -j DNAT --to-destination 192.168.88.1
This could be adjusted to forward all traffic to the Mikrotik router, but then you would need a separate WireGuard peer configuration for accessing the Raspberry Pi itself through the WireGuard network.
Now you should be able to access the Mikrotik router from any device on the same WireGuard network, including the phone app.
Persist the Routing Configuration
Finally, you can persist these custom routes by configuring the WireGuard PostUp and PostDown directives in the [Interface] section of the WireGuard configuration:
PostUp = iptables -t nat -A ...
PostDown = iptables -t nat -D ...
PostDown uses the -D flag, which removes the exact same entries that PostUp added.
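The following script is an added example, not part of the original post: it generates the PostUp/PostDown pair for the rules above from one rule list, so the -D lines can never drift from the -A lines. It also goes one step beyond the post by adding FORWARD-chain rules that allow only the listed router ports through the tunnel, which assumes you want forwarding restricted explicitly (or that your FORWARD policy is DROP); interface and address names are those used in this post.

```sh
#!/bin/sh
# Added example (not from the original post): build the iptables rule set for
# wg0 -> wlan0 -> 192.168.88.1 as matching PostUp (-A) and PostDown (-D) lines.

WG_IF="wg0"                   # WireGuard interface
LAN_IF="wlan0"                # interface that reaches the Mikrotik
WG_NET="10.200.200.0/24"      # WireGuard peer address range
ROUTER="192.168.88.1"         # Mikrotik router on the local network
PORTS="80,5678,8728,8291"     # Webfig, MNDP, RouterOS API, Winbox

# Print one iptables command per line. $1 is -A (add) or -D (delete);
# every rule is spelled identically, so -D removes exactly what -A added.
wg_rules() {
    act="$1"
    printf 'iptables -t nat %s PREROUTING -i %s -p tcp -m multiport --dports %s -j DNAT --to-destination %s\n' \
        "$act" "$WG_IF" "$PORTS" "$ROUTER"
    printf 'iptables -t nat %s POSTROUTING -o %s -s %s -j MASQUERADE\n' \
        "$act" "$LAN_IF" "$WG_NET"
    # Assumption (not in the post): restrict forwarding to the router ports only
    printf 'iptables %s FORWARD -i %s -o %s -d %s -p tcp -m multiport --dports %s -j ACCEPT\n' \
        "$act" "$WG_IF" "$LAN_IF" "$ROUTER" "$PORTS"
    printf 'iptables %s FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$act" "$LAN_IF" "$WG_IF"
}

# Join the commands with "; " into one directive line: $1 is the directive
# name (PostUp/PostDown), $2 the iptables action (-A/-D).
wg_directive() {
    out=""
    while IFS= read -r cmd; do
        out="${out:+$out; }$cmd"
    done <<EOF
$(wg_rules "$2")
EOF
    printf '%s = %s\n' "$1" "$out"
}

# Emit the two lines to paste into the [Interface] section of the config.
wg_interface_lines() {
    wg_directive PostUp -A
    wg_directive PostDown -D
}

wg_interface_lines
```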
Debug Routing and Forwarding
Add temporary rules to the PREROUTING and POSTROUTING chains to enable logging of the forwarded packets:
sudo iptables -t nat -A PREROUTING -j LOG
sudo iptables -t nat -A POSTROUTING -j LOG
And now you can view the logs:
sudo tail -f /var/log/kern.log