WireGuard provides unlimited possibilities for creating private and secure networks without having to expose devices to the public internet. In this example I wanted to access the Mikrotik router configuration panel from anywhere in the world, similar to how Cloud Key and Cloud Access enable it for Ubiquiti devices. Note that RouterOS already supports VPN access but not through WireGuard.
I built a solar-powered Raspberry Pi used as a security camera, which is connected wirelessly to a solar-powered Mikrotik LTE router to access the internet through a mobile data connection.
The Raspberry Pi is also running WireGuard so all we have to do is forward the incoming WireGuard traffic to a few ports on the Mikrotik router.
Here is how to configure the Raspberry Pi acting as a WireGuard peer to do the custom routing:
1. Enable IP Forwarding
IP forwarding is disabled by default on Raspbian, so it’s extremely important to enable it for any of the iptables rules to work.
Enable IP forwarding in the Linux kernel by uncommenting or adding the following line in /etc/sysctl.conf to persist the setting between system restarts:
net.ipv4.ip_forward = 1
To enable IP forwarding immediately without having to reboot, run:
sysctl -w net.ipv4.ip_forward=1
2. Configure Routing
We’re routing a WireGuard peer on a network interface wg0 and an IP range of 10.200.200.0/24 to the IP address 192.168.88.1 in the local network available through the
First, make requests incoming on the WireGuard network interface wg0 appear as originating from the Raspberry Pi itself to the devices on the local network:
sudo iptables -t nat -A POSTROUTING -o wlan0 -s 10.200.200.0/24 -j MASQUERADE
Then forward ports:
80 for Mikrotik Webfig
5678 for Mikrotik Neighbor Discovery Protocol
8728 for RouterOS API
8291 for Mikrotik Winbox
to the Mikrotik router at IP address
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 80,5678,8728,8291 -j DNAT --to-destination 192.168.88.1
or just a single port:
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --destination-port 80 -j DNAT --to-destination 192.168.88.1
This could be adjusted to forward all traffic to the Mikrotik router but then you would need a separate WireGuard peer configuration for accessing the actual Raspberry Pi through the WireGuard network.
Now you should be able to access the Mikrotik router from any device on the same WireGuard network, including the phone app.
Persist the Routing Configuration
Finally, you can persist these custom routes by configuring the WireGuard PostDown directives in the [Interface] section of
PostUp = iptables -t nat -A ...
PostDown = iptables -t nat -D ...
-D flag which is used for removing the exact same entries.
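The PostUp/PostDown pairing above only cleans up properly when each -D rule matches its -A rule exactly. The following added example (not part of the original post; the function and variable names are hypothetical, the interface, addresses and ports are the ones used in this post) generates both sets of hook lines from one list of rule specs and checks an existing configuration file for mismatched pairs:

```shell
#!/bin/sh
# Added example, not from the original post. Values below come from the post;
# variable and function names are hypothetical.
WG_IF="wg0"                # WireGuard interface
LAN_IF="wlan0"             # interface used by the post's MASQUERADE rule
WG_NET="10.200.200.0/24"   # WireGuard address range
ROUTER="192.168.88.1"      # Mikrotik router on the local network
PORTS="80,5678,8728,8291"  # TCP ports forwarded to the router

# One rule spec per line: everything that follows "iptables -t nat -A" or "-D".
nat_rule_specs() {
    cat <<EOF
POSTROUTING -o $LAN_IF -s $WG_NET -j MASQUERADE
PREROUTING -i $WG_IF -p tcp --match multiport --destination-ports $PORTS -j DNAT --to-destination $ROUTER
EOF
}

# Print the [Interface] hook lines: each spec once with -A and once with -D.
wg_hooks() {
    nat_rule_specs | sed 's/^/PostUp = iptables -t nat -A /'
    nat_rule_specs | sed 's/^/PostDown = iptables -t nat -D /'
}

# hooks_symmetric FILE: succeed only if FILE has at least one PostUp nat rule
# and the set of -A specs equals the set of -D specs.
hooks_symmetric() {
    up=$(sed -n 's/^PostUp *= *iptables -t nat -A //p' "$1" | sort)
    down=$(sed -n 's/^PostDown *= *iptables -t nat -D //p' "$1" | sort)
    [ -n "$up" ] && [ "$up" = "$down" ]
}

# Print the lines to paste into the [Interface] section.
wg_hooks
```

Running hooks_symmetric against a hand-edited configuration file catches a PostDown rule that no longer matches its PostUp rule, which would otherwise leave a stale NAT entry behind each time the interface goes down.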
Debug Routing and Forwarding
Add temporary rules to the POSTROUTING tables to enable logging to
sudo iptables -t nat -A PREROUTING -j LOG
sudo iptables -t nat -A POSTROUTING -j LOG
And now you can view the logs:
sudo tail -f /var/log/kern.log
Have you any experience with the WG interface on MT, available in the dev version of RouterOS?
I know everyone is saying on the Internet that it is very easy to set up, but I cannot make the routing through the WG interface work – the interface is easy, two commands, but when it comes to routing through the MT router, nothing I tried works.
I know this post of yours is old(ish), but combining two great options – WG+MT – seems a great way to create tunnels instead of IPsec/OpenVPN.
Yes, I tried WireGuard on Mikrotik’s RouterOS when it was initially released but it had an issue where the endpoint-address couldn’t be configured as hostname and had to be specified via IP. I’m not sure if that has been resolved yet.
Are you looking to use the WireGuard instance on the Mikrotik router as the relay server for other peers or do you just want to connect to it from other peers? For using it as relay server you would need to have the router accessible from the public internet.
Or do you want it as a peer through which you can access the local network? That would require setting the correct allowed-address and some firewall rules as described in the wiki. The Mikrotik forums usually have some useful examples of working setups and even setup instructions.