---
title: WireGuard Routing and Port Forwarding
date: 2020-08-16T09:00:52+00:00
modified: 2025-12-01T16:08:50+00:00
image: https://kaspars.net/wp-content/uploads/2020/08/wireguard-routing-mikrotik.png
permalink: https://kaspars.net/blog/wireguard-routing
post_type: post
author:
  name: Kaspars
  avatar: https://reverse.kaspars.net/gravatar/avatar/92bfcd3a8c3a21a033a6484d32c25a40b113ec6891f674336081513d5c98ef76?s=96&d=mm&r=g
category:
  - Home Automation
  - Linux
post_tag:
  - How to
  - raspberrypi
  - WireGuard
---

# WireGuard Routing and Port Forwarding

WireGuard provides unlimited possibilities for creating private and secure networks without having to expose devices to the public internet. In this example I wanted to access the [Mikrotik](https://mikrotik.com/) router configuration panel from anywhere in the world, similar to how [Cloud Key](https://www.ui.com/unifi/unifi-cloud-key/) and Cloud Access enable it for [Ubiquiti](https://www.ui.com/) devices.

**Update in 2025**: RouterOS now has [full WireGuard support](https://help.mikrotik.com/docs/spaces/ROS/pages/69664792/WireGuard) (including the [“back to home” feature](https://help.mikrotik.com/docs/spaces/ROS/pages/197984280/Back+To+Home)) so this setup can be simplified by [exposing the whole LAN over WireGuard](https://kaspars.net/blog/wireguard-mikrotik-routeros).

![](https://kaspars.net/wp-content/uploads/2020/08/mikrotik-solar-powered-lte-router-scaled.jpeg?strip=all&quality=90&resize=1024,683)

Solar powered Mikrotik wAP LTE router.

I built [a solar powered Raspberry Pi used as a security camera](https://kaspars.net/blog/solar-raspberry-pi-camera) which is connected wirelessly to a solar powered Mikrotik LTE router to access the internet through a mobile data connection.

The Raspberry Pi is [also running WireGuard](https://kaspars.net/blog/wireguard-raspberry-pi) so all we have to do is forward the incoming WireGuard traffic to a few ports on the Mikrotik router.

Here is how to configure the Raspberry Pi acting as a WireGuard peer to do the custom routing:

## 1. Enable IP Forwarding

**IP forwarding is disabled by default** on Raspbian so it’s extremely important to enable it for any of the `iptables` rules to work.

Enable IP forwarding in the Linux kernel by adding (or uncommenting) `net.ipv4.ip_forward = 1` in `/etc/sysctl.conf` to persist the setting between system restarts. Use `sudo sysctl -w net.ipv4.ip_forward=1` to enable IP forwarding immediately without having to reboot.

## 2. Configure Routing

We’re routing a WireGuard peer on a network interface `wg0` and an IP range of `10.200.200.0/24` to the IP address `192.168.88.1` in the local network available through the `wlan0` interface.

![Mikrotik router on a WireGuard network](https://kaspars.net/wp-content/uploads/2020/08/wireguard-peer-mikrotik-raspberrypi.png?strip=all&quality=90&resize=3206,1924)

Mikrotik router connected to a WireGuard network through a Raspberry Pi.

First, make requests incoming on the WireGuard network interface `wg0` appear as originating from the Raspberry Pi itself to the devices on the local network:

```
sudo iptables -t nat -A POSTROUTING -o wlan0 -s 10.200.200.0/24 -j MASQUERADE
```

Then forward ports:

- `80` for Mikrotik Webfig
- `5678` for Mikrotik Neighbor Discovery Protocol
- `8728` for RouterOS API
- `8291` for Mikrotik Winbox

to the Mikrotik router at IP address `192.168.88.1`:

```
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --match multiport --destination-ports 80,5678,8728,8291 -j DNAT --to-destination 192.168.88.1
```

or just a single port `80`:

```
sudo iptables -t nat -A PREROUTING -i wg0 -p tcp --destination-port 80 -j DNAT --to-destination 192.168.88.1
```

This could be adjusted to forward all traffic to the Mikrotik router but then you would need a separate WireGuard peer configuration for accessing the actual Raspberry Pi through the WireGuard network.

Now you should be able to access the Mikrotik router from any device on the same WireGuard network, including the phone app.

## Persist the Routing Configuration

Finally, you can persist these custom routes by configuring the WireGuard `PostUp` and `PostDown` directives in the `[Interface]` section of `wg0.conf`:

```
PostUp = iptables -t nat -A ...
PostDown = iptables -t nat -D ...
```

Notice the `-D` flag, which deletes the exact same rules again when the interface goes down, so the rules have to be spelled out identically in both directives.
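The following script is an added example (not the post author's own code) that ties sections 1 and 2 to the persistence step: it renders the two `nat` rules from this post as complete `PostUp`/`PostDown` lines for `wg0.conf`, and when run as root with `apply` it checks IP forwarding and installs the rules without stacking duplicates. Interface names, addresses and ports are the placeholders used in the post.

```shell
#!/bin/sh
# Added example for this post (not the post author's script). Renders the nat
# rules from sections 1-2 as PostUp/PostDown lines and can install them.
WG_IF="wg0"                    # WireGuard interface the peers arrive on
WG_NET="10.200.200.0/24"       # WireGuard address range
LAN_IF="wlan0"                 # interface facing the local network
ROUTER="192.168.88.1"          # Mikrotik router on the LAN
PORTS="80,5678,8728,8291"      # Webfig, MNDP, RouterOS API, Winbox

# Each rule without its action, so the same text serves -A, -D and -C.
masq_rule() { echo "POSTROUTING -o $LAN_IF -s $WG_NET -j MASQUERADE"; }
dnat_rule() {
    echo "PREROUTING -i $WG_IF -p tcp --match multiport --destination-ports $PORTS -j DNAT --to-destination $ROUTER"
}

# Full iptables command line for an action (-A append, -D delete) and a rule.
nat_cmd() { echo "iptables -t nat $1 $2"; }

# [Interface] directives: PostUp adds the rules, PostDown removes the identical ones.
render_wg_directives() {
    printf 'PostUp = %s; %s\n' "$(nat_cmd -A "$(masq_rule)")" "$(nat_cmd -A "$(dnat_rule)")"
    printf 'PostDown = %s; %s\n' "$(nat_cmd -D "$(masq_rule)")" "$(nat_cmd -D "$(dnat_rule)")"
}

# Section 1 preflight: without forwarding the DNAT'd packets are dropped.
ip_forward_enabled() { [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]; }

# Append a rule only if an identical one is not already present (-C checks
# for an exact match), so running PostUp twice does not duplicate rules.
ensure_rule() {
    # shellcheck disable=SC2086  # word-splitting of the rule text is intended
    iptables -t nat -C $1 2>/dev/null || iptables -t nat -A $1
}

case "${1:-}" in
    apply)
        ip_forward_enabled || { echo "net.ipv4.ip_forward is 0; enable it first" >&2; exit 1; }
        ensure_rule "$(masq_rule)" && ensure_rule "$(dnat_rule)" ;;
    *) render_wg_directives ;;   # default: print the wg0.conf lines
esac
```

Paste the two printed lines into the `[Interface]` section of `wg0.conf`, or run `sudo sh script.sh apply` on the Raspberry Pi to install the rules directly.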

## Debug Routing and Forwarding

Add temporary `LOG` rules to the `PREROUTING` and `POSTROUTING` chains of the `nat` table to log packets to `/var/log/kern.log`. Keep in mind that the `nat` table only sees the first packet of each connection, and that a rule appended with `-A` sits after the `DNAT` and `MASQUERADE` rules, so packets those rules already matched are not logged; insert the `LOG` rule with `-I` instead if you want to see packets before they are translated:

```
sudo iptables -t nat -A PREROUTING -j LOG
sudo iptables -t nat -A POSTROUTING -j LOG
```

And now you can view the logs:

```
sudo tail -f /var/log/kern.log
```