I wanted to create a VPN back to my home network which I could use on the road. The idea was that I could interact with resources on my home network, but also have a secure tunnel to use whenever I needed an untrusted WiFi hotspot in hotels, coffee shops etc.

I had previously implemented OpenVPN to do this, with the VPN server running on a small linux machine inside my home network. However, I wanted to move away from this setup for several reasons:

  • Remove the dependency on a separate linux machine and use my Mikrotik RB4011 router instead (MikroTik RouterOS version 7 added support for Wireguard)

  • Wireguard is positioned as being secure, lightweight and easy to configure. The Wireguard site lists the following key benefits:

    • Simple and easy to use
    • Cryptographically sound
    • Minimal Attack Surface
    • High Performance
    • Well Defined & Thoroughly Considered

A note on the use of “Client” and “Server”

In this post, I use the terms “Client” and “Server” to describe my MacBook Pro and the MikroTik router respectively. I do this because the use-case described in my introduction is a common one: connecting back “home” (to a server) when on the road, using a client application. However, Wireguard doesn’t really differentiate between clients and servers in the way that other VPNs (such as OpenVPN) do. Rather than having clients and servers, everything is just a peer, in the same way that a site-to-site VPN might be configured.

Because of this, a peer configuration is required for every device that needs to connect. In the following example, the Mikrotik would need to hold a peer configuration for every device that I wanted to be able to connect with. For example, as well as an entry for my MacBook Pro, entries for my iPhone and iPad would also be needed. However, the following instructions show the configuration of a single “Client”, the MacBook Pro.

Step 1 - Server (Mikrotik Router) Config

Create a wireguard interface on the MikroTik router

The Mikrotik needs a new interface for all Wireguard traffic. It can be created like this:

/interface/wireguard
add listen-port=13231 name=wg0 comment="wireguard interface"

Creating the wireguard interface autogenerates a public and private key which can be seen when viewing the interface details:

/interface/wireguard print
Flags: X - disabled; R - running
0  R name="wg0" mtu=1420 listen-port=13231 private-key="MIKROTIK-WIREGUARD-PRIVATE-KEY" public-key="MIKROTIK-WIREGUARD-PUBLIC-KEY"

Assign an IP address to the wireguard interface that you’ve just created:

The wireguard interface needs an IP address. You can select any RFC1918 range here that suits you, but choose one that doesn’t overlap with your home LAN or with the networks you expect to connect from, so that the tunnel address isn’t shadowed by a local route on the client.

/ip/address
add interface=wg0 comment="wireguard ip address" network=192.168.16.0 address=192.168.16.1/24

Step 2 - Client (MacBook) Config

The next step is to install wireguard on the client device. Go to the Wireguard installation page for more info. As already mentioned, the client in this example is a MacBook Pro and I downloaded wireguard from the app store.

Once wireguard is installed, run it and click the “+” icon in the bottom left corner of the window. Click “add empty tunnel” to bring up a new configuration and note the private and public keys which have been autogenerated. The public key is the one you will need to give to the Mikrotik in Step 3.

Add the remaining configuration:

[Interface]
PrivateKey = MACBOOK-WIREGUARD-PRIVATE-KEY
Address = 192.168.16.2/32
DNS = DNS_IP, search.domain

[Peer]
PublicKey = MIKROTIK-WIREGUARD-PUBLIC-KEY
AllowedIPs = 0.0.0.0/0
Endpoint = PUBLIC-IP:13231
PersistentKeepalive = 30

Give the connection a name and click save when complete. AllowedIPs = 0.0.0.0/0 sends all of the client’s traffic through the tunnel, which is what you want on an untrusted hotspot; use the home LAN range(s) instead if you only want a split tunnel. If there are any errors, the “Save” button will be greyed-out. Sometimes this can be caused by copy and pasting oddities and carriage returns.

Step 3 - Peer configuration on the Mikrotik

A wireguard ‘peer’ needs to be configured on the Mikrotik for each device that will connect:

/interface wireguard peers
add allowed-address=192.168.16.2/32 public-key="MACBOOK-WIREGUARD-PUBLIC-KEY" \
persistent-keepalive=30 comment="macbook pro" interface=wg0

The “allowed address” is the IP address which the peer (in this case, the MacBook Pro) will use inside the tunnel, and it is the only source address the Mikrotik will accept from that peer. The public-key is the one generated by the client application in Step 2, not the Mikrotik’s own key. The persistent-keepalive is only really needed on the side that sits behind NAT (the client), but it does no harm here.

Adding a Pre-Shared Key

A pre-shared key (PSK) can be configured on peers as an extra layer of security. It is a 32-byte symmetric key that is mixed into the handshake alongside the Curve25519 key exchange, so an attacker who could break the public-key cryptography would still need the PSK. A suitable key is simply 32 random bytes in base64, which can be generated on Linux or Mac using the following command in a terminal (wg genpsk does the same thing if wireguard-tools is installed):

openssl rand -base64 32

The resulting key should then be added to both peers (“Client” and “Server”), like this:

Configuring the Pre-Shared Key on the Mikrotik

When creating the entry for a peer, an extra parameter for the pre-shared key can be provided:

/interface wireguard peers
add allowed-address=192.168.16.2/32 public-key="MACBOOK-WIREGUARD-PUBLIC-KEY" \
persistent-keepalive=30 comment="macbook pro" interface=wg0 preshared-key="PRE-SHARED-KEY"

Alternatively, a pre-shared key can be added to an existing peer configuration like this (where 0 is the number of the peer to edit, as shown by /interface/wireguard/peers print):

/interface/wireguard/peers/edit 0 preshared-key

The Pre-Shared Key can then be added in the editor which opens and saved with ctrl+o

Configuring the Pre-Shared Key on the MacBook Pro

Add an extra parameter in the wireguard “Client” software under the “[Peer]” section, like this:

PresharedKey = PRE-SHARED-KEY
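Putting the server side together, here is the complete RouterOS 7 configuration for the setup above as an added example; it is not the configuration from the original post. It also covers two things the steps above leave out which bite on an RB4011 running the default firewall: the router must accept UDP on the listen port from the WAN (the default input chain drops anything not arriving from the LAN interface list), and wg0 must be in the LAN interface list if the client is to use the router itself for DNS. The interface list names WAN and LAN and the "defconf:" rule comment are those of the RouterOS default configuration and are assumptions here; the addresses, port and key placeholders match the post.

```routeros
# Added example: complete server-side (MikroTik) WireGuard configuration for the
# setup described above. Assumes RouterOS 7 with the default firewall, where the
# uplink and LAN ports are in interface lists named "WAN" and "LAN".

# 1. WireGuard interface. Omitting private-key makes RouterOS generate a keypair;
#    read the public key back with "/interface/wireguard print".
/interface/wireguard
add name=wg0 listen-port=13231 mtu=1420 comment="wireguard interface"

# 2. Tunnel address for the router end (192.168.16.0/24 is the tunnel subnet).
/ip/address
add interface=wg0 address=192.168.16.1/24 comment="wireguard ip address"

# 3. One peer entry per device. public-key is the CLIENT's public key, and
#    allowed-address is the only source address the router will accept from it.
#    The pre-shared key must be the same base64 value on both ends.
/interface/wireguard/peers
add interface=wg0 comment="macbook pro" \
    public-key="MACBOOK-WIREGUARD-PUBLIC-KEY" \
    allowed-address=192.168.16.2/32 \
    preshared-key="PRE-SHARED-KEY"

# Adding or rotating the PSK on a peer that already exists, without the editor:
/interface/wireguard/peers
set [find comment="macbook pro"] preshared-key="PRE-SHARED-KEY"

# 4. Firewall: the default "drop all not coming from LAN" input rule would drop
#    the handshake. Accept the listen port from the WAN and move the new rule
#    above the default drop rule (rules are evaluated top to bottom).
/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=13231 \
    in-interface-list=WAN comment="allow wireguard handshake"
move [find comment="allow wireguard handshake"] \
     [find comment="defconf: drop all not coming from LAN"]

# 5. Treat the tunnel as part of the LAN so the client can reach the router
#    itself (e.g. DNS at 192.168.16.1) and be forwarded to the home LAN.
#    The default masquerade rule (out-interface-list=WAN) already NATs the
#    client's 0.0.0.0/0 traffic out to the internet; check yours if you have
#    changed it.
/interface/list/member
add list=LAN interface=wg0

# 6. Check: after the client connects, a recent last-handshake and growing
#    rx/tx counters on the peer confirm the tunnel is up. If last-handshake
#    never appears, the WAN firewall rule or the key pairing is the usual cause.
/interface/wireguard/peers print detail
/interface/wireguard print
```

The order of the firewall rules matters: if the accept rule ends up below the default drop rule, the handshake packets are silently dropped and the client just shows no handshake, which looks identical to a wrong key or pre-shared key. Checking the peer’s last-handshake on the Mikrotik is the quickest way to tell which side is at fault.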