Does MikroTik support WireGuard?
Yes, on RouterOS 7. WireGuard was added in RouterOS 7.0 (December 2021) as a first-class interface type alongside the existing IPsec, OpenVPN, L2TP, SSTP, and EoIP options. Every MikroTik board that can run RouterOS 7 supports it — that's effectively all hAP, RB, and CCR hardware from the last five years.
RouterOS 6 does not support WireGuard and will not be back-ported; this is by far the single most-requested feature that nudged operators off RouterOS 6 onto 7. If your MikroTik is still on RouterOS 6, the upgrade is the prerequisite to everything in this guide. The path is in System → Packages → Check For Updates with the upgrade channel set to stable.
WireGuard on RouterOS is the kernel-level implementation (not a userspace wrapper). The same protocol as on Linux, FreeBSD, and the official Windows/Mac/iOS/Android clients — fully interoperable.
Why RouterOS 7 is the prerequisite
This is the one point where MikroTik's situation differs from OpenWrt, OPNsense, or pfSense: RouterOS 7 is a substantial rewrite of RouterOS 6, not just a feature addition. Some configuration patterns migrated cleanly (firewall rules, interface assignments), some changed (the routing daemon was reworked), and a few RouterOS 6 features were dropped (older WiFi drivers, some legacy queuing tree behaviour).
For WireGuard specifically, the implication is simple: RouterOS 7 is required, full stop. If you're running RouterOS 6 and don't want to upgrade, your options are (a) leave WireGuard on a separate device — a small x86 mini-PC running OpenWrt is the common workaround, or (b) upgrade to RouterOS 7 and confirm any RouterOS 6-only features you depended on still work. The MikroTik docs maintain a RouterOS 7 migration guide covering the gotchas.
Setup with the RouterOS CLI
The CLI is faster than Winbox for WireGuard configuration because every field is on one line. The four commands below produce a working tunnel:
# 1. Create the WireGuard interface (generates a keypair)
/interface/wireguard
add name=wg0 listen-port=51820 private-key=auto
# 2. Print the public key (capture for the remote peer)
/interface/wireguard/print
# 3. Assign the tunnel address
/ip/address
add address=10.100.0.2/16 interface=wg0
# 4. Open the firewall (place above the default drop rule)
/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=51820 \
comment="WireGuard handshake" place-before=0
# 5. Add the remote peer
/interface/wireguard/peers
add interface=wg0 \
public-key="REMOTE_PUBLIC_KEY" \
endpoint-address=peer.example.com \
endpoint-port=51820 \
allowed-address=10.100.0.0/16,192.168.20.0/24 \
persistent-keepalive=21sThat's the entire configuration. private-key=auto generates a key on the router — no need to paste one. place-before=0 on the firewall rule is the small detail that catches most operators: without it, the rule ends up after the default drop all not from connection-state=established and the tunnel never handshakes.
For automation across many routers, MikroTik's .rsc script format is just the same CLI commands in a file — drop the snippet above into tunnel-setup.rsc and run /import file-name=tunnel-setup.rsc on each board.
Setup with Winbox / WebFig
For operators who prefer the GUI, the same setup in Winbox lives in four places:
- Interfaces → + → WireGuard. Name the interface (
wg0), set Listen Port (51820). Save. The public key field auto-populates after save. - Interfaces → wg0 → Peers tab → Add. Paste the remote public key. Set Endpoint (host) and Endpoint Port if the remote has a stable public address. Set Allowed Addresses (comma-separated CIDRs). Set Persistent Keepalive to
00:00:21if behind NAT. - IP → Addresses → Add. Address:
10.100.0.2/16, Interface:wg0. - IP → Firewall → Filter Rules → Add. Chain:
input, Action:accept, Protocol:udp, Dst. Port:51820. Drag the new rule above the default drop rule.
The same configuration applies in WebFig (RouterOS's web admin); menu structure is identical to Winbox.
Site-to-site between two MikroTiks
For two-branch deployment, run the setup symmetrically. Conventional addressing:
| Field | HQ (Mumbai) | Branch (Pune) |
|---|---|---|
| Interface name | wg0 | wg0 |
| Tunnel address | 10.100.0.2/16 | 10.100.0.3/16 |
| Listen port | 51820 | 51820 |
| Peer public key | Branch's public key | HQ's public key |
| Peer endpoint-address | Branch's public IP | HQ's public IP |
| Peer allowed-address | 10.100.0.3/32, 192.168.20.0/24 | 10.100.0.2/32, 192.168.10.0/24 |
| Persistent keepalive | (set on whichever side is behind NAT) | 21s (if behind CGNAT) |
| Firewall input rule | Accept UDP 51820 | Accept UDP 51820 |
For routing LAN traffic across the tunnel, the kernel will automatically install routes for the allowed-address CIDRs — no manual /ip/route needed. If the side behind NAT has a dynamic public IP, omit endpoint-address on the static-IP side's peer record; the dynamic side dials out and the static side accepts the connection.
The firewall input-chain rule everyone forgets
The most common reason a freshly-configured MikroTik WireGuard tunnel never handshakes: the firewall input chain blocks UDP 51820 by default. RouterOS ships with a sensible default ruleset that drops everything not from connection-state=established,related. The WireGuard handshake is the new connection, so it gets dropped.
The fix is one line:
/ip/firewall/filter
add chain=input action=accept protocol=udp dst-port=51820 \
comment="WireGuard handshake" place-before=0The place-before=0 matters: it inserts the rule at the top of the list, above the default drop. Without that flag, the rule lands at the bottom (after the drop) and has no effect. After running, /ip/firewall/filter/print should show the new rule as rule 0.
If you have other VPNs running, also confirm the input chain accepts the listen-ports for those (IPsec uses UDP 500 / 4500, OpenVPN typically TCP/UDP 1194). MikroTik's default ruleset assumes you've added these explicitly.
Throughput per MikroTik board
WireGuard throughput on MikroTik is bound by the CPU's symmetric-crypto performance — none of the hardware acceleration that helps IPsec on MikroTik applies to WireGuard. The realistic numbers:
| Board | CPU | WireGuard single-tunnel |
|---|---|---|
| CCR2116-12G-4S+ | 16-core ARM A72 @ 2.0 GHz | 5+ Gbps (line rate on 10G) |
| CCR2004-16G-2S+ | 4-core ARM A72 @ 1.7 GHz | ~2.5 Gbps |
| RB5009UG+S+IN | 4-core ARM Cortex-A72 @ 1.4 GHz | ~1.5 Gbps |
| hAP ax² (C53UiG+5HPaxD2HPaxD) | 4-core ARM A53 @ 1.4 GHz | ~700 Mbps |
| hAP ac² (RBD52G-5HacD2HnD) | 4-core ARM A7 @ 716 MHz | ~300 Mbps |
| RB750Gr3 (hEX) | 2-core MIPS @ 880 MHz | ~150 Mbps |
| CHR (x86 VM) | Depends on host CPU | 1 Gbps+ per allocated core |
For most Indian SMB branch deployments the local internet uplink (50–300 Mbps) is the binding constraint on anything from hAP ax² upwards. The exception worth noting: on the older hAP ac² and RB750Gr3, a 1 Gbps fibre uplink will saturate the WireGuard CPU before the link, so plan an RB5009 or better if your fibre is fast.
From two routers to ten branches
MikroTik WireGuard handles two-site tunnels cleanly. The shape changes when the operator needs more:
- Five sites in a full mesh = ten peer relationships. Each must be configured on both ends, so twenty entries to manage. Ten sites = forty-five relationships, ninety entries.
- Key rotation. WireGuard hygiene rotates keys periodically. With ten MikroTiks in a mesh, rotating one router's key means editing the peer entry on every other router — manually, by SSH or Winbox, on each board.
- Per-peer access policy. WireGuard's
allowed-addresscovers route+encryption but not L4 access policy. Restricting "branch A can talk to branch B but not branch C" means firewall rules per board. - Branches behind CGNAT. Two MikroTiks both behind CGNAT (common on cellular failover or rural fibre) can't directly handshake. They need an intermediary listener; MikroTik doesn't ship a relay layer, so you'd run one on a cloud VM with the operational cost that implies.
- Cross-router visibility.
/interface/wireguard/peers/print statsshows one router's view. Ten branches means ten SSH sessions or ten Winbox tabs.
How MeshWG fits with MikroTik
MeshWG layers above the RouterOS-native WireGuard. Your MikroTik keeps using its kernel WireGuard module exactly as it does today; MeshWG provides the orchestration:
- Generated RouterOS scripts. For each MikroTik you add, MeshWG produces a paste-ready
.rscscript with every peer pre-populated. New branch joins the mesh, MeshWG regenerates everyone'sallowed-addressso you don't visit each router. - Central policy. Allow / deny rules between any two devices are configured once in the dashboard. The rules apply before traffic reaches the destination — no per-router firewall edits across ten boards.
- Relay layer for double-NAT. Two MikroTiks both behind CGNAT use a MeshWG relay automatically; no extra configuration.
- Single dashboard. Every router's last handshake, transferred bytes, and live state in one view. Replaces SSH-ing into each board.
- Honest billing. First two routers free forever. After that, ₹349/router/month annual or ₹499/router/month monthly in INR via Razorpay.
The MikroTik + MeshWG combination is what most ISP-class and MSP buyers actually want: keep the RouterOS expertise, keep the existing hardware investment, add a mesh layer on top that handles the parts that don't scale.
Frequently asked questions
Does MikroTik support WireGuard?
Yes, on RouterOS 7. WireGuard was added in RouterOS 7.0 (December 2021) as a first-class interface type alongside the existing VPN options. RouterOS 6 does not and will not support WireGuard — it is the single most-requested feature that prompted many operators to migrate to RouterOS 7. All MikroTik hardware that runs RouterOS 7 (most hAP, RB, and CCR boards from the last 5+ years) supports WireGuard.
How do I configure WireGuard on MikroTik?
Three commands in the CLI: (1) /interface/wireguard add name=wg0 listen-port=51820 private-key=auto creates the interface and generates a keypair. (2) /ip/address add address=10.100.0.2/16 interface=wg0 assigns the tunnel address. (3) /interface/wireguard/peers add interface=wg0 public-key="PEER_PUBKEY" endpoint-address=peer.example.com endpoint-port=51820 allowed-address=10.100.0.0/16 persistent-keepalive=21s adds the remote peer. Finally /ip/firewall/filter add chain=input action=accept protocol=udp dst-port=51820 place-before=0 opens the firewall.
Where is WireGuard in Winbox?
Under the Interfaces menu. Click Add (the + icon), select WireGuard. The same fields exist in both Winbox and the terminal CLI; Winbox is just a GUI wrapper around the same RouterOS configuration. For peer management, navigate to Interfaces → WireGuard → double-click the wg0 interface → Peers tab → Add.
What throughput can a MikroTik router achieve over WireGuard?
Throughput is bound by the CPU's symmetric-crypto performance. On a CCR2004-16G-2S+ (the common SMB rackmount choice), expect ~2.5 Gbps single-tunnel WireGuard. On a CCR2116 (12-core ARM), expect 5+ Gbps. On an RB5009 (ARM 4-core), ~1.5 Gbps. On the popular hAP ax² (Wi-Fi 6 SOHO router), ~700 Mbps. On older hAP ac² or RB750Gr3, 300-500 Mbps. MikroTik's hardware-accelerated IPsec does not apply to WireGuard — encryption is unaccelerated software, but WireGuard is fast enough on these chipsets that you usually saturate the internet uplink before the router.
Why doesn't my MikroTik WireGuard tunnel connect?
Four most-common causes. (1) The firewall input chain is blocking UDP on the listen-port — add /ip/firewall/filter add chain=input action=accept protocol=udp dst-port=51820 place-before=0 (the place-before=0 puts it ahead of the default reject rule). (2) Allowed-address on the peer doesn't include the destination subnet you're trying to reach. (3) The remote endpoint is unreachable — verify with /tool/ping from RouterOS itself. (4) The persistent-keepalive is missing on the side behind NAT, so the UDP state in the upstream NAT table expires after 30 seconds and the tunnel falls silent until the next outbound packet.
Can MikroTik WireGuard run a mesh of more than two sites?
Yes mechanically — each MikroTik router can hold many peers in /interface/wireguard/peers, and any topology is possible. The configuration burden grows quadratically with sites in a full mesh (5 sites = 10 peer relationships, 10 sites = 45). For more than three sites the practical patterns are hub-and-spoke (every branch peers only with a central router) or a managed mesh layer that generates and synchronises the per-router peer lists. Both keep individual router config small.
Next steps
Try the generated RouterOS script on your own MikroTik with the free tier — two routers, no card required, indefinite.