Site icon System Zone

WireGuard Site to Site VPN Between MikroTik RouterOS 7

WireGuard is a free, open source, secure and high-speed modern VPN solution. WireGuard is extremely easy to implement but utilizes state-of-the-art cryptography. WireGuard can be used as either Client-Server VPN technology or Site to Site VPN technology.

From the RouterOS 7, MikroTik introduces WireGuard VPN as their native package. So, who are using RouterOS 7 can use WireGuard VPN and can implement both client-server and site to site VPN with WireGuard free VPN server.

In my previous article, I discussed how to configure client-server free VPN server with WireGuard and how to connect windows client with WireGuard VPN. In this article, I am going to show how to setup a site-to-site WireGuard VPN between two MikroTik RouterOS 7.

Site to Site WireGuard VPN Network Diagram

In this article, we are going to implement a site-to-site VPN like the following image where two offices are connected over WireGuard site to site VPN service.

Site to Site Wiregurard VPN

Note: in the above diagram, we are using private IP addresses in public interface for demo purpose. In live network, you should replace these IP Addresses with your public IP Addresses.

Site to Site WireGuard VPN Configuration in RouterOS 7

According to the above network diagram, we will now configure site to site WireGuard VPN in MikroTik RouterOS. But before going to start WireGuard VPN, you should have RouterOS 7 basic configuration which includes WAN, LAN, DNS, Gateway and Masquerade setup.

If you are new in MikroTik RouterOS, feel free to study another article about how to configure MikroTik RouterOS 7 first time and complete WAN, LAN, DNS and other Setup and then follow our WireGuard configuration steps.

If you have existing network and RouterOS 7 is running there, don’t forget to replace my demo IP information according to your existing one. You just follow my steps keeping your existing IP information.

We will now do configurations those are required for WireGuard configuration. For WireGuard configuration we need to do enabling WireGuard, Creating Peers, assigning IP address in WireGuard virtual interface and doing routing over virtual interface to communicate among LAN devices.

Enabling WireGuard in MikroTik RouterOS  

WireGuard package is installed by default in MikroTik RouterOS 7. So, you will get a WireGuard menu item in Winbox by default. To enable WireGuard in R1 Router, do the following steps.

Similarly, enable WireGuard in R2 Router of Office 2 Router and create a new WireGuard interface. Your configurations will look like the following image.

Enabling WireGuard in RouterOS 7

Assigning IP Address on WireGuard Virtual Interface

After enabling WireGuard in RouterOS 7, a new virtual interface will be created in each Router. We will now assign IP address in each WireGuard interface so that both interfaces can communicate with each other after establishing WireGuard tunnel.

To assign IP address on WireGuard virtual interface in R1 Router, issue the following steps.

Similarly, add the second IP address on the WireGuard virtual interface of R2 Router at office 2. According to the above diagram, the second router’s IP will be 10.10.10.2/30.

Creating WireGuard Peers Between Two RouterOS

After assigning IP addresses on WireGuard virtual interface, we will now configure peers in both Routers. To create peers in R1 Router of office1, issue the following steps.

Peer Configuration R1 Router

Similarly, create peer in R2 Router and information accordingly. Be careful to put Public Key, Endpoint and Endpoint Port of R1 Router. Also be careful to put IP block of R2 Router’s LAN block. The configuration should be like the following image.

Peer Configuration in R2 Router

Static Routing Configuration Between RouterOS

At the last step of site-to-site WireGuard VPN configuration, we will configure static routing between R1 and R2 Router so that R1 Router’s LAN can access R2 Router’s LAN and vice versa.

To configure static routing in R1 Router, do the following steps.

Static Routing Configuration in R1 Router

Similarly, configure static routing in R2 Router and put the LAN IP block (in this article: 192.168.25.0/24) of R1 Router and WireGuard interface IP address (10.10.10.1) of R1 Router.

How to configure site to site WireGuard VPN between two RouterOS has been discussed in this article. I hope, you will now be able to configure site to site WireGuard VPN in MikroTik RouterOS. However, if you face any issue to configure site to site WireGuard VPN in MikroTik RouterOS, feel free to discuss in comment or contact me from Contact page. I will try my best to stay with you.

Exit mobile version