MikroTik WireGuard VPN: Complete Dual-Stack IPv4/IPv6 Configuration
Configure WireGuard VPN on MikroTik RouterOS with full IPv4/IPv6 dual-stack. Access your home network with native IPv6 from any connection.
WireGuard has revolutionized VPN technology with its simplicity, speed, and modern cryptography. Unlike traditional VPN protocols like OpenVPN or IPSec, WireGuard uses a minimal codebase (~4,000 lines vs 100,000+) and state-of-the-art cryptographic primitives as described in the WireGuard whitepaper, resulting in faster connections and lower latency.
This guide demonstrates how to configure a production-ready WireGuard VPN on MikroTik RouterOS with dual-stack IPv4/IPv6 support. The result? You can connect from any network—even those without IPv6—and enjoy full IPv6 connectivity through your home router.
What You'll Build
- A WireGuard VPN server on MikroTik RouterOS with full IPv4 + IPv6 dual-stack support
- IPv6 via ULA + NAT66: VPN clients get private ULA addresses translated to your ISP’s global prefix
- Firewall rules: Input, forward, NAT/masquerade, MSS clamping, and RAW table optimizations
- Multi-client support: Each device gets unique keys and a dedicated IP pair (IPv4 + IPv6)
- Full tunnel or split tunnel: Route all traffic through VPN, or only home network traffic
- Tested on RouterOS 7.x with RB5009, but applicable to any MikroTik router with WireGuard support
Why WireGuard on MikroTik?
| Feature | WireGuard | OpenVPN | IPSec/IKEv2 |
|---|---|---|---|
| Code complexity | ~4,000 lines | ~100,000 lines | ~400,000 lines |
| Connection time | 100ms | 3-10 seconds | 1-3 seconds |
| CPU overhead | Very low | High (userspace) | Medium |
| Cryptography | ChaCha20, Curve25519 | Configurable (varies) | AES, RSA/ECDH |
| Roaming support | Seamless | Reconnection needed | Limited (MOBIKE) |
Architecture overview
Our configuration creates a dual-stack VPN where connected clients receive both IPv4 and IPv6 addresses. Traffic from clients is NAT’d (masqueraded) to access the internet through your home connection. For detailed MikroTik WireGuard documentation, refer to the official wiki.
Network addressing scheme
| Component | IPv4 Address | IPv6 Address |
|---|---|---|
| WireGuard Interface (Router) | 192.168.100.1/24 | fd00:1111:2222:100::1/64 |
| VPN Client Range | 192.168.100.2-254 | fd00:1111:2222:100::2-ffff |
| Home LAN | 192.168.0.0/24 | ISP-assigned prefix |
Prerequisites
Step 1: create the WireGuard interface
First, we create the WireGuard interface on the MikroTik router. The router will generate a keypair automatically.
/interface wireguard add \
name=wg_devices \
mtu=1500 \
listen-port=53537 \
comment="VPN for Mobile Devices"Retrieve the server’s public key
After creating the interface, retrieve the public key to configure clients:
Save the public-key value—you’ll need it when configuring client devices.
Step 2: assign IP addresses to the interface
The WireGuard interface needs both IPv4 and IPv6 addresses to serve as the gateway for VPN clients.
# IPv4 address for WireGuard interface
/ip address add \
address=192.168.100.1/24 \
interface=wg_devices \
network=192.168.100.0 \
comment="VPN Devices Network"
# IPv6 ULA address for WireGuard interface
/ipv6 address add \
address=fd00:1111:2222:100::1/64 \
interface=wg_devices \
advertise=no \
comment="VPN Devices IPv6 ULA"Step 3: create IPv6 pool (optional)
If you want to manage IPv6 address allocation centrally, create a pool:
/ipv6 pool add \
name=wg_devices_pool_global \
prefix=fd00:1111:2222:100::/64 \
prefix-length=64 \
comment="WireGuard Devices Global IPv6 Pool"Step 4: add the interface to interface lists
MikroTik uses interface lists for firewall rules. Adding WireGuard to the appropriate lists ensures proper traffic handling.
# Add to VPN list for VPN-specific rules
/interface list member add \
interface=wg_devices \
list=VPN \
comment="VPN Devices"
# Add to LAN list to allow access to local resources
/interface list member add \
interface=wg_devices \
list=LAN \
comment="VPN Devices - LAN Access"Step 5: configure firewall rules
The firewall configuration is critical for security and connectivity. We need rules for:
- Accepting WireGuard traffic on the listening port
- Allowing VPN clients to access the internet
- Allowing VPN clients to access local networks
- NAT/Masquerade for outbound traffic
Input chain: accept WireGuard connections
# Allow WireGuard UDP port (IPv4)
/ip firewall filter add \
chain=input \
action=accept \
protocol=udp \
dst-port=53537 \
comment="WireGuard - Accept incoming connections"
# Allow WireGuard UDP port (IPv6)
/ipv6 firewall filter add \
chain=input \
action=accept \
protocol=udp \
port=53537 \
comment="Allow WireGuard"Forward chain: allow VPN traffic
# FastTrack for established WireGuard connections (performance)
/ip firewall filter add \
chain=forward \
action=fasttrack-connection \
connection-state=established,related \
src-address-list=WireGuard \
comment="FastTrack for WireGuard Networks"
# Allow VPN clients to internet
/ip firewall filter add \
chain=forward \
action=accept \
src-address=192.168.100.0/24 \
out-interface-list=WAN \
comment="Allow WireGuard Devices to Internet"
# Allow return traffic from internet to VPN
/ip firewall filter add \
chain=forward \
action=accept \
connection-state=established,related \
dst-address=192.168.100.0/24 \
in-interface-list=WAN \
comment="Allow Internet to WireGuard Devices (replies)"
# Allow VPN clients to Home LAN
/ip firewall filter add \
chain=forward \
action=accept \
src-address=192.168.100.0/24 \
dst-address=192.168.0.0/24 \
comment="Allow WireGuard Devices to Home LAN"# Allow VPN clients all outbound IPv6 traffic
/ipv6 firewall filter add \
chain=forward \
action=accept \
in-interface=wg_devices \
comment="WireGuard Devices: Allow all outbound"
# Allow return IPv6 traffic to VPN clients
/ipv6 firewall filter add \
chain=forward \
action=accept \
connection-state=established,related \
out-interface=wg_devices \
comment="WireGuard Devices: Allow replies"Create address list for WireGuard networks
/ip firewall address-list add \
list=WireGuard \
address=192.168.100.0/24 \
comment="WireGuard Devices Network"Step 6: configure NAT/Masquerade
For VPN clients to access the internet, their private addresses must be translated (NAT) to your public IP.
# IPv4 Masquerade for WireGuard
/ip firewall nat add \
chain=srcnat \
action=masquerade \
src-address=192.168.100.0/24 \
out-interface-list=WAN \
comment="WireGuard Devices - Internet Access"
# IPv6 NAT66 for WireGuard (ULA to Global)
/ipv6 firewall nat add \
chain=srcnat \
action=masquerade \
src-address=fd00:1111:2222:100::/64 \
out-interface-list=WAN \
comment="WireGuard Devices - IPv6 Internet Access"Step 7: configure MSS clamping
TCP Maximum Segment Size (MSS) clamping prevents fragmentation issues with VPN tunnels. The WireGuard overhead reduces the effective MTU, so we must adjust TCP MSS accordingly.
/ip firewall mangle add \
chain=forward \
action=change-mss \
protocol=tcp \
tcp-flags=syn \
tcp-mss=1349-65535 \
new-mss=1420 \
in-interface=wg_devices \
comment="WireGuard MSS clamping - Devices"Step 8: configure RAW table for performance
Skip flood protection for WireGuard traffic to ensure smooth connectivity:
# IPv4: Skip flood protection for WireGuard
/ip firewall raw add \
chain=prerouting \
action=accept \
protocol=udp \
dst-port=53537 \
comment="WireGuard - Skip flood protection"
# IPv6: Skip flood protection for WireGuard
/ipv6 firewall raw add \
chain=prerouting \
action=accept \
protocol=udp \
dst-port=53537 \
comment="WireGuard - Skip flood protection"Step 9: add WireGuard peers (clients)
Now we add client devices. Each client needs:
- Unique IP addresses: A dedicated IPv4 and IPv6 address within the WireGuard subnet
- Keypair: Private and public keys for authentication
- Preshared key: Optional but recommended additional encryption layer
Create a peer
Choose how to generate the cryptographic keys. The recommended approach lets RouterOS generate everything automatically, but you can also pre-generate keys on the client device.
Since RouterOS 7.x, the router can generate all cryptographic keys automatically. This is the simplest approach — the router creates the private key, computes the public key, and generates the preshared key in a single command.
Create the peer with auto-generated keys
/interface wireguard peers add \
interface=wg_devices \
name=wg_client1 \
private-key=auto \
preshared-key=auto \
allowed-address=192.168.100.2/32,fd00:1111:2222:100::2/128 \
persistent-keepalive=25s \
comment="Client 1 - Mobile"Set client configuration properties (optional)
These properties define the client-side configuration and enable the QR code feature in WinBox/WebFig:
/interface wireguard peers set wg_client1 \
client-address=192.168.100.2/32,fd00:1111:2222:100::2/128 \
client-dns=192.168.0.1,fd00:1111:2222:100::1 \
client-endpoint=your-domain.com:53537 \
client-allowed-address=0.0.0.0/0,::/0 \
client-keepalive=25Retrieve keys for manual client configuration
If you need to configure the client manually instead of scanning the QR code, retrieve the generated keys from the router:
# Client's private key → goes into client's [Interface] section
:put [/interface wireguard peers get [find name=wg_client1] private-key]
# Preshared key → goes into client's [Peer] section
:put [/interface wireguard peers get [find name=wg_client1] preshared-key]
# Server's public key → goes into client's [Peer] section
:put [/interface wireguard get [find name=wg_devices] public-key]Use these values to fill in the client configuration file in Step 10.
Generate keys on the client device first, then add the peer on the router using the client’s public key.
Generate keys on the client
Add peer on MikroTik
Use the client’s public key (not the private key) and the preshared key:
/interface wireguard peers add \
interface=wg_devices \
name=wg_client1 \
public-key="<CLIENT_PUBLIC_KEY>" \
preshared-key="<PRESHARED_KEY>" \
allowed-address=192.168.100.2/32,fd00:1111:2222:100::2/128 \
persistent-keepalive=25s \
comment="Client 1 - Mobile"The WireGuard Windows app generates keys automatically when creating a new tunnel.
- Download and install WireGuard for Windows
- Open the app and click Add Tunnel → Add empty tunnel
- The app generates a keypair — copy the Public Key shown at the top
- Generate a preshared key from the command line:
Add peer on MikroTik
/interface wireguard peers add \
interface=wg_devices \
name=wg_client1 \
public-key="<CLIENT_PUBLIC_KEY>" \
preshared-key="<PRESHARED_KEY>" \
allowed-address=192.168.100.2/32,fd00:1111:2222:100::2/128 \
persistent-keepalive=25s \
comment="Client 1 - Mobile"| Parameter | Value | Purpose |
|---|---|---|
private-key | auto / none | Auto-generates keypair on the router (recommended method) |
public-key | Client’s public key | Identifies and authenticates the client |
preshared-key | auto / shared secret | Additional symmetric encryption layer (post-quantum security) |
allowed-address | Client IP(s) | IPs the client can use; also acts as routing table |
persistent-keepalive | 25 seconds | Maintains NAT mappings, enables incoming connections |
Example: multiple peers
Each peer must have a unique keypair and unique IP addresses. Never reuse keys between devices.
# Client 1 - Mobile Device (e.g., iPhone)
/interface wireguard peers add \
interface=wg_devices \
name=wg_phone \
private-key=auto \
preshared-key=auto \
allowed-address=192.168.100.2/32,fd00:1111:2222:100::2/128 \
persistent-keepalive=25s \
comment="Phone - Mobile VPN"
# Client 2 - Laptop (e.g., MacBook)
/interface wireguard peers add \
interface=wg_devices \
name=wg_laptop \
private-key=auto \
preshared-key=auto \
allowed-address=192.168.100.3/32,fd00:1111:2222:100::3/128 \
persistent-keepalive=25s \
comment="Laptop - Mobile VPN"
# Client 3 - Remote Site (Site-to-Site VPN)
/interface wireguard peers add \
interface=wg_devices \
name=wg_remote_site \
private-key=auto \
preshared-key=auto \
allowed-address=192.168.100.10/32,fd00:1111:2222:100::a/128 \
persistent-keepalive=25s \
comment="Remote Site - Site-to-Site"Step 10: client configuration
Now configure the client device. If you used the RouterOS auto-keys method and set the client properties in Step 9, you can simply scan the QR code from WinBox/WebFig — no manual configuration needed.
For manual setup, the configuration file format is the same across all platforms, but the setup method varies.
Download the WireGuard app from the App Store or Google Play. You can either:
- Import a .conf file or scan a QR code
- Create manually in the app
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 192.168.100.2/32, fd00:1111:2222:100::2/128
DNS = 192.168.0.1, fd00:1111:2222:100::1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
Endpoint = your-domain.com:53537
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25Install WireGuard:
Create the configuration file:
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 192.168.100.2/32, fd00:1111:2222:100::2/128
DNS = 192.168.0.1, fd00:1111:2222:100::1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
Endpoint = your-domain.com:53537
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25Activate the tunnel:
- Download and install WireGuard for Windows
- Open the app and click Add Tunnel → Import tunnel(s) from file (if you have a
.conffile) or Add empty tunnel to paste the configuration - If creating from scratch, replace the configuration with:
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 192.168.100.2/32, fd00:1111:2222:100::2/128
DNS = 192.168.0.1, fd00:1111:2222:100::1
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PRESHARED_KEY>
Endpoint = your-domain.com:53537
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25- Click Save then Activate
Configuration options explained
| Parameter | Description |
|---|---|
Address | The IP addresses assigned to this client (both IPv4 and IPv6) |
DNS | DNS servers to use. Can be your router or any DNS server accessible via VPN |
Endpoint | Your router’s public IP or domain name with the WireGuard port |
AllowedIPs | 0.0.0.0/0, ::/0 routes ALL traffic through VPN. Use specific subnets for split-tunnel |
Split tunnel vs full tunnel
Full tunnel — all traffic goes through VPN:
- Hides your location from all websites
- Higher latency for general browsing
- Full IPv6 access through home connection
# Route ALL traffic through VPN
AllowedIPs = 0.0.0.0/0, ::/0Split tunnel — only traffic to specified networks uses VPN:
- Better performance for general internet use
- Home network access without routing everything
# Only route home network traffic through VPN
AllowedIPs = 192.168.0.0/24, 192.168.100.0/24, fd00:1111:2222::/48Step 11: verify the connection
After configuring both sides, test the connection.
On the client
On the MikroTik router
Test IPv6 connectivity
Complete configuration summary
Here’s the complete RouterOS configuration for reference. Values marked with # ← CUSTOMIZE must be replaced with your own.
wireguard-complete.rsc
# ═══════════════════════════════════════════════════════════════════════════════
# WIREGUARD VPN - COMPLETE DUAL-STACK CONFIGURATION
# ═══════════════════════════════════════════════════════════════════════════════
# MikroTik RouterOS 7.x
# IPv4 + IPv6 dual-stack with full internet access
# ═══════════════════════════════════════════════════════════════════════════════
# ───────────────────────────────────────────────────────────────────────────────
# INTERFACE CONFIGURATION
# ───────────────────────────────────────────────────────────────────────────────
/interface wireguard add \
name=wg_devices \
mtu=1500 \
listen-port=53537 \
comment="VPN for Mobile Devices" # ← CUSTOMIZE port
# ───────────────────────────────────────────────────────────────────────────────
# IP ADDRESS ASSIGNMENT
# ───────────────────────────────────────────────────────────────────────────────
/ip address add \
address=192.168.100.1/24 \
interface=wg_devices \
network=192.168.100.0 \
comment="VPN Devices Network" # ← CUSTOMIZE subnet
/ipv6 address add \
address=fd00:1111:2222:100::1/64 \
interface=wg_devices \
advertise=no \
comment="VPN Devices IPv6 ULA" # ← CUSTOMIZE ULA prefix
# ───────────────────────────────────────────────────────────────────────────────
# IPv6 POOL (Optional)
# ───────────────────────────────────────────────────────────────────────────────
/ipv6 pool add \
name=wg_devices_pool_global \
prefix=fd00:1111:2222:100::/64 \
prefix-length=64 \
comment="WireGuard Devices Global IPv6 Pool"
# ───────────────────────────────────────────────────────────────────────────────
# INTERFACE LISTS (create 'VPN' list if it doesn't exist)
# ───────────────────────────────────────────────────────────────────────────────
/interface list add name=VPN comment="VPN Interfaces" # only if list doesn't exist yet
/interface list member add interface=wg_devices list=VPN comment="VPN Devices"
/interface list member add interface=wg_devices list=LAN comment="VPN Devices - LAN Access"
# ───────────────────────────────────────────────────────────────────────────────
# ADDRESS LISTS
# ───────────────────────────────────────────────────────────────────────────────
/ip firewall address-list add \
list=WireGuard \
address=192.168.100.0/24 \
comment="WireGuard Devices Network"
# ───────────────────────────────────────────────────────────────────────────────
# FIREWALL - INPUT CHAIN
# ───────────────────────────────────────────────────────────────────────────────
/ip firewall filter add \
chain=input \
action=accept \
protocol=udp \
dst-port=53537 \
comment="WireGuard - Accept incoming connections" # ← CUSTOMIZE port
/ipv6 firewall filter add \
chain=input \
action=accept \
protocol=udp \
port=53537 \
comment="Allow WireGuard" # ← CUSTOMIZE port
# ───────────────────────────────────────────────────────────────────────────────
# FIREWALL - FORWARD CHAIN (IPv4)
# ───────────────────────────────────────────────────────────────────────────────
/ip firewall filter add \
chain=forward \
action=fasttrack-connection \
connection-state=established,related \
src-address-list=WireGuard \
comment="FastTrack for WireGuard Networks"
/ip firewall filter add \
chain=forward \
action=accept \
src-address=192.168.100.0/24 \
out-interface-list=WAN \
comment="Allow WireGuard Devices to Internet" # ← CUSTOMIZE subnet
/ip firewall filter add \
chain=forward \
action=accept \
connection-state=established,related \
dst-address=192.168.100.0/24 \
in-interface-list=WAN \
comment="Allow Internet to WireGuard Devices (replies)" # ← CUSTOMIZE subnet
/ip firewall filter add \
chain=forward \
action=accept \
src-address=192.168.100.0/24 \
dst-address=192.168.0.0/24 \
comment="Allow WireGuard Devices to Home LAN" # ← CUSTOMIZE subnets
# ───────────────────────────────────────────────────────────────────────────────
# FIREWALL - FORWARD CHAIN (IPv6)
# ───────────────────────────────────────────────────────────────────────────────
/ipv6 firewall filter add \
chain=forward \
action=accept \
in-interface=wg_devices \
comment="WireGuard Devices: Allow all outbound"
/ipv6 firewall filter add \
chain=forward \
action=accept \
connection-state=established,related \
out-interface=wg_devices \
comment="WireGuard Devices: Allow replies"
# ───────────────────────────────────────────────────────────────────────────────
# NAT / MASQUERADE
# ───────────────────────────────────────────────────────────────────────────────
/ip firewall nat add \
chain=srcnat \
action=masquerade \
src-address=192.168.100.0/24 \
out-interface-list=WAN \
comment="WireGuard Devices - Internet Access" # ← CUSTOMIZE subnet
/ipv6 firewall nat add \
chain=srcnat \
action=masquerade \
src-address=fd00:1111:2222:100::/64 \
out-interface-list=WAN \
comment="WireGuard Devices - IPv6 Internet Access" # ← CUSTOMIZE ULA prefix
# ───────────────────────────────────────────────────────────────────────────────
# MANGLE - MSS CLAMPING
# ───────────────────────────────────────────────────────────────────────────────
/ip firewall mangle add \
chain=forward \
action=change-mss \
protocol=tcp \
tcp-flags=syn \
tcp-mss=1349-65535 \
new-mss=1420 \
in-interface=wg_devices \
comment="WireGuard MSS clamping - Devices"
# ───────────────────────────────────────────────────────────────────────────────
# RAW TABLE - SKIP FLOOD PROTECTION
# ───────────────────────────────────────────────────────────────────────────────
/ip firewall raw add \
chain=prerouting \
action=accept \
protocol=udp \
dst-port=53537 \
comment="WireGuard - Skip flood protection"
/ipv6 firewall raw add \
chain=prerouting \
action=accept \
protocol=udp \
dst-port=53537 \
comment="WireGuard - Skip flood protection"
# ───────────────────────────────────────────────────────────────────────────────
# PEERS — Using auto-generated keys (recommended)
# Retrieve keys with: :put [/interface wireguard peers get [find name=X] private-key]
# ───────────────────────────────────────────────────────────────────────────────
/interface wireguard peers add \
interface=wg_devices \
name=wg_phone \
private-key=auto \
preshared-key=auto \
allowed-address=192.168.100.2/32,fd00:1111:2222:100::2/128 \ # ← CUSTOMIZE IPs
persistent-keepalive=25s \
comment="Phone - Mobile VPN" # ← CUSTOMIZE
/interface wireguard peers add \
interface=wg_devices \
name=wg_laptop \
private-key=auto \
preshared-key=auto \
allowed-address=192.168.100.3/32,fd00:1111:2222:100::3/128 \ # ← CUSTOMIZE IPs
persistent-keepalive=25s \
comment="Laptop - Mobile VPN" # ← CUSTOMIZETroubleshooting
Connection won’t establish
The most common issue. If last-handshake never appears on either side, the initial handshake isn’t completing.
Check the WireGuard interface is running — a disabled or stopped interface won’t accept connections:
/interface wireguard print
# Look for the "R" (running) flag. If you see "X" (disabled), enable it:
/interface wireguard enable wg_devicesVerify the UDP port is reachable — the firewall must accept incoming WireGuard packets. Check the input chain has an accept rule for your port:
# List input rules that match your WireGuard port
/ip firewall filter print where chain=input and dst-port~"53537"
# If empty, add the rule:
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53537 \
comment="WireGuard - Accept incoming connections" place-before=0Verify the peer’s public key matches — the most subtle error. The server must have the client’s public key, and the client must have the server’s public key. Any mismatch silently drops all packets:
# Show the server's public key (this goes into the client's [Peer] section)
:put [/interface wireguard get wg_devices public-key]
# Show the client's public key stored on this peer
:put [/interface wireguard peers get [find name=wg_client1] public-key]Check if the peer shows a handshake — if last-handshake shows a time, the tunnel is established even if traffic isn’t flowing:
/interface wireguard peers print detail where interface=wg_devices
# Look for: last-handshake=Xs (seconds since last handshake)
# If empty or very old, the tunnel is not establishedCan connect but no internet access
The tunnel is up (handshake succeeds) but the client can’t browse the web or reach external hosts.
Check NAT/masquerade rules — without masquerade, the VPN client’s private IP reaches the internet but return packets have nowhere to go:
# Check IPv4 masquerade
/ip firewall nat print where chain=srcnat and src-address~"192.168.100"
# Should show: action=masquerade out-interface-list=WAN
# Check IPv6 masquerade
/ipv6 firewall nat print where chain=srcnat and src-address~"fd00"Check forward chain rules — even with NAT, the firewall’s forward chain must allow VPN traffic toward the WAN:
/ip firewall filter print where chain=forward and src-address~"192.168.100"
# You need at least:
# accept src=192.168.100.0/24 out-interface-list=WAN
# accept connection-state=established,related dst=192.168.100.0/24 in-interface-list=WANTest DNS resolution — a common cause of “no internet” is that DNS queries fail. From the client, try reaching an IP directly to isolate the issue:
IPv6 not working
IPv4 works through the tunnel but IPv6 traffic doesn’t flow.
Verify the IPv6 address is assigned to the WireGuard interface:
/ipv6 address print where interface=wg_devices
# Should show your ULA address, e.g., fd00:1111:2222:100::1/64Check IPv6 NAT66 rule — unlike IPv4, the IPv6 masquerade is often forgotten:
/ipv6 firewall nat print where chain=srcnat
# Must include: action=masquerade src-address=fd00:1111:2222:100::/64 out-interface-list=WANCheck IPv6 forward rules — the IPv6 firewall is independent from IPv4. You need explicit forward rules:
/ipv6 firewall filter print where chain=forward and interface~"wg_devices"
# Need at minimum:
# accept in-interface=wg_devices (outbound)
# accept connection-state=established,related out-interface=wg_devices (return)Test from the client — run these commands while connected to the VPN:
Slow performance
WireGuard is extremely efficient, but several factors can limit throughput on MikroTik devices.
Enable FastTrack — this is the single largest performance improvement. FastTrack bypasses most firewall processing for established connections:
# Verify FastTrack rule exists and has packet counters increasing
/ip firewall filter print stats where action=fasttrack-connection and comment~"WireGuard"
# If missing:
/ip firewall filter add chain=forward action=fasttrack-connection \
connection-state=established,related src-address-list=WireGuard \
comment="FastTrack for WireGuard Networks"Check MSS clamping — symptoms of missing MSS clamping include: pages partially loading, HTTPS sites timing out, large file downloads failing while small requests work fine:
/ip firewall mangle print where action=change-mss and in-interface=wg_devices
# Should show: new-mss=1420 tcp-flags=syn tcp-mss=1349-65535Check MTU — if you experience packet loss or stalls, try reducing the WireGuard interface MTU:
# Check current MTU
/interface wireguard print proplist=name,mtu
# If set to 1500 and experiencing issues, try the default 1420:
/interface wireguard set wg_devices mtu=1420
# Then update MSS clamping to match:
# new-mss = MTU - 40 (IPv6 header) - 20 (TCP header) = 1360Monitor CPU load — WireGuard encryption is not hardware-offloaded on MikroTik. High CPU usage limits throughput:
/system resource print
# Look for cpu-load percentage. On RB5009 with a single client,
# WireGuard typically uses <5% CPU at 100+ Mbps.Useful diagnostic commands
A quick-reference for common RouterOS diagnostic commands related to WireGuard:
# Show all peers with connection status and traffic stats
/interface wireguard peers print detail
# Show only connected peers (those with a recent handshake)
/interface wireguard peers print where last-handshake<1m
# Monitor WireGuard traffic in real-time
/interface monitor-traffic wg_devices once
# Check interface packet counters
/interface print stats where name=wg_devices
# View firewall rule hit counters (useful to find rules that never match)
/ip firewall filter print stats where comment~"WireGuard"
# Check if the port is listening
/tool netwatch print where host=127.0.0.1 and port=53537Security best practices
- Always use preshared keys for post-quantum security
- Use unique keypairs for each device (never share private keys)
- Keep RouterOS updated for security patches
- Use a non-standard port to reduce scan exposure
- Consider automatic IP whitelisting for connected peers
- Monitor connection logs for unauthorized access attempts
Conclusion
You now have a fully functional WireGuard VPN with dual-stack IPv4/IPv6 support on your MikroTik router. This configuration provides:
- Secure remote access to your home network from anywhere
- Full IPv6 connectivity even from IPv4-only networks
- Fast, modern encryption with minimal overhead
- Seamless roaming between Wi-Fi and cellular networks
WireGuard’s simplicity makes it easy to maintain, and MikroTik’s implementation is robust enough for production use. Whether you’re accessing your NAS, home automation, or simply want to browse securely on public Wi-Fi, this setup has you covered.
Further Reading & Resources
