NETWORK TECHNOLOGY

WireGuard site-to-site: connect your office and branch in 10 minutes

WireGuard site-to-site for MikroTik – a quick and secure way to connect your office and branch in just 10 minutes. Full configuration: keys, peers, AllowedIPs,…

Quick help: We set up WireGuard site-to-site (MikroTik v7/v6) remotely (AnyDesk/SSH) in 30–40 min.

WireGuard site-to-site for MikroTik – complete guide

Step-by-step for RouterOS v7 and v6 + firewall/NAT, DDNS/port-forward, troubleshooting and common pitfalls.

⚠ This guide targets system administrators and advanced users. We’ll connect office ↔ branch over WireGuard with correct AllowedIPs, keepalive, MTU, and firewall/NAT rules.

WireGuard site-to-site – diagram office ↔ branch over the internet (MikroTik RouterOS)

WireGuard site-to-site is a fast, stable and secure tunnel between locations with minimal configuration. Works with static or dynamic IP (DDNS), as well as behind NAT (port-forward/initiated connection).

1) Address plan

2) Keys (A and B)

/interface wireguard key generate

3) Router A (office) – configuration

Interface + address:

/interface wireguard
add name=wg-office listen-port=51820 private-key="A_PRIVATE_KEY"
/ip address
add address=10.10.10.1/24 interface=wg-office

Peer to B:

/interface wireguard peers
add interface=wg-office public-key="B_PUBLIC_KEY" \
    allowed-address=10.10.10.2/32,192.168.2.0/24 \
    endpoint-address=<B_PUBLIC_IP_or_DDNS> endpoint-port=51820 \
    persistent-keepalive=25

If B sits behind NAT without a port-forward, leave endpoint-address/endpoint-port off on A: B initiates the tunnel and its persistent-keepalive keeps the NAT mapping open.

4) Router B (branch) – configuration

Interface + address:

/interface wireguard
add name=wg-branch listen-port=51820 private-key="B_PRIVATE_KEY"
/ip address
add address=10.10.10.2/24 interface=wg-branch

Peer to A:

/interface wireguard peers
add interface=wg-branch public-key="A_PUBLIC_KEY" \
    allowed-address=10.10.10.1/32,192.168.1.0/24 \
    endpoint-address=<A_PUBLIC_IP_or_DDNS> endpoint-port=51820 \
    persistent-keepalive=25

5) Firewall / NAT / ports

Allow inbound UDP 51820 to the router (chain: input):

/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"

Optional: NAT (only for overlapping networks or specific policies):

/ip firewall nat add chain=srcnat out-interface=wg-office action=masquerade comment="WG NAT (optional)"
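As an added helper (not the page's own code and not a MikroTik tool), this Python script builds both routers' RouterOS v7 command sets from one address plan and checks the plan for the pitfalls the guide warns about (overlapping LANs, wrong AllowedIPs). It assumes both sites share the tunnel network, treats B as behind NAT (so A's peer gets no endpoint), and also emits the static route to the remote LAN, which RouterOS needs alongside allowed-address; key and endpoint values are placeholders.

```python
import ipaddress


def check_plan(a: dict, b: dict) -> list[str]:
    """Validate the address plan for a two-site tunnel (both sides share tunnel_net).
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    tunnel = ipaddress.ip_network(a["tunnel_net"])
    lans = [ipaddress.ip_network(s["lan"]) for s in (a, b)]
    if lans[0].overlaps(lans[1]):
        problems.append("LAN subnets overlap: renumber one site or use the optional srcnat masquerade")
    for s, lan in zip((a, b), lans):
        ip = ipaddress.ip_address(s["tunnel_ip"])
        if ip not in tunnel:
            problems.append(f"tunnel IP {ip} is outside tunnel network {tunnel}")
        if tunnel.overlaps(lan):
            problems.append(f"tunnel network {tunnel} overlaps LAN {lan}")
    if a["tunnel_ip"] == b["tunnel_ip"]:
        problems.append("both sides use the same tunnel IP")
    return problems


def router_commands(local: dict, remote: dict, iface: str, port: int = 51820, keepalive: int = 25) -> list[str]:
    """RouterOS v7 commands for one side: interface, tunnel address, peer, input rule and the
    static route to the remote LAN (RouterOS does not derive routes from allowed-address)."""
    prefix = ipaddress.ip_network(local["tunnel_net"]).prefixlen
    # allowed-address is cryptokey routing: only the peer's tunnel /32 and its LAN, nothing wider
    allowed = f"{remote['tunnel_ip']}/32,{remote['lan']}"
    peer = (f"/interface wireguard peers add interface={iface} public-key=\"{remote['pubkey']}\" "
            f"allowed-address={allowed} persistent-keepalive={keepalive}")
    if remote.get("endpoint"):  # no endpoint when the remote is behind NAT and must initiate
        peer += f" endpoint-address={remote['endpoint']} endpoint-port={port}"
    return [
        f"/interface wireguard add name={iface} listen-port={port} private-key=\"{local['privkey']}\"",
        f"/ip address add address={local['tunnel_ip']}/{prefix} interface={iface}",
        peer,
        f"/ip firewall filter add chain=input protocol=udp dst-port={port} action=accept comment=\"Allow WireGuard\"",
        f"/ip route add dst-address={remote['lan']} gateway={iface}",
    ]


# Constructed sample plan matching the guide; key and endpoint values are placeholders.
OFFICE = {"lan": "192.168.1.0/24", "tunnel_ip": "10.10.10.1", "tunnel_net": "10.10.10.0/24",
          "privkey": "A_PRIVATE_KEY", "pubkey": "A_PUBLIC_KEY", "endpoint": "A_PUBLIC_IP_or_DDNS"}
BRANCH = {"lan": "192.168.2.0/24", "tunnel_ip": "10.10.10.2", "tunnel_net": "10.10.10.0/24",
          "privkey": "B_PRIVATE_KEY", "pubkey": "B_PUBLIC_KEY", "endpoint": ""}  # behind NAT: B initiates

if __name__ == "__main__":
    print("problems:", check_plan(OFFICE, BRANCH) or "none")
    for local, remote, iface in ((OFFICE, BRANCH, "wg-office"), (BRANCH, OFFICE, "wg-branch")):
        print(f"# {iface}\n" + "\n".join(router_commands(local, remote, iface)))
```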

6) Checks and diagnostics

Ping over the tunnel (A → B):

/ping 10.10.10.2

Ping to remote LAN (A → LAN(B)):

/ping 192.168.2.1

Peer status (check last-handshake, rx/tx):

/interface wireguard peers print detail

(Optional) Find fasttrack rule:

/ip firewall filter print where action=fasttrack-connection

(Optional) Temporarily disable/enable fasttrack for testing (replace X with the real number):

/ip firewall filter disable X
/ip firewall filter enable X

7) FAQ


Need help with the setup?

  • Full configuration and testing of site-to-site tunnels
  • Integration with MikroTik Firewall, CAPsMAN and QoS
  • Monitoring, dual-WAN failover and automatic reconnect

Write to office@ntg.bg or request a consultation.

Tip: group your rules (WG input, WG peers, WG NAT), add clear comments, and keep their order above general rules.
