How to Set Up a VPN on Mikrotik Routers
Why Mikrotik for VPN?
Mikrotik RouterOS is a favourite among network engineers for its flexibility, low cost, and rich feature set. Mikrotik devices support multiple VPN protocols out of the box — including WireGuard (RouterOS 7 and later), L2TP/IPsec, PPTP, SSTP, and OpenVPN — making them suitable for everything from small offices to large multi-site deployments. PPTP is listed for completeness only: its MS-CHAPv2 authentication is broken and it should not be used for anything that needs confidentiality. The following guide focuses on WireGuard, the modern choice for new deployments thanks to its lean codebase, strong cryptography (Curve25519 key exchange, ChaCha20-Poly1305 encryption), and better performance than the older protocols.
Generating Keys and Creating the WireGuard Interface
Log in to the router via Winbox or SSH. Navigate to WireGuard and click Add to create a new interface. RouterOS will automatically generate a private key and derive the corresponding public key — note down the public key, as you will need it on client devices; the private key never needs to leave the router. Set the Listen Port (RouterOS defaults to 13231; this guide uses 51820, the conventional WireGuard port, and the firewall rule added later must match whichever value you choose) and give the interface a descriptive name such as wg-vpn. Apply the configuration. Next, assign an IP address to the interface under IP → Addresses — for example 10.10.0.1/24 — so that VPN clients have a routable subnet to communicate over.
Adding Peers and Firewall Rules
For each client that will connect, add a peer entry under the WireGuard interface. Paste in the client's public key and set the Allowed Address to the client's tunnel IP (e.g. 10.10.0.2/32). WireGuard uses this field as an access list as well as a route: packets arriving from that peer with any other source address are silently dropped, so a typo here produces a tunnel that handshakes but carries no traffic. A persistent keepalive of 25 seconds keeps NAT mappings alive, but it only helps when sent by the side behind the NAT, which is normally the client; set it in the client configuration, and on the router's peer entry only if the router itself sits behind NAT or CGNAT. On the firewall side, add an input rule to accept UDP traffic on port 51820 from the WAN interface list and place it above the default rule that drops everything not coming from LAN, and ensure that forwarding rules allow traffic between the WireGuard subnet and your LAN subnet. IP forwarding is enabled by default in RouterOS (IP → Settings → IP Forward), so if clients can reach the router but not LAN hosts, check the forward filter rules and the peer's Allowed Address before anything else.
Configuring the Client and Testing Connectivity
On the client device, install a WireGuard client application and create a new tunnel configuration. Set the client's private key, assign the tunnel IP address (10.10.0.2/32), and add a peer pointing to the router's public IP and port 51820 with the router's public key. Set Allowed IPs to 0.0.0.0/0 to route all traffic through the VPN (the router must then NAT the tunnel subnet out to the internet; the default configuration's masquerade rule on the WAN interface list already covers this), or list the tunnel subnet together with the LAN subnet (e.g. 10.10.0.0/24, 192.168.1.0/24) for split-tunnel mode. The tunnel subnet must be included in split-tunnel mode; without it the client has no route to the router's tunnel address and the ping test below fails even though the tunnel is up. Once the tunnel activates, ping the router's tunnel address (10.10.0.1) to confirm connectivity, then try accessing a LAN host by IP. If the peer entry on the router never shows a last-handshake time, the UDP packets are not arriving (wrong endpoint, port, key or firewall rule); a handshake with no traffic points to Allowed IPs or routing. Use Mikrotik's built-in Tools → Ping and Torch to diagnose packet flow.
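The procedure above, carried through end to end as an added example (this is not code from the page or from Mikrotik): it derives a WireGuard public key from a private key the way the client application and RouterOS do (X25519 per RFC 7748, written out in plain Python for illustration and not constant-time), prints the RouterOS 7 CLI lines for the interface, address, firewall rule and peer, renders the client's tunnel file, and checks the two sides' Allowed IPs against each other so the "handshakes but no traffic" and "split tunnel can't ping 10.10.0.1" mistakes are caught before the tunnel is brought up. The interface name wg-vpn, the subnets 10.10.0.0/24 and 192.168.1.0/24 and the endpoint 203.0.113.10 are assumptions taken from or added to the text.

```python
"""WireGuard client onboarding for a RouterOS peer: keys, router commands,
client tunnel file, and a cryptokey-routing consistency check.
Added example; wg-vpn, 10.10.0.0/24, 192.168.1.0/24 and 203.0.113.10 are assumed."""
import base64
import ipaddress
import os

P = 2**255 - 19      # Curve25519 field prime
A24 = 121665         # (486662 - 2) / 4, ladder constant from RFC 7748


def _clamp(k: bytes) -> int:
    # RFC 7748 section 5: clear bits 0-2 and 255, set bit 254, read little-endian.
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: int = 9) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (illustrative, not constant-time).
    With u = 9 (the base point) this turns a private key into the public key,
    which is what RouterOS does for you when the interface is created."""
    k = _clamp(scalar)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_b64: str) -> str:
    """Base64 public key for a base64 private key, the form wg and RouterOS display."""
    return base64.b64encode(x25519(base64.b64decode(private_b64))).decode()


def generate_keypair() -> tuple[str, str]:
    priv_b64 = base64.b64encode(os.urandom(32)).decode()   # any 32 random bytes
    return priv_b64, public_key(priv_b64)


def routeros_commands(client_pub: str, client_ip: str, comment: str,
                      iface: str = "wg-vpn", port: int = 51820) -> list[str]:
    """RouterOS 7 CLI lines for the router side of the procedure (assumed names)."""
    return [
        f"/interface/wireguard/add name={iface} listen-port={port}",
        f"/ip/address/add address=10.10.0.1/24 interface={iface}",
        # place-before=0 puts the accept above the default drop-from-WAN input rule
        f"/ip/firewall/filter/add chain=input action=accept protocol=udp dst-port={port} "
        f"in-interface-list=WAN comment=wireguard place-before=0",
        f'/interface/wireguard/peers/add interface={iface} public-key="{client_pub}" '
        f"allowed-address={client_ip}/32 comment={comment}",
    ]


def client_config(client_priv: str, client_ip: str, router_pub: str,
                  endpoint: str, allowed_ips: list[str]) -> str:
    """Tunnel file for the client application; the client is the side behind NAT,
    so the keepalive belongs here rather than on the router's peer entry."""
    return "\n".join([
        "[Interface]", f"PrivateKey = {client_priv}", f"Address = {client_ip}/32", "",
        "[Peer]", f"PublicKey = {router_pub}", f"Endpoint = {endpoint}",
        f"AllowedIPs = {', '.join(allowed_ips)}", "PersistentKeepalive = 25",
    ])


def check_cryptokey_routing(client_ip: str, router_allowed: str,
                            client_allowed_ips: list[str],
                            router_tunnel_ip: str = "10.10.0.1") -> list[str]:
    """Mistakes that let the handshake succeed while no traffic flows."""
    problems = []
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(router_allowed):
        problems.append(f"router allowed-address {router_allowed} does not cover "
                        f"client address {client_ip}: router drops the client's packets")
    if not any(ipaddress.ip_address(router_tunnel_ip) in ipaddress.ip_network(n)
               for n in client_allowed_ips):
        problems.append(f"client AllowedIPs {client_allowed_ips} omit {router_tunnel_ip}: "
                        "add the tunnel subnet or the ping test fails")
    return problems


if __name__ == "__main__":
    router_priv, router_pub = generate_keypair()   # RouterOS generates these itself
    client_priv, client_pub = generate_keypair()
    print("\n".join(routeros_commands(client_pub, "10.10.0.2", "laptop")), end="\n\n")
    print(client_config(client_priv, "10.10.0.2", router_pub, "203.0.113.10:51820",
                        ["10.10.0.0/24", "192.168.1.0/24"]), end="\n\n")
    print(check_cryptokey_routing("10.10.0.2", "10.10.0.2/32", ["192.168.1.0/24"]))
```

The last print shows the split-tunnel mistake from the text: a client whose Allowed IPs list only the LAN subnet gets a handshake but cannot reach 10.10.0.1. Real deployments should generate keys with the client application or wg, which use constant-time library code; the ladder here exists only to show that the public key is a deterministic function of the private key.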