Mikrotik Wireguard
I have a requirement to have a separate Wireless network that will by default route all traffic over Wireguard. I will be using Surfshark VPN.
Step 1: Get a key pair from Surfshark for the Wireguard config
Log onto Surfshark, click on VPN, then Router, then Wireguard, then “I don’t have a key pair”. A key pair will be generated. You will get a private key and a public key. Save the private key as you won’t be able to retrieve it later.

You will then be asked to choose a location where you want to connect to, and then Surfshark will provide you with that location’s details. This will be our wireguard peer in Mikrotik, so save it for later use. So basically, our Mikrotik Wireguard setup will exit on this server.

Step 2: Mikrotik Wireguard Interface setup
Log on to your Mikrotik router and add a new Wireguard instance. Give it a name and then add the private and public key from the keypair that you generated.

Still in Wireguard, click on Peers and add the details of the peer (the location you selected in step 1). Give it a name, select the Wireguard Interface you just created, and enter the public key of the location and its endpoint name.
If all goes well, you should see an IP in the “Current Endpoint Address”.

You will also see the Wireguard interface under your interface list.

Under IP -> Addresses we will see that our Wireguard interface received a new IP address.

Step 3: Add a new WiFi interface
I want this WiFi interface to exist over the new Mikrotik Wireguard Interface.
Give your new WiFi a name, select your existing WiFi as Master, add an SSID, and set its security and passphrase.


Step 4: Add a new bridge
This one is straightforward. Just go to Bridge and add a new bridge. Make sure fast forward is enabled.

Now assign that new WiFi interface to your new Bridge under the Bridge -> Ports menu.

Step 5: Add a new DHCP Server
Under IP -> Pool, add a new DHCP Pool. You can add a pool that is completely out of the way of your existing DHCP.

Next, under IP -> DHCP add a new DHCP Server. Select your newly created pool and assign it to your newly created bridge.

If we have a look at IP -> Addresses, we will see an IP address was assigned to our Bridge.

Step 6: Routing
Under Routing -> Table add a new Routing Table.

Under Routing -> Rules add a new routing rule. This IP range is the new range of the new DHCP server you just added.

Step 7: Firewall
We will add 3 rules.
Rule 1: Source NAT -> Masquerade
Under IP -> Firewall -> NAT add a new srcnat rule on the IP range you just added to your new DHCP Server.

Rule 2: Mark Prerouting
Under IP -> Firewall -> Mangle add this rule



Rule 3: Change MSS (MTU alignment)
Under IP -> Firewall -> Mangle add this rule




Now you can connect to your new WiFi network and Google for “what is my IP” and see if it is in the country you specified in WireGuard.
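To check the result of steps 6 and 7 on the router itself rather than only through a "what is my IP" lookup, the following added example (not part of the original post) audits the output of `/export terse` for the new subnet. The subnet `10.99.0.0/24`, the names `wg-vpn` and `vpn`, and the sample export are constructed; the `lookup-only-in-table` check goes beyond the steps above and flags a routing rule that would fall back to the main table, and so to the normal WAN, when the tunnel table has no usable route.

```python
import shlex

# Constructed sample of `/export terse` output; names, subnet and values are illustrative.
SAMPLE_EXPORT = """\
/interface wireguard add listen-port=13231 name=wg-vpn
/routing table add disabled=no fib name=vpn
/routing rule add action=lookup src-address=10.99.0.0/24 table=vpn
/ip firewall nat add action=masquerade chain=srcnat src-address=10.99.0.0/24
/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
"""

def parse_terse(text):
    """Yield (menu_path, properties) for every `add` line of a terse export."""
    for line in text.splitlines():
        if not line.startswith("/"):      # skip header comments and blank lines
            continue
        tokens = shlex.split(line)        # handles double-quoted values
        if "add" not in tokens:
            continue
        split = tokens.index("add")
        props = dict(t.split("=", 1) for t in tokens[split + 1:] if "=" in t)
        yield " ".join(tokens[:split]), props

def audit(text, subnet):
    """Return findings for the VPN subnet; an empty list means every check passed."""
    rows = list(parse_terse(text))
    def find(path, **want):
        return [p for m, p in rows if m == path and p.get("disabled") != "yes"
                and all(p.get(k.replace("_", "-")) == v for k, v in want.items())]
    findings = []
    rules = find("/routing rule", src_address=subnet)
    tables = {p.get("name") for p in find("/routing table")}
    if not rules:
        findings.append("no routing rule for subnet")
    for r in rules:
        if r.get("table") not in tables:
            findings.append("routing rule points at undefined table")
        if r.get("action") != "lookup-only-in-table":
            findings.append("routing rule is not lookup-only-in-table: falls back to main table")
    if not find("/ip firewall nat", chain="srcnat", action="masquerade", src_address=subnet):
        findings.append("no srcnat masquerade for subnet")
    if not find("/ip firewall mangle", action="change-mss"):
        findings.append("no change-mss mangle rule")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, "10.99.0.0/24"):
        print("FINDING:", finding)
```

Run it against your own export by replacing `SAMPLE_EXPORT` with the text produced by `/export terse` and passing the range of the DHCP pool from step 5.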