Mikrotik Wireguard

I have a requirement for a separate wireless network that, by default, routes all of its traffic over WireGuard. I will be using Surfshark VPN as the provider.


Step 1: Get a key pair from Surfshark for the Wireguard config

Log onto Surfshark, click on VPN, then Router, then Wireguard, then “I don’t have a key pair”. A key pair will be generated. You will get a private key and a public key. Save the private key as you won’t be able to retrieve it later.

Surfshark WireGuard key pair we will need for Mikrotik Wireguard

You will then be asked to choose a location you want to connect to, and Surfshark will provide you with that location’s details (server public key and endpoint). This will be our WireGuard peer in Mikrotik, so save it for later use. In other words, all traffic from our Mikrotik Wireguard setup will exit on this server.

Select the server Mikrotik Wireguard should exit on


Step 2: Mikrotik Wireguard Interface setup

Log on to your Mikrotik router and add a new Wireguard instance. Give it a name and then add the private and public key from the keypair that you generated.

Mikrotik Wireguard new interface

Still in Wireguard, click on Peers and add the peer details (the location you selected in step 1). Give it a name, select the Wireguard interface you just created, and enter the location’s public key and its endpoint name.

If all goes well, you should see an IP in the “Current Endpoint Address” field.

Mikrotik Wireguard peer setup

You will also see the Wireguard interface under your interface list.

Interface list

Under IP -> Address we will see that our Wireguard interface received a new IP address.

New Mikrotik Wireguard IP


Step 3: Add a new WiFi interface

I want this WiFi interface to exist only over the new Mikrotik Wireguard interface.

Give your new WiFi a name, select your existing WiFi as Master, add an SSID, and set its security and passphrase.

New WiFi that will route over Mikrotik Wireguard
New WiFi security settings


Step 4: Add a new bridge

This one is straightforward. Just go to Bridge and add a new bridge. Make sure fast forward is enabled.

New Bridge

Now assign that new WiFi interface to your new bridge under the Bridge -> Ports menu.

Assign new WiFi to new Bridge


Step 5: Add a new DHCP Server

Under IP -> Pool, add a new DHCP pool. Use a range that is completely separate from your existing DHCP range, so the two networks cannot be confused later in the routing and firewall rules.

New DHCP Pool

Next, under IP -> DHCP add a new DHCP server. Select your newly created pool and assign the server to your newly created bridge.

New DHCP Server

Let’s have a look at IP -> Addresses: we will see that an IP address was assigned to our bridge.

New Bridge IP


Step 6: Routing

Under Routing -> Table add a new routing table.

New Route Table to route over our new Mikrotik Wireguard interface

Under Routing -> Rules add a new routing rule. The source IP range of the rule is the range of the new DHCP server you just added.

Routing rules


Step 7: Firewall

We will add 3 rules.

Rule 1: Source NAT -> Masquerade

Under IP -> Firewall -> NAT add a new srcnat rule for the IP range you just assigned to your new DHCP server.

New srcnat rule for new DHCP range


Rule 2: Mark Prerouting

Under IP -> Firewall -> Mangle add this rule:

Mangle prerouting rule (screenshots 1 to 3)


Rule 3: Change MSS (MTU alignment)

Under IP -> Firewall -> Mangle add this rule:

Mangle forward rule (screenshots 1 to 3); action: change MSS, clamp to PMTU

Now you can connect to your new WiFi network and Google for “what is my IP” to check that the address shown is in the country you selected for the WireGuard peer.
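As an added example that is not part of the original post, here is the equivalent RouterOS v7 CLI for steps 2 and 4 to 7, extended with the default route inside the new table and a lookup-only-in-table rule so that clients on this SSID have no path out at all if the tunnel is down. The interface names, the 192.168.50.0/24 range and the table name are assumptions; the keys, endpoint, tunnel address and DNS server are placeholders for the values from the Surfshark config of step 1, and wifi-vpn stands for the virtual AP created in step 3.

```routeros
# --- Step 2: WireGuard interface and the Surfshark peer ---
# Keys, endpoint, tunnel address are placeholders: copy them from the
# Surfshark router config generated in step 1.
/interface wireguard add name=wg-surfshark mtu=1420 \
    private-key="<PRIVATE_KEY_FROM_SURFSHARK>"
/interface wireguard peers add interface=wg-surfshark \
    public-key="<SERVER_PUBLIC_KEY_FROM_SURFSHARK>" \
    endpoint-address=<SERVER_HOSTNAME_FROM_SURFSHARK> endpoint-port=51820 \
    allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address add address=<TUNNEL_ADDRESS_FROM_SURFSHARK> interface=wg-surfshark

# --- Step 4: bridge for the VPN-only WiFi (wifi-vpn = virtual AP from step 3) ---
/interface bridge add name=bridge-vpn fast-forward=yes
/interface bridge port add bridge=bridge-vpn interface=wifi-vpn

# --- Step 5: separate address space and DHCP server (192.168.50.0/24 assumed) ---
/ip address add address=192.168.50.1/24 interface=bridge-vpn
/ip pool add name=pool-vpn ranges=192.168.50.10-192.168.50.254
/ip dhcp-server add name=dhcp-vpn interface=bridge-vpn address-pool=pool-vpn disabled=no
# Hand out the VPN provider's resolver: the router's own resolver answers via
# the main table, so DNS queries would leave over the plain WAN.
/ip dhcp-server network add address=192.168.50.0/24 gateway=192.168.50.1 \
    dns-server=<DNS_SERVER_FROM_SURFSHARK>

# --- Step 6: dedicated routing table whose only exit is the tunnel ---
/routing table add name=to-surfshark fib
/ip route add dst-address=0.0.0.0/0 gateway=wg-surfshark routing-table=to-surfshark
# lookup-only-in-table: if wg-surfshark is down, clients get no route at all
# instead of silently falling back to the main table and the plain WAN.
/routing rule add src-address=192.168.50.0/24 action=lookup-only-in-table \
    table=to-surfshark

# --- Step 7: firewall ---
# Rule 1: masquerade the VPN subnet behind the tunnel address (out-interface
# added so this rule can never match traffic leaving via the WAN).
/ip firewall nat add chain=srcnat src-address=192.168.50.0/24 \
    out-interface=wg-surfshark action=masquerade
# Rule 2: routing mark in prerouting, as in the post (the routing rule above
# already steers the traffic; this keeps the two views consistent).
/ip firewall mangle add chain=prerouting src-address=192.168.50.0/24 \
    action=mark-routing new-routing-mark=to-surfshark passthrough=yes
# Rule 3: clamp TCP MSS to the tunnel path MTU so large packets are not dropped.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    out-interface=wg-surfshark action=change-mss new-mss=clamp-to-pmtu \
    passthrough=yes
# Belt and braces: the VPN subnet may be forwarded nowhere but into the tunnel.
/ip firewall filter add chain=forward src-address=192.168.50.0/24 \
    out-interface=!wg-surfshark action=drop
```

Paste the lines into a RouterOS v7 terminal; the routing rule, not the mangle mark, is what enforces the tunnel-only path, and the final filter rule makes a leak visible as dropped packets in the firewall counters.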


necrolingus

Tech enthusiast and home labber