2 WAN as Failover and Setup WireGuard Key as Client

Hello everyone,
I have been using other brand routers until now, TP-Link and mostly Ubiquiti, and I would like to start with MikroTik. So I got one hEX for testing. But as I have learned MikroTik needs every step to be made by hand, I have researched for some days now and I cannot find any solution for the WireGuard key that I got from a provider.
As a start I have set up, with basic steps, the network with 2 WAN ports as failover; for the 2nd WAN I used the trick of distance in the route list.
I am sending my setup from the router plus a sample of the key I got from my provider.
I have tried some tutorials but nearly all of the guides set up the MikroTik as VPN server instead of client.
The WireGuard key was also generated on RouterOS by my provider.

Is there any other post, or someone who can explain what I am doing wrong on this one?
A tutorial that I have tried and that didn't work was this one: https://protonvpn.com/support/wireguard-mikrotik-routers/

/interface wireguard
add listen-port=13231 private-key="private_key_from_provider" name=wireguard1

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="wireguard_port" interface=wireguard1 public-key="public_key_of_provider"

/ip address
add address=192.168.32.2xx/30 network=192.168.32.0 interface=wireguard1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.32.1
add dst-address=5.172.196.95 gateway=192.168.1.1 distance=1
add dst-address=5.172.196.95 gateway=192.168.2.1 distance=5

(1) You need persistent keepalive in your peer settings, so…
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="proton-provided-port" interface=wireguard1 persistent-keepalive=30s public-key="public_key_of_provider"

/routing table
add fib name=via-WG1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="proton-provided-port" interface=wireguard1 persistent-keepalive=30s public-key="public_key_of_provider"
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1
/routing rule
add action=lookup src-address=192.168.13.0/24 table=via-WG0

Note1: If you NEVER want your bridge LAN users to access your local WAN when WireGuard is not available, then change the action on the routing rule to:
action=lookup-only-in-table

Note2: If you are using IP DHCP client for your two WANs: do NOT select "add default route" or "use peer DNS" on the IP DHCP clients.
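The steps above are fail-open: `action=lookup` falls back to the main table, and nothing in the firewall stops LAN traffic from leaving a WAN port directly if the tunnel goes down. The following is an added example, not anav's or the original poster's configuration, of the fail-closed variant that Note1 points at, together with the checks a practitioner would run. It reuses the names from this thread (Bridge-LAN, 192.168.13.0/24, wireguard1, via-WG1, interface list WAN) and assumes RouterOS 7 with both WAN ports already members of the WAN list. The first routing rule (LAN-to-LAN traffic kept in the main table) is an assumption added so the router's own LAN address stays reachable by IP once LAN sources are forced into the VPN table.

```routeros
# Added example, not from the original thread.
# Assumes RouterOS 7, LAN 192.168.13.0/24 on Bridge-LAN, WireGuard interface wireguard1,
# routing table via-WG1 and an interface list WAN that contains both WAN ports.

/routing table
add fib name=via-WG1

/ip route
# The only route in the VPN table: everything via the tunnel. Deliberately no fallback route here.
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1

/routing rule
# 1) LAN -> LAN (including the router's own 192.168.13.1: WinBox, DNS, DHCP) stays in main.
#    Assumption: this exception is what keeps IP management from the LAN working.
add src-address=192.168.13.0/24 dst-address=192.168.13.0/24 action=lookup-only-in-table table=main
# 2) Everything else from the LAN is looked up ONLY in via-WG1. If wireguard1 is down the lookup
#    fails and the packet is dropped instead of leaking out a WAN port (Note1 behaviour).
add src-address=192.168.13.0/24 action=lookup-only-in-table table=via-WG1

/ip firewall filter
# Belt and braces: even if a later route change sends LAN traffic toward a WAN port, drop it.
# Place this above any generic "accept forward" rule.
add chain=forward in-interface=Bridge-LAN out-interface-list=WAN action=drop comment="VPN kill switch: no LAN traffic direct to WAN"

/ip firewall nat
# LAN traffic is masqueraded on the tunnel; the WAN masquerade remains for router-originated traffic.
add chain=srcnat out-interface=wireguard1 action=masquerade
add chain=srcnat out-interface-list=WAN action=masquerade

# Checks after applying:
# - last-handshake should be recent and rx/tx should increase while a LAN client browses
/interface wireguard peers print detail
# - the 0.0.0.0/0 via wireguard1 route must be active in the VPN table
/ip route print where routing-table=via-WG1
# - rule order matters: the LAN->LAN exception must come before the lookup-only-in-table rule
/routing rule print
# - kill switch test: disable the tunnel, then confirm a LAN client loses internet instead of
#   silently falling back to WAN1; re-enable afterwards
/interface wireguard disable wireguard1
/interface wireguard enable wireguard1
```

Router-originated traffic (the router's own DNS resolver set to 1.1.1.1, NTP, the WireGuard handshake itself) is not matched by a src-address rule for the LAN subnet and still leaves via the main table, which is what lets the handshake reach the provider's endpoint over the WAN. Only LAN clients that use the DNS server handed out by DHCP resolve through the tunnel.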

I have tried this but nothing happened; WAN1 and WAN2 internet continued working without the WireGuard. Might there be any missing commands?

Your routing setup follows nothing of what I suggested, so I cannot help you there.
You seem to forget that the handshake starts on your router…
Best of luck…

_Although I haven't understood the way WireGuard will work, this is how I have made all the lines, and at the last line (/routing rule add action=lookup src-address=192.168.13.0/24 table=via-WG0)
internet and access to the MikroTik could not be managed; I had to hard reset the router. I have some questions though:

  1. At the start the table name was via-WG1 and at the last line it was WG0. I suppose it should be WG1, right?
  2. In Firewall NAT you write the first line (out-interface-list=WAN); I only have WAN1 and WAN2. Should I make 2 lines, one for each WAN?_

The IP address from my VPN provider is Address = 192.168.32.20/32.

Generally, as I said, I'm new to MikroTik so I'm taking lessons these days from a platform. I'm just trying to understand how WireGuard could be set up and work, because in the lessons there is no WireGuard.

  1. Sorry, my bad on the typo; WG1 is the correct entry on the routing rule, to match the routing table defined.

  2. Put the IP address on your router for wireguard1 as
    add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0

  3. As long as both WAN interfaces are members of the interface list WAN, no need for anything extra.

So you suggest going like this?

/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1 private-key="your private key"
/ip address
add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0
/routing table
add fib name=via-WG1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="endpointadress" interface=wireguard1 persistent-keepalive=30s public-key="public_key_of_provider"
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1
/routing rule
add action=lookup src-address=192.168.13.0/24 table=via-WG1

3. As long as both WAN interfaces are interface list members of the interface list=WAN, no need for anything extra.
Let me check on the MikroTik how that is done :smiley:

I suppose the image I uploaded is ok.
(image: list.jpg)

@anav I made the lines and the WireGuard seems to work normally. Thanks a lot for your help; now I'll try to learn the way it works, but I have a question.
1) Is this firewall rule necessary? Internet works without it also.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
2) On speed test platforms the upload works properly except on Ookla's; there only download works, there is no upload on that test.

The mangle was recommended, not a random suggestion LOL. It does NO HARM to your setup and one never knows what particular website, through the third-party VPN, will give the router shits and giggles. So it's a good safety net to keep.

To improve your setup you can set up both failover on the main WANs AND also recursive routing, which is always more accurate than normal routing.
Normal routing says, hey, I can reach the ISP equipment; recursive routing says I can reach the internet.

/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=9.9.9.9 routing-table=main scope=10 target-scope=12
add distance=1 dst-address=9.9.9.9/32 gateway=192.168.1.1 routing-table=main scope=10 target-scope=11
++++++++++++++++++++++++
add check-gateway=ping distance=5 dst-address=0.0.0.0/0 gateway=8.8.4.4 routing-table=main scope=10 target-scope=12
add distance=5 dst-address=8.8.4.4/32 gateway=192.168.2.1 routing-table=main scope=10 target-scope=11
+++++++++++++++++
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1

Now technically you don't need check-gateway on the backup WAN, but it does no harm and leaves the door open to situations like:
a. you decide to have WAN2 use the VPN, or a server on the LAN be accessed via WAN2
b. you decide to use PCC so that equal use of both WANs is made all the time for your traffic.
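What makes a recursive default route work is the pair of scopes: the default route's gateway (9.9.9.9) is not on a connected network, so RouterOS resolves it through whatever route covers 9.9.9.9 and has scope no larger than the default route's target-scope. Pinning a /32 host route to each WAN gateway is what forces the probe, and therefore the failover decision, to go out the right port. The block below is an added example, not anav's or the original poster's configuration; it uses the probe hosts from the post (9.9.9.9 and 8.8.4.4) and the WAN gateways from the export later in the thread (192.168.1.1 and 192.168.2.1), and it leaves the default routes at the default scope of 30 so that neither default route can be used to resolve the other WAN's probe host. The probe hosts should not double as the router's DNS servers, because router-originated traffic to 9.9.9.9 stays pinned to WAN1 even after a failover.

```routeros
# Added example, not from the original thread. Assumes RouterOS 7, WAN1 gateway 192.168.1.1,
# WAN2 gateway 192.168.2.1, probe hosts 9.9.9.9 (WAN1) and 8.8.4.4 (WAN2), VPN table via-WG1.

/ip route
# Host routes that pin each probe to its own WAN. scope=10 makes them usable as next-hop
# resolvers for the default routes below (target-scope=11 >= 10).
add dst-address=9.9.9.9/32 gateway=192.168.1.1 scope=10 routing-table=main comment="WAN1 probe pin"
add dst-address=8.8.4.4/32 gateway=192.168.2.1 scope=10 routing-table=main comment="WAN2 probe pin"

# WAN1 default route. The gateway is the probe host itself, so check-gateway=ping tests the path
# to the internet, not just the ISP CPE. Probes run every 10 s; two consecutive failures mark
# the route unreachable and the distance-5 route takes over. Default scope (30) is kept on
# purpose: with target-scope=11 only routes of scope <= 11 may resolve 9.9.9.9, so the WAN2
# default route (scope 30) can never "rescue" WAN1's probe host when WAN1's link is down.
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=1 check-gateway=ping target-scope=11 routing-table=main comment="WAN1 default, recursive via 9.9.9.9"
# WAN2 default route, same pattern, higher distance so it is the backup.
add dst-address=0.0.0.0/0 gateway=8.8.4.4 distance=5 check-gateway=ping target-scope=11 routing-table=main comment="WAN2 default, recursive via 8.8.4.4"

# VPN table unchanged: the WireGuard endpoint is reached via whichever WAN default is active.
add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1

# Checks: while both WANs are healthy both defaults are active (A flag) and the distance-1 one
# is used; unplug WAN1 or blackhole 9.9.9.9 upstream and the WAN1 default should show as
# unreachable within about 20 s, with the WAN2 default taking over.
/ip route print detail where dst-address=0.0.0.0/0
# After a failover the tunnel's source address changes; WireGuard tolerates this, but confirm
# that the peer completes a new handshake.
/interface wireguard peers print detail
```

Because the WireGuard handshake is router-originated, it follows the main table and moves to WAN2 automatically when WAN1's default route becomes unreachable; the host routes to the provider's endpoint that the original poster used for WAN1/WAN2 are therefore not needed in this design.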

Thanks again for your reply; I will check everything better tomorrow morning. It's already late here and I need to rest.
On the internet I see some anomalies like packet losses, although the internet has been working fine with another VPN key on my Ubiquiti for months now. Plus there is no upload on Ookla's speedtest; on other speed platforms it seems to work properly, and I get some Tx errors and drops on WireGuard.

I have made the setup as suggested and I can say that with the Windscribe WireGuard key everything seems to work properly. But when I'm installing my provider's VPN key I get strange things happening, like at Ookla's speedtest the upload does not work sometimes. WhatsApp Web does not work either (with the Windscribe VPN everything is perfect, as I saw). On Ubiquiti I had to lower the MTU to 1412 in order to get it working properly, but here even that does not fix anything.
Another issue with both VPNs is that when I add the last line, /routing rule, I get disconnected from WinBox and I only have access via MAC after that.

2024-03-22 00:13:04 by RouterOS 7.14

software id = M8KE-V5ID

model = RB750Gr3

serial number = HD2******2AS

/interface bridge
add name=Bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.13.100-192.168.13.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Bridge-LAN lease-time=1d name=dhcp1
/routing table
add disabled=no fib name=via-WG1
/interface bridge port
add bridge=Bridge-LAN interface=ether3
add bridge=Bridge-LAN interface=ether4
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=5.1**.1**.95 endpoint-port=13231 interface=wireguard1 persistent-keepalive=25s public-key="ySD/xFuTQyxQeVbfhIS4xyT6wE="
/ip address
add address=192.168.13.1/24 interface=Bridge-LAN network=192.168.13.0
add address=192.168.1.99/24 interface=WAN1 network=192.168.1.0
add address=192.168.2.98/24 interface=WAN2 network=192.168.2.0
add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0
/ip dhcp-client
add disabled=yes interface=WAN1
add disabled=yes interface=WAN2
/ip dhcp-server network
add address=192.168.13.0/24 dns-server=192.168.32.1 gateway=192.168.13.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing Packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=5 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-WG1 suppress-hw-offload=no
#error exporting “/ipv6/nd/prefix/default” (timeout)
/routing rule
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1
/system clock
set time-zone-name=Europe/Athens
/system note
set show-at-login=no

  1. You have three srcnat rules; get rid of the first one, it's incomplete and is just noise.

/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wireguard1

  2. Well, it kind of makes sense: since you force all traffic out the WireGuard tunnel, it's hard to reach something local on the router.
    However, I would have thought 192.168.13.1:winbox-port OR via MAC address would still work, but I guess not.

Try this and see if it works; order is important (an easy way to add a rule in front without deleting the existing rule is to make a copy of the existing rule, keep the second copy as is, and change the first one :slight_smile:).

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.13.0/24 table=main
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1

First NAT rule deleted as advised. About the connection via WinBox, I can reach it without any problem via MAC address, just IP stopped working.
I added the rule as well, but when it's like that WireGuard is no longer in front and internet goes via the WAN1 network; with it disabled, internet goes via WireGuard as normal.

I don't know if it's my VPN provider's issue, but I get drops via the WireGuard as you can see. Is that a problem for my network? Is it fixable?
(image: wireguard drops.jpeg)

Okay, strange, but if you can reach it by MAC you have access.
As far as packets go, as long as your browsing experience is okay I wouldn't worry too much.
The extra rule is designed to ensure browsing performance is the best it can be.


If you mean this extra rule, it disables the VPN in general.

/routing rule
add action=lookup-only-in-table disabled=no dst-address=192.168.13.0/24 table=main
add action=lookup disabled=no src-address=192.168.13.0/24 table=via-WG1

I can't say that the experience is the same as without the VPN. Some things are unreachable; for example on WhatsApp images sometimes cannot be sent, or on speedtest the upload behaves strangely, etc.
The provider has set up the VPN keys on RouterOS as well, that's why it's the same port.
On Ubiquiti, about the MTU, I had to lower it to 1412 in order not to have issues, and also have TCP MSS clamping at 1372.

Update: I have put WireGuard at 1412 also on the MikroTik and in the firewall I added tcp-mss 1372; things seem the same. Any experience with that? Am I putting it in the correct place? In the NAT rule it's grayed out and I cannot put it there.
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing Packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1372

I have seen this rule tried as well. Start by putting the WireGuard MTU setting back to 1420, with

/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

I put WireGuard back to 1420 and replaced the mangle with the one you showed; internet seems to work well now, but I have one question… why tcp-mss=1381-65535?
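The numbers in that rule follow from the tunnel MTU: a 1420-byte WireGuard packet carries at most 1420 - 20 (IPv4 header) - 20 (TCP header) = 1380 bytes of TCP payload, so 1380 is the largest safe MSS, and matching tcp-mss=1381-65535 rewrites only those SYNs that advertise more than the tunnel can carry while leaving hosts that already advertise a smaller value untouched. The block below is an added example, not anav's or the original poster's configuration: it clamps in both directions, since the SYN leaving the tunnel limits what the remote server sends back and the SYN or SYN-ACK arriving from the tunnel limits what the LAN host sends out. It assumes the 1420 MTU from this thread and IPv4 traffic only (for IPv6 the header overhead is 60 bytes, giving 1360).

```routeros
# Added example, not from the original thread. Assumes wireguard1 MTU 1420 and IPv4 TCP.
# Largest TCP payload per tunnel packet: 1420 - 20 (IPv4) - 20 (TCP) = 1380.
# Only SYNs advertising MSS 1381..65535 are rewritten; a smaller advertised MSS is left alone.

/interface wireguard
set [ find name=wireguard1 ] mtu=1420

/ip firewall mangle
# LAN -> tunnel: caps the segment size the remote server will send to us
add chain=forward out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535 action=change-mss new-mss=1380 passthrough=yes comment="MSS clamp, SYN leaving wireguard1"
# tunnel -> LAN: caps the segment size our LAN hosts will send into the tunnel
add chain=forward in-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535 action=change-mss new-mss=1380 passthrough=yes comment="MSS clamp, SYN entering wireguard1"

# If the tunnel MTU is lowered (1412 was tried earlier in this thread), recompute both numbers:
# new-mss = MTU - 40 and the match range starts at new-mss + 1, i.e. for MTU 1412
# new-mss=1372 and tcp-mss=1373-65535. A rule that matches tcp-mss=1372 exactly only
# touches SYNs that already advertise 1372 and changes nothing for the common 1460.

# Check: both counters should grow as new TCP connections are opened through the VPN.
/ip firewall mangle print stats where comment~"MSS clamp"
```

MSS clamping only shapes TCP. UDP-based traffic (QUIC, voice and video calls, DNS over UDP) is not affected by these rules and depends on the application or on ICMP "fragmentation needed" messages reaching the sender, so a lowered tunnel MTU is still the lever for those flows.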