AmneziaWG in RouterOS?

Hi guys. Finally I managed to run server and client on two MikroTik devices. Thanks to all of you. But now I'm wondering if there is any possibility to use more than one peer with one server? The thing is, once I add another peer to the server's config file, everything stops working, even if only one peer is connected to the server. Any ideas on what may be happening and how I can fix it? Or do I just want too much?
Here are the config files:

server.conf

[Interface]
Address = 10.0.0.1/32
PrivateKey = 8N4VDweB+y7cbNhw7Ays1wCw2+4R8TV2sR1e2So7Z0c=
MTU = 1440
ListenPort = 51820

Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056

# Add IP masquerading
PostUp = iptables -t nat -A POSTROUTING -o awg-server-veth -j MASQUERADE
# Del IP masquerading
PostDown = iptables -t nat -D POSTROUTING -o awg-server-veth -j MASQUERADE

Table = awg
PostUp = ip rule add priority 300 from all iif awg-server-veth lookup awg || true
PostDown = ip rule del from all iif awg-server-veth lookup awg || true

[Peer]
PublicKey = 9+VoCywnwi2N6/8+5zTwJAVwwnV4+rsZfFPR70L+uBw=
AllowedIPs = 0.0.0.0/0

#[Peer]
#PublicKey = +XyH+Tex55ERoc7qm21CgaRaV+N2clTfSHHLlkPFOlk=
#AllowedIPs = 0.0.0.0/0

client_01.conf

[Interface]
Address = 10.0.0.2/32
PrivateKey = AFc6t48DkSxI32ESsaG8XX7490hJ7aLUNQ8DCfqd430=
MTU = 1440

Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056

# Add IP masquerading
PostUp = iptables -t nat -A POSTROUTING -o vpn_chr_out_awg -j MASQUERADE
# Del IP masquerading
PostDown = iptables -t nat -D POSTROUTING -o vpn_chr_out_awg -j MASQUERADE

Table = awg
PostUp = ip rule add priority 300 from all iif vpn_chr_out_awg lookup awg || true
PostDown = ip rule del from all iif vpn_chr_out_awg lookup awg || true

[Peer]
PublicKey = sCVHs/enY5vuQh+vA2AdSU3EK2aTvpIqpTCjg35NDCY=
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = IP_ADDRESS:51820

client_02.conf

[Interface]
Address = 10.0.0.3/32
PrivateKey = ICAs87JwSdTdlzHZswF/8SM2xemn5QhgCYNXtjKqClE=
MTU = 1440

Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056

# Add IP masquerading
PostUp = iptables -t nat -A POSTROUTING -o vpn_chr_out_awg -j MASQUERADE
# Del IP masquerading
PostDown = iptables -t nat -D POSTROUTING -o vpn_chr_out_awg -j MASQUERADE

Table = awg
PostUp = ip rule add priority 300 from all iif vpn_chr_out_awg lookup awg || true
PostDown = ip rule del from all iif vpn_chr_out_awg lookup awg || true

[Peer]
PublicKey = sCVHs/enY5vuQh+vA2AdSU3EK2aTvpIqpTCjg35NDCY=
PersistentKeepalive = 25
AllowedIPs = 0.0.0.0/1, 128.0.0.0/1
Endpoint = IP_ADDRESS:51820

Peer AllowedIPs config for server and clients seems to be wrong: for server peers, set the client address (/32); for clients, 0.0.0.0/0. You can generate WG configs on https://www.wireguardconfig.com/ and compare them with yours, or use the generated ones and add the AmneziaWG-specific config values.
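As an added example (not code from this thread or from AmneziaWG): a small Python linter for wg-quick/AmneziaWG style configs that reports what the reply above describes, two server peers both claiming 0.0.0.0/0, which cryptokey routing cannot honour for more than one peer. The sample configs are constructed with placeholder keys.

```python
"""Lint a wg-quick/AmneziaWG style config for the multi-peer AllowedIPs
problem discussed in the thread. Added example, not code from the thread;
the sample configs below are constructed and use placeholder keys."""
import ipaddress

def parse_conf(text):
    """Return (interface_dict, [peer_dict, ...]); '#' starts a comment.
    AmneziaWG keys (Jc, Jmin, S1, H1, ...) are plain key = value lines."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            cur = {}
            peers.append(cur)
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur.setdefault(key, []).append(val)   # PostUp etc. may repeat
    return iface, peers

def lint_server(text):
    """Return findings for a server config. Cryptokey routing gives every
    prefix exactly one owning peer, so a second peer that also claims
    0.0.0.0/0 silently takes the prefix away from the first one."""
    _, peers = parse_conf(text)
    findings, owner = [], {}                  # owner: network -> peer no.
    for n, peer in enumerate(peers, 1):
        for item in ",".join(peer.get("AllowedIPs", [])).split(","):
            if not item.strip():
                continue
            net = ipaddress.ip_network(item.strip(), strict=False)
            if net.prefixlen == 0:
                findings.append(f"peer {n}: {net} on a server; use the client's /32")
            for other, m in owner.items():
                if other.overlaps(net):
                    findings.append(f"peer {n}: {net} overlaps {other} of peer {m}")
            owner[net] = n
    return findings

# Constructed samples: the failing layout from the thread and the fixed one.
IFACE = ("[Interface]\nAddress = 10.0.0.1/24\nListenPort = 51820\n"
         "PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER\nJc = 4\nJmin = 50\n"
         "Jmax = 1000\nS1 = 146\nS2 = 42\nH1 = 532916466\nH2 = 2096090865\n"
         "H3 = 406337014\nH4 = 57583056\n")
BAD = IFACE + ("[Peer]\nPublicKey = PEER1_PLACEHOLDER\nAllowedIPs = 0.0.0.0/0\n"
               "[Peer]\nPublicKey = PEER2_PLACEHOLDER\nAllowedIPs = 0.0.0.0/0\n")
GOOD = IFACE + ("[Peer]\nPublicKey = PEER1_PLACEHOLDER\nAllowedIPs = 10.0.0.2/32\n"
                "[Peer]\nPublicKey = PEER2_PLACEHOLDER\nAllowedIPs = 10.0.0.3/32\n")
```

Running `lint_server(BAD)` reports both /0 entries and the overlap between them, while `lint_server(GOOD)` returns no findings.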

I got all the settings from this post. I tried the link you’ve posted, and got these settings:

server:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = AHzHL+sWFUkykOIcFSV8Szzq1PyrmozeA8Laq4jh6m8=
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


[Peer]
PublicKey = D777whoC+HVbVDfKJH5sINGGsqJMt3bVsnoLS7g02zY=
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = Ukpm2US02iji0sFpTVr6zIziYAn710FcIK5gXWr7d0c=
AllowedIPs = 10.0.0.3/32

[Peer]
PublicKey = UKUNHuRfMURK3RR7udTauBafwgaERkmWpyDkumYdSh0=
AllowedIPs = 10.0.0.4/32

client:

[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKey = UETXywq4scWDGU5ohORT4eQ6wqzg+EvoeebDaHc4U3Q=


[Peer]
PublicKey = CqbXOdY4jUIjyx+VLUmfXQlneQ9YZ70Ehsjl+UKY100=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = IP_ADDRESS:51820

And yes, there are some differences from my configs, so I tried to get as close as possible to these settings (please kindly check the notes I made; the problem is described there):

My new server config:

[Interface]
#Address = 10.0.0.1/32	# this one works fine
Address = 10.0.0.1/24	# this one works fine too
PrivateKey = IKXEaVln/MMsmtlb4Glwtt9nmXOh3WLw68HyAo8ih0Y=
ListenPort = 51820

Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056

# Add IP masquerading
#PostUp = iptables -t nat -A POSTROUTING -o awg-server-veth -j MASQUERADE					# this one works fine
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o awg-server-veth -j MASQUERADE	# this one works fine too
# Del IP masquerading
#PostDown = iptables -t nat -D POSTROUTING -o awg-server-veth -j MASQUERADE					# this one works fine
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o awg-server-veth -j MASQUERADE	# this one works fine too

Table = awg
PostUp = ip rule add priority 300 from all iif awg-server-veth lookup awg || true
PostDown = ip rule del from all iif awg-server-veth lookup awg || true

# when I uncomment more than one peer - it stops working (routing stops working though the tunnel works)

#[Peer]
#PublicKey = 937HLQPnh0bxm1trf7+QvDRy5YaBHGSbAYkpycbGsic=
#AllowedIPs = 10.0.0.2/32	# when I do this - it stops working (routing stops working though the tunnel works)
#AllowedIPs = 0.0.0.0/0		# this one works fine

[Peer]	
PublicKey = eeneTfy78yF9vgOWO+xp62sjH+GbqiahqLRmSMndbAA=
#AllowedIPs = 10.0.0.3/32	# when I do this - it stops working (routing stops working though the tunnel works)	
AllowedIPs = 0.0.0.0/0		# this one works fine

#[Peer]	
#PublicKey = c1Ieo11mdBFRKuYUIajpXSa5VTXVBGlF9z1mKlD/bDE=
#AllowedIPs = 10.0.0.4/32	# when I do this - it stops working (routing stops working though the tunnel works)	
#AllowedIPs = 0.0.0.0/0		# this one works fine

and one of the clients:

[Interface]
#Address = 10.0.0.3/32	# this one works fine
Address = 10.0.0.3/24	# this one works fine too
PrivateKey = kPGJqo/WybxiIXz4tG1n0xmbVVISDQawKcRt2SLx0Fk=

Jc = 4
Jmin = 50
Jmax = 1000
S1 = 146
S2 = 42
H1 = 532916466
H2 = 2096090865
H3 = 406337014
H4 = 57583056

# Add IP masquerading
#PostUp = iptables -t nat -A POSTROUTING -o vpn-chr-awg-out -j MASQUERADE					# this one works fine
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o vpn-chr-awg-out -j MASQUERADE	# this one works fine too
# Del IP masquerading
#PostDown = iptables -t nat -D POSTROUTING -o vpn-chr-awg-out -j MASQUERADE					# this one works fine
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o vpn-chr-awg-out -j MASQUERADE	# this one works fine too

Table = awg
PostUp = ip rule add priority 300 from all iif vpn-chr-awg-out lookup awg || true
PostDown = ip rule del from all iif vpn-chr-awg-out lookup awg || true

[Peer]
PublicKey = thLWprYVDAKtdc2INUQrA2z3axIqRqyF/MVDzOnu9is=
PersistentKeepalive = 25
#AllowedIPs = 0.0.0.0/1, 128.0.0.0/1	# this one works fine
AllowedIPs = 0.0.0.0/0, ::/0		# this one works fine too
Endpoint = IP_ADDRESS:51820

And I am there where I was yesterday. Any more ideas or comments?

Can’t help you more; the issue I noticed was just from comparing configurations with regular WG, but I haven't personally configured AmneziaWG in a container yet (I have a plan to do it eventually) to give you more insights on this.

I also did not manage to use more than one client with AmneziaWG. It’s enough for what I need (actually my friend), to connect Tik to Tik over difficult networks. I also added EoIP over it.

For other devices such as phones etc. we installed dedicated Amnezia server.

And now I am losing my head over how to add WireGuard to the Xray container on Tik. It works in older versions of Xray, but in new versions that use XHTTP I can’t figure it out.

Here are my working Xray configs for tunneling WG over XHTTP; maybe it helps.

config_client.json.txt (2.9 KB)

config_server.json.txt (2.0 KB)

Thank you. I will try to make something out of it. I’m not really good at editing these config files; today I probably changed 20 config files unsuccessfully :slight_smile:

I talked to Grok for a whole day today through unsuccessful attempts, and he tried to make something out of your files, but of course it doesn’t work for me. He has been promising me the whole day already that this one will be the last and it will work :slight_smile: He is simply making things up on the go.

This is what I got. Don’t mind the keys left in; I will change them later anyway.

The veth IP of the client Xray is 172.21.0.2, and this IP is also set as the endpoint in the WireGuard config, together with port 51822.

The server listens on 51822, but I think that the connection never makes it to the other side.

Server:

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "0.0.0.0",
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          { "id": "3814e8c0-5a5d-4f58-9d6a-c2252be65f9c", "flow": "" }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "xhttp",
        "xhttpSettings": {
          "path": "/",
          "mode": "auto",
          "host": "x.sn.mynetname.net",
          "xPaddingBytes": "100-1000",
          "noSSEHeader": false,
          "scMaxEachPostBytes": 1000000,
          "scMaxBufferedPosts": 30,
          "scStreamUpServerSecs": "20-80"
        },
        "security": "reality",
        "realitySettings": {
          "dest": "github.com:443",
          "serverNames": [ "github.com" ],
          "privateKey": "6OuioP9XyTwWPllmnCSH-nedM5AD-BIU7qGZHYhAAV8",
          "shortIds": [ "1257a64c46289c42" ]
        }
      },
      "tag": "proxy"
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ]
}

Client:

{
  "log": { "loglevel": "debug" },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "port": 51822,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "127.0.0.1",
        "port": 51822,
        "network": "udp",
        "followRedirect": true,
        "timeout": 0
      },
      "tag": "wg-in"
    }
  ],
  "outbounds": [
    {
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "x.sn.mynetname.net",
            "port": 443,
            "users": [
              { "id": "3814e8c0-5a5d-4f58-9d6a-c2252be65f9c", "encryption": "none" }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "xhttp",
        "xhttpSettings": {
          "path": "/",
          "host": "x.sn.mynetname.net",
          "xPaddingBytes": "100-1000",
          "noGRPCHeader": false,
          "scMaxEachPostBytes": 1000000,
          "scMinPostsIntervalMs": 30,
          "xmux": {
            "maxConcurrency": "16-32",
            "maxConnections": 0,
            "cMaxReuseTimes": 0,
            "hMaxRequestTimes": "600-900",
            "hMaxReusableSecs": "1800-3000",
            "hKeepAlivePeriod": 0
          }
        },
        "security": "reality",
        "realitySettings": {
          "fingerprint": "chrome",
          "serverName": "x.sn.mynetname.net",
          "publicKey": "ad1ZV3Ejw80lt-3zATlSym6OWROOVxl1o2fhtkZepgo",
          "shortId": "1257a64c46289c42"
        }
      },
      "tag": "proxy"
    },
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" }
  ],
  "routing": {
    "rules": [
      { "type": "field", "inboundTag": ["wg-in"], "outboundTag": "proxy" }
    ]
  }
}

On a quick look, the dokodemo-door client config has 127.0.0.1 for settings.address (don’t mix it up with the listen setting; that’s the local client-side address for binding the port); this must be the IP address on the server side where WG is listening. If WG is not served on the same host where Xray runs (which is the case if Xray is running in a ROS container), the tunnel will not be established because WG is not listening on such an IP. In my case that’s the ROS bridge IP, because WG is served by ROS.

I tried with the IP of the Xray server container and the docker bridge IP, but it didn’t work. I will also try with the bridge IP; maybe it will help.

Is there any simple way to check if the Xray connection between client and server is even active?

In the client config, create a socks or http proxy inbound like in the config I sent in the post above and set that proxy in your browser. If browsing works and you have a different IP over the browser, then the connection over Xray is ok.

Ok, thank you, will do. I now must first make a new lab setup for testing, since my friend already went to the “DPI problematic” country with what we had configured on the Tik until then.

Hi folks! I set up an AmneziaWG server on the VPS side and am trying to create a client on MikroTik using wiktorbgu’s solution. I am nearly there (I think).

I used the AmneziaVPN app on the local PC to add a new peer (Share → New connection, using the ‘AmneziaWG native format’ option), which provided me with the keys, parameters and config (and also appended a peer record to the amneziawg container’s wg0.conf file on the VPS side).

I added the firewall rules to the client’s config, specifying my VETH interface. Here’s my resulting \docker_configs\amnezia_wg_conf\awg.conf, which was mounted into the MikroTik container:

[Interface]
Address = 10.8.1.3/32
DNS = 1.1.1.1, 1.0.0.1
PrivateKey = MaGbE…..=
Jc = ..5
Jmin = ..0
Jmax = ..0
S1 = ..5
S2 = ..6
H1 = ..95
H2 = ..36
H3 = ..60
H4 = ..51

PostUp = iptables -t nat -A POSTROUTING -o AMNEZIAWG -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o AMNEZIAWG -j MASQUERADE

PostUp = iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
PostDown = iptables -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Table = awg
PostUp = ip rule add priority 300 from all iif AMNEZIAWG lookup awg || true
PostDown = ip rule del from all iif AMNEZIAWG lookup awg || true

[Peer]
PublicKey = pEKN1…..=
PresharedKey = AeHKC…..=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxx.xxx.xxx.xxx:51820
PersistentKeepalive = 25

On RouterOS I added the VETH to the docker bridge, specified the networks (192.168.254.0/24) and a mangle rule to route certain hosts (firewall list) via this tunnel. Further, I added the following rules in RouterOS /ip/firewall/:

/ip firewall filter
add action=accept chain=forward comment="AWG: Allow outbound VPS connection" dst-address=xxx.xxx.xxx.xxx dst-port=51820 protocol=udp
add action=accept chain=forward comment="AWG: Allow Return from VPS" connection-state=established,related dst-address=192.168.254.4 in-interface=ether8

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=AWG_list new-routing-mark=awg-tunnel passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
add action=masquerade chain=srcnat comment="AWG NAT rule" out-interface=ether8 src-address=192.168.254.0/24

When spinning up the container I can see incoming packets on the VPS side, but there are very few packets received and the hosts from my AWG_list are timing out. The container’s shell ‘awg’ command returns the following:

interface: awg
public key: S1H…=
private key: (hidden)
listening port: 57165
jc: ..5
jmin: ..0
jmax: ..0
s1 = ..5
s2 = ..6
h1 = ..95
h2 = ..36
h3 = ..60
h4 = ..51

peer: pEK…=
preshared key: (hidden)
endpoint: xxx.xxx.xxx.xxx:51820
allowed ips: 0.0.0.0/0, ::/0
latest handshake: 9 minutes, 19 seconds ago
transfer: 276 B received, 330.05 MiB sent
persistent keepalive: every 25 seconds

I suspect I messed up my firewall rules somehow. Is there something obvious that I am missing?
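An added triage helper (not code from the thread or from AmneziaWG) that parses an `awg` / `wg show` dump like the one above and flags the two signs visible in it: a last handshake older than WireGuard's 180 s session limit while keepalives are configured, and almost nothing received against hundreds of MiB sent, which points at the return path (firewall/NAT) rather than at the tunnel parameters. The sample dump is constructed with placeholder keys and a documentation address.

```python
"""Parse 'awg' / 'wg show' output and flag an expired session and one-way
traffic. Added example; the sample dump is constructed, not from the thread."""
import re

REJECT_AFTER = 180  # seconds; WireGuard rejects a session older than this
UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
DURATION = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_age(text):
    """'latest handshake: 9 minutes, 19 seconds ago' -> 559 seconds."""
    parts = re.findall(r"(\d+) (second|minute|hour|day)s?", text)
    return sum(int(n) * DURATION[u] for n, u in parts)

def parse_bytes(text):
    """'330.05 MiB' -> byte count rounded to a whole number."""
    num, unit = text.split()
    return round(float(num) * UNITS[unit])

def parse_show(output):
    """Return one dict per peer; interface lines before 'peer:' are skipped.
    A peer that never handshaked has no 'latest handshake' line at all."""
    peers, cur = [], None
    for line in (l.strip() for l in output.splitlines()):
        if line.startswith("peer:"):
            cur = {"peer": line.split(":", 1)[1].strip()}
            peers.append(cur)
        elif cur and line.startswith("latest handshake:"):
            cur["handshake_age"] = parse_age(line)
        elif cur and line.startswith("transfer:"):
            rx, tx = line.split(":", 1)[1].split(",")
            cur["rx"] = parse_bytes(rx.replace("received", ""))
            cur["tx"] = parse_bytes(tx.replace("sent", ""))
    return peers

def triage(peer):
    """Findings for one peer: expired session and asymmetric byte counts."""
    out, age = [], peer.get("handshake_age")
    if age is None:
        out.append("no handshake has ever completed")
    elif age > REJECT_AFTER:
        out.append(f"last handshake {age}s ago: session expired, new handshakes not completing")
    rx, tx = peer.get("rx", 0), peer.get("tx", 0)
    if tx >= 1024 ** 2 and rx * 1000 < tx:   # >1 MiB out, <0.1 % of it back
        out.append(f"one-way traffic ({rx} B in, {tx} B out): check the return path")
    return out

SAMPLE = """interface: awg
  public key: IFACE_PUBLIC_KEY_PLACEHOLDER=
  listening port: 57165

peer: PEER_PUBLIC_KEY_PLACEHOLDER=
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 9 minutes, 19 seconds ago
  transfer: 276 B received, 330.05 MiB sent
  persistent keepalive: every 25 seconds
"""
```

`triage(parse_show(SAMPLE)[0])` returns both findings for the constructed dump; a peer with a recent handshake and balanced counters returns an empty list.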

What’s the difference between AmneziaWG and Xray/v2ray/vless/trojan/etc.? I don’t think anyone has found a way to block these protocols (or at least the latest one among them), so why would we need another one?