Best Practices to Secure WireGuard Tunnel Against Device Theft or Key Leakage

Hello everyone,

I’ve successfully set up a WireGuard tunnel on my MikroTik router, and it’s working perfectly. However, I’m thinking ahead about security risks, and I’d like your advice on best practices.

Let’s say a laptop that’s already configured with the WireGuard client is stolen, or somehow the private key is leaked. In that case, an unauthorized person could connect through the tunnel and gain access to my internal network.

So I’d like to ask:

1. Can I whitelist based on IP/MAC or detect peer identity in any way?
2. What other layers of security can I add inside my LAN (for example: requiring logins, setting up 2FA-protected jump hosts, or segmenting access)?

Basically, wg only authenticates using the key. This is by design. There are services built on top of it that do things like 2FA, a popular one being Tailscale. MikroTik doesn’t directly support these.

One moderately good thing that comes out of wg’s design is that devices must have individual unique keys, so removing them is straightforward in case they’re compromised.

Many (most?) devices support locking away the key in some sort of tpm-y store, but this is a per-client thing.

Segmenting your network is something that always increases security, whichever vpn you choose, and even if you don’t use any.
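To make the reply's three points concrete (one key per device, straightforward revocation, and segmentation), here is an added RouterOS 7 configuration example; it is not from the original thread. The interface name `wg1`, the tunnel subnet `10.10.10.0/24`, the jump host `192.168.88.10` and the peer comments are assumptions, and the public keys are placeholders.

```routeros
# One peer per device, each with its own key pair and a /32 allowed-address.
# Weak form (avoid): allowed-address=0.0.0.0/0 on a single shared peer lets any
# holder of that one key use any tunnel address, so there is nothing to revoke
# or attribute per device.
/interface/wireguard/peers/add interface=wg1 \
    public-key="<ALICE_LAPTOP_PUBLIC_KEY_PLACEHOLDER>" \
    allowed-address=10.10.10.2/32 comment="laptop-alice"
/interface/wireguard/peers/add interface=wg1 \
    public-key="<BOB_PHONE_PUBLIC_KEY_PLACEHOLDER>" \
    allowed-address=10.10.10.3/32 comment="phone-bob"

# Peer "identity" is the public key; the comment ties it to a device.
# The peer list shows per-peer last-handshake and traffic, which is what you
# watch for a device that should be offline (e.g. reported stolen).
/interface/wireguard/peers/print detail where comment="laptop-alice"

# Revocation after theft or key leakage: remove that device's peer only.
# The other devices keep working because they never shared the key.
/interface/wireguard/peers/remove [find comment="laptop-alice"]

# Segmentation: tunnel clients may only reach the SSH jump host, nothing else
# in the LAN. RouterOS evaluates filter rules top-down, so the accept rules
# must sit above the final drop for in-interface=wg1.
/ip/firewall/filter/add chain=forward in-interface=wg1 \
    src-address=10.10.10.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=22 action=accept comment="wg -> jump host only"
/ip/firewall/filter/add chain=forward in-interface=wg1 action=drop \
    comment="wg -> everything else denied"
```

Placing the 2FA requirement on the jump host itself (rather than on WireGuard, which cannot do it) means a stolen key alone only gets an attacker as far as a login prompt.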
