Got VPN Connection but Can't Ping IP

I have my WireGuard VPN setup and I can get a connection. But I cannot ping from the VPN client to a workstation on the VPN network, nor from the VPN network to the assigned IP. I’m likely missing something obvious.

2026-02-09 15:30:59 system,clock,critical,info ntp change time Feb/09/2026 15:30:39 => Feb/09/2026 15:30:59
[admin@AWOD1] > export print
expected end of command (line 1 column 8)
[admin@AWOD1] > export
# 2026-02-09 16:45:28 by RouterOS 7.21.2
# software id = 4462-Q26S
#
# model = RB750Gr3
# serial number = HGR0A9X7FJX
/interface ethernet
set [ find default-name=ether2 ] name="LAN 2"
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether1 ] name=WAN-Ether1
/interface wireguard
add listen-port=13231 mtu=1420 name=WireGuard
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PoolDHCP ranges=10.10.1.100-10.10.1.199
add name=VPNPool ranges=10.10.1.200-10.10.1.254
/ip dhcp-server
add address-pool=PoolDHCP interface=LAN3 lease-time=1d name=DHCPNew
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default as=65530 disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=*6 comment=defconf disabled=yes ingress-filtering=no interface=WAN-Ether1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add interface=WAN-Ether1 list=WAN
add interface=LAN3 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:96:EB:4B:0C:B1 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.1.200/32 client-allowed-address=::/0 interface=WireGuard name=peer1 public-key=\
    "2XVa1EVsCQwndb8+msWU0OH7HYYN7TX7QAPE0n59LF4="
/ip address
add address=192.168.1.220/24 interface=WAN-Ether1 network=192.168.1.0
add address=10.10.1.1/24 interface=LAN3 network=10.10.1.0
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=192.168.1.14 gateway=10.10.1.1
/ip dns
set servers=192.168.1.14
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=AWOD1
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.5.41.40
add address=192.5.41.41
add address=192.168.1.14
[admin@AWOD1] > 


Thank you!

Remove the serial number from your post; it is not required and, for security reasons, it is best to remove it.

The config is incorrect which is causing issues!
There is no pool required for the wireguard subnet!
The wireguard subnet, should NOT be the same as your LAN subnet.

To be clear, the wireguard subnet is strictly for identifying devices (such as another router, or client devices like a remote laptop, smartphone etc.) so that they are part of the wireguard network.

It is not for any users behind the router, they require a normal subnet.

It would appear you are not using a bridge and only have a LAN on ether3. It is not clear what the purpose of ether2, ether4, or ether5 is. It will be easier to change the local subnet than the wireguard subnet, as you already have a client assigned. It would appear your client needs access to at least the internet (0.0.0.0), which also includes your local subnet (as dictated by firewall rules). Change internet detect to none.

Where are your firewall rules?? Since you are hosting wireguard as the server for the handshake, I assume you have a public-facing IP?? Confused because you are using a private WANIP?
I am assuming an upstream router, possibly the ISP's, has a public-facing IP and you are forwarding port 13231 to the LANIP of the MT (its WANIP) 192.168.1.220 ???

/interface ethernet
set [ find default-name=ether2 ] name="LAN 2"
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether1 ] name=WAN-Ether1
/interface wireguard
add listen-port=13231 mtu=1420 name=WireGuard
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PoolDHCP ranges=10.10.10.100-10.10.10.254
/ip dhcp-server
add address-pool=PoolDHCP interface=LAN3 lease-time=1d name=DHCPNew
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default as=65530 disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=WAN-Ether1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=none
/interface list member
add interface=WAN-Ether1 list=WAN
add interface=LAN3 list=LAN
add interface=WireGuard list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:96:EB:4B:0C:B1 name=ovpn-server1
/interface wireguard peers
add allowed-address=10.10.1.200/32 client-allowed-address=0.0.0.0/0 interface=WireGuard name=peer1 public-key="====="
/ip address
add address=192.168.1.220/24 interface=WAN-Ether1 network=192.168.1.0
add address=10.10.10.1/24 interface=LAN3 network=10.10.10.0
add address=10.10.1.1/24 interface=WireGuard network=10.10.1.0
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input comment="WG HANDSHAKE" dst-port=13231 protocol=udp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="wg to lan" in-interface=WireGuard out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=192.168.1.14 gateway=10.10.10.1
/ip dns
set servers=192.168.1.14
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=America/New_York
/system identity
set name=AWOD1
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.5.41.40
add address=192.5.41.41
add address=192.168.1.14
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I'm going to assume that this is a continuation of this question: VPN to Add Address Range

It's always polite to include a diagram, which is useful for your own internal documentation as well, or a short description of your scenario.

The problem with your current config is that you're trying to assign an address to the vpn client from the target (machine) subnet. Although this is ultimately possible, this is not the idiomatic configuration - wireguard is usually set up as a purely routed configuration.

So, these are the steps I'd suggest:

  1. Remove the VPNPool. It could stay, but it's useless.
  2. Select another subnet just for the VPN, and an address on it for the Mikrotik and for the client. Let's choose 172.22.0.0/24 for the subnet, 172.22.0.1 for the router and 172.22.0.11 for this client.
  3. Add the address /ip address add address=172.22.0.1/24 interface=WireGuard
  4. Correct the router-side wg peer config to allowed-address=172.22.0.11/32
  5. Correct the client-side wg config to address=172.22.0.11, and allowed ips to 10.10.1.0/24,172.22.0.0/24 (the latter subnet is only recommended for a neater config). Also, ensure that you have a PersistentKeepalive=25 in the [Peer] section.

Now you should be able to ping 172.22.0.1 and 10.10.1.1 from the client. If all is well, you should also be able to ping the devices.

An additional masquerade rule may be needed: /ip firewall nat add chain=srcnat action=masquerade out-interface=LAN3 src-address=172.22.0.0/24 This is to make the devices think that all connections to them are initiated from their own subnet, instead of through a vpn. Some devices need this, some don't.

EDIT: This is based on your posted configuration, without the added bridge or firewall rules. Both are good ideas, but the bridge is not strictly necessary, and the firewall (if needed) is something you can afford to figure out after basic connectivity is established and verified.
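The addressing fix in the steps above, as an added checker that is not from the thread: it parses a constructed RouterOS export modelled on the original post and flags a tunnel peer whose address was drawn from the LAN subnet and a WireGuard interface with no address, then re-checks the same export rewritten to the suggested 172.22.0.0/24 tunnel subnet. The parser, export text and the "PLACEHOLDER" public key are all constructed here.

```python
"""Check a RouterOS export for the WireGuard addressing mistakes from this thread:
peer addresses drawn from the LAN subnet and no address on the tunnel interface.
Added example (not from the thread); the export text below is constructed."""
import ipaddress
import re

# Constructed export modelled on the original post: the peer gets 10.10.1.200 from the LAN /24.
BROKEN_EXPORT = """
/interface wireguard
add listen-port=13231 mtu=1420 name=WireGuard
/interface wireguard peers
add allowed-address=10.10.1.200/32 interface=WireGuard name=peer1 public-key="PLACEHOLDER"
/ip address
add address=192.168.1.220/24 interface=WAN-Ether1 network=192.168.1.0
add address=10.10.1.1/24 interface=LAN3 network=10.10.1.0
"""
# The routed layout the replies recommend: a dedicated 172.22.0.0/24 tunnel subnet.
FIXED_EXPORT = BROKEN_EXPORT.replace("10.10.1.200/32", "172.22.0.11/32").replace(
    "/ip address", "/ip address\nadd address=172.22.0.1/24 interface=WireGuard network=172.22.0.0")

def parse_export(text):
    """Map each '/section' header to a list of {key: value} dicts, one per add/set line."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line)   # values may be quoted
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def check_wireguard(text):
    """Return a list of findings; an empty list means the tunnel addressing is sane."""
    s = parse_export(text)
    wg_names = {e["name"] for e in s.get("/interface wireguard", [])}
    addrs = [(e["interface"], ipaddress.ip_interface(e["address"]))
             for e in s.get("/ip address", []) if "address" in e]
    tunnel_nets = {i: a.network for i, a in addrs if i in wg_names}
    findings = [f"{n}: no /ip address on the WireGuard interface" for n in wg_names if n not in tunnel_nets]
    for peer in s.get("/interface wireguard peers", []):
        iface, allowed = peer["interface"], ipaddress.ip_network(peer["allowed-address"], strict=False)
        if iface not in wg_names:   # RouterOS names are case-sensitive ('Wireguard' != 'WireGuard')
            findings.append(f"{peer['name']}: interface {iface!r} is not a WireGuard interface")
            continue
        for other, a in addrs:      # the thread's actual bug: tunnel address inside the LAN /24
            if other != iface and allowed.overlaps(a.network):
                findings.append(f"{peer['name']}: allowed-address {allowed} lies in {other} "
                                f"subnet {a.network}; use a dedicated tunnel subnet")
        if iface in tunnel_nets and not allowed.subnet_of(tunnel_nets[iface]):
            findings.append(f"{peer['name']}: allowed-address {allowed} is outside {tunnel_nets[iface]}")
    return findings
```

Running `check_wireguard` on the broken export reports both the missing tunnel address and the peer sitting inside the LAN3 /24; on the fixed export it returns no findings.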

Oops, forgot about the serial number. No big deal, this is a test in a lab.

I haven’t had coffee yet this morning so I’m going to have to think about your answer a bit.

Thank you!

“It would appear you are not using a bridge and only have a LAN on ether3. It is not clear what the purpose ether2 is or ether4, or ether5.”

Not using a bridge, don’t need one right now. Ether1, 4 and 5 have no purpose right now.

“Where are your firewall rules??”

“… assuming you have a public Facing IP??”

Don’t have a firewall. Is one needed? This is a router being used to isolate one network from another. There is no public-facing IP in the internet sense. The WAN connection is onto a corporate network that is behind a firewall.

Thanks for the info. Out of habit I always put the firewall in place, but in your case it sounds like a minimalist approach may be just fine. However, if you don't have a public IP on the router and you cannot forward a port from the internet-facing router to the MT, you cannot use wireguard ‘normally’. You will have to use BTH Wireguard.

OK, starting over or back filling what I should have posted, hahaha.

This application is a router being used to shield automated machinery from the corporate network traffic, while still letting them access shares on the Microsoft Domain. Additionally, the PLC programmers need to connect to the subnet for that machine and have an IP on that subnet for their programming tools. There will be many of these subnets, 20 or 30 of them, each having their own IP range. The subnets do need internet access, and that is provided downstream by the corporate network. The subnets are using the corporate domain's DNS so they can find the server shares they need.

The corporate domain is a 192.168.1.X network and the machine domains will be 10.10.Y.X where Y is a different number for each machine. For this learning, I will only focus on 10.10.1.X as the subnet. Static DNS entries will provide routing to each sub domain by different host names. The desire is that the programmers will use WireGuard on their desktop computers to attach to the sub domain they need to work on at that time.

This is a develop and learning process for me, so the programming in the RouterOS may have bits and pieces that are dead ends from ideas I pursued and then abandoned, like the extra IP Pools and such.

Now, down to figuring this out. Am I hearing that I cannot have the WireGuard client get an IP directly on the LAN subnet behind the RouterOS? The intent is to have the Windows client on the corporation network to have an extra IP address in the 10.10.1.X range temporarily on their machine.

I am gravely concerned about the amount of beer I will have to purchase if you guys make it to NYC! hahaha

I understood your request the first time around. Follow the directions above, and you'll get what you want, at least with the wireguard and programming part.

The reason why the PC's don't exactly get their IP's from the machine network is that wireguard is an IP (layer 3/routed) tunnel and not ethernet (layer 2).

The traffic addressed to 10.10.1.x will be sent to the router, and it will pass it on to the intended PLC/device. Everything is as it should be.

The added bonus is that because the topology is routed, a single wg tunnel can (optionally) be used to access all of the machines.

You're not the first person who gets stuck on the additional subnet and "just wants an address on the subnet." That's not how things work. Even if you use a layer 2 tunnel (which is more or less exactly like having an additional ethernet card in the computer,) you still will have to set up proper routing. Believe me, this is easier.

EDIT: IP typo.

All working now! I’ll have to see if the programmers have a problem with their IP being in a different subnet than the LAN. But I'll cross that bridge when it happens. Siemens is weak in their NIC implementation so we’ll see what happens.

Thank you to all!

Glad it works!

I've been around this block a couple of times. Generally, the programming software doesn't mind having their own address in another subnet and/or having an IP level routed connection. This is mostly because of the prevalence of VPNs and address translation devices (1:1 NAT, NATR, etc.).

If this does pose a problem, the PC's address can actually be chosen from the target subnet, it just requires setting up proxy-arp. This does not meaningfully impact anything, but it does make the setup a little bit less honest.

What will not work in these situations is the various auto-discovery features, like connecting to the devices when they have no address assigned or connect to them based only on their MAC addresses. Auto-enumeration will also not work. This is a common property of all of the above configurations.

Some other suggestions, if you don't mind, just while you're at it, and if you have some time to spare around this:

  • You should really think about your topology. I don't know if you have a plan yet, but it sounds like you're going to use one router per machine. This is totally fine. Just be aware that a single router can be used for several, or even all machines, and (depending on things like physical configuration) may be easier to maintain. Of course, more routers means more redundancy. If you really have the amount of machines you say, just know that it's perfectly acceptable to "add" ports to your device with a managed switch.
  • You should really use the same version of RouterOS on your routers. Choose one that you're happy with and deploy all of them with the same. New features get introduced, which tweak the way things have to be configured. This ultimately has little effect on a basic config, but having various "random" versions around can definitely cause headaches. Currently, I would choose the 7.20.8 long-term version. This has the best chance of only containing bug fixes and no new features.
  • Familiarize yourself with the commands /export show-sensitive file=mylittlexpost.rs and the Files->Backup feature which create text-based and binary backups of your router configuration which can then be shipped off of the router and stored in a safe place.
  • If you have a newer device with at least 128MB of flash memory, Mikrotiks support a very useful "partitioning" feature, where the storage is split in two (or 4, etc.) pieces, with each of them having a full RouterOS install, configuration, etc., and it can be chosen freely which one to boot at any given time. This enables having an entire backup of the device on the device itself. Very useful for working on the router, because rolling back to the known-good configuration couldn't be simpler. You should partition your device to have two partitions right from the start. This will lead you to device-mode (a feature that was introduced to disable some features of the router in order to protect them from becoming harmful parts of a botnet.) Specifically, to enable partitions, you'll have to issue the command /system/device-mode/update partitions=yes after which the device has to be power cycled (the power cord yanked) within a given time to confirm the setting. You should also familiarize yourself with the other device mode restrictions, and which ones you want to remove.

Another fun fact is that multiple users can't simultaneously use the same wireguard configuration. This is a limitation of the (bare) wireguard protocol itself. This means that if you have multiple people programming these devices, a single wireguard configuration may be shared between them, but only one of them may be active at any given time.

This is due to two things. One is that the wireguard configuration (and peer setting) has the 172.22.0.11 IP address, and more than one client can't share it. The second is that wireguard identifies the different clients by their cryptographic keys. Therefore, for each new connection, you'll have to have:

  • a separate client-side configuration with its own IP address and private key. The peer public key remains the same.
  • a separate wireguard->peer entry on the router, with the distinct ip address and the public key corresponding to the private key in the client-side configuration.

All great ideas, Thank You!

I should get this one installed on a machine next week to proof it out and then think about the others.

Have a great week!