After a lot of wrangling and help from anav I have come up with this simplified wireguard Mikrotik config specifically for a “VPN provider” scenario, NOT road warrior, and NOT site to site. I am going to call it “Cosmic Mikrotik Wireguard” so it will be easy to find with an internet search engine. NOTE: This is recommended to be done on a router with a fresh reset configuration.
/interface wireguard
add name="wireguard-VPN" mtu=1420 listen-port=51820 \
private-key="INSERT YOUR PRIVATE KEY HERE"
/ip address
add address=YOUR.INTERFACE.ADDRESS/24 interface=wireguard-VPN network=YOUR.INTERFACE.NETWORK
#EXAMPLE: If your interface is 192.168.1.1 then your interface network would be 192.168.1.0
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-dns=YOUR.VPN.DNS.SERVER \
disabled=no endpoint-address=YOUR.ENDPOINT.ADDRESS endpoint-port=YOUR ENDPOINT PORT interface=\
wireguard-VPN name=wireguard-VPN-interface persistent-keepalive=25s \
public-key=\
"INSERT YOUR PUBLIC KEY HERE"
/ipv6 settings set disable-ipv6=yes
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop
/ip dhcp-server network remove 0
/ip dhcp-server network
add address=YOUR.LAN.SUBNET/24 dns-server=YOUR.VPN.DNS.SERVER gateway=YOUR.LAN.GATEWAY
/ip dns static remove 0
/ip dns
set allow-remote-requests=no servers=YOUR.VPN.DNS.SERVER
/routing table
add disabled=no fib name=wireguard-VPN-table
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=wireguard-VPN \
routing-table=wireguard-VPN-table suppress-hw-offload=no
#NOTE: the gateway is the WireGuard interface name (wireguard-VPN), not the peer name
/routing rule
add action=lookup-only-in-table dst-address=YOUR.LAN.SUBNET/24 table=main
add action=lookup-only-in-table src-address=YOUR.LAN.SUBNET/24 table=wireguard-VPN-table
/ip firewall nat remove 0
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wireguard-VPN \
src-address=YOUR.LAN.SUBNET/24
#NOTE: out-interface is the WireGuard interface name (wireguard-VPN), not the peer name
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=YOUR.ENDPOINT.ADDRESS endpoint-port=YOUR ENDPOINT PORT interface=\
wireguard-VPN name="Name of 3rd party provider & location" persistent-keepalive=25s \
public-key="INSERT YOUR PUBLIC KEY HERE"
/ip dhcp-server network remove 0 < ---- Remove this line, not sure why it's here???
/ip dns static remove 0 < ---- Remove this line, not sure why it's here???
/ip dns
set allow-remote-requests=no servers=1.1.1.1,8.8.8.8 { add if ISP default DNS is not used, to ensure the router has the ability to reach external DNS for the handshake }
/ip route
add dst-address=0.0.0.0/0 gateway=ISP-gateway-IP routing-table=main { add if ISP default route is not selected }
add dst-address=0.0.0.0/0 gateway=wireguard-VPN routing-table=wireguard-VPN-table
/ip firewall nat remove 0 < ---- Remove this line, not sure why it's here???
/ip firewall nat
add action=masquerade chain=srcnat out-interface=etherX (or pppoe-out1 etc.) { router requires a route to establish handshake }
add action=masquerade chain=srcnat out-interface=wireguard-VPN { source address is not required, not a firewall or routing function }
Note: If having trouble with remote websites, then consider adding
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard-VPN protocol=tcp tcp-flags=syn tcp-mss=1381-65535
Anav, I think some people will still use the web interface as opposed to using Winbox, so I included those remove commands in order to clear out those config items in the scenario where they may have made initial IP configurations.
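Added example, not from either post above: the original config with anav's corrections folded into one script, so the thread can be followed end to end. The route gateway and NAT out-interface refer to the WireGuard interface name (wireguard-VPN) rather than the peer name, the router's own resolver stays on public DNS via the ISP so the endpoint can be reached before the tunnel is up, and the `lookup-only-in-table` rules act as a kill switch: if the tunnel drops, LAN traffic has no route to fall back to rather than leaking out the ISP. Assumptions are labelled in the comments: `ether1` is taken to be the WAN interface, the peer name `provider-peer`, the forward-chain drop rule (a second leak guard) and the verification commands at the end are mine, and every CAPITALISED placeholder is something you replace.

```routeros
# Added example (not the thread's own config): OP's script with anav's fixes applied.
# Assumptions: ether1 is the WAN interface; CAPITALISED values are placeholders.
/interface wireguard
add name=wireguard-VPN mtu=1420 listen-port=51820 private-key="INSERT YOUR PRIVATE KEY HERE"
/interface wireguard peers
add interface=wireguard-VPN name=provider-peer allowed-address=0.0.0.0/0 \
    endpoint-address=YOUR.ENDPOINT.ADDRESS endpoint-port=YOUR_ENDPOINT_PORT \
    persistent-keepalive=25s public-key="INSERT PROVIDER PUBLIC KEY HERE"
/ip address
add address=YOUR.INTERFACE.ADDRESS/24 interface=wireguard-VPN

# Router's own resolver uses public DNS over the ISP path so the endpoint
# can be resolved and the handshake completed before the tunnel exists (anav's point).
/ip dns set allow-remote-requests=no servers=1.1.1.1,8.8.8.8
# LAN clients receive the provider's DNS via DHCP, so their lookups ride the tunnel.
/ip dhcp-server network
add address=YOUR.LAN.SUBNET/24 gateway=YOUR.LAN.GATEWAY dns-server=YOUR.VPN.DNS.SERVER

/ipv6 settings set disable-ipv6=yes
/ipv6 firewall filter
add chain=input action=drop
add chain=forward action=drop

# Separate routing table whose default route points at the WireGuard *interface*
# (the gateway is the interface name, not the peer name).
/routing table add name=wireguard-VPN-table fib
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard-VPN routing-table=wireguard-VPN-table
# Only if the ISP default route is not already in main (anav's note):
# add dst-address=0.0.0.0/0 gateway=ISP.GATEWAY.IP routing-table=main

# lookup-only-in-table = kill switch: LAN-sourced traffic is resolved only in the
# VPN table, so with the tunnel down it is dropped instead of leaking via main.
# LAN-to-LAN destinations stay in main so local traffic is unaffected.
/routing rule
add action=lookup-only-in-table dst-address=YOUR.LAN.SUBNET/24 table=main
add action=lookup-only-in-table src-address=YOUR.LAN.SUBNET/24 table=wireguard-VPN-table

# WAN masquerade lets the router itself reach the endpoint; tunnel masquerade
# covers the LAN (source address not needed, per anav).
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
add chain=srcnat action=masquerade out-interface=wireguard-VPN

# Second leak guard (my addition, not in the thread): even if a later routing
# change sends LAN traffic toward the WAN, the forward chain drops it.
/ip firewall filter
add chain=forward src-address=YOUR.LAN.SUBNET/24 out-interface=ether1 \
    action=drop comment="LAN must not bypass the VPN"

# MSS clamp for the 1420-byte tunnel MTU (anav's note): 1420 - 40 = 1380
/ip firewall mangle
add chain=forward action=change-mss new-mss=1380 protocol=tcp tcp-flags=syn \
    out-interface=wireguard-VPN tcp-mss=1381-65535

# Checks: a recent last-handshake and growing rx/tx mean the tunnel is up;
# the VPN table's default route should show wireguard-VPN as reachable.
/interface wireguard peers print detail
/ip route print where routing-table=wireguard-VPN-table
/routing rule print
```

Put the forward-chain drop rule before any rule that accepts new LAN-to-WAN connections (on a default-config firewall the established/related accept comes first, so new SYNs still reach the drop). To confirm there is no leak, take the peer offline (`/interface wireguard peers disable provider-peer`) and check from a LAN host that outbound connections fail rather than appearing from the ISP address.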