Wireguard generate Preshared key

Good morning

I am setting up a WireGuard tunnel. The tunnel is working as expected, but I would like to add an extra layer of security by using a preshared key.

This preshared key has to be a 256-bit symmetric encryption key, following the WireGuard documentation. How can I generate such a key in RouterOS without using 3rd-party tools?

When I install a WireGuard server on Debian (or any other Linux distro), it comes with the command “wg genpsk” to generate such keys. However, I cannot find the equivalent on RouterOS.

Thank you in advance for your help.

RouterOS doesn’t seem to have any generator for that. You could probably just create a temporary WG interface and take its generated key to use as a pre-shared key elsewhere. It’s the same size and format. It won’t have the ideal cryptographic randomness, but I can’t tell how big a problem it could be.

I see the WG Peer allows creating a preshared key, but when I enter the key and press Apply, it gives the error “Couldn’t add New Wireguard Peer - invalid preshared key (6)”

How can I make this preshared key without having to use the Private Key & Public Key automatically generated by WG?

Please help! Thanks!

You can’t use any random string. It’s supposed to be exactly a 256-bit key (32 bytes) encoded using the base64 algorithm. It looks the same as the Public Key in your screenshot. If you don’t have anything better, Google found this: https://www.wireguardconfig.com/ It says that no info leaves your browser, but I didn’t verify that.

Thank you very much!

I used a Linux machine (or Windows Debian, or Mac CLI…).

# Create Preshared Key
> wg genpsk
KH8nrvx0cuczwE3R56qH5/vyLyHAEBv0QwogCA50ZjU=

# Create keys, first is private key, then public key
> wg genkey | tee /dev/tty | wg pubkey
+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=
7+C0DcBwtIozJXrZ7tjIbDRbtfgwRVnC/MPBmwe3Rms=

For the preshared key, RouterOS seems to have “Preshared Key = auto”, where ROS (now tested on RouterOS 7.14.1) generates one for you.

For less unixy titityyyy-people, you can create the private key first. Then you can feed the private key to extract its partnering public key:

# Create private key
> wg genkey 
+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=

# Create public key
echo "+PENj+zzPfIsTmc35JMPqCEfNzJD56ecPgh8C+ol8GE=" | wg pubkey
7+C0DcBwtIozJXrZ7tjIbDRbtfgwRVnC/MPBmwe3Rms=

No need for any other Linux box, just do it all in the RouterOS command line:

/interface/wireguard/peers/add interface=YOUR_WG_IF  private-key="auto" preshared-key="auto" allowed-address=YOUR_CLIENT_IP/32

I spent some time in the last few days reading many forum posts and trying to have a basic understanding of the capabilities of the RouterOS, after - while looking for a possible better solution to my current failover setup (none or manual/caveman) - I learned from posts and links by Sob on this thread:

.. If someone gets here, trying to find a way to generate a pre-shared key:

:global psk [:convert [:rndstr length=32] to=base64]

It generates a string that can be used as a pre-shared key.
If changed while the connection is in use, it won’t immediately break the connection. (ROS 7.19.1)
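
An added example, not from any poster in this thread: a Python check for what the replies describe (a key must be exactly 32 bytes, base64-encoded), plus a generator that produces the same format as `wg genpsk`. The function names are hypothetical, and the letters-and-digits alphabet used to flag keys built from text (such as `:rndstr` output) is an assumption about that command's default character set.

```python
import base64
import binascii
import math
import secrets
import string

KEY_LEN = 32  # a WireGuard preshared key is 256 bits = 32 raw bytes
# Assumption: text-based generators such as :rndstr draw from letters and digits.
ALNUM = (string.ascii_letters + string.digits).encode()


def generate_psk() -> str:
    """Same format as `wg genpsk`: 32 bytes from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(KEY_LEN)).decode("ascii")


def check_psk(text: str) -> tuple[bool, str]:
    """Return (usable, reason) for a candidate preshared key string."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False, "not valid base64"
    if len(raw) != KEY_LEN:
        return False, f"decodes to {len(raw)} bytes, need {KEY_LEN}"
    if raw == bytes(KEY_LEN):
        return False, "all-zero key, which WireGuard treats as no preshared key"
    if all(b in ALNUM for b in raw):
        # Text wrapped in base64: each byte has 62 possible values, not 256.
        bits = int(KEY_LEN * math.log2(len(ALNUM)))
        return True, f"valid, but made from letters/digits: about {bits} bits of entropy"
    return True, "valid"


if __name__ == "__main__":
    samples = [
        "KH8nrvx0cuczwE3R56qH5/vyLyHAEBv0QwogCA50ZjU=",  # wg genpsk output quoted above
        "my secret passphrase",                          # constructed: arbitrary text
        base64.b64encode(b"aB3dE5gH7jK9mN1pQ2rS4tU6vW8xY0zA").decode(),  # constructed
        generate_psk(),
    ]
    for s in samples:
        print(s, "->", check_psk(s))
```
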