RouterOS v7 Wireguard Inbound Tunnel

7th March 2021

Recently I've swapped out my old router for a MikroTik hEX RB750Gr3 (buy using my amazon link, thanks :) ), as I wanted more control & visibility of my home network traffic. Switching to a MikroTik router isn't for the faint-hearted; they're not plug and play. You have to configure everything. As I've got some networking experience (configuring linux firewalls, making network cables, configuring switches, etc.) I thought I would give it a go and try something new. I highly recommend you get one and have a play, they are really good fun.

One of the first things I did was to upgrade to RouterOS v7, to make use of the new Wireguard support (at the time of writing RouterOS v7 is still in its development beta phase). I'm a big fan of Wireguard ever since I switched to Algo VPN (a roll your own VPN); it's lightweight, easy to use and really quick to set up. To be fair, Algo VPN does all of the Wireguard configuration for you, so all you need to do is scan a QR code and you're done! Anyway, I thought I would set up an inbound Wireguard endpoint for my home router, so I can connect back and keep an eye on things on the go.

Hopefully this guide will help you set up your own inbound Wireguard endpoint so you can connect back to your home/office network from anywhere.

  1. Create the Wireguard interface
/interface wireguard 
add comment="Inbound" listen-port=13233 name=wg_inbound
  2. Add a peer

    • On your peer device, generate a public and private key and enter the public key in the command below
    • Generate a preshared key by running wg genpsk (brew install wireguard-tools), save this on your device and enter it in the command below
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="Inbound Device" interface=wg_inbound preshared-key="<PRESHARED KEY>" public-key="<PEER PUBLIC KEY>"
  3. Allow UDP traffic to your new wg_inbound interface from your WAN
/ip firewall filter
add action=accept chain=input comment="Inbound Wireguard" dst-port=13233 in-interface=<WAN-INTERFACE> protocol=udp

Remember to move your rule above any DROP actions in the input chain, otherwise the handshake packets never reach the interface.

  4. Set up an IP range for the Wireguard peers on your network and add the interface to the LAN interface list.
/ip address
add address=10.51.0.1/24 interface=wg_inbound network=10.51.0.0
/interface list member
add interface=wg_inbound list=LAN
  5. Set up your peer

    • Set the IP address to 10.51.0.2/32
    • Enter your endpoint (public IP) and port (use MikroTik's DDNS)
    • Set the allowed IPs to 0.0.0.0/0 to route all traffic back to your router
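A small Python helper, added here and not part of the original post, that keeps the router-side settings from steps 1 to 4 and the peer's tunnel address in one place, sanity-checks them (key format, peer address a /32 inside the tunnel subnet) and then renders the RouterOS commands; the WAN interface name ether1 and the keys used in any call are constructed placeholders. It departs from the post in one place: allowed-address on the router is the peer's /32 rather than 0.0.0.0/0, because on the router that field is the set of source addresses accepted from the peer.

```python
import base64
import ipaddress
from dataclasses import dataclass

@dataclass
class TunnelPlan:
    wan_interface: str    # RouterOS WAN interface name, e.g. "ether1" (assumed)
    listen_port: int      # UDP port the router listens on
    router_address: str   # router tunnel address with prefix, e.g. "10.51.0.1/24"
    peer_address: str     # peer tunnel address, e.g. "10.51.0.2/32"
    peer_public_key: str  # generated on the peer device (wg genkey | wg pubkey)
    preshared_key: str    # wg genpsk, entered on both sides

def is_wg_key(value: str) -> bool:
    # A WireGuard key is 32 raw bytes, base64-encoded (44 characters).
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_plan(plan: TunnelPlan) -> list:
    # Returns the problems found; an empty list means the plan is consistent.
    problems = []
    for name, key in (("public", plan.peer_public_key), ("preshared", plan.preshared_key)):
        if not is_wg_key(key):
            problems.append(f"peer {name} key is not a base64-encoded 32-byte key")
    router = ipaddress.ip_interface(plan.router_address)
    peer = ipaddress.ip_interface(plan.peer_address)
    if peer.network.prefixlen != 32:
        problems.append("peer address should be a single /32 host")
    elif peer.ip not in router.network or peer.ip == router.ip:
        problems.append("peer address must be a free host in the router's Wireguard subnet")
    return problems

def routeros_script(plan: TunnelPlan) -> str:
    # Renders the RouterOS commands from the steps above; run check_plan first.
    net = ipaddress.ip_interface(plan.router_address).network.network_address
    return "\n".join([
        "/interface wireguard",
        f'add comment="Inbound" listen-port={plan.listen_port} name=wg_inbound',
        "/interface wireguard peers",
        # allowed-address on the router filters this peer's source addresses: its /32, not 0.0.0.0/0
        f'add allowed-address={plan.peer_address} comment="Inbound Device" interface=wg_inbound '
        f'preshared-key="{plan.preshared_key}" public-key="{plan.peer_public_key}"',
        "/ip firewall filter",
        f'add action=accept chain=input comment="Inbound Wireguard" dst-port={plan.listen_port} in-interface={plan.wan_interface} protocol=udp',
        "/ip address",
        f"add address={plan.router_address} interface=wg_inbound network={net}",
        "/interface list member",
        "add interface=wg_inbound list=LAN",
    ])
```

Paste the rendered script into the RouterOS terminal, then move the accept rule above any drop rules in the input chain as the post says.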

(Screenshot: Wireguard peer configuration on iOS)

You should now be able to connect back to home/office LAN via a Wireguard tunnel.

If you get stuck, remember you can use the MikroTik Torch to inspect packets and connections.

Good luck.