
WireGuard Remote MikroTik Management

Set up a WireGuard VPS server, configure a MikroTik client, route the LAN subnet, and harden the tunnel for reliable remote access.

Summary

WireGuard pairs a Linux VPS as the rendezvous point with one or more MikroTik routers as peers, giving you stable remote management through a UDP tunnel that survives CGNAT, dynamic IPs, and most ISP-side weirdness. This guide configures the VPS server, the MikroTik client (RouterOS v7), the routing that lets you reach the LAN behind the router from the VPS side, and the security hardening that keeps the tunnel safe over time.

How does WireGuard enable remote MikroTik management?

WireGuard is a Layer-3 VPN built around current cryptographic primitives (Curve25519 for key agreement, ChaCha20-Poly1305 for authenticated encryption) and a tiny auditable codebase. For MikroTik remote management, the typical topology is a small Linux VPS acting as a stable, always-online rendezvous point, with one or more MikroTik routers (running RouterOS v7) connecting outbound to the VPS as peers. Because WireGuard is UDP-based and the routers initiate the tunnel outbound, the topology works the same way whether the routers sit on a real public IP, behind NAT, or behind CGNAT.

Once the tunnel is up, the VPS holds the routes that let you reach each router’s LAN through its WireGuard IP. From an admin laptop connected to the VPS (or to the WireGuard network itself), every site is reachable as if it were on a private LAN — and there is no exposed Winbox or WebFig port on the customer router for an attacker to find.

Why use WireGuard for MikroTik remote access?

WireGuard wins on five practical dimensions that matter for fleet management: high throughput with low CPU use even on small routers, a minimal auditable codebase that has had far fewer CVEs than OpenVPN, simple per-peer config files that diff cleanly under version control, native cross-platform support (Linux, Windows, macOS, Android, iOS, RouterOS v7+), and clean behavior under NAT and CGNAT because its handshake tolerates endpoint address changes, so a peer can roam without renegotiating. The downside is that WireGuard does not have an OpenVPN-style certificate revocation infrastructure — you manage trust by adding and removing peer entries directly, which means peer management at scale requires either a small control plane or scripting.

Step 1: Install WireGuard on the VPS (Ubuntu)

apt update && apt install -y wireguard

Step 2: Generate server keys

wg genkey | tee /etc/wireguard/privatekey | wg pubkey > /etc/wireguard/publickey

The private key stays on the VPS. The public key gets pasted into the MikroTik peer configuration.

Step 3: Create the server config

/etc/wireguard/wg0.conf:

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>
SaveConfig = true

[Peer]
PublicKey = <mikrotik_public_key>
AllowedIPs = 10.8.0.2/32

Add one [Peer] block per MikroTik router, each with a unique tunnel IP under AllowedIPs.

Step 4: Start the tunnel and open the firewall

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
ufw allow 51820/udp

(Adapt the firewall command to nftables or iptables as appropriate for the VPS distribution.) Use a non-standard UDP port if you want to dodge automated internet scans.

Step 5: Configure the MikroTik as a WireGuard peer

RouterOS v7 has built-in WireGuard support — no add-on packages needed. Open a Winbox terminal:

/interface wireguard add name=wg-vps listen-port=51820 private-key="<mikrotik_private_key>"
/interface wireguard peers add interface=wg-vps \
public-key="<server_public_key>" \
endpoint-address=<VPS_IP> \
endpoint-port=51820 \
allowed-address=10.8.0.0/24 \
persistent-keepalive=25
/ip address add address=10.8.0.2/24 interface=wg-vps

allowed-address on the MikroTik side lists the addresses the router will accept from and send to this peer, so it must cover the VPS tunnel address 10.8.0.1; 10.8.0.0/24 also lets the router reach other sites through the VPS. Setting it to the router's own address (10.8.0.2/32) would make the router discard every packet the VPS sends.

persistent-keepalive=25 is the small but important detail — it keeps NAT mappings alive on the WAN-side router so the tunnel doesn’t quietly drop after a few minutes of idle.

Check status:

/interface/wireguard/print
/interface/wireguard/peers/print

When the peer shows handshake activity and last-handshake is recent (within the keepalive interval), the tunnel is up.

Step 6: Route to LAN devices behind the MikroTik

To reach the LAN behind the MikroTik (say 192.168.88.0/24) from the VPS:

On the VPS, first extend that router's [Peer] entry so that AllowedIPs = 10.8.0.2/32, 192.168.88.0/24. WireGuard's cryptokey routing only forwards a packet to the peer whose AllowedIPs covers its destination, so without this the route below is silently dropped. Then add the route (wg-quick also installs it when the interface is restarted):

ip route add 192.168.88.0/24 via 10.8.0.2

On the MikroTik, add an srcnat masquerade rule so return traffic finds its way back through the tunnel:

/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
out-interface=wg-vps action=masquerade

Now LAN services behind the MikroTik are reachable from the VPS, and from any other peer the VPS knows about, through the WireGuard tunnel. Only expose networks you control, and use firewall rules to limit which hosts and ports are reachable across the tunnel. For the client-side variant of this setup (the MikroTik as a VPN client to a commercial provider rather than as a peer to your own VPS), see our WireGuard client tutorial.

Security hardening

  • Unique keypair per device. Never reuse keys across MikroTiks. Generating a new pair takes seconds and dramatically simplifies revocation.
  • Tight AllowedIPs. Set AllowedIPs to the minimum needed (10.8.0.2/32 for a single router, plus the LAN if routing through). Wider ranges open the door to peer-to-peer traffic between sites that may not be desired.
  • Firewall the WireGuard port. Even though WireGuard rejects invalid traffic silently, having 51820/udp open to the whole internet is unnecessary. Restrict by source IP if your administration workflow allows it.
  • Revoke lost devices. Remove the [Peer] entry from the VPS config and restart the tunnel. The router can no longer connect.
  • Monitor handshakes. A tunnel that hasn’t handshaked in 24 hours is broken — usually a key rotation desync or a routing change.

Rotate keys periodically as part of your standard credential rotation. Store private keys with the same discipline you use for SSH host keys. For fleets of more than 10–20 routers, plan a small control-plane workflow for peer creation rather than editing the VPS config by hand.
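An added audit script (not part of the original guide) for the VPS side of this setup: it parses the output of `wg show wg0 dump`, flags peers that have not handshaked within 24 hours, and confirms that the LAN prefix routed in Step 6 is covered by exactly one peer's AllowedIPs, since cryptokey routing silently drops any destination no peer claims. The dump text, key names and addresses are constructed placeholders; on a real VPS, feed the output of `wg show wg0 dump` to parse_dump instead.

```python
"""Audit WireGuard peers from `wg show wg0 dump` output (added example).

Checks the two things this guide depends on: every peer has handshaked
recently (the 24-hour rule) and the Step 6 LAN prefix is claimed by
exactly one peer's AllowedIPs.
"""
import ipaddress
import time

# Constructed sample of `wg show wg0 dump` (tab-separated). Line 1 is the
# interface; each later line is one peer: public key, preshared key,
# endpoint, allowed-ips, latest-handshake (epoch, 0 = never), rx, tx,
# keepalive. Keys and addresses are placeholders, not real values.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "SERVER_PRIV\tSERVER_PUB\t51820\toff",
    f"ROUTER_A_PUB\t(none)\t203.0.113.10:41000\t10.8.0.2/32,192.168.88.0/24\t{NOW - 90}\t1200\t3400\t25",
    f"ROUTER_B_PUB\t(none)\t198.51.100.7:41001\t10.8.0.3/32\t{NOW - 30 * 3600}\t0\t0\t25",
    "ROUTER_C_PUB\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\t25",
])

def parse_dump(text):
    """Return {public_key: (allowed_ips networks, latest_handshake epoch)} per peer."""
    peers = {}
    for line in text.splitlines()[1:]:          # skip the interface line
        fields = line.split("\t")
        if len(fields) < 8:
            continue
        allowed = [ipaddress.ip_network(p) for p in fields[3].split(",") if p != "(none)"]
        peers[fields[0]] = (allowed, int(fields[4]))
    return peers

def stale_peers(text, now=None, max_age=24 * 3600):
    """Public keys whose last handshake is older than max_age or never happened."""
    now = time.time() if now is None else now
    return sorted(k for k, (_, hs) in parse_dump(text).items()
                  if hs == 0 or now - hs > max_age)

def peers_covering(text, prefix):
    """Peers whose AllowedIPs contain `prefix`; routing works only if exactly one does."""
    net = ipaddress.ip_network(prefix)
    return sorted(k for k, (allowed, _) in parse_dump(text).items()
                  if any(net.subnet_of(a) for a in allowed if a.version == net.version))

if __name__ == "__main__":
    print("stale peers:", stale_peers(SAMPLE_DUMP, now=NOW))
    print("192.168.88.0/24 via:", peers_covering(SAMPLE_DUMP, "192.168.88.0/24"))
```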

Compared with other VPN options

Solution  | Base                      | Performance | Setup ease | Best for
----------|---------------------------|-------------|------------|---------------------------------------
WireGuard | Kernel VPN                | Very high   | Simple     | Modern high-performance management
OpenVPN   | TLS/OpenSSL               | Medium      | Complex    | Legacy devices, PKI-heavy environments
Tailscale | WireGuard + control plane | High        | Very easy  | Teams, identity-based access
ZeroTier  | Custom mesh               | High        | Easy       | Flexible mesh topologies

For broader remote-management options, see our guides to VPS-based MikroTik management and SSTP remote management.

Take the next step

A single WireGuard tunnel between a VPS and one MikroTik is straightforward. Managing keys, peer entries, and routing tables across dozens or hundreds of routers — with the inevitable churn as keys rotate and customers move — is where the operational cost piles up.

MKController’s NATCloud removes the manual tunnel plumbing entirely. Each MikroTik comes online over an outbound tunnel to the control plane with no per-device key babysitting, no VPS config edits, and no scripts to maintain. You get centralized monitoring, secure remote access, and a much simpler onboarding flow than rolling your own WireGuard infrastructure.
