
Published June 7, 2026

VPN on a MikroTik Router: WireGuard Setup in RouterOS 7 (Step by Step)

A complete guide to configuring a WireGuard client on MikroTik (RouterOS 7) from a Fiery config: interface, peer, addresses, allowed-ips, route, firewall and NAT, giving you a VPN for the whole home.

To run a VPN on a MikroTik router, RouterOS 7 needs a WireGuard interface, a peer built from your Fiery config, a tunnel address, a route, and a single NAT (masquerade) rule. Once that's in place, all traffic from your home network goes through the VPN with no app on each device. Below are the exact RouterOS 7 commands and an explanation of every parameter.

In short: create a /interface wireguard, add a peer with the server's public key, the endpoint, and allowed-address=0.0.0.0/0, assign the tunnel address from the config, add a default route via WireGuard, and add a masquerade rule under NAT. For specific devices, use mangle plus a separate routing table. If your ISP blocks plain WireGuard, it will not work on the router either; then you need an obfuscated protocol (AmneziaWG) on a separate device or mini-PC.

What you'll need

  • A MikroTik router on RouterOS 7 (WireGuard exists only in 7.x; check the version under System → Packages or with /system resource print).
  • A ready WireGuard config from Fiery: a .conf text file issued by the bot @fiery_VPN_bot or the mini-app.
  • Access to the router via WinBox, the web UI (WebFig), or the terminal (SSH). The commands below are for the terminal β€” paste them into WinBox's New Terminal window.

How to read the Fiery config

Open the .conf file; it has two sections. The [Interface] section holds PrivateKey (your client's private key) and Address (the tunnel address, e.g. 10.0.0.5/32). The [Peer] section holds PublicKey (the server's public key), Endpoint (server IP and port), AllowedIPs (usually 0.0.0.0/0), and sometimes PresharedKey. These are the values we'll move into RouterOS.

Step 1. Create the WireGuard interface

The interface is the tunnel's virtual network adapter. RouterOS will generate a key pair on creation, but we need the private key from the Fiery config, so we set it explicitly.

  • /interface wireguard add name=wg-fiery listen-port=13231 private-key="YOUR_PRIVATEKEY_FROM_INTERFACE"

Here name=wg-fiery is arbitrary, and for an outbound client listen-port can be anything (it doesn't have to match the server port). Paste the private-key exactly as it appears in [Interface], including the trailing =.

Step 2. Assign the tunnel address

Take the Address value from the config (e.g. 10.0.0.5/32) and attach it to the new interface. This is the router's address inside the VPN network.

  • /ip address add address=10.0.0.5/32 interface=wg-fiery

Step 3. Add the peer (the Fiery server)

The peer describes the server the router connects to. Move PublicKey, Endpoint, and AllowedIPs from the [Peer] section here.

  • /interface wireguard/peers add interface=wg-fiery public-key="SERVER_PUBLICKEY" endpoint-address=SERVER_IP endpoint-port=PORT allowed-address=0.0.0.0/0 persistent-keepalive=25s

Parameter by parameter:

  • public-key: the server's public key (the PublicKey field in [Peer]).
  • endpoint-address and endpoint-port: the config's Endpoint split into host and port (e.g. 203.0.113.10 and 51820).
  • allowed-address: which traffic enters the tunnel. 0.0.0.0/0 means "the whole internet through the VPN." To route only some networks, list them here instead.
  • persistent-keepalive=25s: a ping every 25 seconds so the connection doesn't go stale behind the ISP's NAT.

If the config includes a PresharedKey, add preshared-key="VALUE" to the command.

Step 4. Add the route for the whole home

An important RouterOS 7 detail: even with allowed-address=0.0.0.0/0, the router does not add a default route automatically (unlike a phone app). You must create the route yourself. To avoid locking yourself out of the router and to avoid looping traffic destined for the server, it's cleanest to leave the ISP's main gateway in place and add routes carefully.

The simplest "all traffic into the VPN" approach is a default route via the interface with a better (lower) distance than the ISP's. Check the distance of the existing default route first (/ip route print); the new route only wins if its distance is strictly lower, so if both would be equal, adjust one of them:

  • /ip route add dst-address=0.0.0.0/0 gateway=wg-fiery distance=1

So that packets to the VPN server itself still go through the ISP (otherwise the tunnel would eat itself), add a separate route to the server address via your WAN gateway:

  • /ip route add dst-address=SERVER_IP/32 gateway=YOUR_WAN_GATEWAY distance=1

You can find the WAN gateway with /ip route print where dst-address=0.0.0.0/0 (the value in the gateway column that existed before the VPN setup).

Step 5. Firewall and NAT (masquerade)

For LAN devices to reach the internet through the tunnel, you need NAT masquerading on the WireGuard interface:

  • /ip firewall nat add chain=srcnat out-interface=wg-fiery action=masquerade

Also make sure the firewall passes established connections and the WireGuard traffic itself. On stock firmware the default rules plus a forward allow for the LAN are enough. If you configured the firewall manually, add:

  • /ip firewall filter add chain=forward action=accept connection-state=established,related
  • /ip firewall filter add chain=forward in-interface=bridge out-interface=wg-fiery action=accept (replace bridge with your LAN interface or bridge name)
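The following converter is an added example, not code from the original page or from Fiery: it parses a .conf in the layout described under "How to read the Fiery config" and produces the Step 1 to 5 commands, emitting the server /32 route before the default route and rejecting an Endpoint that is a hostname rather than the literal IP this guide assumes. The sample config, its keys, and the WAN gateway 192.0.2.1 are constructed placeholders.

```python
import ipaddress

# Constructed sample in the Fiery .conf layout; the keys are placeholders, not real key material.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
Address = 10.0.0.5/32

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""

def parse_wg_conf(text):
    """Parse [Interface]/[Peer] into dicts; split on the first '=' only so base64 keys keep their trailing '='."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def routeros_commands(conf_text, wan_gateway, name="wg-fiery", lan="bridge"):
    """Build the Step 1-5 commands; KeyError on a missing field, ValueError if Address/Endpoint is not a literal IP."""
    cfg = parse_wg_conf(conf_text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    host, _, port = peer["Endpoint"].rpartition(":")
    ipaddress.ip_interface(iface["Address"])          # e.g. 10.0.0.5/32
    server_ip = ipaddress.ip_address(host.strip("[]"))  # the guide assumes an IP endpoint, not a hostname
    peer_cmd = (f'/interface wireguard/peers add interface={name} public-key="{peer["PublicKey"]}" '
                f'endpoint-address={server_ip} endpoint-port={int(port)} '
                f'allowed-address={peer.get("AllowedIPs", "0.0.0.0/0")} persistent-keepalive=25s')
    if "PresharedKey" in peer:                        # only some configs carry one
        peer_cmd += f' preshared-key="{peer["PresharedKey"]}"'
    return [
        f'/interface wireguard add name={name} listen-port=13231 private-key="{iface["PrivateKey"]}"',
        f'/ip address add address={iface["Address"]} interface={name}',
        peer_cmd,
        # the server /32 via the ISP goes in before the default route so the tunnel never routes to itself
        f'/ip route add dst-address={server_ip}/32 gateway={wan_gateway} distance=1',
        f'/ip route add dst-address=0.0.0.0/0 gateway={name} distance=1',
        f'/ip firewall nat add chain=srcnat out-interface={name} action=masquerade',
        '/ip firewall filter add chain=forward action=accept connection-state=established,related',
        f'/ip firewall filter add chain=forward in-interface={lan} out-interface={name} action=accept',
    ]
```

Print the returned list with "\n".join(...) and paste it into WinBox's New Terminal; the commands are the same ones listed in Steps 1 to 5 with your values filled in.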

Verifying the connection

Run /interface wireguard/peers print; you should see a recent last-handshake time and growing rx/tx counters. If there's no handshake, double-check the keys and endpoint, and make sure the server port isn't blocked by your ISP. From a device on the network, open an IP-checker site, which should show the Fiery location's address.

Optional: VPN for specific devices only

Often you want only the TV or one laptop through the VPN while the rest of the network stays direct. In that case, instead of a default route via WireGuard, use policy-based routing: mark the target devices' traffic in mangle and send it to a separate routing table.

  1. Create a table: /routing table add name=via-vpn fib
  2. A route in that table via the tunnel: /ip route add dst-address=0.0.0.0/0 gateway=wg-fiery routing-table=via-vpn
  3. Mark the device's traffic by its IP: /ip firewall mangle add chain=prerouting src-address=192.168.88.50 action=mark-routing new-routing-mark=via-vpn passthrough=no

Now only the device at 192.168.88.50 goes through the VPN. Reserve a fixed IP for it in DHCP so the rule doesn't break. For several devices, add separate mangle rules or use an address-list.
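For the address-list variant mentioned above, here is an added example (not from the page or from Fiery) that generates the routing table, the route, one address-list entry per device, and a single mark-routing rule keyed on the list; it also refuses an IP that is not inside the LAN subnet, since such a rule would never match and the device would silently stay on the ISP path. The subnet 192.168.88.0/24 and the list name vpn-devices are assumptions.

```python
import ipaddress

def policy_routing_commands(device_ips, lan_subnet="192.168.88.0/24",
                            table="via-vpn", wg="wg-fiery", alist="vpn-devices"):
    """Commands for the 'specific devices only' mode, using one address-list instead of
    a mangle rule per device. Raises ValueError for an IP outside the LAN subnet."""
    lan = ipaddress.ip_network(lan_subnet)
    cmds = [f"/routing table add name={table} fib",
            f"/ip route add dst-address=0.0.0.0/0 gateway={wg} routing-table={table}"]
    for ip in device_ips:
        addr = ipaddress.ip_address(ip)
        if addr not in lan:
            raise ValueError(f"{ip} is not inside LAN {lan_subnet}")
        cmds.append(f"/ip firewall address-list add list={alist} address={addr}")
    # one mark-routing rule for the whole list; passthrough=no stops further mangle processing
    cmds.append(f"/ip firewall mangle add chain=prerouting src-address-list={alist} "
                f"action=mark-routing new-routing-mark={table} passthrough=no")
    return cmds
```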

Routing modes compared

Mode                       | What goes through the VPN    | Difficulty | When to choose
Whole home (default route) | All traffic from all devices | Low        | You want VPN by default for the entire network
Specific devices (mangle)  | Selected IPs only            | Medium     | TV, console, or a single PC on VPN
Specific sites/subnets     | Listed destination addresses | Medium     | Access to particular services

Important: the 2026 blocking context

In May 2026 Roskomnadzor moved to ASN- and subnet-level blocking and in places disrupted plain WireGuard and VLESS. A MikroTik router runs exactly that "plain" WireGuard: if your ISP throttles the protocol, the tunnel simply won't come up (no handshake), and this setup won't help. In that case the most reliable option is the obfuscated AmneziaWG (AWG 2.0), which disguises traffic. MikroTik has no native support for it, so AmneziaWG is usually run on a separate mini-PC, on a router with Keenetic/OpenWRT firmware that supports obfuscation, or on a device behind the router. More on this below.

Worth reading: VPN protocols compared and why VPN is blocked in Russia, plus the general Fiery setup.

FAQ

Does MikroTik support WireGuard?

Yes, starting with RouterOS 7. WireGuard is absent in 6.x. If you have older firmware, first upgrade RouterOS to the 7.x branch under System → Packages.

Why is there no internet after setup even though there's a handshake?

Most often the NAT masquerade rule on the WireGuard interface (Step 5) is missing, or the default route (Step 4) wasn't created. Also confirm the firewall allows forward from LAN into the tunnel.

Why do I need a separate route to the server IP?

If all traffic enters the tunnel, packets to the VPN server itself will also try to go through the tunnel: a loop, and the connection never establishes. A route to the server address via the WAN gateway fixes this.

Can I connect several Fiery locations?

Yes: create a separate WireGuard interface and peer for each location, then use mangle/routing-table to send specific devices into the right tunnel. Only one default route can carry the "whole home" at a time.

What if my ISP blocks WireGuard?

MikroTik has no obfuscation, so if the protocol is blocked, use AmneziaWG on a separate device behind the router, or connect the VPN on the devices themselves via the AmneziaVPN app. That's the most resilient option in 2026.

You can get a ready-made WireGuard config for MikroTik in a couple of clicks: subscribe in the mini-app at vpn.fiery.host or message the bot @fiery_VPN_bot; it issues a file with keys and suggests the nearest location. Fiery is no-logs and accepts MIR cards, SBP, and crypto.