Connecting Offices: A Step-by-Step Guide to MikroTik Site-to-Site WireGuard


WireGuard has revolutionized the way we think about VPNs. It’s faster than OpenVPN, leaner than IPsec, and significantly easier to configure. If you are running MikroTik hardware (RouterOS v7+), setting up a secure tunnel between two locations is now a 10-minute task.

In this guide, we’ll walk through connecting Site A (Headquarters) to Site B (Branch Office).


The Network Map

To keep things clear, let’s define our environment:

Detail          Site A (HQ)         Site B (Branch)
Public IP       1.1.1.1             2.2.2.2
Local LAN       192.168.10.0/24     192.168.20.0/24
WireGuard IP    10.0.0.1/30         10.0.0.2/30
Listen Port     13231               13231

Step 1: Create the WireGuard Interface

First, we need to create the “virtual” interface on both routers.

On Site A:

  1. Navigate to WireGuard in the main menu.
  2. Click + to add a new interface.
  3. Name it wireguard-site-b and set the port to 13231.
  4. Click OK. The router will automatically generate your Private and Public keys.

On Site B:

  1. Repeat the process. Name it wireguard-site-a and use the same port 13231.
  2. Crucial: Copy the Public Key from Site B; you will need to paste it into Site A’s configuration (and vice versa).

Step 2: Assign IP Addresses to the Tunnel

The tunnel itself needs its own tiny network to “talk” across.

  • Site A: Go to IP > Addresses. Add 10.0.0.1/30 to the wireguard-site-b interface.
  • Site B: Go to IP > Addresses. Add 10.0.0.2/30 to the wireguard-site-a interface.

Step 3: Link the Peers

This is where we tell Site A how to find Site B.

On Site A:

  1. In the WireGuard menu, go to the Peers tab.
  2. Interface: wireguard-site-b
  3. Public Key: (Paste Site B’s Public Key here)
  4. Endpoint: 2.2.2.2 (Site B’s Public IP)
  5. Endpoint Port: 13231
  6. Allowed Address: 10.0.0.2/32, 192.168.20.0/24 (This allows the tunnel IP and the remote LAN).

On Site B:

  1. In the Peers tab, add a new peer.
  2. Interface: wireguard-site-a
  3. Public Key: (Paste Site A’s Public Key here)
  4. Endpoint: 1.1.1.1 (Site A’s Public IP)
  5. Endpoint Port: 13231
  6. Allowed Address: 10.0.0.1/32, 192.168.10.0/24

Step 4: Routing and Firewall

Even if the tunnel is “Up,” your computers won’t know how to reach the other side without a map.

1. Static Routes:

  • Site A: Go to IP > Routes. Add a route for 192.168.20.0/24 with the gateway wireguard-site-b.
  • Site B: Go to IP > Routes. Add a route for 192.168.10.0/24 with the gateway wireguard-site-a.

2. Firewall (The Handshake):

You must allow the WireGuard port through your input filter so the routers can talk.

In IP > Firewall > Filter Rules, add a rule with Chain: input, Protocol: udp, Dst. Port: 13231, Action: accept. Move this to the top of your list.
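
The same four steps as RouterOS v7 terminal commands, as an added example that is not part of the original guide. It uses the addresses from the network map; the key placeholders and the src-address restriction on the firewall rule (a tighter form of the accept-from-anywhere rule above) are assumptions added here.

```routeros
# Added example: terminal equivalent of Steps 1-4 (not from the original guide).
# <SITE_A_PUBLIC_KEY> / <SITE_B_PUBLIC_KEY> are placeholders. Only public keys
# are exchanged; each router's private key stays on that router.

# ---------- Site A (HQ) ----------
/interface wireguard add name=wireguard-site-b listen-port=13231
# Print this router's public key so it can be pasted into Site B's peer entry
:put [/interface wireguard get wireguard-site-b public-key]
/ip address add address=10.0.0.1/30 interface=wireguard-site-b
/interface wireguard peers add interface=wireguard-site-b \
    public-key="<SITE_B_PUBLIC_KEY>" \
    endpoint-address=2.2.2.2 endpoint-port=13231 \
    allowed-address=10.0.0.2/32,192.168.20.0/24
/ip route add dst-address=192.168.20.0/24 gateway=wireguard-site-b
# Accept WireGuard only from Site B's public IP rather than from any source.
# Drop src-address if the remote site has a dynamic IP.
# place-before=0 puts the rule first; omit it if the filter list is empty.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    src-address=2.2.2.2 comment="WireGuard from Site B" place-before=0

# ---------- Site B (Branch) ----------
/interface wireguard add name=wireguard-site-a listen-port=13231
:put [/interface wireguard get wireguard-site-a public-key]
/ip address add address=10.0.0.2/30 interface=wireguard-site-a
/interface wireguard peers add interface=wireguard-site-a \
    public-key="<SITE_A_PUBLIC_KEY>" \
    endpoint-address=1.1.1.1 endpoint-port=13231 \
    allowed-address=10.0.0.1/32,192.168.10.0/24
/ip route add dst-address=192.168.10.0/24 gateway=wireguard-site-a
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    src-address=1.1.1.1 comment="WireGuard from Site A" place-before=0
```

Allowed Address acts as both an outbound routing table and an inbound source filter, so keep each list limited to the peer's tunnel IP and its LAN as shown.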


Final Check

Go to the WireGuard > Peers tab. You should see “Last Handshake” updating every few minutes and “Tx/Rx” traffic increasing. If you can ping 192.168.20.1 from Site A, your site-to-site bridge is officially live!


Pro-Tip: If one of your sites has a dynamic IP, set the Endpoint only on the dynamic site's router, pointing at the router with the static IP, and leave the Endpoint empty on the static side. The dynamic site will initiate the connection, and WireGuard will “learn” its address automatically.
