VPN Tunnels Guide
IPsec and WireGuard tunnel setup on RouterOS v7+.
Prerequisite: Ensure you have completed IP Addressing & Subnets before proceeding.
Prerequisites
- RouterOS: v7 or later (WireGuard requires v7+).
- Hardware: Supported RouterOS-based device with sufficient CPU for crypto (RB, CCR, CHR).
- Access: WinBox, SSH, or serial console.
- Knowledge: IP Addressing & Subnets — required for peer endpoints and tunnel subnets.
Tunnel Setup Flow
WireGuard: Interface and Peer
Create the interface (if private-key is omitted, RouterOS generates one; read the derived public key back with /interface wireguard print and hand it to the peer), give the interface an address in the tunnel subnet, add the remote peer, and accept the listen port on the input chain. In this example 10.0.0.0/24 is the tunnel subnet, 10.0.0.1 this router's tunnel address and 1.2.3.4 the remote endpoint.
/interface wireguard add name=wg1 listen-port=13231 private-key="<key>"
/ip address add address=10.0.0.1/24 interface=wg1
/interface wireguard peers add interface=wg1 public-key="<peer-pubkey>" \
    endpoint-address=1.2.3.4 endpoint-port=13231 allowed-address=10.0.0.0/24 persistent-keepalive=25s
/ip firewall filter add chain=input protocol=udp dst-port=13231 action=accept
allowed-address does double duty: packets from this peer are accepted only if their source lies inside it, and packets are sent to this peer only if their destination lies inside it. To carry LAN-to-LAN traffic, add the remote LAN prefix to allowed-address and a static route for it via wg1. persistent-keepalive is only needed when this side sits behind NAT. A completed handshake shows as last-handshake in /interface wireguard peers print.
IPsec: Phase 1 and 2
RouterOS v7 (and v6.43+) splits the old peer object into a profile (Phase 1 parameters, including NAT-T), a peer (the remote endpoint) and an identity (authentication); the proposal holds the Phase 2 parameters and the policy references the peer, which supplies the SA endpoints that older releases set with sa-src-address/sa-dst-address. Here 192.168.88.0/24 is the local LAN and 10.0.0.0/24 the remote LAN; the other router needs the same profile and proposal and a policy with src-address and dst-address swapped.
/ip ipsec profile add name=site-b enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=ecp256 nat-traversal=yes
/ip ipsec peer add name=site-b address=1.2.3.4 exchange-mode=ike2 profile=site-b
/ip ipsec identity add peer=site-b auth-method=pre-shared-key secret="<psk>"
/ip ipsec proposal add name=site-b auth-algorithms=sha256 enc-algorithms=aes-256-gcm pfs-group=ecp256
/ip ipsec policy add peer=site-b tunnel=yes src-address=192.168.88.0/24 dst-address=10.0.0.0/24 \
    proposal=site-b
tunnel=yes selects tunnel mode (the default is transport mode, which cannot join two LANs). template=yes would create a policy template for dynamically negotiated peers rather than an active policy, so it is not used for a static site-to-site tunnel. Verify with /ip ipsec active-peers print (Phase 1) and /ip ipsec installed-sa print (Phase 2).
Related
- VLAN Configuration — for interface assignment.
- Firewall Best Practices — apply after tunnel establishment.
Common Pitfalls
- NAT traversal: IPsec behind NAT requires NAT-T, which encapsulates IKE and ESP in UDP/4500. In RouterOS v7 nat-traversal=yes is a setting of the IPsec profile, not of the peer, and the input chain must accept UDP 500, UDP 4500 and, where no NAT is in the path, protocol ipsec-esp.
- Phase 2 mismatch: the proposal (auth-algorithms, enc-algorithms, pfs-group) must be identical on both ends, and so must the Phase 1 profile (enc-algorithm, hash-algorithm, dh-group). A mismatch leaves the tunnel down with nothing in /ip ipsec installed-sa; enable the ipsec logging topic (/system logging add topics=ipsec) to see which negotiation step fails.
- Subnet overlap: the tunnel subnet, and for site-to-site tunnels each remote LAN, must not overlap the local LAN, otherwise replies are delivered locally instead of into the tunnel. See IP Addressing.
- WireGuard key: the private key belongs to the interface, and every peer pins the public key derived from it. Regenerating it changes the public key, so every peer's public-key entry must be updated before any handshake completes again.
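The two procedures above, and the checks in Common Pitfalls, are easier to get right when both routers' commands come from one description and are compared before anything is pasted into WinBox. The script below is an added example written for this page, not code from RouterOS or from the original guide. The Site class and the functions wireguard_config, ipsec_config, parse and cross_check are its own; the WAN addresses 198.51.100.1 and 203.0.113.2, the LANs 192.168.88.0/24 and 192.168.89.0/24, the key strings and the PSK are constructed placeholders. The emitted syntax follows the RouterOS v7 object model (profile, peer, identity, proposal, policy; WireGuard interface and peers).

```python
"""Plan both ends of a RouterOS v7 site-to-site tunnel (WireGuard and IPsec)
from one description and cross-check the two command sets for the mismatches
listed under Common Pitfalls. Added example, not code from the original guide;
site names, addresses, key strings and the PSK are constructed placeholders."""
import ipaddress
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str      # label used in peer names
    wan: str       # public address the other end dials
    lan: str       # LAN prefix behind this router
    wg_addr: str   # this router's address on wg1, e.g. 10.0.0.1/24
    wg_pub: str    # WireGuard public key (handed to the peer)
    wg_priv: str   # WireGuard private key (stays on this router)


def check_no_overlap(*prefixes):
    """Pitfall: the tunnel subnet and both LANs must be pairwise disjoint."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnet overlap: {a} and {b}")
    return True


def wireguard_config(local, remote, port=13231):
    """Commands for `local`; call again with the arguments swapped for the other end."""
    check_no_overlap(local.lan, remote.lan, local.wg_addr)
    remote_ip = ipaddress.ip_interface(remote.wg_addr).ip
    # allowed-address is both the inbound source filter and the cryptokey route:
    # the peer's tunnel address plus its LAN, nothing wider.
    allowed = f"{remote_ip}/32,{remote.lan}"
    return [
        f'/interface wireguard add name=wg1 listen-port={port} private-key="{local.wg_priv}"',
        f"/ip address add address={local.wg_addr} interface=wg1",
        f'/interface wireguard peers add interface=wg1 public-key="{remote.wg_pub}" '
        f"endpoint-address={remote.wan} endpoint-port={port} allowed-address={allowed} "
        "persistent-keepalive=25s",  # keeps a NAT mapping open when one end sits behind NAT
        f"/ip route add dst-address={remote.lan} gateway=wg1",  # RouterOS derives no route from allowed-address
        f"/ip firewall filter add chain=input protocol=udp dst-port={port} action=accept",  # place above the input drop rule
    ]


def ipsec_config(local, remote, psk, enc="aes-256-gcm", auth="sha256", pfs="ecp256"):
    """v7 object model: profile (Phase 1), peer, identity, proposal (Phase 2), policy."""
    check_no_overlap(local.lan, remote.lan)
    peer = f"site-{remote.name}"
    return [
        "/ip ipsec profile add name=p1 enc-algorithm=aes-256 hash-algorithm=sha256 "
        "dh-group=ecp256 nat-traversal=yes",  # NAT-T is a profile setting in v7, not a peer setting
        f"/ip ipsec peer add name={peer} address={remote.wan} exchange-mode=ike2 profile=p1",
        f'/ip ipsec identity add peer={peer} auth-method=pre-shared-key secret="{psk}"',
        f"/ip ipsec proposal add name=p2 auth-algorithms={auth} enc-algorithms={enc} pfs-group={pfs}",
        f"/ip ipsec policy add peer={peer} tunnel=yes src-address={local.lan} "
        f"dst-address={remote.lan} proposal=p2",
    ]


def parse(lines):
    """Map each command's menu path to its key=value arguments (quotes removed)."""
    out = {}
    for line in lines:
        words = shlex.split(line)
        cut = words.index("add")
        out[" ".join(words[:cut])] = dict(w.split("=", 1) for w in words[cut + 1:])
    return out


def cross_check(a_lines, b_lines):
    """Return the mismatches between the two ends; an empty list means they agree."""
    a, b = parse(a_lines), parse(b_lines)
    problems = []
    wg, wgp = "/interface wireguard", "/interface wireguard peers"
    if wgp in a:
        if a[wgp]["public-key"] == b[wgp]["public-key"]:
            problems.append("both ends carry the same peer public-key")
        if a[wgp]["endpoint-port"] != b[wg]["listen-port"]:
            problems.append("endpoint-port differs from the peer's listen-port")
    if "/ip ipsec proposal" in a:
        must_match = (("/ip ipsec profile", ("enc-algorithm", "hash-algorithm", "dh-group")),
                      ("/ip ipsec proposal", ("enc-algorithms", "auth-algorithms", "pfs-group")),
                      ("/ip ipsec identity", ("secret",)),
                      ("/ip ipsec peer", ("exchange-mode",)))
        for path, keys in must_match:
            for k in keys:
                if a[path][k] != b[path][k]:
                    problems.append(f"{path} {k}: {a[path][k]} vs {b[path][k]}")
        pa, pb = a["/ip ipsec policy"], b["/ip ipsec policy"]
        if (pa["src-address"], pa["dst-address"]) != (pb["dst-address"], pb["src-address"]):
            problems.append("policy src/dst are not mirrored")
    return problems


if __name__ == "__main__":
    a = Site("a", "198.51.100.1", "192.168.88.0/24", "10.0.0.1/24", "A_PUB_PLACEHOLDER=", "A_PRIV_PLACEHOLDER=")
    b = Site("b", "203.0.113.2", "192.168.89.0/24", "10.0.0.2/24", "B_PUB_PLACEHOLDER=", "B_PRIV_PLACEHOLDER=")
    for end, other in ((a, b), (b, a)):
        print(f"# ---- site {end.name} ----")
        print("\n".join(wireguard_config(end, other) + ipsec_config(end, other, psk="CONSTRUCTED-PSK")))
```

Running the script prints a paste-ready block for each router. cross_check returns an empty list when the two ends agree; feeding it a second side generated with a different auth-algorithms value or listen port reproduces the Phase 2 and endpoint mismatches from the pitfalls list, and any LAN that overlaps the tunnel subnet is rejected before a single command is emitted.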