1. **Create the WireGuard interface:**

   ```
   /interface wireguard add name=wg1 private-key="6JZgG9OmOZJ/8KU2CnmTOUYMy05IcmEusoFjuQv6eG4=" listen-port=51820
   ```

2. **Assign an IP address to the WireGuard interface:**

   ```
   /ip address add address=10.8.0.4/24 interface=wg1
   ```

3. **Set the DNS server:**

   ```
   /ip dns set servers=1.1.1.1
   ```

### Step 2: Add the Peer Configuration

1. **Add the peer configuration:**

   ```
   /interface wireguard peers add interface=wg1 public-key="P2MPrD7vvp+YsyoDvLmTNz6BukiAMs1lWnnyUq3aXUE=" preshared-key="FUZoZx+xD1uhwGQhDBOYpPHUtETDSmAwltHgQN/+2J4=" allowed-address=0.0.0.0/0 endpoint-address=202.61.253.193 endpoint-port=51820 persistent-keepalive=1s
   ```

### Step 3: Configure Firewall Rules

1. **Allow WireGuard traffic (UDP 51820):**

   ```
   /ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"
   ```

2. **Allow traffic from the WireGuard interface to the LAN:**

   ```
   /ip firewall filter add chain=forward in-interface=wg1 out-interface=bridge action=accept comment="Allow WireGuard to LAN"
   ```

3. **Masquerade traffic from the WireGuard interface:**

   ```
   /ip firewall nat add chain=srcnat src-address=10.8.0.0/24 out-interface=ether1 action=masquerade comment="Masquerade WireGuard traffic"
   ```

### Step 4: Enable the WireGuard Interface

1. **Enable the WireGuard interface:**

   ```
   /interface wireguard set wg1 disabled=no
   ```

### Step 5: Verify the Configuration

1. **Check the WireGuard interface status:**

   ```
   /interface wireguard print
   ```

2. **Check the peer status:**

   ```
   /interface wireguard peers print
   ```

3. **Check the firewall rules:**

   ```
   /ip firewall filter print
   /ip firewall nat print
   ```

### Summary of Commands:

```
/interface wireguard add name=wg1 private-key="6JZgG9OmOZJ/8KU2CnmTOUYMy05IcmEusoFjuQv6eG4=" listen-port=51820
/ip address add address=10.8.0.4/24 interface=wg1
/ip dns set servers=1.1.1.1
/interface wireguard peers add interface=wg1 public-key="P2MPrD7vvp+YsyoDvLmTNz6BukiAMs1lWnnyUq3aXUE=" preshared-key="FUZoZx+xD1uhwGQhDBOYpPHUtETDSmAwltHgQN/+2J4=" allowed-address=0.0.0.0/0 endpoint-address=202.61.253.193 endpoint-port=51820 persistent-keepalive=1s
/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard"
/ip firewall filter add chain=forward in-interface=wg1 out-interface=bridge action=accept comment="Allow WireGuard to LAN"
/ip firewall nat add chain=srcnat src-address=10.8.0.0/24 out-interface=ether1 action=masquerade comment="Masquerade WireGuard traffic"
/interface wireguard set wg1 disabled=no
/interface wireguard print
/interface wireguard peers print
/ip firewall filter print
/ip firewall nat print
```

This configuration sets up a WireGuard VPN on MikroTik RouterOS v7, including the firewall rules needed to allow traffic through the VPN. Replace `ether1` with the interface that connects to your WAN, and substitute your own keys, addresses and endpoint for the values shown.

6. Enable masquerade for that interface

Note: This setup assumes that you are using the default local network address used by MikroTik. If you have changed this, use that address for `src-address=` instead.

```
/ip firewall nat add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=192.168.88.0/24
```

7. Redirect all internet traffic through WireGuard

```
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
```

8. Configure DNS settings

```
/ip dns set servers=10.2.0.1
/ip dhcp-client set 0 use-peer-dns=no
```

You also need to create a routing table under Routing > Tables:

```
/routing table add comment=percka disabled=no fib name=emri
```

Mangle:

```
/ip firewall mangle add chain=prerouting src-address=192.168.88.0/24 action=mark-routing new-routing-mark=emri passthrough=no
```

After that, add the default route in the new table:

```
# RouterOS v7 selects the table for a route with routing-table=
/ip route add dst-address=0.0.0.0/0 gateway=40.44.44.1 routing-table=emri
```
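
Why the two /1 routes in step 7 capture all traffic without replacing the existing default route, shown as an added Python example (not part of the original guide). It models longest-prefix matching and checks that the VPN endpoint itself still leaves through the WAN; the WAN gateway `192.0.2.1`, the endpoint `203.0.113.10` and the `bridge` entry are constructed sample values.

```python
import ipaddress

TUNNEL_GW = "10.2.0.1"        # tunnel gateway from step 7
ENDPOINT = "203.0.113.10"     # constructed sample VPN endpoint address

# Simplified main routing table as (prefix, gateway) pairs.
MAIN_TABLE = [
    ("0.0.0.0/0", "192.0.2.1"),      # constructed ISP default route
    ("192.168.88.0/24", "bridge"),   # connected LAN (MikroTik default subnet)
    ("0.0.0.0/1", TUNNEL_GW),        # step 7
    ("128.0.0.0/1", TUNNEL_GW),      # step 7
]

def lookup(table, dst):
    """Return (prefix, gateway) of the longest prefix matching dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return (str(best[0]), best[1]) if best else None

def tunnel_covers_everything(table, tunnel_gw):
    """True if the routes via tunnel_gw together span the whole IPv4 space."""
    nets = [ipaddress.ip_network(p) for p, gw in table if gw == tunnel_gw]
    return list(ipaddress.collapse_addresses(nets)) == [
        ipaddress.ip_network("0.0.0.0/0")
    ]

def endpoint_bypasses_tunnel(table, endpoint, tunnel_gw):
    """The encrypted UDP packets to the endpoint must not be routed back
    into the tunnel, otherwise the tunnel is routed through itself."""
    hit = lookup(table, endpoint)
    return hit is not None and hit[1] != tunnel_gw

def with_endpoint_route(table, endpoint, wan_gw):
    """Return a copy of the table with a /32 route to the endpoint via WAN."""
    return table + [(f"{endpoint}/32", wan_gw)]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.88.10", ENDPOINT):
        print(dst, "->", lookup(MAIN_TABLE, dst))
    print("all IPv4 via tunnel:", tunnel_covers_everything(MAIN_TABLE, TUNNEL_GW))
    print("endpoint via WAN:", endpoint_bypasses_tunnel(MAIN_TABLE, ENDPOINT, TUNNEL_GW))
    fixed = with_endpoint_route(MAIN_TABLE, ENDPOINT, "192.0.2.1")
    print("after /32 route:", endpoint_bypasses_tunnel(fixed, ENDPOINT, TUNNEL_GW))
```

Because a /1 is more specific than the /0 default route, the default route stays in place and takes over again if the two /1 routes are disabled.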