Tools for managing WireGuard VPN interfaces and peers on MikroTik devices (RouterOS v7+).

mikrotik_create_wireguard_interface
Creates a WireGuard interface on a MikroTik device.
name (required): Interface name (e.g. "wg0")
listen_port (optional): UDP port to listen on (default: 13231)
private_key (optional): Base64-encoded private key. RouterOS auto-generates one if omitted.
mtu (optional): MTU size (default: 1420)
comment (optional): Description
disabled (optional): Disable after creation (default: false)

mikrotik_create_wireguard_interface(name="wg0", listen_port=13231)

mikrotik_list_wireguard_interfaces
Lists WireGuard interfaces on a MikroTik device.
name_filter (optional): Filter by interface name (partial match)
disabled_only (optional): Show only disabled interfaces
running_only (optional): Show only running interfaces

mikrotik_list_wireguard_interfaces()

mikrotik_get_wireguard_interface
Gets detailed information about a specific WireGuard interface, including the public key.
name (required): Interface name

mikrotik_get_wireguard_interface(name="wg0")

mikrotik_update_wireguard_interface
Updates an existing WireGuard interface on a MikroTik device.
name (required): Current interface name
new_name (optional): New name for the interface
listen_port (optional): New UDP listen port
private_key (optional): New Base64-encoded private key
mtu (optional): New MTU size
comment (optional): New description
disabled (optional): Enable (false) or disable (true) the interface

mikrotik_update_wireguard_interface(name="wg0", listen_port=51820, mtu=1280)

mikrotik_remove_wireguard_interface
Removes a WireGuard interface from a MikroTik device. All peers belonging to the interface are removed as well.
name (required): Interface name to remove

mikrotik_remove_wireguard_interface(name="wg0")

mikrotik_enable_wireguard_interface
Enables a disabled WireGuard interface.
name (required): Interface name

mikrotik_enable_wireguard_interface(name="wg0")

mikrotik_disable_wireguard_interface
Disables a WireGuard interface without removing it.
name (required): Interface name

mikrotik_disable_wireguard_interface(name="wg0")

mikrotik_add_wireguard_peer
Adds a WireGuard peer to an interface on a MikroTik device.
interface (required): WireGuard interface the peer belongs to
public_key (required): Base64-encoded public key of the remote peer
allowed_address (required): Comma-separated allowed IP addresses/subnets (e.g. "10.0.0.2/32")
endpoint_address (optional): Remote peer IP address or hostname
endpoint_port (optional): Remote peer UDP port
preshared_key (optional): Base64-encoded preshared key for extra security
persistent_keepalive (optional): Keepalive interval (e.g. "25s")
comment (optional): Description
disabled (optional): Disable after creation (default: false)

mikrotik_add_wireguard_peer(
    interface="wg0",
    public_key="base64pubkey==",
    allowed_address="10.0.0.2/32",
    endpoint_address="203.0.113.10",
    endpoint_port=13231,
    persistent_keepalive="25s"
)

mikrotik_list_wireguard_peers
Lists WireGuard peers on a MikroTik device.
interface_filter (optional): Filter by WireGuard interface name
disabled_only (optional): Show only disabled peers

mikrotik_list_wireguard_peers(interface_filter="wg0")

mikrotik_get_wireguard_peer
Gets detailed information about a specific WireGuard peer.
peer_id (required): Peer ID (e.g. "*1" from list output)

mikrotik_get_wireguard_peer(peer_id="*1")

mikrotik_update_wireguard_peer
Updates an existing WireGuard peer on a MikroTik device.
peer_id (required): Peer ID (e.g. "*1")
allowed_address (optional): New comma-separated allowed IP addresses/subnets
endpoint_address (optional): New remote peer address (pass "" to remove)
endpoint_port (optional): New remote peer UDP port
preshared_key (optional): New preshared key (pass "" to remove)
persistent_keepalive (optional): New keepalive interval ("0s" to disable)
comment (optional): New description
disabled (optional): Enable (false) or disable (true) the peer

mikrotik_update_wireguard_peer(peer_id="*1", persistent_keepalive="25s", comment="laptop")

mikrotik_remove_wireguard_peer
Removes a WireGuard peer from a MikroTik device.
peer_id (required): Peer ID (e.g. "*1")

mikrotik_remove_wireguard_peer(peer_id="*1")

mikrotik_enable_wireguard_peer
Enables a disabled WireGuard peer.
peer_id (required): Peer ID (e.g. "*1")

mikrotik_enable_wireguard_peer(peer_id="*1")

mikrotik_disable_wireguard_peer
Disables a WireGuard peer without removing it.
peer_id (required): Peer ID (e.g. "*1")

mikrotik_disable_wireguard_peer(peer_id="*1")

mikrotik_generate_wireguard_client_config
Generates a WireGuard client configuration file (wg0.conf format). This tool only formats configuration text; it does not communicate with the router. Use mikrotik_get_wireguard_interface to obtain the server public key, and mikrotik_add_wireguard_peer to register the client's public key on the server side.
client_private_key (required): Client's Base64-encoded WireGuard private key
client_address (required): IP address with prefix assigned to the client inside the VPN tunnel (e.g. "10.0.0.2/24")
server_public_key (required): Server's Base64-encoded WireGuard public key (visible in get_wireguard_interface output)
server_endpoint (required): Public IP or hostname of the MikroTik router (e.g. "203.0.113.1")
server_port (optional): UDP port the server listens on (default: 51820). This differs from the listen_port default of mikrotik_create_wireguard_interface (13231), so pass the port the interface actually listens on.
allowed_ips (optional): Comma-separated destination CIDRs routed through the tunnel. Use "0.0.0.0/0, ::/0" for full-tunnel or a specific subnet like "10.0.0.0/24" for split-tunnel (default: "0.0.0.0/0")
dns (optional): DNS server address(es) for the client while connected (e.g. "1.1.1.1")
persistent_keepalive (optional): Seconds between keepalive packets. Recommended when the client is behind NAT (default: 25, use 0 to disable)

mikrotik_generate_wireguard_client_config(
    client_private_key="base64privatekey==",
    client_address="10.0.0.2/24",
    server_public_key="base64pubkey==",
    server_endpoint="203.0.113.1",
    server_port=51820,
    allowed_ips="10.0.0.0/24",
    dns="10.0.0.1"
)
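
The kind of text this tool produces can be sketched as follows. This is an added example, not the project's own implementation: render_client_config and _check_key are hypothetical names, the parameters and defaults mirror the list above, and the key and address validation is an assumption about what a careful formatter would check.

```python
import base64
import ipaddress


def _check_key(label, value):
    """WireGuard keys are 32 raw bytes, Base64-encoded (44 characters)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"{label}: not valid Base64") from exc
    if len(raw) != 32:
        raise ValueError(f"{label}: decodes to {len(raw)} bytes, expected 32")


def render_client_config(client_private_key, client_address, server_public_key,
                         server_endpoint, server_port=51820,
                         allowed_ips="0.0.0.0/0", dns=None,
                         persistent_keepalive=25):
    """Hypothetical formatter using the parameter names listed on this page."""
    _check_key("client_private_key", client_private_key)
    _check_key("server_public_key", server_public_key)
    ipaddress.ip_interface(client_address)  # raises ValueError if malformed
    routes = [str(ipaddress.ip_network(cidr.strip(), strict=False))
              for cidr in allowed_ips.split(",")]
    if not 1 <= int(server_port) <= 65535:
        raise ValueError("server_port out of range")
    # A literal IPv6 endpoint must be bracketed in the Endpoint line.
    host = f"[{server_endpoint}]" if ":" in server_endpoint else server_endpoint
    lines = ["[Interface]",
             f"PrivateKey = {client_private_key}",
             f"Address = {client_address}"]
    if dns:
        lines.append(f"DNS = {dns}")
    lines += ["", "[Peer]",
              f"PublicKey = {server_public_key}",
              f"Endpoint = {host}:{server_port}",
              f"AllowedIPs = {', '.join(routes)}"]
    if persistent_keepalive:  # 0 disables keepalive, so the line is omitted
        lines.append(f"PersistentKeepalive = {persistent_keepalive}")
    return "\n".join(lines) + "\n"


# Constructed sample keys: 32 fixed bytes each, not real key material.
SAMPLE_PRIV = base64.b64encode(bytes(range(32))).decode()
SAMPLE_PUB = base64.b64encode(bytes(range(32, 64))).decode()
```

The returned text contains the client's private key, so it belongs in a file readable only by its owner rather than in logs or chat history.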
To configure a complete WireGuard VPN server, use the individual single-responsibility tools in sequence:

mikrotik_create_wireguard_interface
mikrotik_create_wireguard_interface(name="wg0", listen_port=51820)

mikrotik_add_ip_address
mikrotik_add_ip_address(address="10.0.0.1/24", interface="wg0")

mikrotik_create_filter_rule
mikrotik_create_filter_rule(
    chain="input",
    action="accept",
    protocol="udp",
    dst_port="51820",
    comment="WireGuard wg0 input"
)

mikrotik_create_nat_rule
mikrotik_create_nat_rule(
    chain="srcnat",
    action="masquerade",
    out_interface="ether1",
    comment="WireGuard wg0 masquerade"
)

mikrotik_get_wireguard_interface
mikrotik_get_wireguard_interface(name="wg0")

mikrotik_add_wireguard_peer
mikrotik_add_wireguard_peer(
    interface="wg0",
    public_key="client-base64pubkey==",
    allowed_address="10.0.0.2/32"
)

mikrotik_generate_wireguard_client_config
mikrotik_generate_wireguard_client_config(
    client_private_key="client-base64privkey==",
    client_address="10.0.0.2/24",
    server_public_key="server-base64pubkey==",
    server_endpoint="203.0.113.1"
)
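
Because the steps above are separate calls, their arguments can drift apart. The following added example (not part of the project; check_plan is a hypothetical helper, and it assumes dst_port is a single port rather than a range) cross-checks the arguments of a planned sequence before anything is sent to the router, using the two default ports documented on this page.

```python
import ipaddress

CREATE_DEFAULT_PORT = 13231  # listen_port default stated on this page
CLIENT_DEFAULT_PORT = 51820  # server_port default stated on this page


def check_plan(interface, filter_rule, peer, client):
    """Return a list of mismatches between the planned tool-call arguments."""
    findings = []
    listen = int(interface.get("listen_port", CREATE_DEFAULT_PORT))

    if int(filter_rule["dst_port"]) != listen:
        findings.append(f"filter rule opens udp/{filter_rule['dst_port']}, "
                        f"interface listens on {listen}")
    client_port = int(client.get("server_port", CLIENT_DEFAULT_PORT))
    if client_port != listen:
        findings.append(f"client dials port {client_port}, "
                        f"interface listens on {listen}")
    if peer["interface"] != interface["name"]:
        findings.append("peer is attached to a different interface")

    # WireGuard drops tunnel packets whose source is outside allowed_address.
    client_ip = ipaddress.ip_interface(client["client_address"]).ip
    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer["allowed_address"].split(",")]
    if not any(client_ip in net for net in allowed):
        findings.append(f"client address {client_ip} is not covered by "
                        f"peer allowed_address {peer['allowed_address']}")
    return findings


# Constructed plans: the page's own sequence, and one relying on both defaults.
PAGE_PLAN = dict(
    interface={"name": "wg0", "listen_port": 51820},
    filter_rule={"dst_port": "51820"},
    peer={"interface": "wg0", "allowed_address": "10.0.0.2/32"},
    client={"client_address": "10.0.0.2/24"},
)
DEFAULTS_PLAN = dict(
    interface={"name": "wg0"},
    filter_rule={"dst_port": "13231"},
    peer={"interface": "wg0", "allowed_address": "10.0.0.3/32"},
    client={"client_address": "10.0.0.2/24"},
)
```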