WireGuard VPN MikroTik Hotspot Setup Tutorial [2025] YesSpot

YesSpot Team
December 21, 2025

WireGuard has revolutionized VPNs with its speed and simplicity. In this technical tutorial, we will show you how to configure a MikroTik router to tunnel hotspot traffic through WireGuard, enabling remote management and cloud RADIUS authentication without a public IP.

Prerequisites

  • A MikroTik router running RouterOS v7.1 or higher (WireGuard was introduced in v7).
  • A cloud VPS (Ubuntu 20.04/22.04) running WireGuard (Server side).
  • Or, simply use YesSpot Cloud Controller which handles the server side automatically.

The Topology

We will create a Layer 3 tunnel. The MikroTik router (Client) will connect to the Cloud Server (Peer).

  • Cloud Server IP: 10.10.10.1/24 (VPN Internal IP)
  • MikroTik Client IP: 10.10.10.2/24 (VPN Internal IP)
  • WireGuard Port: 13231 (UDP)

Step 1: Configure MikroTik WireGuard Interface

Open your MikroTik terminal and run the following commands to create the interface:

/interface/wireguard/add name="wireguard-tunnel" listen-port=13231 mtu=1420

# Get the public key to add to your server
/interface/wireguard/print
# Copy the 'public-key' shown

Step 2: Add the Cloud Peer

Now tell the MikroTik router where to connect. You will need the Server's Public Key.

/interface/wireguard/peers/add \
  interface=wireguard-tunnel \
  public-key="<SERVER_PUBLIC_KEY>" \
  endpoint-address=vpn.yesspot.in \
  endpoint-port=13231 \
  allowed-address=10.10.10.0/24 \
  persistent-keepalive=25s

Important Tip

The setting persistent-keepalive=25s is CRITICAL for NAT traversal. It sends a keepalive packet every 25 seconds so the NAT mapping on your ISP router stays open. Without this, the connection will drop after a few minutes of inactivity.

Step 3: Assign IP Address

Assign the internal VPN IP address to the WireGuard interface:

/ip/address/add address=10.10.10.2/24 interface=wireguard-tunnel

Step 4: Firewall & NAT

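Ensure traffic can flow through the tunnel. If you are using this tunnel for Hotspot RADIUS traffic, you typically don't need NAT on the VPN interface itself, but you must ensure your firewall accepts input on this interface. RouterOS evaluates filter rules in order and add appends to the end of the chain, so move this rule above any drop rule in the input chain. As written, the rule accepts every router service from the tunnel; adding src-address=10.10.10.1 limits it to the cloud server.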

/ip/firewall/filter/add \
  chain=input \
  action=accept \
  in-interface=wireguard-tunnel \
  comment="Allow access from VPN"

Step 5: Verification

Ping the server to verify connectivity:

/ping 10.10.10.1 count=4
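
The ping only succeeds once the cloud server lists the router's public key from Step 1 as a peer. The following is an added example, not part of the original article or of YesSpot's script: a shell helper for the Ubuntu server that validates the copied key and prints a [Peer] stanza pinned to the router's /32. The function names are hypothetical; the 10.10.10.0/24 subnet and the .1 server address are the ones from the topology.

```shell
#!/bin/sh
# Added example (not YesSpot code): server-side [Peer] stanza for one router.
# Function names are hypothetical; subnet and server address follow the topology.

# valid_wg_key KEY: succeeds only if KEY is base64 for exactly 32 bytes,
# the size of a WireGuard (Curve25519) public key.
valid_wg_key() {
  [ "${#1}" -eq 44 ] || return 1
  case $1 in *[!A-Za-z0-9+/=]*) return 1 ;; esac
  _n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)
  [ "$_n" -eq 32 ]
}

# valid_tunnel_ip IP: succeeds for 10.10.10.2 .. 10.10.10.254 (.1 is the server).
valid_tunnel_ip() {
  case $1 in 10.10.10.*) _host=${1#10.10.10.} ;; *) return 1 ;; esac
  case $_host in ''|*[!0-9]*) return 1 ;; esac
  [ "${#_host}" -le 3 ] && [ "$_host" -ge 2 ] && [ "$_host" -le 254 ]
}

# peer_stanza PUBKEY IP: prints the stanza, or fails with no stanza on bad input.
# AllowedIPs is a /32 so the server accepts only this router's own tunnel
# address from this key, and routes that address only to this key.
peer_stanza() {
  valid_wg_key "$1" || { echo "rejected: not a 32-byte base64 key" >&2; return 1; }
  valid_tunnel_ip "$2" || { echo "rejected: $2 is not a client address" >&2; return 1; }
  printf '[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' "$1" "$2"
}
```

Append the output to the server's WireGuard configuration and reload the interface. A /24 in the server's AllowedIPs for a router would let that router source traffic as any other address in the tunnel subnet.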

The Easier Way (Automated)

Configuring WireGuard manually requires managing keys, IPs, and server-side configs yourself.

YesSpot automates this entire process. When you add a router in YesSpot:

  • We generate the Server and Client Keys automatically.
  • We assign unique internal IPs automatically.
  • We provide a single Copy/Paste Script that does Steps 1-4 for you in one click.
