WireGuard VPN between MikroTik RouterOS v7 and FRITZ!Box 7530

MikroTik routers are very flexible but are sometime complex to configure. FRITZ!Box routers take a different approach and have a simpler interface with wizards to setup connections.

FRITZ!Box routers use IKEv1 aggressive mode for IPSEC VPNs which can cause some interoperability challenges when connecting to another vendor's device. WireGuard VPNs are relatively easy to setup if you have different brands of devices or if you to deal with dynamic IP addresses.

Although FRITZ!Box routers use configuration files for WireGuard, it's possible to create a connection to a MikroTik device. You will need RouterOS v7 for this, as WireGuard is not available in v6. For the FRITZ!Box use FRITZ!OS 7.50 or later. Both vendors have their own dynamic DNS services which is useful if you don't have static IPs.

In this example, 192.168.7.0/24 is the FRITZ!Box network and 192.168.4.0/24 is the MiktroTik network.

1. Create a new WireGuard interface on the MikroTik. Set the MTU to 1412 (It appears the FRITZ!Box uses this, 40 byte for WireGuard with IPv6 + 8 byte PPPoE).
2. Don't set any IP address on the new WireGuard interface. Instead, add an IP route to the remote FRITZ!Box subnet and set the WireGuard interface as the gateway.
   
3. Add IPv4/IPv6 firewall rules to allow input UDP traffic on the chosen WireGuard port from the WAN along with any appropriate LAN <->VPN access via the new WireGuard interface.
4. Add a mangle rule to limit the MSS to 1352 on traffic to/from the new WireGuard interface.
   
   

   
5. On the FRITZ!Box, add a new WireGuard connection (Internet -> Permit Access -> WireGuard VPN).
   
   
6. Set as a manual connection
   

   
7. Enter the details from the MikroTik. Don't forget to add the port number to the host name, separated by a colon.

   
8. Download the settings to a safe place as you'll need these for the next step.

   
9. Open the downloaded file in a text editor.

   
10. Add a new WireGuard peer using the information from the configuration file.

    

    
    

    If everything is working you'll see the MikroTik show Rx/Tx bytes and a last handshake value. On the FRITZ!Box you'll see a green indicator against the connection.