Connect iPhone to Home LAN with WireGuard on MikroTik

Oct 1, 2025

Recently I had to configure my iPhone and laptop to connect securely to my home LAN over a WireGuard VPN. I wanted a solution that was:

  • Secure (not just exposing random ports to the internet)
  • Easy to use from my iPhone
  • Lightweight and reliable

If you’re trying to do the same, follow the steps below.

Prerequisites

  • A MikroTik router running RouterOS v7+
  • An iPhone with the WireGuard app installed
  • A public IP (static is easiest; if not, use a DDNS service)

Step 1: Create WireGuard Interface on MikroTik

Log into your MikroTik (Winbox or terminal) and create a WireGuard interface:

/interface wireguard add name=wg0 listen-port=51820
/ip address add address=10.10.10.1/24 interface=wg0

This sets up:

  • Interface wg0 listening on UDP port 51820
  • Router’s VPN IP = 10.10.10.1

Step 2: Generate Keys

When you created the interface, MikroTik auto-generated keys. View them with:

/interface wireguard print

You’ll see the server’s private/public key pair.

  • Save the public key; you’ll use it on the iPhone.
  • Keep the private key safe; it stays on the MikroTik.

Step 3: Add iPhone as a Peer

Later we’ll generate the iPhone’s public key. For now, here’s the peer command you’ll run on MikroTik once you have it:

/interface wireguard peers add interface=wg0 public-key=<IPHONE_PUBLIC_KEY> allowed-address=10.10.10.2/32

This tells MikroTik to trust your iPhone at VPN IP 10.10.10.2.

Step 4: Allow VPN Traffic in Firewall

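On MikroTik, open UDP/51820 and allow VPN clients. RouterOS evaluates filter rules from top to bottom and add appends to the end of the chain, so if your input chain already has a drop rule (the default configuration ends with one), move the WireGuard accept rule above it: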

/ip firewall filter add chain=input action=accept protocol=udp dst-port=51820 comment="Allow WireGuard"
/ip firewall filter add chain=forward in-interface=wg0 action=accept comment="Allow WG clients"
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade comment="NAT for WG clients"

Step 5: Configure WireGuard on iPhone

  1. Open the WireGuard app -> tap Add Tunnel -> Create from Scratch
  2. Fill in the fields:

Interface (your iPhone)

  • Private Key: tap once to auto-generate
  • Public Key: copy this and add it as a peer on MikroTik
  • Address: 10.10.10.2/24
  • DNS Servers: 8.8.8.8 (or your home router)

Peer (your MikroTik)

  • Public Key: MikroTik server’s public key (from /interface wireguard print)
  • Allowed IPs:
    • 0.0.0.0/0 (full tunnel, all traffic)
    • or 192.168.88.0/24 (LAN-only access, adjust for your LAN range)
  • Endpoint: 203.0.113.10:51820
  • Persistent Keepalive: 25

Save the config.

Step 6: Add iPhone Peer on MikroTik

Now paste the iPhone’s public key into MikroTik:

/interface wireguard peers add interface=wg0 public-key=<IPHONE_PUBLIC_KEY> allowed-address=10.10.10.2/32

Copy/Paste MikroTik Command

If you just want the full configuration in one go, here’s a block of commands you can copy and paste into your MikroTik terminal.

Replace <IPHONE_PUBLIC_KEY> with your iPhone’s public key, and adjust 203.0.113.10 to your own public IP if needed.

# Create WireGuard interface
/interface wireguard add name=wg0 listen-port=51820

# Assign an internal VPN IP to the WG interface
/ip address add address=10.10.10.1/24 interface=wg0

# Add iPhone as a peer (replace with your iPhone’s public key)
/interface wireguard peers add interface=wg0 public-key=<IPHONE_PUBLIC_KEY> allowed-address=10.10.10.2/32

# Firewall rules to allow WireGuard traffic
/ip firewall filter add chain=input action=accept protocol=udp dst-port=51820 comment="Allow WireGuard"
/ip firewall filter add chain=forward in-interface=wg0 action=accept comment="Allow WG clients"
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade comment="NAT for WG clients"

Step 7: Test the VPN

  1. Turn on the tunnel in the iPhone WireGuard app
  2. You should see a VPN icon on the iPhone status bar
  3. Try pinging your router’s VPN IP (10.10.10.1) or open a LAN service

Step 8: Use Wake-on-LAN (Optional)

Now that your iPhone is “inside” your home LAN:

  • Open a Wake-on-LAN app
  • Enter your PC’s MAC address and LAN IP
  • Send a magic packet: your PC powers on from anywhere

Additionally, connect from Windows/Linux

Windows

  • Download the WireGuard app
  • Open WireGuard -> “Add Tunnel” -> “Add Empty Tunnel” -> it generates a private key and a public key.
  • Copy WINDOWS_PUBLIC_KEY to MikroTik.

Linux

Create the config file /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = LINUX_PRIVATE_KEY
Address = 10.10.10.3/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
  • Install WireGuard: apt install wireguard
  • Generate keys: wg genkey | tee privatekey | wg pubkey > publickey
  • Start/stop WireGuard: wg-quick up wg0 and wg-quick down wg0

Add the peer to MikroTik:

/interface/wireguard/peers/add interface=wg0 public-key="SZTTf5A4u5OuJj0jhu5GT9DSOAa54JbT66+i50MnRDU=" allowed-address=10.10.10.4/32

Now import this config file into the Windows WireGuard app:

[Interface]
PrivateKey = WINDOWS_PRIVATE_KEY
Address = 10.10.10.4/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR_PUBLIC_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
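
A consistency check for the address plan used in this guide, as an added example that is not part of the original post: the router only passes traffic for a client whose tunnel address falls inside a peer's allowed-address, so the script flags any client Address with no matching peer entry. The sample commands and configs are constructed from the addresses on this page, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample input: peer commands as typed on the router, plus the
# [Interface] part of each client config (addresses taken from this page).
ROUTER_PEERS = """\
/interface wireguard peers add interface=wg0 public-key=<IPHONE_PUBLIC_KEY> allowed-address=10.10.10.2/32
/interface/wireguard/peers/add interface=wg0 public-key="<WINDOWS_PUBLIC_KEY>" allowed-address=10.10.10.4/32
"""
CLIENTS = {
    "iphone": "[Interface]\nAddress = 10.10.10.2/24\n",
    "linux": "[Interface]\nAddress = 10.10.10.3/32\n",
    "windows": "[Interface]\nAddress = 10.10.10.4/32\n",
}

def router_allowed(commands):
    """Return every network listed in allowed-address= across the peer commands."""
    nets = []
    for value in re.findall(r"allowed-address=(\S+)", commands):
        nets += [ipaddress.ip_network(v, strict=False) for v in value.split(",")]
    return nets

def client_address(conf):
    """Return the host address from the first Address entry of a client config."""
    match = re.search(r"^\s*Address\s*=\s*([^\s,]+)", conf, re.M)
    return ipaddress.ip_interface(match.group(1)).ip

def audit(commands, clients):
    """Map each client name to 'ok', 'no-peer' or 'overlap'."""
    nets = router_allowed(commands)
    result = {}
    for name, conf in clients.items():
        hits = [n for n in nets if client_address(conf) in n]
        if len(hits) == 1:
            result[name] = "ok"
        else:
            # no-peer: the router has no entry for this address;
            # overlap: more than one peer claims it, so the plan is ambiguous
            result[name] = "no-peer" if not hits else "overlap"
    return result

if __name__ == "__main__":
    for name, status in audit(ROUTER_PEERS, CLIENTS).items():
        print(f"{name}: {status}")
```

With the constructed input, the Linux client at 10.10.10.3 is reported as no-peer until a matching peers add command is run on the router.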

Security Notes

  • WireGuard only accepts traffic from peers you explicitly configure, so attackers can’t just “guess” their way in
  • The handshake is silent: WireGuard does not reply to packets that fail authentication, so if someone scans your IP, the router won’t reveal that it runs WireGuard
  • Keep your RouterOS firmware updated
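
Why a scan gets no answer, as an added example that is not part of the original post: every WireGuard handshake initiation carries a mac1 field keyed with the responder's public key, and the responder drops any packet whose mac1 does not verify. The sketch models only that first check, following the message layout in the WireGuard protocol specification; the keys and packet bodies are constructed and the function names are illustrative.

```python
import hashlib
import hmac
import os

LABEL_MAC1 = b"mac1----"      # label from the WireGuard protocol specification
INIT_LEN = 148                # size of a handshake initiation message
MAC1_OFFSET = 116             # mac1 occupies bytes 116..131, mac2 bytes 132..147
MSG_TYPE_INIT = b"\x01\x00\x00\x00"   # type 1 followed by three reserved zero bytes

# Constructed 32-byte values standing in for Curve25519 public keys.
SERVER_KEY = bytes(range(32))
WRONG_KEY = bytes(32)

def compute_mac1(responder_public_key, prefix):
    """mac1 = keyed BLAKE2s with a 16-byte tag over all bytes before the mac1 field."""
    key = hashlib.blake2s(LABEL_MAC1 + responder_public_key).digest()
    return hashlib.blake2s(prefix, digest_size=16, key=key).digest()

def build_initiation(assumed_server_key):
    """Constructed initiation: random bytes stand in for the Noise fields."""
    prefix = MSG_TYPE_INIT + os.urandom(MAC1_OFFSET - 4)
    return prefix + compute_mac1(assumed_server_key, prefix) + bytes(16)  # mac2 unused

def passes_mac1_check(server_public_key, packet):
    """Responder's first gate: a packet failing it is dropped with no reply."""
    if len(packet) != INIT_LEN or packet[:4] != MSG_TYPE_INIT:
        return False
    expected = compute_mac1(server_public_key, packet[:MAC1_OFFSET])
    return hmac.compare_digest(expected, packet[MAC1_OFFSET:MAC1_OFFSET + 16])

if __name__ == "__main__":
    print("peer that knows the key:", passes_mac1_check(SERVER_KEY, build_initiation(SERVER_KEY)))
    print("sender with the wrong key:", passes_mac1_check(SERVER_KEY, build_initiation(WRONG_KEY)))
    print("generic UDP probe:", passes_mac1_check(SERVER_KEY, b"\x00" * 64))
```

Passing mac1 only gets a packet as far as the Noise handshake, which still fails unless the sender's key belongs to a configured peer.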

Conclusion

That’s it! With WireGuard, I can now connect my iPhone to my home LAN from anywhere in the world, securely. It also gave me a safe way to use Wake-on-LAN without exposing insecure ports.

If you’re trying to set this up yourself, just follow the steps above — it takes about 10 minutes once you know the commands.

Written by
Jobyer Ahmed
Founder and Cybersecurity Professional
Jobyer Ahmed is the founder and cybersecurity professional at Bytium LLC. He works across offensive and defensive security, including penetration testing, red-team operations, and vulnerability management, with a focus on practical and audit-ready security improvements.