Connect iPhone to Home LAN with WireGuard on MikroTik

Oct 1, 2025 4 min read

Recently I had to configure my iPhone to connect securely to my home LAN using WireGuard VPN. I wanted a solution that was:

  • Secure (not just exposing random ports to the internet)
  • Easy to use from my iPhone
  • Lightweight and reliable

If you’re trying to do the same, follow the steps below.

Prerequisites

  • A MikroTik router running RouterOS v7+
  • An iPhone with the WireGuard app installed
  • A public IP (static is easiest; if not, use a DDNS service)

Step 1: Create WireGuard Interface on MikroTik

Log into your MikroTik (Winbox or terminal) and create a WireGuard interface:

/interface wireguard add name=wg0 listen-port=51820
/ip address add address=10.10.10.1/24 interface=wg0

This sets up:

  • Interface wg0 listening on UDP port 51820
  • Router’s VPN IP = 10.10.10.1

Step 2: Generate Keys

When you created the interface, MikroTik auto-generated keys. View them with:

/interface wireguard print

You’ll see the server’s private/public key pair.

  • Save the public key; you’ll use it on the iPhone.
  • Keep the private key safe. It stays on the MikroTik.

Step 3: Add iPhone as a Peer

Later we’ll generate the iPhone’s public key. For now, here’s the peer command you’ll run on MikroTik once you have it:

/interface wireguard peers add interface=wg0 public-key=<IPHONE_PUBLIC_KEY> allowed-address=10.10.10.2/32

This tells MikroTik to trust your iPhone at VPN IP 10.10.10.2.

Step 4: Allow VPN Traffic in Firewall

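On MikroTik, open UDP/51820 and allow VPN clients. RouterOS evaluates filter rules from top to bottom and add appends a rule to the end of its chain, so if the chain already ends in a drop rule (as the input chain of the default configuration does), move the new accept rules above it: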

/ip firewall filter add chain=input action=accept protocol=udp dst-port=51820 comment="Allow WireGuard"
/ip firewall filter add chain=forward in-interface=wg0 action=accept comment="Allow WG clients"
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade comment="NAT for WG clients"

Step 5: Configure WireGuard on iPhone

  1. Open the WireGuard app -> tap Add Tunnel -> Create from Scratch
  2. Fill in the fields:

Interface (your iPhone)

  • Private Key: tap once to auto-generate
  • Public Key: copy this and add it as a peer on MikroTik
  • Address: 10.10.10.2/24
  • DNS Servers: 8.8.8.8 (or your home router)

Peer (your MikroTik)

  • Public Key: MikroTik server’s public key (from /interface wireguard print)
  • Allowed IPs:
    • 0.0.0.0/0 (full tunnel, all traffic)
    • or 192.168.88.0/24 (LAN-only access, adjust for your LAN range)
  • Endpoint: 203.0.113.10:51820
  • Persistent Keepalive: 25

Save the config.

Step 6: Add iPhone Peer on MikroTik

Now paste the iPhone’s public key into MikroTik:

/interface wireguard peers add interface=wg0 public-key=<IPHONE_PUBLIC_KEY> allowed-address=10.10.10.2/32

Copy/Paste MikroTik Command

If you just want the full configuration in one go, here’s a block of commands you can copy and paste into your MikroTik terminal.

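Replace <IPHONE_PUBLIC_KEY> with your iPhone’s public key. The example public IP 203.0.113.10 does not appear in these router commands; it is only used in the Endpoint field on the iPhone, so replace it there with your own public IP or DDNS name.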

# Create WireGuard interface
/interface wireguard add name=wg0 listen-port=51820

# Assign an internal VPN IP to the WG interface
/ip address add address=10.10.10.1/24 interface=wg0

# Add iPhone as a peer (replace with your iPhone’s public key)
/interface wireguard peers add interface=wg0 public-key=<IPHONE_PUBLIC_KEY> allowed-address=10.10.10.2/32

# Firewall rules to allow WireGuard traffic
/ip firewall filter add chain=input action=accept protocol=udp dst-port=51820 comment="Allow WireGuard"
/ip firewall filter add chain=forward in-interface=wg0 action=accept comment="Allow WG clients"
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 action=masquerade comment="NAT for WG clients"

Step 7: Test the VPN

  1. Turn on the tunnel in the iPhone WireGuard app
  2. You should see a VPN icon on the iPhone status bar
  3. Try pinging your router’s VPN IP (10.10.10.1) or open a LAN service
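
If the ping fails, compare the phone-side tunnel with the router-side values from Steps 1 to 6. The following Python check is an added example, not part of the original post; it assumes the Step 5 tunnel is available as a wg-quick style .conf text, and the function names and the all-zero placeholder key are constructed for illustration.

```python
import base64
import configparser
import ipaddress

# Router-side values taken from the steps above.
ROUTER_VPN_IP = ipaddress.ip_address("10.10.10.1")
PEER_ALLOWED = ipaddress.ip_network("10.10.10.2/32")  # allowed-address on MikroTik
LISTEN_PORT = 51820

def is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # wrong alphabet or padding
        return False

def check_client_config(text):
    """Return a list of problems in a wg-quick style client config."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(text)
    iface, peer = cfg["Interface"], cfg["Peer"]
    problems = []
    if not is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface PrivateKey is not a 32-byte base64 key")
    if not is_wg_key(peer.get("PublicKey", "")):
        problems.append("Peer PublicKey is not a 32-byte base64 key")
    # The router only accepts tunnel packets sourced from allowed-address.
    addr = ipaddress.ip_interface(iface.get("Address", "0.0.0.0")).ip
    if addr not in PEER_ALLOWED:
        problems.append(f"Address {addr} does not match allowed-address {PEER_ALLOWED}")
    # LAN-only AllowedIPs must still cover the router's VPN IP to reach it.
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
    if not any(ROUTER_VPN_IP in n for n in nets):
        problems.append(f"AllowedIPs does not cover {ROUTER_VPN_IP}; "
                        "pinging the router's VPN IP will fail")
    port = peer.get("Endpoint", "").rpartition(":")[2]
    if port != str(LISTEN_PORT):
        problems.append(f"Endpoint port {port or '(missing)'} is not {LISTEN_PORT}")
    return problems

DUMMY_KEY = base64.b64encode(bytes(32)).decode()  # constructed placeholder key
# Constructed sample: the Step 5 values with the LAN-only Allowed IPs option.
SAMPLE = (f"[Interface]\nPrivateKey = {DUMMY_KEY}\nAddress = 10.10.10.2/24\n"
          f"DNS = 8.8.8.8\n\n[Peer]\nPublicKey = {DUMMY_KEY}\n"
          "AllowedIPs = 192.168.88.0/24\nEndpoint = 203.0.113.10:51820\n"
          "PersistentKeepalive = 25\n")

if __name__ == "__main__":
    for problem in check_client_config(SAMPLE):
        print("PROBLEM:", problem)
```

With the LAN-only option, the sample is flagged because 192.168.88.0/24 does not include 10.10.10.1; adding 10.10.10.0/24 to Allowed IPs (or using the full tunnel) clears it.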

Step 8: Use Wake-on-LAN (Optional)

Now that your iPhone is “inside” your home LAN:

  • Open a Wake-on-LAN app
  • Enter your PC’s MAC address and LAN IP
  • Send a magic packet: your PC powers on from anywhere

Security Notes

  • WireGuard only accepts traffic from peers you explicitly configure, so attackers can’t just “guess” their way in
  • The handshake is silent: if someone scans your IP, the router won’t reveal that it’s running WireGuard
  • Keep your RouterOS firmware updated

Conclusion

That’s it! With WireGuard, I can now connect my iPhone to my home LAN from anywhere in the world, securely. It also gave me a safe way to use Wake-on-LAN without exposing insecure ports.

If you’re trying to set this up yourself, just follow the steps above — it takes about 10 minutes once you know the commands.

Written by Jobyer Ahmed
Founder of Bytium, OSCE3-certified cybersecurity expert with deep experience in pentesting and vulnerability assessment.