@Dmitry-Klymenko
Last active January 3, 2025 10:12
MikroTik script for RouterOS to create another peer for Wireguard interface
#
# A MikroTik script for RouterOS to create yet another peer for wireguard server interface
#
# For each peer, change peerName, peerIP and peerAllowedIPs
# v20250103
# using globals so the script can also be executed line by line
:global tmpWGInterfaceName wg0tmp
:global wgInterfaceName wireguardServer
:global wgInterfacePort 13232
:global wgServerIPNet 172.10.10.0/24
# only shown in the MikroTik interface
:global peerName "<NAME-OF-THE-PEER>"
# current peer IP (used as the server-side allowed-address for this peer)
:global peerAllowedIPs "172.10.10.2/32,::/0"
:global peerIP "172.10.10.2/32"
:global hostname "<MIKROTIK-HOST-NAME-OR-IP>"
# Creating or re-using wireguard interface to be used by all peers
:if ([/interface/wireguard find name=$wgInterfaceName] = "") do={
/interface/wireguard add name=$wgInterfaceName listen-port=$wgInterfacePort
#Create route for the interface
/ip route add disabled=no dst-address=$wgServerIPNet gateway=$wgInterfaceName \
routing-table=main scope=10 suppress-hw-offload=no target-scope=5
}
# Generating key pair for the peer
# Should be done on the client's device, but can be done on mikrotik
# itself by creating a temporary wireguard interface and extracting the values
/interface/wireguard add name=$tmpWGInterfaceName
:global peerPublicKey [/interface/wireguard get $tmpWGInterfaceName value-name=public-key]
:global peerPrivateKey [/interface/wireguard get $tmpWGInterfaceName value-name=private-key]
/interface/wireguard remove $tmpWGInterfaceName
:put "Generated keys for peer\r\nPrivate: $peerPrivateKey\r\nPublic: $peerPublicKey"
# Extracting wireguard interface public key for peer wireguard config
:global wgInterfacePublicKey [/interface/wireguard get $wgInterfaceName value-name=public-key]
# Creating peer
/interface/wireguard/peers/add name=$peerName \
interface=$wgInterfaceName \
public-key=$peerPublicKey \
allowed-address=$peerAllowedIPs
# Print Wireguard conf file
:put "#Wireguard client configuration file\r\n\
[Interface]\r\n\
PrivateKey = $peerPrivateKey\r\n\
Address = $peerIP\r\n\
DNS = 1.1.1.1, 8.8.8.8, 9.9.9.9, 8.8.4.4\r\n\
\r\n\
[Peer]\r\n\
PublicKey = $wgInterfacePublicKey\r\n\
AllowedIPs = 0.0.0.0/0\r\n\
Endpoint = $hostname:$wgInterfacePort\r\n\
PersistentKeepalive = 25\r\n\
"
# Clean up the globals so no key material or settings linger in the environment
:set tmpWGInterfaceName nil
:set peerPublicKey nil
:set peerPrivateKey nil
:set wgInterfaceName nil
:set wgInterfacePort nil
:set wgServerIPNet nil
:set peerName nil
:set peerAllowedIPs nil
:set peerIP nil
:set wgInterfacePublicKey nil
:set hostname nil
# Wireguard conf file template (what the :put above prints, with placeholders)
#
#[Interface]
#PrivateKey = <PRIVATE-KEY-OF-THE-CURRENT-PEER>
#Address = <IP-ADDRESS-OF-THE-PEER-CIDR> #172.16.10.10/32
#DNS = 1.1.1.1, 8.8.8.8, 9.9.9.9, 8.8.4.4 #preferred DNS servers
#
#[Peer]
#PublicKey = <PUBLIC-KEY-MIKROTIK-WIREGUARD-INTERFACE>
#AllowedIPs = 0.0.0.0/0 #to allow Internet access or use your subnet to limit access
#Endpoint = <MIKROTIK-HOSTNAME-OR-IP>:<WIREGUARD-INTERFACE-PORT>
#PersistentKeepalive = 25
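A consistency check for the client config the script prints, as an added example that is not part of the gist: it parses the [Interface]/[Peer] file, verifies both keys decode to 32 bytes, and confirms that the Address sits inside wgServerIPNet, is covered by the peer's allowed-address on the router, and that the Endpoint port matches listen-port. It also flags a tunnel network outside the private ranges; the gist's 172.10.10.0/24 is not RFC 1918 space (that block is 172.16.0.0/12), so the check fires on it. The sample keys and the endpoint hostname are constructed placeholders.

```python
import base64
import configparser
import ipaddress

# Constructed values mirroring the script's globals; the keys are placeholders, not real keys.
SERVER_NET = "172.10.10.0/24"                            # wgServerIPNet
SERVER_PORT = 13232                                      # wgInterfacePort
PEER_ALLOWED_ON_SERVER = "172.10.10.2/32,::/0"           # peerAllowedIPs
FAKE_KEY = base64.b64encode(bytes([1]) * 32).decode()    # 32 bytes of 0x01, base64-encoded
SAMPLE_CONF = f"""[Interface]
PrivateKey = {FAKE_KEY}
Address = 172.10.10.2/32

[Peer]
PublicKey = {FAKE_KEY}
AllowedIPs = 0.0.0.0/0
Endpoint = router.example.invalid:13232
PersistentKeepalive = 25
"""

def is_wg_key(value):
    """True if value is base64 for exactly 32 bytes, the size of a Curve25519 key."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def check_client_conf(conf_text, server_net, server_port, peer_allowed_on_server):
    """Return a list of inconsistencies between the client conf and the router-side values."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    server_net = ipaddress.ip_network(server_net)
    iface, peer = cp["Interface"], cp["Peer"]
    problems = []
    for section, key in (("Interface", "PrivateKey"), ("Peer", "PublicKey")):
        if not is_wg_key(cp[section].get(key, "")):
            problems.append(f"{section}.{key} is not a 32-byte base64 key")
    addr = ipaddress.ip_interface(iface["Address"])
    if addr.ip not in server_net:
        problems.append(f"Address {addr} lies outside the tunnel network {server_net}")
    if not server_net.is_private:
        problems.append(f"tunnel network {server_net} is not a private range; it will shadow public addresses")
    allowed = [ipaddress.ip_network(a.strip()) for a in peer_allowed_on_server.split(",")]
    if not any(addr.ip in net for net in allowed):  # mixed IP versions simply compare False
        problems.append(f"router allowed-address {peer_allowed_on_server} does not cover {addr.ip}")
    host, _, port = peer["Endpoint"].rpartition(":")  # rpartition also copes with [v6]:port
    if not host or not port.isdigit() or int(port) != server_port:
        problems.append(f"Endpoint port {port!r} does not match listen-port {server_port}")
    return problems
```

Run it on the config the script printed before handing it to the client; an empty list means the client file and the router's peer entry agree.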