WireGuard VPN Router Setup
Connect your MikroTik routers securely to Kitonga via WireGuard VPN for remote API access without exposing ports to the internet.
Overview
This guide explains how tenant MikroTik routers connect to the Kitonga VPS server over a WireGuard VPN tunnel. Kitonga then reaches each router's API through the tunnel, so the API port never has to be port-forwarded or exposed to the internet, and the router can sit behind NAT.
Architecture
[Internet]
|
[VPS Server: YOUR_VPS_PUBLIC_IP]
|
[WireGuard Interface: YOUR_VPN_SERVER_IP]
|
+---[Tenant Router 1: <VPN_NETWORK>.10]
|
+---[Tenant Router 2: <VPN_NETWORK>.20]
|
+---[Tenant Router N: <VPN_NETWORK>.N0]
VPS Server Information
WireGuard Server Details
Contact your Kitonga administrator to get the following connection details:
- VPS Public IP: <PROVIDED_BY_ADMIN>
- WireGuard Port: 51820/UDP
- Server VPN IP: <PROVIDED_BY_ADMIN>
- VPN Network: <PROVIDED_BY_ADMIN>
- VPS WireGuard public key: <PROVIDED_BY_ADMIN>
- Your assigned VPN IP: <PROVIDED_BY_ADMIN>
Adding a New Tenant Router
Use the admin command on the VPS to add a new tenant router:
sudo /opt/kitonga/add-tenant-router.sh tenant_name
This command outputs the WireGuard peer configuration needed for the MikroTik router, including the router's private key. Treat that output as a secret: deliver it to the tenant over a secure channel and do not leave it in shell history, tickets or chat logs.
MikroTik Router Configuration
Step 1: Create WireGuard Interface
/interface wireguard add name=wg-kitonga \
listen-port=51820 \
private-key="<ROUTER_PRIVATE_KEY>"
Replace <ROUTER_PRIVATE_KEY> with the private key provided by the VPS script. WireGuard requires RouterOS v7 or later. The private key belongs on this router only; if it is ever exposed, generate a new keypair and give the administrator the new public key.
Step 2: Add WireGuard Peer (VPS Server)
/interface wireguard peers add interface=wg-kitonga \
public-key="<VPS_SERVER_PUBLIC_KEY>" \
endpoint-address=<VPS_PUBLIC_IP> \
endpoint-port=51820 \
allowed-address=<VPN_NETWORK>/24 \
persistent-keepalive=25
Replace the placeholders with the values provided by your Kitonga administrator. allowed-address is WireGuard's cryptokey routing filter: the router accepts packets from this peer only if their source address is inside the VPN network, and sends packets to destinations in that network only through this peer. Keep it limited to the VPN /24; 0.0.0.0/0 would push all of the router's traffic towards the VPS. persistent-keepalive makes the router send a packet every 25 seconds, which keeps a NAT mapping open and lets the router initiate the tunnel itself.
Step 3: Assign IP Address
/ip address add address=<YOUR_ASSIGNED_VPN_IP>/24 \
interface=wg-kitonga
Use the VPN IP address assigned to your tenant by the administrator.
Step 4: Configure Firewall
RouterOS appends new filter rules to the end of the chain. If your input chain already ends with a drop rule (the default configuration does), these rules must be placed above it, for example with place-before, or they will never match. Rules are evaluated in order, so the accept rule for the VPN server must also come before the drop rule.
# Allow WireGuard traffic (needed when the VPS must initiate the handshake,
# e.g. the router has a public IP; a router behind NAT initiates the tunnel
# itself and the replies are accepted as established/related)
/ip firewall filter add chain=input \
protocol=udp dst-port=51820 action=accept \
comment="Allow WireGuard"
# Allow API access from the VPN server only
/ip firewall filter add chain=input \
src-address=<VPN_SERVER_IP> \
dst-port=8728 protocol=tcp action=accept \
comment="Allow API from VPN"
# Recommended: block API from every other source, so the plaintext API is
# never reachable from the internet or the LAN
/ip firewall filter add chain=input \
dst-port=8728 protocol=tcp action=drop \
comment="Block API from non-VPN"
Replace <VPN_SERVER_IP> with the server VPN IP provided by your administrator. Afterwards check with /ip firewall filter print chain=input that the three rules sit above any drop rule.
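The whole procedure above (Adding a New Tenant Router on the VPS, then Steps 1 to 4 on the router) as one script. This is an added example written for this guide, not Kitonga's add-tenant-router.sh, and it assumes things the guide does not state: the VPS WireGuard interface is wg0 with its config in /etc/wireguard/wg0.conf, the server is <VPN_NETWORK>.1 and tenants take .10, .20, ... as in the allocation table, and the RouterOS firewall rules are inserted with place-before=0 so they land at the top of the filter list.

```bash
#!/usr/bin/env bash
# Added example, not Kitonga's /opt/kitonga/add-tenant-router.sh: allocate
# the next tenant VPN IP, generate the router's WireGuard keypair, register
# the peer on the VPS, and print the RouterOS commands for Steps 1-4.
# Assumptions (not from the guide): VPS interface wg0 persisted in
# /etc/wireguard/wg0.conf; server is <VPN_NETWORK>.1; tenants use .10, .20, ...
set -eu

WG_IFACE="${WG_IFACE:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/${WG_IFACE}.conf}"

# allocated_ips PREFIX < wg0.conf
# Prints the tenant IPs already assigned as AllowedIPs (e.g. 10.8.0.10).
allocated_ips() {
  awk -F'[ =/]+' -v p="$1." '$1 == "AllowedIPs" && index($2, p) == 1 { print $2 }'
}

# next_tenant_ip PREFIX [USED_IP ...]
# Returns the lowest free .10/.20/... address; fails when the /24 is full.
next_tenant_ip() {
  local prefix="$1" n ip
  shift
  for n in $(seq 10 10 250); do
    ip="${prefix}.${n}"
    case " $* " in
      *" ${ip} "*) ;;                      # already allocated, try the next slot
      *) printf '%s\n' "$ip"; return 0 ;;
    esac
  done
  echo "no free tenant slot in ${prefix}.0/24" >&2
  return 1
}

# render_routeros_config IFNAME ROUTER_PRIVKEY VPS_PUBKEY VPS_PUBLIC_IP PREFIX TENANT_IP
# Emits the MikroTik side of Steps 1-4. The firewall rules are added in
# reverse order with place-before=0, so the final order at the top of the
# filter list is: accept WireGuard, accept API from VPS, drop API. A
# default-config "drop all" rule at the end of the input chain therefore
# cannot shadow them.
render_routeros_config() {
  local ifname="$1" privkey="$2" vps_pub="$3" vps_ip="$4" prefix="$5" tenant_ip="$6"
  cat <<EOF
/interface wireguard add name=${ifname} listen-port=51820 private-key="${privkey}"
/interface wireguard peers add interface=${ifname} public-key="${vps_pub}" endpoint-address=${vps_ip} endpoint-port=51820 allowed-address=${prefix}.0/24 persistent-keepalive=25s
/ip address add address=${tenant_ip}/24 interface=${ifname}
/ip firewall filter add chain=input protocol=tcp dst-port=8728 action=drop comment="Block API from non-VPN" place-before=0
/ip firewall filter add chain=input src-address=${prefix}.1 protocol=tcp dst-port=8728 action=accept comment="Allow API from VPN" place-before=0
/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept comment="Allow WireGuard" place-before=0
EOF
}

# add_tenant_router TENANT_NAME VPS_PUBLIC_IP PREFIX
# Needs root and wg(8). The router's private key is printed exactly once as
# part of the RouterOS commands; hand it to the tenant out of band, never log it.
add_tenant_router() {
  local tenant="$1" vps_ip="$2" prefix="$3" used tenant_ip router_priv router_pub vps_pub
  used=$(allocated_ips "$prefix" < "$WG_CONF" | tr '\n' ' ')
  tenant_ip=$(next_tenant_ip "$prefix" $used)     # $used unquoted on purpose: one IP per word
  router_priv=$(wg genkey)
  router_pub=$(printf '%s\n' "$router_priv" | wg pubkey)
  vps_pub=$(wg show "$WG_IFACE" public-key)
  wg set "$WG_IFACE" peer "$router_pub" allowed-ips "${tenant_ip}/32"   # live on the VPS now
  printf '\n# %s\n[Peer]\nPublicKey = %s\nAllowedIPs = %s/32\n' \
    "$tenant" "$router_pub" "$tenant_ip" >> "$WG_CONF"                     # survives a reboot
  render_routeros_config wg-kitonga "$router_priv" "$vps_pub" "$vps_ip" "$prefix" "$tenant_ip"
}

# Usage: sudo ./add-tenant.sh <tenant_name> <VPS_PUBLIC_IP> <VPN_NETWORK prefix, e.g. 10.8.0>
if [ "$#" -eq 3 ]; then add_tenant_router "$@"; fi
```

Run it as root on the VPS, for example sudo ./add-tenant.sh acme 203.0.113.5 10.8.0 (hypothetical values); it prints the RouterOS commands to paste into the tenant router's terminal. The VPS only needs the tenant's /32 in AllowedIPs, which also stops a tenant from spoofing another tenant's VPN address. After pasting on the router, confirm with /ip firewall filter print chain=input that the three rules sit above any drop rule.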
Verification Steps
On VPS Server
# Check WireGuard status (latest handshake and transfer counters per peer)
sudo wg show
# Ping tenant router
ping <TENANT_VPN_IP>
On MikroTik Router
# Check WireGuard interface
/interface wireguard print
# Check peer status (last-handshake should be recent)
/interface wireguard peers print
# Ping VPS
/ping <VPN_SERVER_IP>
IP Address Allocation
Your administrator will provide specific IP addresses. Below is a typical allocation pattern:
| Role | IP Address Pattern |
|---|---|
| VPS Server | <VPN_NETWORK>.1 |
| Tenant 1 Router | <VPN_NETWORK>.10 |
| Tenant 2 Router | <VPN_NETWORK>.20 |
| Tenant 3 Router | <VPN_NETWORK>.30 |
| Tenant N Router | <VPN_NETWORK>.N0 |
MikroTik API User Setup
After the VPN tunnel is established, configure an API user on the MikroTik router:
# Create API group
/user group add name=api-group policy=api,read,write,policy,test
# Create API user
/user add name=kitonga-api password=<STRONG_PASSWORD> \
group=api-group
# Enable API service
/ip service set api disabled=no port=8728
Security Note
Use a strong, unique password for the API user. This password will be stored in Kitonga and used to communicate with your router. Be aware that the policy permission lets an account add and modify users and groups, so a user with write and policy is effectively an administrator of the router; keep the group's policy list to what Kitonga actually needs. The API service can additionally be limited to the server VPN IP with the address parameter of /ip service, which complements the firewall rule from Step 4.
Troubleshooting
❌ VPN Not Connecting
- Verify UDP port 51820 is open on the VPS (and on the router, if the VPS has to initiate)
- Check public key configuration (must match exactly; each side is configured with the other side's public key)
- Ensure endpoint address and port are correct
- Check firewall rules on the router
- A peer is only up after a handshake: check last-handshake in /interface wireguard peers print
❌ Cannot Ping VPS
- Verify allowed-address includes your VPN network
- Check the IP address assigned to the WireGuard interface
- Ensure persistent-keepalive is set (25 seconds recommended), especially behind NAT
❌ API Connection Failed
- Ensure the API service is enabled on port 8728
- Verify the API user credentials
- Check that the firewall allows API from the VPN server IP and that the accept rule sits above any drop rule
- Test the TCP connection from the VPS to your router's VPN IP: telnet <YOUR_VPN_IP> 8728
Security Best Practices
- Unique Passwords: Use a different API password for each tenant router, so a credential leaked from one router does not open the others
- Restrict API Access: Only allow API connections from the VPN server IP, both in the firewall and via the address parameter of the API service
- Use API-SSL: Consider enabling API-SSL (port 8729) instead of the plaintext API. Inside the tunnel the traffic is already encrypted, but API-SSL also hides the credentials from anyone able to capture traffic on the VPS or on the VPN network
- Tenant Isolation: Do not let the VPS forward traffic between tenant peers (keep IP forwarding off, or drop forwarded traffic on the WireGuard interface); otherwise one tenant's router can reach another's management services over the VPN
- Regular Key Rotation: Periodically generate a new WireGuard keypair for the router, update the peer's public key on the VPS, then replace the router's private key; a previously leaked key is then useless
- Monitor Connections: Regularly check WireGuard peer status; a peer whose latest handshake is more than a few minutes old is down
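A check for the Verification Steps and the Monitor Connections practice above: an added example written for this guide, not part of Kitonga, that parses the machine-readable output of wg show <iface> dump on the VPS and reports peers without a recent handshake. The sample dump is constructed (fake keys, documentation addresses); the interface name wg0 and the 180 second threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of Kitonga: report peers whose last WireGuard
# handshake is too old, using `wg show <iface> dump`.
# Peer lines are tab-separated: public-key, preshared-key, endpoint,
# allowed-ips, latest-handshake (unix epoch, 0 = never), rx-bytes, tx-bytes,
# persistent-keepalive. The first line describes the interface (4 fields).
set -eu

# stale_peers NOW_EPOCH MAX_AGE_SECONDS < dump
# Prints "<allowed-ips> <public-key> <age>s" or "... never" for every peer
# that has not handshaked within MAX_AGE_SECONDS. With persistent-keepalive=25
# a healthy peer re-handshakes about every two minutes, so 180 s is a
# sensible limit (assumed here, not from the guide).
stale_peers() {
  awk -F'\t' -v now="$1" -v max="$2" '
    NF < 8 { next }                                  # interface line, not a peer
    $5 == 0 { print $4, $1, "never"; next }          # no handshake ever completed
    now - $5 > max { print $4, $1, (now - $5) "s" }
  '
}

# Constructed sample dump (fake keys, RFC 5737 addresses): .10 is healthy,
# .20 handshaked 10 minutes ago, .30 has never connected.
sample_dump() {
  printf 'SRVPRIV=\tSRVPUB=\t51820\toff\n'
  printf 'PEER1PUB=\t(none)\t198.51.100.7:41230\t10.8.0.10/32\t1700000000\t1024\t2048\t25\n'
  printf 'PEER2PUB=\t(none)\t198.51.100.8:51820\t10.8.0.20/32\t1699999500\t4096\t8192\t25\n'
  printf 'PEER3PUB=\t(none)\t(none)\t10.8.0.30/32\t0\t0\t0\t25\n'
}

# check_peers IFACE [MAX_AGE]
# Live check for cron or a monitoring agent: exits 1 and lists the stale
# peers on stderr. Needs root, because wg(8) reads the interface's keys.
check_peers() {
  local stale
  stale=$(wg show "$1" dump | stale_peers "$(date +%s)" "${2:-180}")
  [ -z "$stale" ] && return 0
  printf 'stale WireGuard peers on %s:\n%s\n' "$1" "$stale" >&2
  return 1
}

# Demo on the constructed dump, as if "now" were 1700000100; prints:
#   10.8.0.20/32 PEER2PUB= 600s
#   10.8.0.30/32 PEER3PUB= never
sample_dump | stale_peers 1700000100 180
# Live usage on the VPS (assumed interface name): check_peers wg0
```

Because the dump identifies peers by allowed-ips, the output maps directly onto the tenant allocation table, so a stale entry tells you which tenant router to look at. A "never" entry for a freshly added tenant usually means the router side was not configured yet or the public keys were swapped.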
Setup Complete!
Once the VPN tunnel is established and API user is configured, add your router to Kitonga using your assigned VPN IP address and the API credentials.