Setting Up a Hub-Spoke VPN with Ubuntu 22.04 and MikroTik Routers Using WireGuard

A hub-spoke VPN architecture is an excellent solution for businesses looking to securely connect remote branches (spokes) to a central office (hub) over the internet. This guide will walk you through setting up a hub-spoke VPN using Ubuntu 22.04 as the hub, two MikroTik routers as the clients, and WireGuard as the VPN protocol. Additionally, we'll configure DNS forwarding to enhance security and content filtering using dnsmasq on the Ubuntu server, effectively blocking malware and adult content for connected users.


Prerequisites

  • An Ubuntu 22.04 server; for this guide, we'll assume it's hosted on DigitalOcean.
  • Two MikroTik routers running RouterOS v7.
  • Basic understanding of network configuration and terminal usage.

Step 1: Configuring the Ubuntu Server (Hub)

First, we'll set up the Ubuntu server to act as our VPN hub. Ensure your server has WireGuard and dnsmasq installed; if not, install them using:

sudo apt update && sudo apt install wireguard dnsmasq -y

Generate WireGuard Keys

Use the WireGuard Config website to generate a private and public key pair for the server and each MikroTik router.

Configure WireGuard Interface

Create a new WireGuard configuration file:

sudo nano /etc/wireguard/wg0.conf

Add the following configuration, replacing YOUR_SERVER_PRIVATE_KEY with your server's private key and adding the public keys of your MikroTik routers:

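[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address =
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# MikroTik Router 1
[Peer]
# Placeholder: replace with router 1's public key
PublicKey = ROUTER_1_PUBLIC_KEY
AllowedIPs =

# MikroTik Router 2
[Peer]
# Placeholder: replace with router 2's public key
PublicKey = ROUTER_2_PUBLIC_KEY
AllowedIPs =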
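
WireGuard uses each peer's AllowedIPs both to pick the peer for outgoing packets and to filter the source addresses it accepts from that peer, so on the hub an overlapping or catch-all entry means traffic for one branch can be delivered to, or accepted from, the wrong router. The lint below is an added example, not part of the original guide; the sample addresses, the key placeholders and the function names parse_peers and lint_hub are assumptions.

```python
import ipaddress

# Constructed sample hub config: every address and key placeholder is an assumption.
SAMPLE_CONF = """\
[Interface]
Address = 10.10.0.1/24
# MikroTik Router 1
[Peer]
PublicKey = ROUTER_1_PUBLIC_KEY
AllowedIPs = 10.10.0.2/32, 192.168.10.0/24
# MikroTik Router 2
[Peer]
PublicKey = ROUTER_2_PUBLIC_KEY
AllowedIPs = 10.10.0.3/32, 192.168.10.0/25, 0.0.0.0/0
"""

def parse_peers(text):
    """Return [(public_key, [network, ...]), ...], one entry per [Peer] section."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments; blanks fall through
        if line.startswith("["):
            current = ["?", []] if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            if name.lower() == "publickey":
                current[0] = value
            elif name.lower() == "allowedips":
                current[1] += [ipaddress.ip_network(v.strip(), strict=False)
                               for v in value.split(",") if v.strip()]
    return [tuple(p) for p in peers]

def lint_hub(text):
    """Flag catch-all routes and cross-peer overlaps in the hub's AllowedIPs."""
    findings, seen = [], []
    for key, nets in parse_peers(text):
        for net in nets:
            if net.prefixlen == 0:
                findings.append(f"{key}: {net} accepts any source address from this spoke")
                continue
            findings += [f"{key}: {net} overlaps {other} of {other_key}"
                         for other_key, other in seen
                         if other_key != key and net.overlaps(other)]
            seen.append((key, net))
    return findings

if __name__ == "__main__":
    print("\n".join(lint_hub(SAMPLE_CONF)) or "no findings")
```

On the hub, pass the contents of /etc/wireguard/wg0.conf to lint_hub before bringing the interface up; an empty list means each spoke's ranges are disjoint and none is a default route.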

Activate the interface:

sudo wg-quick up wg0

Enable IP Forwarding

Edit /etc/sysctl.conf and uncomment the following line:


Apply the changes:

sudo sysctl -p

Configure dnsmasq for DNS Forwarding

Edit /etc/dnsmasq.conf, adding:


Restart dnsmasq to apply the changes:

sudo systemctl restart dnsmasq

Step 2: Configuring MikroTik Routers (Spokes)

On each MikroTik router, perform the following steps. Replace YOUR_ROUTER_PRIVATE_KEY with the router's private key and adjust IP addresses accordingly.

Configure WireGuard Interface

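Access your MikroTik router via Winbox or SSH and enter the following commands. In RouterOS v7 the tunnel address is assigned with /ip address, not as a property of the WireGuard interface:

/interface wireguard add name=wg0 listen-port=51820 private-key="YOUR_ROUTER_PRIVATE_KEY"
/ip address add address= interface=wg0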

For the second router, use address=

Set Up WireGuard Peers

Configure the WireGuard peer (the Ubuntu server) on each router:

/interface wireguard peers add public-key=UBUNTU_SERVER_PUBLIC_KEY allowed-address= endpoint-address=SERVER_PUBLIC_IP endpoint-port=51820 interface=wg0

Configure IP Routes

Add a route to direct traffic through the WireGuard interface:

/ip route add dst-address= gateway=

Forward DNS Requests to the VPN Server

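Direct all DNS requests from users behind the MikroTik routers to the Ubuntu server. Because allow-remote-requests=yes makes the router answer DNS queries arriving on any interface, keep port 53 closed on the WAN side in the router's firewall: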

/ip dns set servers= allow-remote-requests=yes

Testing and Verification

After configuring both the Ubuntu server and MikroTik routers, test the VPN connection by attempting to access the internet from a device connected behind one of the MikroTik routers. You should also be able to ping between devices across the VPN.

To verify DNS filtering, try accessing a known malware or adult content site; the request should be blocked or fail to resolve.


You've now set up a hub-spoke VPN architecture using Ubuntu 22.04 as the hub, MikroTik routers as spokes, and WireGuard as the VPN protocol. This setup not only secures your network traffic but also provides an additional layer of content filtering through dnsmasq, enhancing the overall security posture of your network. Whether for a small business or a larger enterprise, this guide offers a solid foundation for secure, efficient network communication and management.
