silajim
Topic Author

WireGuard help needed

Fri Mar 08, 2024 6:30 pm

I am trying to set up WireGuard on the MikroTik so other devices can connect to it, replacing OpenVPN. The client connects to the MikroTik and the connection seems to be up and running, since I can see keepalive packets in the statistics, but nothing else gets through: I cannot ping the router from the client, and the router cannot ping the client; both give me timeouts, so both know that someone exists.

The client IP is in the 192.168.121.0/24 subnet, the WireGuard IP is 192.168.3.0 and my own network is 192.168.1.0.

This is the client configuration; I only want to be able to connect to the localhost.
[Interface]
PrivateKey = <private>
Address = 192.168.3.2/32

[Peer]
PublicKey = SMNrkfa3EEcBULtfXhZSCOrsjiXtp0fDrQ6QAwx2ew0=
AllowedIPs = 192.168.0.0/16, fc00::/7, 127.0.0.1/32
Endpoint = silajim.duckdns.org:13231
PersistentKeepalive = 10
Can anybody help?
Last edited by silajim on Fri Mar 08, 2024 6:36 pm, edited 1 time in total.
 
anav
Forum Guru
Location: Nova Scotia, Canada

Re: WireGuard help needed

Fri Mar 08, 2024 6:33 pm

First, I would state:
a. check to ensure the keys are set up correctly
b. there is no firewall on the remote device blocking traffic

1. This indicates some sort of error... Which indeed is probably true, as you never defined vlan100, so not sure what you are doing here??? You are not using bridge VLAN filtering, so this whole entry should be removed.
/interface bridge vlan
add bridge=*C vlan-ids=100


2. You have extra noise in your PEER settings for the remote user REMOVE IT, has no business being there.
/interface wireguard peers
add allowed-address=192.168.3.2/32 client-address=192.168.3.2/32 \
    client-endpoint=silajim.duckdns.org client-keepalive=25s interface=wireguard1 \
    private-key="XXXXXX" public-key="SGXFpLSxG6kkmZAKuFutCannk1SJ4HMLDlGicMwQCzg="

should look like:
/interface wireguard peers
add allowed-address=192.168.3.2/32 interface=wireguard1 \
public-key="---------------="


3. Remove this old default entry
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan


4. What is the purpose of this rule?? You only have one subnet........... they are already connected at Layer2 ???
add action=accept chain=forward dst-address=192.168.0.0/16 src-address=\
192.168.0.0/16


5. What is the purpose of these rules....... Did you find them somewhere or did you just make them up??
add action=accept chain=input comment="INPUT Allow UPnP port 1900 udp" \
dst-port=1900 in-interface=bridge log-prefix=UPnP protocol=udp
add action=accept chain=input comment="INPUT Allow UPnP port 2828 tcp" \
dst-port=2828 in-interface=bridge log-prefix=UPnP protocol=tcp


6. Why are all your port forwarding rules in the Forward Chain vice DSTNAT ??

7. Not sure why you are mangling or using UPNP for that matter. I would remove it and use the normal sourcenat hairpin rule.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24

Edit: Ah, I see you already have it in place; then why bother with mangling anything....... just trying to understand the logic.

8. Good use of a FW address list for the PPPoE interface on DSTNAT rules, but use it for all rules........

9. You started with organized default firewall rules and have turned them into a disorganized mess. Ensure you reorganize them for clarity.
 
silajim
Topic Author

Re: WireGuard help needed

Fri Mar 08, 2024 7:06 pm

Thanks for the quick answer!
Yes, the keys are proper and there is no firewall; well, the client is behind a firewall and a NAT, but it should not matter.

1) Removed it; I don't know what was going on there.
2) The newer RouterOS versions can create a WireGuard config file for the clients to connect with, including a QR code; those are for that, well, except the client address.
3) removed

4) just trying things, see if there was the need, but it does not.

5) I do not remember; they have been disabled, maybe something breaks.

6) What do you mean?

7) The mangling was to mark packets coming from a specific IP, to limit the bandwidth. But it's not used anymore.
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24
What's the point of even this?

8) Again, what do you mean? What should I change?
 
silajim
Topic Author

Re: WireGuard help needed  [SOLVED]

Fri Mar 08, 2024 11:13 pm

After some deliberation, I managed to get ping working across subnets, but I can't SSH into the other machine from a LAN client (behind the MikroTik), only from the router itself. When running the packet sniffer, I don't see any traffic going into or out of the WireGuard interface except for the ICMP packets.

To make it more clear:

 PC B ------>> router ------------> Internet ---------> MY MT ----------------> PC A
 192.168.121.X                                          WG: 192.168.3.0        192.168.1.X
 WG: 192.168.3.2

My MT can access the services on PC B and can SSH, but PC A cannot; it can only ping.

I am starting to think that WG is not meant for this


EDIT: I made it work!! Turns out I had all the blocks already; the issue was the OpenVPN running on the computer I was testing on (PC A). It seems that the VPN profile does some things with IP routing.
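The rule that decides whether a packet crosses a WireGuard tunnel at all is cryptokey routing: the sender hands a packet to the tunnel only if the destination is inside the peer's AllowedIPs, and the receiver drops a decrypted packet unless its source is inside the AllowedIPs of the peer it came from. The script below is an added example, not code from this thread or from MikroTik: it parses a client config in the format quoted in the first post and checks, for the topology in the diagram above, whether each side's AllowedIPs lets a request and its reply through. The host addresses 192.168.1.50 and 192.168.121.20, the router's address 192.168.3.1 on wireguard1, the key placeholders and the endpoint name are constructed assumptions; the router-side allowed-address=192.168.3.2/32 is the peer entry from anav's reply.

```python
import ipaddress

# Constructed client config in the wg-quick format quoted in the first post.
# Keys and endpoint are placeholders; the addresses are the thread's.
CLIENT_CONF = """
[Interface]
PrivateKey = <private>
Address = 192.168.3.2/32

[Peer]
PublicKey = <router-public-key>
AllowedIPs = 192.168.0.0/16, fc00::/7 , 127.0.0.1/32
Endpoint = router.example:13231
PersistentKeepalive = 10
"""

# Router side: the allowed-address of the client's peer entry (from anav's reply).
ROUTER_PEER_ALLOWED = "192.168.3.2/32"


def parse_wg_conf(text):
    """Parse a wg-quick config into {"Interface": {...}, "Peer": [{...}, ...]}."""
    conf = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section == "Peer":
                conf["Peer"].append({})
                current = conf["Peer"][-1]
            elif section == "Interface":
                current = conf["Interface"]
            else:
                raise ValueError(f"unknown section [{section}]")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        # split on the first '=' only: base64 keys end in '=' padding
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return conf


def parse_allowed_ips(value):
    """'192.168.0.0/16, fc00::/7' -> list of ip_network objects (v4 and v6)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def covered(addr, nets):
    """True if addr falls inside any of nets; a v4 address never matches a v6 net."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def one_way(src, dst, client_allowed, router_allowed, from_client):
    """Cryptokey routing for one packet.

    Sender: the packet is handed to the tunnel only if dst is inside the
    peer's allowed IPs. Receiver: after decryption the packet is dropped
    unless src is inside the allowed IPs of the peer it arrived from.
    Returns (ok, name of the first failing hop or None).
    """
    if from_client:
        hops = [("client egress", dst, client_allowed),
                ("router ingress", src, router_allowed)]
    else:
        hops = [("router egress", dst, router_allowed),
                ("client ingress", src, client_allowed)]
    for name, addr, nets in hops:
        if not covered(addr, nets):
            return False, name
    return True, None


def round_trip(src, dst, client_allowed, router_allowed, from_client):
    """Check the request and its reply; report the first hop that drops."""
    ok, hop = one_way(src, dst, client_allowed, router_allowed, from_client)
    if not ok:
        return False, hop
    return one_way(dst, src, client_allowed, router_allowed, not from_client)


def thread_scenarios():
    """The flows from the diagram above, with constructed host addresses."""
    conf = parse_wg_conf(CLIENT_CONF)
    client_allowed = parse_allowed_ips(conf["Peer"][0]["AllowedIPs"])
    router_allowed = parse_allowed_ips(ROUTER_PEER_ALLOWED)
    client_wg = str(ipaddress.ip_interface(conf["Interface"]["Address"]).ip)
    pc_a = "192.168.1.50"        # assumed: LAN host behind the MikroTik
    pc_b_lan = "192.168.121.20"  # assumed: the client's own LAN address
    router_wg = "192.168.3.1"    # assumed: router's address on wireguard1
    return {
        "PC A -> client WG address": round_trip(pc_a, client_wg, client_allowed, router_allowed, False),
        "PC A -> client LAN address": round_trip(pc_a, pc_b_lan, client_allowed, router_allowed, False),
        "client -> router WG address": round_trip(client_wg, router_wg, client_allowed, router_allowed, True),
    }


if __name__ == "__main__":
    for name, (ok, hop) in thread_scenarios().items():
        print(f"{name}: {'passes both sides' if ok else 'dropped at ' + hop}")
```

Run as a script it prints the three scenarios. The first and third pass on both sides, which matches how this thread ended: with these AllowedIPs the tunnel itself does not block SSH from PC A to 192.168.3.2, so the remaining suspects are the router's forward chain and the host's own routes (here, the OpenVPN profile on PC A). The second scenario is dropped at the router's egress: 192.168.121.20 is not inside allowed-address=192.168.3.2/32, so the router never hands such a packet to the tunnel; reaching the client's own LAN would require that prefix in the peer's allowed-address and a route for it.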
