Access to Mikrotik LAN via Wireguard on VPS

Hi, I have a VPS with a public IP running a WireGuard server installed via https://github.com/Nyr/wireguard-install. Clients (my phone, Mikrotik) connect to this server.
WireGuard network: 10.7.0.0/24; WG phone IP: 10.7.0.3; WG Mikrotik IP: 10.7.0.2; WG server IP: 10.7.0.1
On the VPS server I have another network, 10.8.0.0/24, and the VPS server has the IP 10.8.0.1
On my Mikrotik the LAN network 10.6.0.0/24 is running

I want to connect to the 10.6.0.0/24 network via my phone, which is connected to the VPN, but none of the configurations I try work. The most promising config was https://www.laroberto.com/remote-lan-access-with-wireguard/

So now I can ping:
from my phone connected to the VPN:

  • IPs from 10.7.0.0/24
  • IPs from 10.8.0.0/24
    (all network traffic is routed by VPN WG on phone AllowedIPs: 0.0.0.0/0)

from PCs in Mikrotik LAN network and Mikrotik console:

  • IPs from 10.6.0.0/24
  • IPs from 10.7.0.0/24
  • IPs from 10.8.0.0/24

Now I have rolled back all the bugged configuration, and:
VPS WG server config /etc/wireguard/wg0.conf

[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = XXXXXXXXX
ListenPort = 51820

# BEGIN_PEER MikroTik_hAPlite
[Peer]
PublicKey = XXXXXXXXX
PresharedKey = XXXXXXXXX
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER MikroTik_hAPlite
# BEGIN_PEER phone
[Peer]
PublicKey = XXXXXXXXX
PresharedKey = XXXXXXXXX
AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
# END_PEER phone

Mikrotik config and Mikrotik routing:
[screenshot: Mikrotik config, 2023-05-23 16.52.45]
[screenshot: Mikrotik routing, 2023-05-23 16.53.49]
Can someone help me with this problem, please?

On the VPS, the peer for the MT should include 10.0.6.0/24

# BEGIN_PEER MikroTik_hAPlite
[Peer]
PublicKey = XXXXXXXXX
PresharedKey = XXXXXXXXX
AllowedIPs = 10.7.0.2/32, 10.0.6.0/24, fddd:2c4:2c4:2c4::2/128

The reason is that it's not a contiguous tunnel.
The phone connects peer to peer to the VPS and exits the tunnel.
Then it re-enters the tunnel from the VPS to the MT segment, and thus the peer setting has to include the destination IP of 10.0.6.0/24.

The other thing you have to ensure on the VPS are the firewall rules and routing rules. Since I am only conversant in MT lingo, I will put the equivalents.

VPS Firewall rule
add chain=forward action=accept in-interface=wireguard out-interface=wireguard

We are using the VPS as a relay, so traffic exiting the tunnel should be able to re-enter the tunnel, and of course we need routing to do that as well.
So we have to ensure that the phone, after exiting the tunnel at the VPS, has a path to the subnet on the MT, SAME AS LOCAL USERS at the VPS would need.
add dst-address=10.0.6.0/24 gateway=wireguard table=main
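To see why the AllowedIPs change above matters, here is an added example (not code from the thread or from wireguard-install) that parses a wg0.conf in the format wireguard-install writes and performs the same longest-prefix lookup WireGuard's cryptokey routing does when a packet leaves the VPS through wg0. The sample config is constructed from the one in the original post with keys elided, and the "fixed" variant adds the LAN the original post names, 10.6.0.0/24, to the MikroTik peer.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's VPS wg0.conf (keys elided, the
# [Interface] section omitted since it plays no part in choosing a peer).
WG0_CONF = """\
# BEGIN_PEER MikroTik_hAPlite
[Peer]
PublicKey = XXXXXXXXX
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
# END_PEER MikroTik_hAPlite
# BEGIN_PEER phone
[Peer]
PublicKey = XXXXXXXXX
AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
# END_PEER phone
"""

# The reply's suggestion applied to the poster's LAN (10.6.0.0/24): the
# MikroTik peer's AllowedIPs gains the subnet that sits behind it.
FIXED_CONF = WG0_CONF.replace("10.7.0.2/32,", "10.7.0.2/32, 10.6.0.0/24,")

def parse_peers(conf):
    """Map each BEGIN_PEER name (wireguard-install writes them) to the
    networks listed on that peer's AllowedIPs line."""
    peers, name = {}, None
    for line in conf.splitlines():
        m = re.match(r"#\s*BEGIN_PEER\s+(\S+)", line)
        if m:
            name = m.group(1)
            peers[name] = []
        elif name and line.startswith("AllowedIPs"):
            for tok in line.split("=", 1)[1].split(","):
                peers[name].append(ipaddress.ip_network(tok.strip(), strict=False))
    return peers

def peer_for(conf, dst):
    """Cryptokey routing: the peer whose AllowedIPs has the longest prefix
    covering dst gets the packet; None means WireGuard silently drops it."""
    dst, best = ipaddress.ip_address(dst), None
    for name, nets in parse_peers(conf).items():
        for net in nets:
            if net.version == dst.version and dst in net and (
                    best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None
```

With the original config a packet for 10.6.0.10 matches no peer and is dropped at the VPS even when the forward rule and route are in place; with the fixed config it is encrypted to the MikroTik peer.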

I added 10.6.0.0/24 to the wg0 conf and these rules:

iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
ip route add 10.0.6.0/24 dev wg0

The last one (the route) was added by the WG config automatically.

But after this I still can't ping the 10.6.0.0/24 network [screenshot from VPS], nor from the device connected to the VPN (phone).
[screenshot: ping from VPS, 2023-05-23 18.56.55]

Sorry, can't help, not an MT issue I don't think. Why don't you add an MT virtual router vice this VPS garbage.
Don't mind me, just frustrated I cannot help further.