Accessing PC behind NAT'd network with wireguard.

Hello,
First-time poster, so bear with me a little. Recently took over as our network admin, due to circumstances, long before I was ready. I have no formal training, so my verbiage may be off, but here goes.

This is the setup I am going for.
[Image: WGStSport.png]
I need to be able to access a PC at the main site, behind a NAT’d ISP, from our DDNS URL website.net:60112. This was done in the past with IKEv2 and an IPIP tunnel. I was put in charge of doing this over WireGuard. So far I can ping across the network to the server in question. It seems, though, that I can’t get the port forwarded over the WireGuard interface, and I’m not sure if I’m missing something.
So far I can,
Ping the 10.112.0.60 address from main site and site 1.
I have accept rules for both LANs on both devices: Chain=forward, src= lan site1, dst= lan main, action=accept, and vice versa
A Chain=input, protocol=tcp, dst port=60112 action=accept to accept the port; not sure this is needed.
An input rule for the WG port to be accepted
I added routes for the 10.112.0.0/22 pointed to the WG tunnel for gateway

I have tried a bunch of port forwarding to different interfaces and IPs to try and get the connection to work, to no avail. I am thinking I need the port (60112) forwarded to the WG tunnel interface and then from the WireGuard interface on the other end to the server. Is this correct?
I don’t think I am forwarding the port correctly across the WG tunnel, and one thing I was thinking was maybe some pre-routing is needed. I can try to upload the config, just need to trim all the extra stuff out of the config, and for now I’m just wondering if I’m missing some basic concept that is preventing the port from passing traffic.

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys, etc.)
Assumes site1 and Main site are MikroTik routers, aka need config of both.

What is the purpose of site1 in this picture? It seems to be a distraction, unless it's acting as the WIREGUARD server for handshake??
I would assume then that the main site does not have a public IP address but the question is can ports be forwarded by the upstream ISP router/modem??

Guessing, the plan is for any normal user (who cannot access the main site directly via port forwarding, as it's not publicly accessible) to connect with Site1, and that traffic will be pushed into a wireguard tunnel for the Main site and specifically at the PC. Very doable. If this is a small number of users that you know/trust, then why not simply use wireguard for them to connect to site1 directly and then through the wg tunnel access the server on main site? In other words, no open ports (no port forwarding) and more secure than port forwarding.

Can you describe the users that require access??