Back To Home VPN not tunneling traffic to outside network on iPhone

This problem is very similar to Back to home works without Internet and No wan access using back to home; however, the solutions given there did not work for me.

I have a Mikrotik device that has BTH set up. Wireguard interface and peers get created correctly, the iPhone connects correctly, but has no access to the outside world. I can access devices on the local network, but anything that would require more hops just does not work. However, having copied the config to a Windows PC, it’s working properly, if a bit sluggish, which leads me to the conclusion that it is not a routing issue. And at that point I’m feeling lost, and I’m not sure where to go from here.

Config attached below with some identifying details removed:

# 2026-02-05 09:20:13 by RouterOS 7.20.6
# software id = 131W-YZIA
#
# model = RB4011iGS+
# serial number = ###########
# Export of the router under discussion (identifying details redacted by the
# poster). Lines marked NOTE(review) annotate what the export shows; no
# command has been altered.
/interface pptp-client
# Outbound PPTP client; a GRE accept for this interface is in the input chain.
add connect-to=5.185.129.131 disabled=no name=pptp-out-xxxxx user=xxxxx
/interface bridge
# Two bridges: the main LAN and an isolated guest network (see the
# forward-chain rule against the private-networks list).
add name=bridge-guest
add name=bridge1
/interface l2tp-server
# Static L2TP server bindings. The 192.168.85.x next hops used by the static
# routes below presumably belong to L2TP peers; /ppp secret was removed from
# the export, so this cannot be confirmed here.
add name=l2tp-xxxxx user=""
add name=l2tp-xxxxxx user=xxxxxx
/interface pppoe-client
# WAN uplink; installs the default route. Every "in-interface=pppoe" firewall
# rule below refers to this interface.
add add-default-route=yes disabled=no interface=ether1 name=pppoe \
    use-peer-dns=yes user=xxxxxxxxxxxxxxxx
/interface eoip
# Two EoIP tunnels, both bridged into bridge1 further down, so the remote
# ends are layer-2 adjacent to the main LAN.
add allow-fast-path=no local-address=192.168.23.2 mac-address=\
    02:69:AF:05:F6:80 mtu=1500 name=eoip-tunnel1 remote-address=192.168.23.1 \
    tunnel-id=1
add allow-fast-path=no local-address=192.168.87.1 mac-address=\
    02:D2:F6:7B:B7:54 mtu=1500 name=eoip-tunnel2 remote-address=192.168.87.2 \
    tunnel-id=9
/interface wireguard
# Two WireGuard interfaces: a manually configured one on UDP 47009 and the
# Back-To-Home one on UDP 24286. NOTE(review): the input chain below accepts
# 47009 explicitly and 31043 (which matches neither interface) but has no rule
# for 24286 — see the note on the unconditional pppoe accept for why the BTH
# handshake still gets through.
add listen-port=47009 mtu=1420 name=XXXXX
add comment=back-to-home-vpn listen-port=24286 mtu=1420 name=back-to-home-vpn
/interface vlan
# Guest VLAN carried on ether10 (ether10 itself is a member of bridge1).
add interface=ether10 name=vlan99-guest vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.88.50-192.168.88.254
add name=pool-guest ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1d name=dhcp1
add address-pool=pool-guest interface=bridge-guest name=dhcp-guest
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
# ether2-ether10 and both EoIP tunnels form the main LAN; only the guest VLAN
# sits on bridge-guest.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 comment="####" interface=eoip-tunnel1
add bridge=bridge1 comment="####" interface=eoip-tunnel2
add bridge=bridge-guest interface=vlan99-guest
/interface l2tp-server server
# L2TP is only offered with IPsec.
set enabled=yes use-ipsec=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
# NOTE(review): the warning above is written by the export itself. PPTP stays
# enabled here and is reachable from the WAN (TCP/1723 and GRE accepts below);
# if no client still depends on it, disabling it removes a weak-authentication
# entry point.
set enabled=yes
/interface sstp-server server
# SSTP on TCP/443 using the certificate named "Certyfikat".
set certificate=Certyfikat enabled=yes
/interface wireguard peers
# Single peer on the manual WireGuard interface (/32 allowed-address). No BTH
# peer appears here; presumably /ip cloud back-to-home-user below manages it.
# interface=xxxxx differs in case from the interface name XXXXX above — likely
# a redaction artifact rather than a real mismatch.
add allowed-address=172.31.95.2/32 interface=xxxxx name=peer-xxxxx \
    persistent-keepalive=30s preshared-key=\
    "############################################" public-key=\
    "############################################"
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.99.1/24 interface=bridge-guest network=192.168.99.0
# 172.31.95.1 carries no prefix length and network= equals the address, i.e. a
# host address on the WireGuard interface; the peer is reached via its /32.
add address=172.31.95.1 comment="WG #####" interface=xxxxx network=\
    172.31.95.1
# Point-to-point style binding on the L2TP interface: local 192.168.85.1,
# remote 192.168.85.24 (the next hop of the last 10.0.8.0/24 route below).
add address=192.168.85.1 interface=l2tp-xxxxx network=192.168.85.24
/ip cloud
# DDNS plus Back-To-Home on the cloud service; the back-to-home-vpn interface
# above is the one it manages.
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-user
# The single BTH user (the iPhone). allow-lan=yes is what lets it reach LAN
# hosts; internet egress for it depends only on the forward chain and the
# srcnat masquerade below, both of which appear to permit it in this export.
add allow-lan=yes comment=BTH_Name name=iPhone18,1 private-key=\
    "############################################" public-key=\
    "############################################"
/ip dhcp-server lease
add address=192.168.88.50 client-id=1:2e:66:99:d8:56:d9 mac-address=\
    2E:66:99:D8:56:D9 server=dhcp1
add address=192.168.88.100 client-id=1:9e:ae:17:5d:f7:37 mac-address=\
    9E:AE:17:5D:F7:37 server=dhcp1
/ip dhcp-server network
# The main LAN gets no explicit dns-server here; the guest network is pointed
# at 8.8.8.8 directly, so guests never need the router's resolver.
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# source the input chain lets through. Combined with the unconditional accept
# of in-interface=pppoe in the input chain below, that includes the internet,
# i.e. the WAN address behaves as an open resolver. Dropping DNS from the WAN
# (or removing that accept rule) closes this.
set allow-remote-requests=yes servers=87.204.204.204,62.233.233.233
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
# RFC 1918 ranges, used by the guest isolation rule in the forward chain.
add address=10.0.0.0/8 list=private-networks
add address=172.16.0.0/12 list=private-networks
add address=192.168.0.0/16 list=private-networks
/ip firewall filter
# Rules are evaluated in order within each chain. The input chain here is a
# mix of defconf rules and hand-added VPN accepts, and the order matters.
# Input: manual WireGuard handshake port on the WAN.
add action=accept chain=input comment="WireGuard #####" dst-port=47009 \
    in-interface=pppoe protocol=udp
# NOTE(review): this rule accepts every packet arriving on pppoe for the router
# itself. While it exists, each WAN-specific accept below (SSTP, IPsec, L2TP,
# PPTP) is redundant, and the defconf "drop all not coming from LAN" rule
# further down never sees WAN traffic, so every listening service is exposed on
# the WAN address (only /ip service applies an address filter). It is also why
# the Back-To-Home handshake on UDP/24286 works without a rule of its own: if
# this line is removed, add an accept for protocol=udp dst-port=24286
# in-interface=pppoe next to the 47009 rule.
add action=accept chain=input in-interface=pppoe
# Per-protocol WAN accepts: SSTP (443/tcp), IPsec ESP, IKE/NAT-T/L2TP
# (500, 4500, 1701/udp).
add action=accept chain=input comment=SSTP dst-port=443 in-interface=pppoe \
    protocol=tcp
add action=accept chain=input comment=IPsec in-interface=pppoe protocol=\
    ipsec-esp
add action=accept chain=input comment=L2TP dst-port=4500 in-interface=pppoe \
    protocol=udp
add action=accept chain=input comment=L2TP dst-port=500 in-interface=pppoe \
    protocol=udp
add action=accept chain=input comment=L2TP dst-port=1701 in-interface=pppoe \
    protocol=udp
# GRE arriving over the outbound PPTP client tunnel.
add action=accept chain=input comment=GRE in-interface=pptp-out-xxxxx \
    protocol=gre
# no interface
# no interface
# NOTE(review): the two "# no interface" markers are written by the export for
# rules whose interface no longer exists; *F00E5B appears to be that dangling
# reference, so this GRE accept never matches and can be removed.
add action=accept chain=input in-interface=*F00E5B protocol=gre
# Drop invalid on input, exempting GRE (PPTP data channel).
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid protocol=!gre
# PPTP control channel from the WAN.
add action=accept chain=input comment=PPTP dst-port=1723 in-interface=pppoe \
    protocol=tcp
# Forward: one LAN host is cut off from the internet. Placed before the
# fasttrack/established rules, so it also drops packets of existing flows.
add action=drop chain=forward out-interface=pppoe src-address=192.168.88.75
# defconf input rules. ICMP is accepted before the final input drop, so VPN
# clients can still ping the router even though their other new connections
# to it are dropped by the rule after it.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): in-interface=!bridge1 means new connections to the router from
# the WireGuard, L2TP, SSTP and guest interfaces end here. A VPN client that is
# told to resolve names via the router (192.168.88.1) would then reach LAN
# hosts by IP but fail for anything that needs DNS — consistent with the
# symptom in the post; confirm which DNS server the iPhone profile uses. If
# router DNS is intended for VPN clients, an accept for dst-port=53 on those
# interfaces belongs above this rule.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface=!bridge1
# Forward chain: defconf IPsec, fasttrack, established and invalid rules. There
# is no terminal drop, so anything not invalid and not matched by the guest
# rule is forwarded, VPN -> internet included.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Guest isolation: the first packet of a guest -> RFC 1918 connection is not
# established yet, so it reaches this rule and is dropped.
add action=drop chain=forward comment="Block guest to ALL private networks" \
    dst-address-list=private-networks src-address=192.168.99.0/24
# NOTE(review): UDP 31043 matches neither WireGuard listen-port in this export
# (47009 / 24286) and names no interface; it may be a leftover or a value
# changed while sanitising the post. Placed after the input drop rules, it is
# only ever reached for bridge1 traffic anyway, so it is effectively inert.
add action=accept chain=input comment="WireGuard #####" dst-port=31043 \
    protocol=udp
/ip firewall nat
# Masquerade everything leaving pppoe, with no src-address restriction; VPN
# client subnets are therefore already covered, and the 10.0.8.0/24 masquerade
# below is subsumed by this rule.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe
# Port-forward UDP/1194 from the WAN to the QNAP at 192.168.88.12.
add action=dst-nat chain=dstnat comment="QNAP OVPN" dst-port=1194 \
    in-interface=pppoe protocol=udp to-addresses=192.168.88.12 to-ports=1194
add action=masquerade chain=srcnat comment="NAT ##### -> Internet" \
    out-interface=pppoe src-address=10.0.8.0/24
/ip route
# Static routes to remote subnets via 192.168.85.x next hops (the L2TP hub).
# The mix of long and short forms reflects entries added at different times;
# the explicit scope/target-scope values appear to be the defaults.
add disabled=no dst-address=192.168.1.0/24 gateway=192.168.85.2 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add distance=1 dst-address=192.168.2.0/24 gateway=192.168.85.5
add distance=1 dst-address=192.168.19.0/24 gateway=192.168.85.9
add disabled=no distance=1 dst-address=10.0.3.0/24 gateway=192.168.85.10 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.0.20.0/24 gateway=192.168.85.10 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add distance=1 dst-address=10.0.1.0/24 gateway=192.168.85.13
add distance=1 dst-address=10.0.2.0/24 gateway=192.168.85.11
add distance=1 dst-address=10.0.0.0/24 gateway=192.168.85.12
add distance=1 dst-address=192.168.15.0/24 gateway=192.168.85.14
add distance=1 dst-address=10.0.81.0/24 gateway=192.168.85.15
add distance=1 dst-address=10.0.82.0/24 gateway=192.168.85.15
add disabled=no dst-address=10.0.4.0/24 gateway=192.168.85.19 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.3.0/24 gateway=192.168.85.20 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.12.0/24 gateway=192.168.85.21 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=192.168.4.0/24 gateway=192.168.85.23 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=192.168.14.0/24 gateway=192.168.85.25 \
    routing-table=main suppress-hw-offload=no
add comment=MZKOZC distance=1 dst-address=192.168.10.0/24 gateway=\
    192.168.85.26
# NOTE(review): two 10.0.8.0/24 routes with an empty gateway cannot be
# resolved; only the third, via 192.168.85.24, can be active. The empty ones
# look like leftovers and could be removed.
add dst-address=10.0.8.0/24 gateway=""
add dst-address=10.0.8.0/24 gateway=""
add dst-address=10.0.8.0/24 gateway=192.168.85.24
/ip service
# Management services limited to the main LAN and the 192.168.85.0/24 L2TP
# range. NOTE(review): this address filter is the only thing keeping them off
# the WAN given the unconditional pppoe accept in the input chain; ftp, telnet,
# www and api are clear-text and worth disabling if nothing uses them.
set ftp address=192.168.88.0/24,192.168.85.0/24
set ssh address=192.168.88.0/24,192.168.85.0/24
set telnet address=192.168.88.0/24,192.168.85.0/24
set www address=192.168.88.0/24,192.168.85.0/24
set www-ssl address=192.168.88.0/24,192.168.85.0/24
set winbox address=192.168.88.0/24,192.168.85.0/24
set api address=192.168.88.0/24,192.168.85.0/24
set api-ssl address=192.168.88.0/24,192.168.85.0/24
/ppp secret
# Secrets have been removed entirely for privacy reasons
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=ROUTER_SZAFA
/system ntp client
set enabled=yes
/system ntp client servers
add address=tempus1.gum.gov.pl
add address=tempus2.gum.gov.pl
/system routerboard settings
set enter-setup-on=delete-key

Any time I see two bridges, I know I won't like the config, LOL, but in any case you probably have a good reason for it.

My only comment is: why do you have BTH? You seem to have a public IP address, otherwise you would not already have a functioning normal WireGuard. In other words, you have no need for BTH. In fact, all users will get routed directly to the router, bypassing the BTH MT server, seeing as you have a public WAN IP.

This is complicated by the fact that you manually added an input-chain rule for BTH, but have none for the regular WireGuard? Or is it the other way round, since the listen port is the regular WireGuard's but the comment reads “# BTH Wireguard…”?
Then the only peer you have looks like a single-client setup (for the handshake) with its /32 address, yet you are using a persistent keepalive, which is contraindicated there.

So, in summary: why BTH? And your config is confused.

That config was not done by me. There are two bridges because there are two WiFi networks on the same hardware, one for guests, each on a different subnet and each with internet access but no routing between them. BTH was set up as a one-click solution, since it all goes through the app, but as far as I can tell there have been many, many more clicks involved by now.

The comment on the firewall rule, however, was a mistake I made while censoring the config, and I will update the post accordingly. The keepalive is mostly force of habit at this point, as I’ve dealt with NATs ending the connection after a while with no communication. It seems to work well enough and doesn’t cause any issues, so it stuck around.

If the config was not done by you, then I suggest writing down all the requirements first.
A. identify all the users and devices and groups, including you the admin
B. identify the traffic required for all.

Then start thinking about modifying the config, instead of trying to work your way through a mess.
I would certainly trash the one you have and start clean, or at least modify the existing one based on the requirements.