Cannot access LAN using wireguard

Here is my network diagram:

Internet via DSL Modem
^
|
OpenWrt router
^
| 192.168.1.0/24
| -- LAN1 devices
|
|
Mikrotik router with wireguard server --> LTE Modem
^
| 192.168.2.0/24
|
LAN2 Devices

So LAN1 gets internet from DSL and LAN2 gets internet from LTE.
The problem is that I cannot even access the MT router web admin page or the LTE modem web admin page through the WireGuard server, let alone OpenWrt or LAN1 devices.
Here is the MT router config:

# jun/28/2023 14:20:16 by RouterOS 7.9.2
/interface wireguard
add listen-port=6060 mtu=1420 name=wg1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=ether3 name=dhcp1
/interface wireguard peers
add allowed-address=192.168.5.2/32 interface=wg1 public-key=\
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
/ip address
add address=10.0.0.1/24 interface=ether3 network=10.0.0.0
add address=192.168.5.1/24 interface=wg1 network=192.168.5.0
/ip dhcp-client
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24 out-interface=\
    ether2
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add disabled=no distance=1 dst-address=192.168.9.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=10.0.100.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

No clue as to your network, both from the config and that thing, no idea.
Don't see anyone getting public IPs; nothing makes sense, including sourcenats.

Try making a real diagram; options here… Lots of apps for drawing…
https://forum.mikrotik.com/viewtopic.php?p=908118

I am terrible at sketching lol :smiley:
I did my best. I hope this diagram can help. Let me know if you have any other questions.
Thanks in advance
Capture.JPG

Okay, it's clearer now.

You have ISP1 - private IP via upstream router
You have ISP2 - a private IP from the LTE modem.

What you are doing is port forwarding the WireGuard listening port from the OpenWrt router to 192.168.1.193, the MikroTik.
The WG server is on the MT.

The MT local LAN is 10.0.0.0/24
The MT wg server address is 192.168.5.1/24

You wish to be able to access MT from a Road Warrior device (laptop, smartphone) to config the MT or to reach devices on ether3 or reach the LTE webpage.
+++++++++++++++++++++++++++++

Do you even get a good handshake? Does the counter on the MT input chain rule for the listening port go up by one??

(1) Sourcenat rules…should be
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1

(2) Ip routes look strange… expecting
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main

All traffic goes out openwrt/dsl unless down and then traffic goes out LTE2.

(3) You have no firewall rules to speak of???



You have ISP1 - private IP via upstream router

ISP1 (DSL modem) is in bridge mode. So OpenWrt connects directly to internet.

You have ISP2 - a private IP from the LTE modem.

Yes that’s correct.

What you are doing is port forwarding the WireGuard listening port from the OpenWrt router to 192.168.1.193, the MikroTik.
The WG server is on the MT.

I have 2 wg servers. One is on MT and one is on OpenWrt, with public IPs from ISP2 and ISP1, respectively.
On MT, I forwarded the wg listening port from the LTE router to MT.
There is no port forwarding on OpenWrt because it is connected to the internet directly (the DSL modem is in bridge mode).

The MT local LAN is 10.0.0.0/24
The MT wg server address is 192.168.5.1/24

Yes. Plus:
OpenWrt local LAN is 192.168.1.0/24
The OpenWrt wg server address is 192.168.9.1/24

You wish to be able to access MT from a Road Warrior device (laptop, smartphone) to config the MT or to reach devices on ether3 or reach the LTE webpage.

I wish to be able to access MT and OpenWrt from the wg server on MT to config the MT or OpenWrt or to reach any device on OpenWrt or MT and also reach the LTE webpage.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

(1) Sourcenat rules…should be
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1

Ok, I set the sourcenat rules as you said. Just a question: I need all devices connected to MT to get internet only from the LTE router. Is it consistent with the mentioned sourcenats?

(2) Ip routes look strange… expecting
/ip route
add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main
add distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main

Ok, let me explain all of the route rules.

add disabled=no distance=1 dst-address=192.168.9.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10

When a device connected to the wg server on OpenWrt wants to connect to the MT router or one of the devices connected to the MT router, I need this route so the MT router will know it should send the response packet to OpenWrt.

add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10

All devices that are connected to the MT router should access the internet only through the LTE modem.

add disabled=no distance=1 dst-address=10.0.100.0/24 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=\
    10

When a device connected to the OpenVPN server on OpenWrt wants to connect to the MT router or one of the devices connected to the MT router, I need this route so the MT router will know it should send the response packet to OpenWrt.

All traffic goes out openwrt/dsl unless down and then traffic goes out LTE2.

All traffic on the MT router should go out LTE.

(3) You have no firewall rules to speak of???

No I don’t have any firewall rules.
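Routing and NAT on the MikroTik that match the goals stated in this post (all MT-side traffic out via LTE, OpenWrt's VPN pools answered back through OpenWrt), as an added example that is not the poster's config and not a reply from the thread. Interface names, subnets and gateways are the ones posted; the comments are assumptions. The answer to the sourcenat question is in the routes, not the NAT: masquerade only rewrites the source address of traffic that routing has already sent out a given interface, so with the only default route pointing at 192.168.2.1 nothing reaches the internet via ether2 even though ether2 has a masquerade rule.

```routeros
# Added example, not from the thread. Names and addresses as posted:
#   ether1 = LTE modem side (192.168.2.1), ether2 = link to OpenWrt (192.168.1.1),
#   ether3 = LAN2 10.0.0.0/24, wg1 = WireGuard 192.168.5.0/24.
# 192.168.1.0/24 needs no static route: ether2 has a DHCP address in it.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=1 \
    comment="only default route: LAN2 and wg1 clients reach the internet via LTE"
add dst-address=192.168.9.0/24 gateway=192.168.1.1 distance=1 \
    comment="OpenWrt WireGuard pool: replies go back through OpenWrt"
add dst-address=10.0.100.0/24 gateway=192.168.1.1 distance=1 \
    comment="OpenWrt OpenVPN pool: replies go back through OpenWrt"

/ip firewall nat
# Masquerade per egress interface; the rules do not choose the egress,
# the routing table above does.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="LAN2 and wg1 clients appear as the LTE-side address"
add chain=srcnat out-interface=ether2 action=masquerade \
    comment="wg1 clients reaching OpenWrt/LAN1 appear as MT's ether2 address, so OpenWrt needs no route to 192.168.5.0/24"
```

One caveat that is a WireGuard property rather than something the thread states: the road-warrior peer's own AllowedIPs must also list 10.0.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.5.0/24 (or 0.0.0.0/0 for full tunnelling), otherwise the client never puts packets for those networks into the tunnel, whatever the server's routes and NAT say.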

Unless you can port forward the listening port from the LTE modem/router to the MT, the MT cannot be a wireguard server.
I would put firewall rules in play at least for the wireguard so you can confirm handshake etc… and to allow only certain parties to config routers
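A minimal RouterOS 7 filter set of the kind the last two replies ask for: one input rule for the WireGuard listening port whose counter shows whether handshake packets arrive at all, management reachable only from LAN2 and the tunnel, and a forward chain that lets road warriors reach LAN2, the OpenWrt side and the LTE modem page. This is an added example, not the poster's config and not part of any reply; interface names, subnets and port 6060 are the ones posted, the list names, address-list name and comments are assumptions.

```routeros
# Added example, not from the thread. Interfaces as posted:
#   ether1 = LTE uplink, ether2 = link to OpenWrt, ether3 = LAN2, wg1 = WireGuard (UDP 6060).
/interface list
add name=WAN comment="uplinks: nothing may be initiated from here except WireGuard"
add name=MGMT comment="interfaces allowed to reach WinBox/web/SSH on the router"
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=MGMT
add interface=wg1 list=MGMT

# OpenWrt's VPN pools (from the posted routes) arrive on ether2 and are trusted
# to reach LAN2 and the router, but other hosts on the OpenWrt side are not.
/ip firewall address-list
add list=openwrt-vpn address=192.168.9.0/24 comment="OpenWrt WireGuard pool"
add list=openwrt-vpn address=10.0.100.0/24 comment="OpenWrt OpenVPN pool"

/ip firewall filter
# ---- input: packets addressed to the router itself ----
add chain=input action=accept connection-state=established,related,untracked comment="replies to the router's own traffic"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=udp dst-port=6060 in-interface-list=WAN \
    comment="WG-HANDSHAKE: this counter must rise every time a client tries to connect"
add chain=input action=accept protocol=icmp comment="ping, for troubleshooting"
add chain=input action=accept in-interface-list=MGMT comment="management only from LAN2 and wg1 clients"
add chain=input action=accept in-interface=ether2 src-address-list=openwrt-vpn comment="management from OpenWrt's VPN clients"
add chain=input action=drop comment="everything else, incl. WinBox/web from both uplinks"

# ---- forward: packets routed through the router ----
add chain=forward action=accept connection-state=established,related,untracked comment="replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface=wg1 comment="road warriors to LAN2, OpenWrt/LAN1, LTE modem page and internet"
add chain=forward action=accept in-interface=ether3 comment="LAN2 outbound"
add chain=forward action=accept in-interface=ether2 src-address-list=openwrt-vpn dst-address=10.0.0.0/24 \
    comment="OpenWrt's VPN clients to LAN2"
add chain=forward action=drop in-interface-list=WAN comment="nothing else initiated from the uplinks"

# ---- checks ----
# Is the forwarded port reaching the router? The counter on the WG-HANDSHAKE rule
# must grow while a client connects; if it stays at 0 the LTE modem is not forwarding.
/ip firewall filter print stats where comment~"WG-HANDSHAKE"
# Did the handshake actually complete? last-handshake and rx/tx per peer.
/interface wireguard peers print detail
```

Reading the two checks together separates the two failure modes discussed in the thread: a counter that never moves points at the LTE modem's forwarding (or carrier NAT in front of it), while a rising counter with no last-handshake points at a key or endpoint mismatch between the peers.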



Unless you can port forward the listening port from the LTE modem/router to the MT, the MT cannot be a wireguard server.

Sorry, I didn't understand that. Actually, right now port 6060 is forwarded to MT and MT has a running wireguard server on port 6060. I didn't catch what you mean.

However, I have some problems with handshaking. The handshake occurs but the speed is very low.

As far as I know, all LTE connections are NATed by the ISP internally, so you can't control that. You can "open" ports on the Mikrotik, but your ISP will block these connections for obvious security reasons, as far as I know.

You need a completely bridged public IP directly on your MK interface without any NAT in between to run WireGuard VPNs.

If I’m wrong, sorry for that and I will test it on my LtAP with 2 LTE connections.

Regards.