Can't Access MikroTik via Winbox Over Wireguard VPN

Hello My friends.
I have the following network setup:

  • A TP-Link router is connected to the internet (WAN) and has a public IP address.
  • The LAN of the TP-Link router is in the 192.168.15.1/24 range.
  • A MikroTik router is connected to the TP-Link’s LAN through ether1 and receives the IP 192.168.15.60, which is treated as the MikroTik’s WAN interface (note: this IP is assigned manually from the TP-Link’s LAN, so it’s not DHCP).
  • The other ports of the MikroTik are unused, so the only WAN connection is through ether1.
  • The LAN of the MikroTik is in the 10.10.10.0/24 range. Any device connected to the MikroTik can access the internet normally.

I created a WireGuard VPN server on the MikroTik and configured port forwarding rules on both the TP-Link and MikroTik firewalls to allow the WireGuard traffic. The VPN works correctly — when I connect from outside the network, I get internet access using the TP-Link’s public IP, and I can ping devices in the 192.168.15.0/24 network, including the MikroTik router at 192.168.15.60 and at 10.10.10.1.

However, the problem is:

I cannot access the MikroTik router using Winbox when connected through the VPN, even though I can ping both 192.168.15.60 and 10.10.10.1.

I tried connecting with both IP addresses (192.168.15.60 and 10.10.10.1), but both attempts failed.
Also I tried to use the public IP after I created a port forwarding rule for 8291 (the Winbox port), but I also failed.

Sorry I can’t send a config file for Mikrotik because I am out of my office.

And did you create an input/accept rule for that Winbox port coming from that VPN interface?
Should be placed before any input/drop rule.

Hello @holvoetn
No, because I thought it was open by default in MikroTik.
I mean in IP service the Winbox port is open, so do I need to create a rule inside the firewall for it also?

All of this without seeing anything from your config …

If you start from default firewall (which is pretty decent) by default everything NOT coming from your LAN side is being dropped for access into your router. In the trash can and done.
Also any VPN interface you may use.

So you need to allow it, otherwise it gets dropped.

Alternatively, add that VPN interface to the LAN interface list.
But lately I prefer to keep it in a separate rule so it’s more clear what rule applies to what.
(also, I use a “drop all” rule, without any restriction. I allow what has to be allowed, all the rest gets dropped without any exception)

I am using the default firewall rules. I only created a rule for the WireGuard port, but I didn’t realize I needed to create a separate rule for Winbox as well, since I’m connected through the tunnel (inside the LAN), and I can access the tunnel normally.
When I come back to my office I will provide the config.

Hey My friend @holvoetn
Thank you for your support.
I solved the problem.
It turns out that I didn’t put the WireGuard interface that I am using in the LAN (inside the interface list).
Thank you very much.
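Both fixes discussed in this thread (a dedicated input/accept rule placed before the default drop, or adding the VPN interface to the LAN interface list) as an added RouterOS CLI example; this is not the poster's config, and the interface name wireguard1, the WireGuard listen port 13231 and the default-config comment on the drop rule are assumptions.

```routeros
# Assumed names: WireGuard interface "wireguard1" listening on UDP 13231.
# Default firewall drops any input traffic not arriving on a LAN-list interface,
# so Winbox (TCP 8291) over the tunnel is dropped even though IP services show it open.

# Inspect the input chain and the interface lists first.
/ip firewall filter print where chain=input
/interface list member print

# --- Option A: explicit rules, kept separate from the LAN list for clarity ---
# Let WireGuard handshakes reach the router on the port forwarded from the TP-Link.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 \
    comment="allow WireGuard handshake"

# Allow Winbox only when it arrives through the tunnel interface.
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface=wireguard1 comment="Winbox over WireGuard"

# Order matters: move both accept rules above the default drop rule
# (assumed comment "defconf: drop all not coming from LAN").
/ip firewall filter move [find comment="allow WireGuard handshake"] \
    destination=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter move [find comment="Winbox over WireGuard"] \
    destination=[find comment="defconf: drop all not coming from LAN"]

# --- Option B: treat the tunnel as LAN (the fix the original poster applied) ---
# Every default "not coming from LAN" drop then no longer matches tunnel traffic,
# so all router services are reachable from VPN peers, not only Winbox.
/interface list member add list=LAN interface=wireguard1

# Verify: the accept rules must appear before the drop in the printed order.
/ip firewall filter print where chain=input
```

Option A exposes only Winbox to VPN peers; Option B exposes everything the LAN can reach, so pick it only if that is what you intend.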