Connect to VPN via Wireguard

Hi, sorry to ask this again! I had to reconfigure my router because I locked myself out, and despite having asked and solved the very same question in the thread linked below, I cannot get it running again.

If I import the config into the Desktop Wireguard client, my single machine is connected to the VPN successfully.
But if I try to apply the same config in RouterOS, it does not perform the handshake. I went through the answer from Anav, to no avail.
So I think something is wrong with my routing.
Here is the full config.

Another thing I did not understand from Anav's last answer is how the NAT rules are affected by adding wireguard_internet to the WAN list; maybe that is related to the problem.

[admin@MikroTik] > /export hide-sensitive
# 2023-09-09 22:52:42 by RouterOS 7.11.2
# software id = xxxx-xxxx
# model = RB760iGS
# serial number = asdfsadfaasdf
/interface bridge
add admin-mac=ab:cd:ef:...... auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment="Home Internet" listen-port=51820 mtu=1420 name=wireguard_internet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=via-wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard_internet list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=mysuperdomainname endpoint-port=51820 interface=wireguard_internet public-key="+X9y+AW/ci/BmGFKA5KETmGrBeF1OFWNOUA5JkmWMWo="
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=172.30.0.4/24 interface=wireguard_internet network=172.30.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=9.9.9.9
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Allow incoming traffic to the wireguard service" dst-port=51820 protocol=udp
add action=accept chain=input comment="admin remote access" in-interface=wireguard_internet
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 src-address=172.30.0.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard_internet routing-table=via-wg scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp
src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.0.0/24 table=via-wg
/system clock
set time-zone-name=Europe/Budapest
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
[admin@MikroTik] >

Greetings
Thoru

Thoru,

  1. Are you connecting to a third party VPN provider and going out internet and if so all subnets, one subnet, some users ???
    OR
  2. Are you simply wanting to connect an external mobile remote user to your router
    a. as admin to config router while away?
    b. to access LAN resources while away?
    c. to access Routers internet while away?

Based on your config it's not clear, as you have conflicting bits of config that point to both, and that is probably the issue.

  1. you can remove all the ipv6 rules seeing as the interface is disabled…

  2. If you have remote client what are the settings???

Same target as in the linked post for now. The router is in my house; all devices in the house shall connect to the external VPN server which I am hosting on my private VPS. All or nothing for the sake of simplicity, but I can imagine a split tunnel in the future.
Also, later I want to add remote access to my house's LANs, but I never had problems setting that up, so I think I will manage it (out of scope for this thread).

Here is the VPN server's wg0.conf file:

mylogin@wireguard-de-ubuntu-2gb-nbg1-2:~# nano /etc/wireguard/wg0.conf

# This file was generated using wireguard-ui (GitHub - ngoduykhanh/wireguard-ui: Wireguard web interface)
# Please don't modify it manually, otherwise your change might get replaced.
# Address updated at: 2023-07-14 18:59:59.626000529 +0000 UTC
# Private Key updated at: 2023-05-12 18:35:45.517870562 +0000 UTC

[Interface]
Address = 2a01:4f8:c0c:ec76:ac1e::1/120,172.30.0.1/24
ListenPort = 51820
PrivateKey = xxxxxxxxxxxxxxxxxxx
MTU = 1420
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Table =

# ID: chf8eqmfr3ic01if8vkg
# Name: PC
# Email:
# Created at: 2023-05-12 18:37:30.506729779 +0000 UTC
# Update at: 2023-05-12 18:37:30.506729779 +0000 UTC

[Peer]
PublicKey = QMSrBAeAl10VFilSVbHicaRbrhd0NuIdcXL8tU2pUyA=
PresharedKey = xxxxxxxxxxxxxxxxxxx
AllowedIPs = 172.30.0.2/32,2a01:4f8:c0c:ec76:ac1e::2/128

# ID: cic479efr3ic01if8vo0
# Name: Smartphone
# Email:
# Created at: 2023-06-25 13:39:49.873996915 +0000 UTC
# Update at: 2023-06-25 13:39:49.873996915 +0000 UTC

[Peer]
PublicKey = RFwTcgvrbdWXkaqLDOKHjnRGoGWxWHdelABkdXgRyRs=
PresharedKey = xxxxxxxxxxxxxxxxxxx
AllowedIPs = 172.30.0.5/32,2a01:4f8:c0c:ec76:ac1e::5/128

# ID: cjub8gmfr3ic01if904g
# Name: Mikrotik
# Email:
# Created at: 2023-09-09 18:06:58.674855437 +0000 UTC
# Update at: 2023-09-09 18:06:58.674855437 +0000 UTC

[Peer]
PublicKey = gZPJN1R6CYrM9vAzD54B41Xd/MGsAqr1c04ta39rZDo=
PresharedKey = xxxxxxxxxxxxxxxxxxx
AllowedIPs = 2a01:4f8:c0c:ec76:ac1e::4/128,172.30.0.4/32

If you add wireguard to WAN, it is filtered with your firewall.

To prevent this I add wireguard to LAN, or I change the rule
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

to
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=WAN

Also, I keep separate masquerades.

Instead of this:
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

I have 2 separate masquerade rules, one for ether1 and one for wireguard.

(1) If your router is handshaking TO VPS, then you are missing the keep alive in MT settings.
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=mysuperdomainname endpoint-port=51820 interface=wireguard_internet public-key="+X9y+AW/ci/BmGFKA5KETmGrBeF1OFWNOUA5JkmWMWo=" persistent keep alive???

(2) If the router is not the server and VPS is the server then you DONT need this rule in the input chain.
add action=accept chain=input comment="Allow incoming traffic to the wireguard service" dst-port=51820 protocol=udp

(3) Would modify your forward chain rules, you still didn't get it quite right.
from:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface=wireguard_internet
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(4) Only need the default sourcenat rule. The second rule adds nothing to the config and should be removed.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=ether1 src-address=172.30.0.0/24
???

Discussion: Since we added the wireguard interface to the WAN interface list, all LAN traffic will follow the generic source nat rule → all outgoing traffic from the LAN through the tunnel will be assigned the WANIP of your wireguard interface 172.30.0.4 and that is all the VPS will see. It will return all traffic to the MT and the MT will change it back to LANIPs.

(5) Assuming you have default route selected in the IP DHCP client settings, if not you will need to add one manually.

(6) Your MT firewall rules on the input chain allow all users access whereas they should be limited to the services they require typically only DNS and sometimes to NTP (to smart devices that need time).
Modify following:
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
TO:
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="router services" protocol=udp dst-port=53 in-interface-list=LAN
add action=accept chain=input comment="router services" protocol=tcp dst-port=53 in-interface-list=LAN
add action=drop chain=input comment="drop all else"

WHERE
/ip firewall address-list { mostly local static leases }
add address=admin-IP1 list=Authorized comment="admin desktop"
add address=admin-IP2 list=Authorized comment="admin laptop"
add address=admin-IP3 list=Authorized comment="admin smartphone"
add address=172.30.0.X list=Authorized comment="admin remote wireguard laptop"

WrongO…

You want the wireguard interface to be part of the WAN list.
a. the main reason is that you automatically are included in the default WAN list and DO NOT NEED a separate sourcenat rule.
b. Wireguard traffic to a third party provider always dictates the use of sourcenatting all LAN traffic to the IP of wireguard.
c. Wireguard traffic to your OWN MT etc, gives one the OPTION, of either sourcenatting the traffic to the wireguard IP, which makes config less complex!,
OR
one does not do so on the MT router but that means more work on the VPS side:
(i) adding the subnets to allowed IPs on VPS peer settings for the router.
(ii) adding the subnets to IP routes on the VPS, as they are not local to the VPS and it would need to know where to send the return traffic from the internet.
d. there is no conflict with any firewall rules ( firewall rules do not direct the flow of traffic they either allow it or not ). IP routes direct the flow of traffic.

Thus one should see that sourcenatting the local LAN traffic out the Wireguard IP has its advantages ( or mandatory to third party provider ), even if you control both sides of the tunnel.
I prefer, myself to only use sourcenatting when required but that is an individual choice mostly bound by the individual scenario.
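A worked RouterOS version of the NAT-or-no-NAT choice in (c) above. This is an added example, not configuration posted in the thread; it reuses the thread's names (wireguard_internet, ether1, 192.168.0.0/24, 172.30.0.4, and the Smartphone peer's 172.30.0.5) and the two variants are alternatives, so apply only one. The VPS side appears only as comments because it lives in wg0.conf rather than on the router.

```routeros
# Added example (not from the thread). Pick ONE variant.

# ===== Variant A: source-NAT LAN traffic to the tunnel address =====
# wireguard_internet is a WAN-list member, so the default masquerade
# already covers it; the VPS only ever sees 172.30.0.4 as the source.
/interface list member
add interface=wireguard_internet list=WAN
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="masquerade on ISP uplink and tunnel"
# Forward chain: LAN -> any WAN-list member is one rule, and the defconf
# "drop all from WAN not DSTNATed" rule also covers new connections that
# arrive from the far side of the tunnel (e.g. from the Smartphone peer).
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet, ISP or tunnel"
# VPS peer stanza for this router needs only:  AllowedIPs = 172.30.0.4/32

# ===== Variant B: no NAT into the tunnel, LAN addresses travel as-is =====
# Keep wireguard_internet OUT of the WAN list (do not add the member above)
# and masquerade only on the ISP uplink.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="masquerade on ISP uplink only"
/ip firewall filter
add chain=forward action=accept in-interface-list=LAN out-interface=wireguard_internet comment="LAN into tunnel, untranslated"
# The tunnel is no longer a WAN-list member, so the defconf drop rule no
# longer protects the LAN from connections started on the far side.
# Drop them explicitly, ahead of any generic accept.
add chain=forward action=drop connection-state=new in-interface=wireguard_internet comment="no new connections from tunnel into LAN" place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
# The VPS must then accept and route the LAN prefix (wg0.conf, not RouterOS):
#   [Peer]  ...  AllowedIPs = 172.30.0.4/32, 192.168.0.0/24
# plus a route for 192.168.0.0/24 via wg0 if wg-quick did not add one from
# AllowedIPs. Without the AllowedIPs entry WireGuard's cryptokey routing
# discards every packet sourced from 192.168.0.x after decryption, before
# the VPS IP stack sees it, and nothing is logged.

# In both variants admin access from the tunnel side is still refused by
# the input chain ("drop all not coming from LAN"); open it only for
# specific sources, e.g. the Smartphone peer's tunnel address:
/ip firewall filter
add chain=input action=accept in-interface=wireguard_internet src-address=172.30.0.5 comment="admin from the Smartphone peer" place-before=[find comment="defconf: drop all not coming from LAN"]
```

Variant A is the one the thread's export already implements; Variant B is what Anav's (c)(i)/(ii) describes, and the explicit drop for new connections from the tunnel is the part that is easy to forget once the interface leaves the WAN list.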

Tried to implement your tips. It still doesn't work. I have some basic questions for WG/Mikrotik:

  1. How do I know what is the "server" in a wireguard config?

  2. Not sure why you have to guess the IP DHCP setting. I mean yes, it is not in my export, but why? /export hide-sensitive... why is it not exporting my full config?
    2.1) Also, some of the rules were deactivated. Not possible to see via /export, only via 'print', but then again I cannot print everything.

Here I tried to print all (?) interesting configurations one by one

/interface/wireguard> pr
Flags: X - disabled; R - running
0 R ;;; Home Internet
name="wireguard_internet" mtu=1420 listen-port=51820 private-key="xxxxxxxxxxxxxxxxxxxxxxxx"
public-key="gZPJN1R6CYrM9vAzD54B41Xd/MGsAqr1c04ta39rZDo="


/interface/wireguard/peers> pr

 #  INTERFACE           PUBLIC-KEY                                    ENDPOINT-ADDRESS  ENDPOINT-PORT  ALLOWED-ADDRESS  PERSISTENT-KEEPALIVE
 0  wireguard_internet  +X9y+AW/ci/BmGFKA5KETmGrBeF1OFWNOUA5JkmWMWo=  My.own.VPS.IP     51820          0.0.0.0/0        30s


/ip/dhcp-client> /ip/route pr
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP

      DST-ADDRESS     GATEWAY             DISTANCE
DAd   0.0.0.0/0       My.ISP.ip           1
DAc   My.ISP.ip       ether1              0
DAc   172.30.0.0/24   wireguard_internet  0
DAc   192.168.0.0/24  bridge              0
0 As  0.0.0.0/0       wireguard_internet  1

/ip/dhcp-client> print

 #  INTERFACE  USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS
    ;;; defconf
 0  ether1     yes           yes                bound   My.ISP.ip

/routing/table> pr
Flags: D - dynamic; X - disabled, I - invalid; U - used
0 D name="main" fib
1 name="via-wg" fib

As soon as I try to switch on WG by activating the rule below, my internet is gone.
If the internet is gone (WG should be active), shouldn't a ping to 172.30.0.1 (VPS WG IP) work? But it times out.
/routing/rule> pr
Flags: X - disabled, I - inactive
0 X src-address=192.168.0.0/24 action=lookup-only-in-table table=via-wg


/ip/dhcp-server> print
Columns: NAME, INTERFACE, ADDRESS-POOL, LEASE-TIME

NAME INTERFACE ADDRESS-POOL LEASE-TIME

0 defconf bridge dhcp 10m



/ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

(Comment: deactivating this rule did not help either)
1 ;;; Allow incoming traffic to the wireguard service
chain=input action=accept protocol=udp in-interface=wireguard_internet dst-port=51820 log=no log-prefix=""

2 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

3 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

4 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

5 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1

6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

7 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

8 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related

10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

11 ;;; defconf: drop invalid
12 ;;; internet traffic
chain=forward action=accept in-interface-list=LAN out-interface-list=WAN log=no log-prefix=""

13 chain=forward action=accept out-interface=wireguard_internet in-interface-list=LAN log=no log-prefix=""

14 ;;; allow port forwarding
chain=forward action=accept connection-nat-state=dstnat log=no log-prefix=""

15 X ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no
log-prefix=""

16 ;;; drop all else
chain=forward action=drop log=no log-prefix=""

/export file=anynameyouwish should be all you need to show, ( minus router serial number, any public WANIP info, keys etc.).

Please publish your latest config for me to review…
If you get a public IP or can forward a port to your router from the ISP router/modem then the MT can act as a server.

You have many choices being a client with the MT router.
a. client to third party VPN
b. client to your own MT somewhere else
c. client to your VPS in the cloud (linux)
AT THE SAME TIME
you can be a server to remote mobile warriors if you wish as long as you have a public IP etc., although they could access the MT through the other end server in b. and c., so technically not required…

Here is my export. I marked in red just for highlighting the deactivated firewall rules.
Also, my latest change that got it working is not even visible in the A/B comparison of the exports: I re-added the peer preshared key. Before this solution, after playing around, it was empty. But in the beginning of this thread, it was filled, so there must have been another area that messed it up. The missing keep-alive setting is not the root cause, I tested it.
Thanks for pointing out that I only need the UDP port rule if my home's MikroTik is the server, e.g. connecting via phone from outside.
I think my next challenge will be to create a split tunnel, e.g. excluding some devices with fixed local IPs from the wireguard tunnel.
Or maybe adding a script to the custom hardware button to toggle my VPN on/off.
Or, reflecting on how I locked myself out before, that I could not access Winbox via IP after connecting to the VPN (at the time, I had the Winbox MAC server deactivated) - so I should make an exception that target IPs in my local 192.168.0.0 network are excluded from wireguard, I suppose (which is also just another split tunnel, probably).
Thank you!

# 2023-09-11 21:18:28 by RouterOS 7.11.2
# software id = K72K-8LQ6
# model = RB760iGS
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xxxxxxxxxxxxxx auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment="Home Internet" listen-port=51820 mtu=1420 name=wireguard_internet
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=via-wg
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard_internet list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=My.VPS.ip endpoint-port=51820 interface=wireguard_internet persistent-keepalive=30s public-key="+X9y+AW/ci/BmGFKA5KETmGrBeF1OFWNOUA5JkmWMWo="
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
add address=172.30.0.4/24 interface=wireguard_internet network=172.30.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.0.1
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Allow incoming traffic to the wireguard service" disabled=yes dst-port=51820 in-interface=wireguard_internet protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface=wireguard_internet
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard_internet routing-table=via-wg scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.0.0/24 table=via-wg
/system clock
set time-zone-name=Europe/Budapest
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
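The thread's root cause was a preshared key that had gone empty on the router while the VPS peer stanza still carried one. Below, as an added example rather than anything posted in the thread, is the check sequence to run on the RouterOS side before touching routing or firewall rules; names are the thread's, the PSK value is a placeholder, and the routing-table parameter on ping is an assumption about the RouterOS 7 CLI.

```routeros
# Added example (not from the thread): handshake and path checks for a
# RouterOS WireGuard client peer. Run top to bottom; stop at the first
# step that fails.

# 1. Handshake state. A peer that has never handshaken shows no
#    last-handshake and rx=0. tx growing while rx stays 0 means our
#    initiations leave but the VPS never answers: wrong key on either
#    side, PSK mismatch, wrong endpoint, or UDP 51820 filtered en route.
/interface/wireguard/peers/print detail where interface=wireguard_internet

# 2. The four values that must agree with the VPS [Peer] stanza for this
#    router: our public-key (printed below) == its PublicKey, its public
#    key == the peer's public-key above, its PresharedKey == our
#    preshared-key, and the endpoint. A PSK present on one side and empty
#    on the other fails the handshake with no error on either end, which
#    is exactly what the thread hit.
/interface/wireguard/print where name=wireguard_internet
# placeholder value: paste the PresharedKey line from the VPS stanza
/interface/wireguard/peers/set [find interface=wireguard_internet] preshared-key="<PresharedKey from the VPS stanza>"

# 3. Endpoint reachability: name resolution, then a path to the VPS.
:put [:resolve mysuperdomainname]
/ping mysuperdomainname count=3

# 4. The tunnel itself. Source the probe from the tunnel address so the
#    reply has a return route through wireguard_internet.
/ping 172.30.0.1 src-address=172.30.0.4 count=3

# 5. The forwarding path a LAN host will take once the routing rule is on
#    (routing-table on ping is assumed to exist in RouterOS 7).
/ping 9.9.9.9 routing-table=via-wg count=3

# 6. If step 1 shows rx>0 but LAN hosts still fail, the firewall is next:
#    watch forward-chain counters while a LAN host browses and confirm
#    the masquerade rule counts packets for the tunnel.
/ip/firewall/filter/print stats where chain=forward
/ip/firewall/nat/print stats
```

Step 2 is the one worth doing first when a desktop client with the same keys works: the desktop import carries the PSK inside the file, while on RouterOS it is a separate peer property that is easy to lose when a peer is deleted and re-added.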

  1. you should disable this fasttrack for tests.

if it helps, later replace this with 2 rules for better speed:

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=bridge out-interface=ether1
add action=fasttrack-connection chain=forward connection-state=established,related in-interface=ether1 out-interface=bridge

  2. Also, I would propose increasing the distance for the DHCP client at ether1 to 2. IMHO this value needs to be greater than distance 1 for wireguard.
    You can see the dynamic route with the shorter distance; since it's dynamic, it's not in the config above.
    Go to IP-DHCP Client, unselect "Add Default Route", add Special Classless + specify Default Route Distance = 2 at the Advanced tab
    (you already have distance 1 for the wireguard route in your config).

  3. Your routing rule for via-wg is disabled. Add at least mangle:
    /ip firewall mangle
    add action=mark-routing chain=prerouting dst-address=!192.168.0.0/24 new-routing-mark=via-wg passthrough=yes src-address=192.168.0.0/24

  4. At the remote VPS there are 2 or more wireguard peer configs.
    The server config resides in /etc/wireguard. Do not use it!!!
    Your file above: /etc/wireguard/wg0.conf
    For each client section like this:

# ID: cjub8gmfr3ic01if904g
# Name: Mikrotik
# Email:
# Created at: 2023-09-09 18:06:58.674855437 +0000 UTC
# Update at: 2023-09-09 18:06:58.674855437 +0000 UTC

[Peer]
PublicKey = gZPJN1R6CYrM9vAzD54B41Xd/MGsAqr1c04ta39rZDo=
PresharedKey = xxxxxxxxxxxxxxxxxxx
AllowedIPs = 2a01:4f8:c0c:ec76:ac1e::4/128,172.30.0.4/32

there is somewhere a corresponding client config file!

The client config usually resides inside the user dir (in my case /root).
You should use this client file to configure mikrotik as a client!!!
The client config looks like:

[Interface]
Address = 10.7.0.2/24, <ipv6 address>
DNS = 8.8.8.8, 8.8.4.4
PrivateKey = xxxxxxxxxxxxxxxxxxx

[Peer]
PublicKey = xxxxxxxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = <real internet ip of VPS>:51820
PersistentKeepalive = 25


You can notice, 10.7.0.2/24 - I configure here:
/ip address
add address=10.7.0.2 interface=wireguard1 network=10.7.0.0

your config above:
add address=172.30.0.4/24 interface=wireguard_internet network=172.30.0.0

Double check this

(1) If at all possible, try not to split up users within the same subnet in terms of where they go for internet. That introduces mangling as the only solution.
Working with whole subnets is easier as one can use routing rules ( or if its just a few users as well ).
Another option on the wifi side is to dedicate a subnet to a specific SSID/WLAN; when you want to go out either the local WAN or WIREGUARD, set up that subnet appropriately, and then one just has to connect to that WLAN to get the desired result.

As an aside this is easily accomplished by dedicating a port to a different subnet aka off the bridge, or learning to use vlans.

(2) Everything else looks fine except for the Routing Rule… why is it disabled ??
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.0.0/24
table=via-wg

(3) Get rid of all the ipv6 firewall rules…delete.

(4) No need to get rid of fasttrack unless you introduce functionality that interferes with it.

(5) There is no relationship with distance between the route for Ether1 and Wireguard this is bogus information… Both are defaulted to 1 and in this scenario will not conflict.

(6) The address configuration on the MT is fine, no need to change.

(7) Cannot speak to the Linux VPS, but correct, for the server each peer should have a separate line for its credentials, key and allowed IPs…
For the MT peer on the VPS, all one needs there is allowed IP=172.30.0.4/32, as that is the only IP address the VPS will see coming from the router, due to the fact that we are sourcenatting all subnet traffic to that single IP.
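The three next steps Thoru listed (keeping LAN destinations out of the tunnel so the admin is not locked out again, a per-host split, and a hardware-button toggle), together with Anav's point that whole-subnet policy can be done with routing rules rather than mangle, combined into one RouterOS configuration. This is an added example, not configuration from the thread; the opt-out host 192.168.0.50 and the script name wg-toggle are assumptions, everything else uses the thread's names.

```routeros
# Added example (not from the thread): policy routing for the tunnel with
# (a) a LAN-local exception so the admin cannot lock himself out,
# (b) a per-host opt-out, (c) fail-closed behaviour when the tunnel is
# down, and (d) a mode-button toggle. 192.168.0.50 and wg-toggle are
# assumed names.

/routing table
add name=via-wg fib

/ip route
# The ONLY route in via-wg. A destination this table cannot match is
# dropped by lookup-only-in-table; it is not retried in main.
add dst-address=0.0.0.0/0 gateway=wireguard_internet routing-table=via-wg

/routing rule
# Rules are evaluated in order; the first match wins.
# 1. LAN -> LAN, including LAN -> 192.168.0.1 (Winbox, DNS, DHCP), is
#    resolved in main, where the connected route lives. Without this rule
#    the next one sends such packets to via-wg, which has no route for
#    192.168.0.0/24, and the router stops answering on its LAN address.
add src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=lookup table=main comment="keep LAN local"
# 2. Per-host opt-out: this host keeps using the ISP uplink (assumed host).
add src-address=192.168.0.50/32 action=lookup table=main comment="stays on ISP"
# 3. Everyone else: tunnel only. lookup-only-in-table, not lookup, is the
#    kill switch: if via-wg yields no usable route, or the tunnel has no
#    session, packets are dropped instead of falling back to main and
#    leaving via ether1 unencrypted.
add src-address=192.168.0.0/24 action=lookup-only-in-table table=via-wg comment="via-wg"

# Caveat: routing rules only see forwarded LAN traffic. Queries the
# router's own DNS forwarder sends upstream originate from the router,
# match none of the rules above, and go out ether1. Point LAN clients at
# a resolver reached through the tunnel if that matters.

# Toggle from the hardware mode button. The script flips rule 3 and logs it.
/system script
add name=wg-toggle policy=read,write source={
    :local r [/routing/rule/find comment="via-wg"]
    :if ([/routing/rule/get $r disabled]) do={
        /routing/rule/enable $r
        :log info "tunnel routing enabled"
    } else={
        /routing/rule/disable $r
        :log info "tunnel routing disabled"
    }
}
/system routerboard mode-button
set enabled=yes on-event=wg-toggle
```

Rule 1 is the one that answers the lockout Thoru described: the disabled rule in his export sends the whole subnet to via-wg with no exception for the router's own LAN address. Keeping the rule-3 action at lookup-only-in-table is deliberate; changing it to lookup would restore internet when the tunnel drops, but silently over the ISP.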

Responding to anav:

  1. Thanks for those learnings I will think about it!

  2. Disabled just for the moment, I do not always need the VPN, only if I want to have access to country-level restricted websites/videos

  3. IPv6 rules are the default ones, I did not touch them. I feel like keeping them does not hurt; if by any chance one day my ISP would assign me an IPv6, I wouldn't have any firewall rules, and that would be bad, wouldn't it?

  4. Also a default rule… to be honest, no clue what it is, so I thought I just keep it

  5. Well, also an automatic setting I did not tamper with

  6. Nice

  7. Thanks for the explanation

Responding to sas2k:

Again a comment about fasttrack. I will try to figure out what is behind.

I use mikrotik with wireguard\l2tp for the same.
I import country ip list:

E.g. lets assume your country is Hungary.

/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/HU
import file-name=HU

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/24 dst-address-list=!HU new-routing-mark=ipsec passthrough=yes src-address=192.168.0.0/24

This works excellent.
Local country sites - directly.
All the rest - via VPN\VPS.
No need to enable\disable. 24x7 solution.

If you need daily update, see :
https://mrnonaki.net/mikrotik-free-country-ip-address-lists-daily-updates-cidr-7e654eb659c9

760igs speed 90\90 mbit, 4011 speed 180\180 mbit