[Desperate] hAP Wireguard -> no internet

Hi all,

I am now getting desperate because I just can’t get Wireguard to work properly.
I use the following network configuration at home:

Raspberry Pi ========== hAP ax 3 ========== ISP Router in Modem mode ========== ISP (Internet)

I followed mducharme's tutorial (http://forum.mikrotik.com/t/mikrotik-wireguard-server-with-road-warrior-clients/148392/1) for the Wireguard setup, in order to access devices in my home network, like the Raspberry Pi, via VPN and to use my home internet connection when I am on the road.

Unfortunately, I can access the devices like the Raspberry Pi from my VPN client (Android smartphone) via the established VPN connection, but I can’t browse any websites like forum.mikrotik.com.
This means that I have general access to my home network and its devices, but unfortunately I cannot use its Internet as well.

Can you help me please?
I have already read and tried countless videos, tutorials and other tips, unfortunately all unsuccessful.

Here is the hAP's config:

# oct/10/2023 11:55:12 by RouterOS 7.9.2
# software id = AEQQ-3H22
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=ether1-WAN mtu=1492 name=vlan-pppoe vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-pppoe max-mru=1492 max-mtu=1492 name=pppoe-telekom use-peer-dns=yes user=123456789@t-online.de
/interface list
add name=LAN
/interface wifiwave2 channel
add band=2ghz-ax frequency=2417,2442,2467 name=2.4ghz-channels width=20mhz
add band=5ghz-ax frequency=5270-5290,5290-5310,5310-5330 name=5ghz-channels width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk name=2.4ghz-sec
add authentication-types=wpa2-psk,wpa3-psk name=5ghz-sec
/interface wifiwave2 configuration
add channel=2.4ghz-channels country=Germany mode=ap name=cfg-2.4ghz security=2.4ghz-sec ssid="SSID1"
add channel=5ghz-channels country=Germany mode=ap name=cfg-5ghz security=5ghz-sec ssid="SSID2"
/interface wifiwave2
set [ find default-name=wifi2 ] channel=2.4ghz-channels configuration=cfg-2.4ghz configuration.mode=ap disabled=no name=Wifi-2.4Ghz security=2.4ghz-sec
set [ find default-name=wifi1 ] configuration=cfg-5ghz configuration.mode=ap disabled=no name=Wifi-5Ghz security.authentication-types=wpa2-psk,wpa3-psk .encryption=""
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=10m name=dhcp1
/port
set 0 name=serial0
/queue type
add cake-diffserv=besteffort cake-nat=yes kind=cake name=cake
add fq-codel-memlimit=64.0MiB kind=fq-codel name=fq-codel
add cake-autorate-ingress=yes cake-diffserv=besteffort cake-flowmode=dual-dsthost cake-rtt-scheme=internet kind=cake name=cake_down
add cake-autorate-ingress=yes cake-diffserv=besteffort cake-flowmode=dual-srchost cake-rtt-scheme=internet kind=cake name=cake_up
/queue simple
add max-limit=100M/40M name=queue-fq-codel priority=1/1 queue=fq-codel/fq-codel target=pppoe-telekom total-queue=fq-codel
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=Wifi-5Ghz
add bridge=bridge1 interface=Wifi-2.4Ghz
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface wireguard peers
add allowed-address=192.168.66.2/32 interface=wireguard1 public-key="PUBLIC_KEY"
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip dhcp-server lease
add address=192.168.1.207 client-id=1:dc:a6:32:7f:cf:40 mac-address=DC:A6:32:7F:CF:40 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list="" out-interface=pppoe-telekom src-address=192.168.1.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no

VPN Client config:

[Interface]
Address = 192.168.66.2/32
DNS = 192.168.1.1
PrivateKey = PRIVATE_KEY

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = dyndns:13231
PublicKey = PUBLIC_KEY

Error on client’s browser when I open a website is:
DNS address could not be found (DNS_PROBE_POSSIBLE)

In addition, I added the dynamic DNS servers, which are added automatically because of the PPPoE connection.

Hello!

I believe you are missing this:

/ip dns
set allow-remote-requests=yes

Hi,

thanks for your help!
By allowing remote DNS requests, I got rid of the DNS error.

Unfortunately, I receive a new error: Your connection was interrupted. A network change was detected.
So still no internet.

But apparently, a small step in the right direction, yaay :smiley:

Holy moly, I solved it.

/ip dns set allow-remote-requests=yes
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.66.0/24 out-interface=pppoe-telekom

I just needed to add an additional NAT rule for my wireguard subnet.

Thanks a lot @monkez. Without your help, I would still be tearing my hair out :laughing:
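The two fixes in this thread are easy to forget and easy to verify mechanically: every subnet that is supposed to leave through the WAN needs a srcnat masquerade rule covering it, and the router must answer DNS for remote (non-local) interfaces. The script below is an added example, not part of the thread or of RouterOS; it parses an `/export` in both the multi-line and the one-line form, takes the WAN interface from the PPPoE client that installs the default route (or from an explicit `wan_interface` argument), and reports which WireGuard subnets no masquerade rule covers. It also flags one exposure the thread's export shows: there is no `/ip firewall filter` section at all, so once `allow-remote-requests=yes` is set, the router's resolver answers on every interface, including `pppoe-telekom`, until an input filter restricts it. The sample export is the thread's own configuration trimmed to the relevant sections; the "fixed" variant appends the two commands from the final post.

```python
"""Audit a RouterOS export for a WireGuard road-warrior setup:
masquerade coverage of the WireGuard subnet and DNS remote-request state.
Added example; the export strings below are test input built from the thread."""
import ipaddress
import shlex

COMMANDS = {"add", "set", "remove"}


def parse_export(text):
    """Return a list of (section, command, {key: value}) from export text.

    Handles "/ip address" on its own line followed by "add ..." lines, the
    one-line form "/ip dns set allow-remote-requests=yes", and the
    backslash line continuations RouterOS writes for long lines.
    """
    entries, section, pending = [], "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):           # continued on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)         # respects quoted values like ssid="x"
        if tokens[0].startswith("/"):
            path = []
            while tokens and tokens[0] not in COMMANDS:
                path.append(tokens.pop(0))
            section = " ".join(path)
            if not tokens:                 # bare section header
                continue
        command, args = tokens[0], {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, _, value = tok.partition("=")
                args[key] = value
        entries.append((section, command, args))
    return entries


def entries_in(entries, section):
    return [args for sec, _, args in entries if sec == section]


def audit_wireguard_egress(export_text, wan_interface=None):
    """Report WireGuard subnets without masquerade and the DNS exposure state."""
    entries = parse_export(export_text)
    if wan_interface is None:
        for args in entries_in(entries, "/interface pppoe-client"):
            if args.get("add-default-route") == "yes":
                wan_interface = args.get("name")
    wg_names = {a["name"] for a in entries_in(entries, "/interface wireguard") if "name" in a}
    wg_networks = [ipaddress.ip_interface(a["address"]).network
                   for a in entries_in(entries, "/ip address")
                   if a.get("interface") in wg_names]
    nat_rules = [a for a in entries_in(entries, "/ip firewall nat")
                 if a.get("chain") == "srcnat"
                 and a.get("action") in ("masquerade", "src-nat")
                 and a.get("disabled") != "yes"]

    def covered(net):
        for rule in nat_rules:
            # out-interface absent means "any"; otherwise it must be the WAN
            if rule.get("out-interface") not in (None, wan_interface):
                continue
            src = rule.get("src-address")   # absent means "any source"
            if src and not ipaddress.ip_network(src, strict=False).supernet_of(net):
                continue
            return True
        return False

    dns_remote = any(a.get("allow-remote-requests") == "yes"
                     for a in entries_in(entries, "/ip dns"))
    has_filter = any(sec == "/ip firewall filter" and cmd == "add"
                     for sec, cmd, _ in entries)
    return {
        "wan_interface": wan_interface,
        "wireguard_networks": [str(n) for n in wg_networks],
        "wireguard_networks_without_srcnat": [str(n) for n in wg_networks if not covered(n)],
        "dns_allow_remote_requests": dns_remote,
        # resolver answers on all interfaces, WAN included, unless an input filter exists
        "dns_exposed_on_wan": dns_remote and not has_filter,
    }


# Constructed test input: the thread's export trimmed to the relevant sections.
ORIGINAL_EXPORT = """\
# trimmed export (constructed from the thread)
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-pppoe name=pppoe-telekom use-peer-dns=yes
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.66.1/24 interface=wireguard1 network=192.168.66.0
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list="" out-interface=pppoe-telekom src-address=192.168.1.0/24
"""

# The two commands from the solution post, appended in their one-line form.
FIXED_EXPORT = ORIGINAL_EXPORT + """\
/ip dns set allow-remote-requests=yes
/ip firewall nat add action=masquerade chain=srcnat src-address=192.168.66.0/24 out-interface=pppoe-telekom
"""

if __name__ == "__main__":
    for label, text in (("before", ORIGINAL_EXPORT), ("after", FIXED_EXPORT)):
        print(label, audit_wireguard_egress(text))
```

Run against the original export it reports `192.168.66.0/24` as uncovered and DNS remote requests off, which matches the two symptoms in the thread (DNS probe failure first, then no route out once DNS worked). Against the fixed export the subnet is covered, but `dns_exposed_on_wan` is true because the export still has no input filter; adding one that accepts DNS only from the bridge and WireGuard interfaces would clear that finding.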