Mikrotik as OpenVPN client routing all VPN connection through wlan

Hey guys,
For a few days I have been trying to configure my Mikrotik RB941-2nD as an OpenVPN wifi client. I successfully created an OpenVPN server behind an ISP router, and I can access the LAN network of this server from anywhere (tested with OpenVPN Connect on Windows and Android). Even when I "import .ovpn" file to my fresh/factory-reset second MT RB941-2nD, it can establish a connection with that first MT OpenVPN server, but I don't know how to continue with the configuration so that the second MT will route all VPN connections through wlan1.
Basically, what I want to achieve is to connect to my second MT OVPN client through wifi and obtain the public IP from my first MT OVPN server.
Here is how I imagine it looks or should look:
router (2).png
Here is my Mikrotik client config:

[admin@MikroTik] > export compact hide-sensitive
# 1970-01-02 00:13:11 by RouterOS 7.16.1
# software id = B2U4-RC51
#
# model = RB941-2nD
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik
/interface ovpn-client
add auth=null certificate=client cipher=aes256-gcm connect-to=name.duckdns.org mac-address=FE:21:4F:0B:E8:E8 name=ovpn-import86527 user=wire
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge filter
add action=drop chain=input dst-port=68 in-interface=wlan1 ip-protocol=udp mac-protocol=ip
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/ip dhcp-client
add interface=bridge1
/system note
set show-at-login=no
[admin@MikroTik] > ip address/
[admin@MikroTik] /ip/address> print
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
#   ADDRESS          NETWORK      INTERFACE
0 D 192.168.1.17/24  192.168.1.0  bridge1
1 D 10.110.1.240/24  10.110.1.0   ovpn-import86527
[admin@MikroTik] /ip/address> ..
[admin@MikroTik] /ip> route/
[admin@MikroTik] /ip/route> print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP, v - VPN
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY           DISTANCE
DAd 0.0.0.0/0         192.168.1.1       1
DAv 0.0.0.0/1         10.110.1.1        0
DAc 10.110.1.0/24     ovpn-import86527  0
DAv 95.49.185.167/32  192.168.1.1       0
DAv 128.0.0.0/1       10.110.1.1        0
DAc 192.168.1.0/24    bridge1           0

I really appreciate any help. Thanks!

As long as one of the MT devices gets a public IP, or an ISP router it's attached to can
a. get a public IP
b. forward a port to the MT device,
it's doable.
However, I only know how to do so using WireGuard.

Yeah, my second client MT is able to obtain the public IP from my first MT OVPN server; it's this line under /ip route print:

Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS       GATEWAY      DISTANCE
DAv 95.49.185.167/32  192.168.1.1  0

Therefore I'm not sure if it gets that 95.49.185.167, but I guess it takes it by checking the IP of the provided domain from my .ovpn file. Also, I don't know if the gateway 192.168.1.1 is the gateway from my OVPN server or from the local network my MT VPN client is connected to, since both networks use the same one.

Nonetheless, can you provide some more information on how to do it with WireGuard? I have no reason to stick with OpenVPN and might check different solutions.
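
Added example (not part of any post in this thread): a longest-prefix-match lookup over the six routes printed in the first post, assuming the usual selection rule of most specific prefix first with lowest distance as the tie-break. It shows that the two /1 VPN routes together cover all of IPv4 and so override the DHCP default route for the router's own traffic, while the /32 host route sends traffic for 95.49.185.167 to 192.168.1.1 instead of into the tunnel.

```python
import ipaddress

# Routing table copied from the /ip route print output in the first post:
# (flags, destination, gateway, distance)
ROUTES = [
    ("DAd", "0.0.0.0/0", "192.168.1.1", 1),
    ("DAv", "0.0.0.0/1", "10.110.1.1", 0),
    ("DAc", "10.110.1.0/24", "ovpn-import86527", 0),
    ("DAv", "95.49.185.167/32", "192.168.1.1", 0),
    ("DAv", "128.0.0.0/1", "10.110.1.1", 0),
    ("DAc", "192.168.1.0/24", "bridge1", 0),
]


def lookup(dst, routes=ROUTES):
    """Return (prefix, gateway) of the active route chosen for dst.

    Assumed rule: longest prefix wins, lowest distance breaks ties.
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for flags, prefix, gateway, distance in routes:
        net = ipaddress.ip_network(prefix)
        if "A" in flags and addr in net:
            candidates.append((-net.prefixlen, distance, prefix, gateway))
    if not candidates:
        return None
    _, _, prefix, gateway = min(candidates)
    return prefix, gateway


def covers_all_ipv4(prefixes):
    """True if the given prefixes together cover the whole IPv4 space."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes)
    return list(nets) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    # Constructed sample destinations, plus addresses taken from the table.
    for dst in ("1.1.1.1", "203.0.113.10", "95.49.185.167", "192.168.1.1"):
        print(dst, "->", lookup(dst))
    print("VPN /1 routes cover everything:",
          covers_all_ipv4(["0.0.0.0/1", "128.0.0.0/1"]))
```

The lookup only models traffic that consults this main routing table; whether packets arriving from wlan1 clients are forwarded and translated into the tunnel depends on bridge, NAT and firewall configuration that the export above does not contain.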

What I meant is that for MOST VPNs, one end must have access to a public IP at least at one end of the connection. The purpose of this is so that the peer SERVER can be reached by all users, be they from individual devices (laptop/smartphone) or from individuals behind another remote router. A static public IP is easy to reach; a dynamic one means you need some dyndns-type service to resolve the current WANIP address (MT devices have one internally which can be used).

So the question reframed is: do either of the upstream routers that are connected to the internet get a public IP?
If yes, is either of them under your control such that you could forward a port from the upstream router to the MT router?

In your case both upstream devices are ISP routers… thus can you at least access the admin page or basic control page on the ISP router to forward a port, assuming the ISP router gets a public IP? Both MT routers will get private IPs as WANIPs, from the ISP router LAN subnet.

Also would need the FULL config of both MT devices (I see no firewall rules, for example).

/export file=anynameyouwish (minus router serial number, any public WANIP info, keys etc.)