In a road warrior setup, where I use the MikroTik iOS app to connect to my home network over WireGuard (using the WireGuard app's on-demand setup and including the home LAN network as part of the allowed addresses), I see that I cannot log in (WebFig login works). When the allowed address is changed to 0.0.0.0/0, it works fine. Any pointers?
The login works fine from the app when I use it.
Are you attempting Winbox or something else?
On the router you need to allow the WireGuard IP in the input chain.
For the address just use MT WireGuard IP:winboxport
- Not Winbox, the MikroTik iOS app.
- WireGuard on RouterOS is not a problem. As mentioned, the MikroTik iOS app can connect perfectly fine when the AllowedIPs of the WireGuard iOS 'client' is set to 0.0.0.0/0 (the firewall input chain rules have all been fine and working).
If I set it to the home LAN, it cannot connect. Note that WebFig and LAN clients are accessible via the iOS browser over the cellular/on-demand WireGuard connection (the UniFi app also works fine).
I do not follow.
Okay, so the WireGuard connects fine.
The iOS app is to connect to Winbox; as I stated, you can do that using most interfaces, be it the WireGuard interface, the home LAN interface, etc.
The app is not to connect to home LAN devices.
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys, etc.)
Explanation of setup:
a) WireGuard 'server' on the home router (MikroTik) is set up fine.
b) The WireGuard iOS app (allowed IP=0.0.0.0/0) can connect to the WireGuard 'server' (peer allowed IP=WireGuard iOS client interface IP).
Checked accessing LAN devices and the internet using the iPhone iOS browser. Everything works fine from the phone (iOS cellular).
Opened the 'MikroTik iOS App', selected the IP of one of the interfaces and was able to log in.
Till now everything is great!
Here is the problem:
My goal of using the WireGuard iOS app is to use it on demand when on cellular. Meaning, when there is a request for a certain home LAN private IP address, it needs to use the WireGuard tunnel; the rest of the time it can use the gateway of the cellular connection.
So, to accomplish that, I changed the iOS WireGuard AllowedIPs to the LAN address and removed 0.0.0.0/0.
Checked accessing LAN devices and the internet using the iPhone browser. Everything works fine from the phone (iOS cellular).
BUT the MikroTik iOS app is stuck at Login after pressing 'connect'. Hope the explanation was helpful.
You are mixing apples and oranges. What is controllable is whether or not your traffic can be split. The answer is NO.
On my iPhone, if I connect to WireGuard, ALL my traffic goes through WireGuard.
You can leave WireGuard UP all the time (ON DEMAND selection at the very bottom) and it basically comes on when not on home WiFi but on public WiFi or cellular.
Choice of route has nothing to do with the MT iOS app or what you select in your browser.
Disagree. Once you put only the home LAN address in AllowedIPs while on cellular, go to ip.me. You should see your wireless ISP details there.
Go to some home LAN URL. You should see that works too, proving that the tunnel is bypassed for non-home-LAN requests.
On my iPhone, if I connect to WireGuard, ALL my traffic goes through WireGuard.
Disagree. Depends on what you have configured in the AllowedIPs address in the WireGuard iOS app.
You can leave WireGuard UP all the time (ON DEMAND selection at the very bottom) and it basically comes on when not on home WiFi but on public WiFi or cellular.
Choice of route has nothing to do with the MT iOS app or what you select in your browser.
The mention of the MT iOS app and the home LAN browser request was to highlight that the tunnel was working fine (over cellular) for browser requests and the UniFi app, but not for the MikroTik iOS app.
Well, to be honest, I have always ONLY stuck 0.0.0.0/0 in allowed IPs on my iPhone WG setup, as being the admin I have many subnets I may wish to access, and perhaps even the internet.
So you are saying that if I only put a LAN that exists on the router in my allowed IPs and then I try to reach an internet address, the WireGuard on the phone will let that traffic go outside the VPN tunnel and hit my cellular WAN???
It would be an additional Apple iOS quirk if it did. The function of allowed IPs outbound is simply a matching/filtering process. The software checks if the requested IP fits any peer allowed IPs set up on the WireGuard interface and, if so, sends the traffic down the tunnel to that peer. If there is no match, traffic is normally dropped.
That's what I have observed and also what ChatGPT tells me. It acts like a routing rule where ONLY traffic destined for that LAN network will be routed via WireGuard, the rest via the cellular WAN ISP. Please check for yourself.
Sounds like a routing issue. Maybe check your WireGuard config to ensure the correct routes are being pushed. Allowing 0.0.0.0/0 might be overkill and less secure. Try specifying only the necessary subnets for your home network instead.
Here is the solution:
iOS needs hostname resolution to an IP to determine whether to send traffic via the tunnel's AllowedIPs addresses when a subset of traffic (non-0.0.0.0/0 scenarios) is passed to the tunnel (in certain quirky scenarios).
Provide a DNS resolution of a hostname that resolves to an address that is part of the WireGuard AllowedIPs when you connect using the MikroTik app (do not put an IP address in the app).
The way I was able to resolve it is: make my MikroTik WireGuard server address (in its subnet) also part of AllowedIPs (while also including it as the DNS server in the WireGuard iOS app). Then have a static DNS entry on my MikroTik router that resolves to the MikroTik router's private IP. Now, when I connect using the MikroTik app, I provide the name configured for the static entry. The name is resolved using the tunnel DNS and it connects/works!!!
Overall iOS DNS behavior:
a) DNS of connected network (WiFi/cellular) - ON
b) DNS app configured on device (under VPN & Device Management) - ON
c) VPN app with DNS configuration and partial or full IPv4 AllowedIPs - ON
In the above scenario, the tunnel DNS (c) is used for all queries.
a) DNS of connected network (WiFi/cellular) - ON
b) DNS app configured on device (under VPN & Device Management) - ON
c) VPN app with DNS configuration and partial AllowedIPs - OFF
In the above scenario, the DNS app config (b) is used for all queries.
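As an added illustration of the fix described in the post above (this is not the poster's own configuration, which is never shown in the thread), here is what a split-tunnel profile in the iOS WireGuard app looks like once the router's WireGuard subnet is added to AllowedIPs and the router is set as the tunnel DNS. Every address, key, name and endpoint is a placeholder chosen for the example: the router's WireGuard interface is assumed to be 10.99.0.1/24, the phone 10.99.0.2/32, the home LAN 192.168.88.0/24 and the router's LAN address 192.168.88.1.

```ini
# Added example of a split-tunnel iOS WireGuard profile; not taken from the thread.
# Assumed layout: router WireGuard interface 10.99.0.1/24, phone 10.99.0.2/32,
# home LAN 192.168.88.0/24, router LAN address 192.168.88.1. Keys and the
# endpoint are placeholders.
[Interface]
PrivateKey = <phone private key>
Address = 10.99.0.2/32
# Tunnel DNS. Per the post above, with the tunnel up iOS sends all queries here
# even when AllowedIPs is narrower than 0.0.0.0/0 (scenario c = ON), so a static
# name on the router resolves to an address that lies inside AllowedIPs.
DNS = 10.99.0.1

[Peer]
PublicKey = <router public key>
Endpoint = vpn.example.net:13231
# The failing profile in the thread carried only the LAN prefix here. Adding the
# router's WireGuard subnet puts the DNS server (10.99.0.1) inside the tunnel's
# routes; anything outside both prefixes (ip.me, general internet) still leaves
# via the cellular interface.
AllowedIPs = 192.168.88.0/24, 10.99.0.0/24
PersistentKeepalive = 25
```

On the RouterOS side the matching pieces, again with the example's assumed names and addresses, are a static name for the router (`/ip dns static add name=router.home address=192.168.88.1`), remote DNS answering enabled (`/ip dns set allow-remote-requests=yes`) and an input-chain rule accepting UDP and TCP port 53 from 10.99.0.0/24 next to the rule that already accepts the app's port from the tunnel. In the MikroTik app, connect to `router.home` rather than to a bare IP address. The on-demand trigger (cellular, or WiFi except the home SSID) is set in the iOS WireGuard app's tunnel settings, not in the profile text above.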