MT as a Wireguard client: problem with routing or/and firewall

Hi All
I’ve been trying to set up a WG VPN for almost a week, following mainly this topic https://forum.mikrotik.com/viewtopic.php?t=182340, but I really need some expert’s help.

My use case:

  • I’ve successfully set up a WG interface on an Ubuntu instance on Lightsail. I can connect my phone and 2 PCs; they can ping each other and I can access the web server between them. 10.8.0.1 is the IP I chose for the WG on Ubuntu.
  • I now need to use the WG tunnel to access devices at home through a web browser (I can access them via browser when on the local LAN).
  • At home I have a MT (hAP ax3) connected on Eth1 to my ISP provider (MT is working correctly and provides Wi-Fi access). MT has a 192.168.88.1 address while 192.168.1.1 is the ISP modem.
    I also created a static route.

I know it’s not an issue with WG but with firewall and/or routing. Please help me or point me in the right direction.
Thanks in advance!

Current situation as per the RouterOS config below:
a) I can ping WG MT IP from other peer and I can ping other WG IP clients (in and out seem to be working)
b) From remote peer I cannot ping devices within MT LAN using their IP. I can only ping MT Interface IP.

My RouterOS configuration:

RouterOS 7.11.2

/interface bridge
add admin-mac=XXXXXXX auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-BAE354 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-BAE355 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add comment="WG Interface" listen-port=51820 mtu=1420 name=wgM
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="WG Interface to WAN" interface=wgM list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="wg Peer MT" endpoint-address=\
    XX.XXX.XXX.XXX endpoint-port=51820 interface=wgM persistent-keepalive=25s \
    public-key="MYPUBLICKEY"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.8.0.5/24 comment="wg MT Address" interface=wgM network=\
    10.8.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.8.0.5/32 comment=LAN-4-WG dns-server=8.8.8.8 gateway=10.8.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="WG - Allow UDP" dst-port=51820 \
    protocol=udp
add action=accept chain=forward comment="WG Fwd Local traffic to WG Tunnel" \
    out-interface=wgM src-address=192.168.1.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=useWG
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Not a clue from your description what you are trying to do?

A network diagram showing all the moving pieces will be a good start.

Hi Anav,
Below is a diagram. I’m not a network guy, so please forgive the errors. :slight_smile:

  • I use A) -Ubuntu Server- as a sort of gateway because at home (B, C) I don’t have a public static IP and port forwarding is not reliable.
  • I want to connect from D) to devices on (C). I think that by calling the local IP of devices on C I should get the content from them, but in reality this is not working. I can reach them only by calling the WG address, i.e. 10.8.0.2.

Hope this helps to clarify the scope.
Thanks again.
[attached diagram: Net MT WG2.drawio.png]

(1) Why is this rule on the input chain?
add action=accept chain=input comment="WG - Allow UDP" dst-port=51820 \
    protocol=udp

(2) Just to be sure… when you say MY PUBLIC KEY in your MT client peer settings, you actually mean the PUBLIC KEY generated by Ubuntu, correct?
Your public KEY generated by the MT is used at the Ubuntu device (in its peer settings for you).

Note: the public key the Ubuntu generates is used by all clients on the same interface (hence it’s not “my”, it’s more like the generic interface public key).

(3) Why did you create this rule ???
/ip dhcp-server network
add address=10.8.0.5/32 comment=LAN-4-WG dns-server=8.8.8.8 gateway=10.8.0.1

OR
this rule
/ip dhcp-server network
add address=10.8.0.5/32 comment=LAN-4-WG dns-server=8.8.8.8 gateway=10.8.0.1

The router does not have anything to do with DHCP for the WireGuard network. There is no DHCP at all anyway!!

(4) The FORWARD CHAIN RULE you have is useless. The local subnet on your MT router is 192.168.88.0/24, so what is the purpose of giving
a non-existent subnet access to the WireGuard interface?? (Besides the fact that the rule is not in the ideal location for forward chain rules; rules should be grouped together for easy readability and spotting errors.)
add action=accept chain=forward comment="WG Fwd Local traffic to WG Tunnel" \
    out-interface=wgM src-address=192.168.1.0/24

(5) You have a routing rule forcing local users out wireguard which is fine along with the table.
What is missing is the ip route to go with it.
/ip route
add dst-address=0.0.0.0/0 gateway=wgM routing-table=useWG

(6) Ensure on the ubuntu, that there is a route on that device that points any traffic to the 10.8.0.0/24 subnet into the tunnel.

(7) Once you have tidied up the rest, let’s hit the nub of the question. You want remote clients to be able to reach your subnet on the MT, assuming:
A. the config for admin access
B. the subnet for admin/user access.

Case A.

Remote user connects to tunnel
Remote user types in winbox 10.8.0.5 (note: if the winbox port is not the default then it would be 10.8.0.5:#)
+++++++++++++++++++++++++++++++++

Remote user allowed IPs set to 0.0.0.0/0, and thus traffic is allowed to enter the tunnel.
It reaches the Ubuntu and, since its source address is a known peer, it should exit the tunnel and land on the Ubuntu.

  1. the Ubuntu needs a firewall rule to allow remote traffic back into the tunnel
  2. the Ubuntu needs a route for 10.8.0.5 AND THIS IT SHOULD ALREADY HAVE.

If I were to do this on an MT server (relay rule):
add action=accept chain=forward in-interface=wg-interface out-interface=wg-interface

The Ubuntu has a match of a peer at that address and sends it down the tunnel to the MT device.
The MT device allowed IPs allow the remote users to exit the tunnel and hit the LAN.

Thus we need to ensure we have a firewall rule allowing the remote user to the input chain.
add chain=input action=accept in-interface=wgM (use an additional src-address or src-address-list if not all remote users need this access)

Return traffic has a path all the way back…

Case B
Remote user starts tunnel
Remote user wants to access 192.168.88.10 on the MT router and enters that in the browser
+++++++++++++++++++++++++++

Allowed IPs 0.0.0.0/0 means the traffic is allowed to enter the tunnel and lands on the Ubuntu.
The Ubuntu recognizes the source address of the remote peer, so the traffic is allowed to exit the tunnel and hit the LAN.

PROBLEM: Now we are stuck. The destination 192.168.88.5 is not local to the Ubuntu and, since it doesn’t know about it, it will be dropped.
SOL/N: Create a path so the Ubuntu knows what to do with that dst address.

If it were MT, I would write it like:
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard-interface routing-table=main

Now the Ubuntu says: Okay, I know where to send that traffic, which is back into the WireGuard tunnel. GOOD.
Do I have a firewall rule?
YES, remember we made add action=accept chain=forward in-interface=wg-interface out-interface=wg-interface
The traffic coming out of the tunnel is allowed back into the tunnel.

Now, the crypto code says: let me match 192.168.88.5 with one of my existing peers…
PROBLEM: None of the peers has that subnet. CLUE → Subnets not local needing to traverse a tunnel require A. ROUTE. B. ALLOWED IP entry.
SOL/N: Add 192.168.88.0/24 as an allowed IP to the MT (in addition to the existing entry 10.8.0.5/32).

Now the Ubuntu has the firewall rule allowing relay traffic, a route for where to send the traffic, and the crypto code has an allowed IP to match to a peer to send the traffic into the tunnel to the right peer.

All good. The return traffic will have no issues.
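To make Case B concrete, here is an added example (not code from the thread or from WireGuard itself) that models the "crypto code" step in Python: which peer the Ubuntu hub picks for a destination, and whether a packet arriving from a peer is accepted at all. Peer names and the 10.8.0.x addresses are assumptions drawn from the thread's diagram; keys, kernel routes and firewall rules are deliberately left out.

```python
import ipaddress

# Constructed model of WireGuard's cryptokey routing (the "crypto code" in the post):
# each peer owns a set of allowed-ips; a packet leaving the hub goes to the peer whose
# allowed-ips contain its destination (longest prefix wins), and a packet arriving from
# a peer is dropped unless its source is inside that peer's allowed-ips. Keys, routes
# and firewall rules are deliberately left out; this only models the allowed-IP step.


class Peer:
    def __init__(self, name, allowed_ips):
        self.name = name
        self.allowed_ips = [ipaddress.ip_network(p) for p in allowed_ips]


def select_peer(peers, dst):
    """Egress lookup: which peer gets a packet for dst, or None if nobody claims it."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.allowed_ips:
            if dst in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def source_accepted(peer, src):
    """Ingress check: a decrypted packet from peer survives only if src is allowed."""
    return any(ipaddress.ip_address(src) in net for net in peer.allowed_ips)


def relay(peers, from_peer, src, dst):
    """Relay through the hub: ingress check on the sending peer, then egress lookup.
    Returns (ingress, egress) peer names, or None where WireGuard would drop."""
    ingress = next((p for p in peers if p.name == from_peer), None)
    if ingress is None or not source_accepted(ingress, src):
        return None
    egress = select_peer(peers, dst)
    return None if egress is None else (ingress.name, egress.name)


# Hub peer table as the thread describes it before the fix: every peer, the MT
# included, is known to the hub by a single /32 tunnel address (assumed values).
def hub_before_fix():
    return [Peer("phone", ["10.8.0.2/32"]),
            Peer("pc", ["10.8.0.3/32"]),
            Peer("MT", ["10.8.0.5/32"])]


# Same table after adding the home LAN to the MT peer's allowed-ips (the SOL/N line).
def hub_after_fix():
    return [Peer("phone", ["10.8.0.2/32"]),
            Peer("pc", ["10.8.0.3/32"]),
            Peer("MT", ["10.8.0.5/32", "192.168.88.0/24"])]


# The MT side keeps allowed-address=0.0.0.0/0 for the Ubuntu peer, so any source
# coming out of the tunnel is accepted there ("exit the tunnel and hit the LAN").
def mt_side():
    return [Peer("ubuntu", ["0.0.0.0/0"])]


if __name__ == "__main__":
    for label, hub in (("before", hub_before_fix()), ("after", hub_after_fix())):
        out = relay(hub, "phone", "10.8.0.2", "192.168.88.10")
        back = relay(hub, "MT", "192.168.88.10", "10.8.0.2")
        print(f"{label} fix: phone->LAN {out}, LAN->phone {back}")
```

Before the fix both directions come back as None: the hub has no peer for 192.168.88.10 on the way out, and on the way back it discards the LAN source because 192.168.88.10 is not inside the MT peer's 10.8.0.5/32.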

Hi Anav,
first of all thanks a lot for your precious feedback and guidance.
I’ve had time only to check and implement points 1-6. Tomorrow I’ll try to read and understand the other points.
I’ve fixed points 1, 3, 4, 5. 2 is ok; I actually meant the pub key generated by Ubuntu and used by peers.
First stopper: when I implement your suggestion “/ip route
add dst-address=0.0.0.0/0 gateway=wgM routing-table=useWG” the MT router loses connection and I cannot access it. Fortunately I use Safe Mode :slight_smile:
Any idea about this?

Thanks again.

Anytime you make changes, you have to post a new config, I only work from facts…

Fair enough :slight_smile:
Below the export.
My notes:

  • applying this /routing rule
    add action=lookup disabled=no src-address=192.168.88.0/24 table=useWG I cannot browse the internet from the PC connected to the MT (192.168.88.243)
  • when I implement “/ip route
    add dst-address=0.0.0.0/0 gateway=wgM routing-table=useWG” the MT router loses connection and I cannot access it again.

With this config:

  • cannot ping 10.8.0.1 (Request timeout for icmp_seq 1
    92 bytes from router.lan (192.168.88.1): Destination Host Unreachable
    Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
    4 5 00 5400 c088 0 0000 3f 01 a70b 192.168.88.254 10.8.0.1)
  • cannot ping from outside to 10.8.0.5
  • can ping 10.8.0.1 from 10.8.0.4 (ios or pc outside the MT).
  • using WG client can ping 10.8.0.3 but cannot call direct IP (192.168.1.108)

Thnx!

# 2023-11-10 12:02:13 by RouterOS 7.11.2
# software id = A9YP-3NHI
#
# model = XXXXX
# serial number = XXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-BAE354 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-BAE355 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add comment="wg Interface" listen-port=51820 mtu=1420 name=wgM
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="WG Interface to WAN" interface=wgM list=WAN
/interface wireguard peers
add comment="wg Peer MT" endpoint-address=XX.XXX.XXX.XXX endpoint-port=51820 \
    interface=wgM persistent-keepalive=25s public-key=\
    "UBUNTU PUB KEY"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.8.0.5/24 comment="wg MT Address" interface=wgM network=\
    10.8.0.0
add address=192.168.88.0/24 comment="WG - Allowed Ip" disabled=yes interface=\
    wgM network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="WG - Allow UDP" dst-port=51820 \
    protocol=udp
add action=accept chain=forward comment="WG - Allow traffic to tunnel" \
    in-interface=wgM out-interface=wgM
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no src-address=192.168.88.0/24 table=useWG
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(1) THIRD RULE WRONG ON TWO COUNTS: bad format and duplicate, besides being nonsensical… learn to review your work :slight_smile:

/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.8.0.5/24 comment="wg MT Address" interface=wgM network=\
    10.8.0.0
add address=192.168.88.0/24 comment="WG - Allowed Ip" disabled=yes interface=\
    wgM network=192.168.88.0

Get rid of rule 3 here.

(2) What is the purpose of this rule in the forward chain???
add action=accept chain=forward comment="WG - Allow UDP" dst-port=51820 \
    protocol=udp

get rid of it…

If you want remote user/admin capability to access the MT router for config purposes, it’s an input chain rule.
add chain=input action=accept comment="admin remote access" in-interface=wgM

(3) This forward chain rule has NOTHING, I repeat NOTHING, to do with the MikroTik router. I told you this rule has to be on the Ubuntu, and I provided this ONLY as an example of what I meant by a relay firewall rule.
add action=accept chain=forward comment="WG - Allow traffic to tunnel" \
    in-interface=wgM out-interface=wgM

Get rid of it.

(4) What you do need is a forward chain rule placed here…

add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid

add chain=forward action=accept src-address=192.168.88.0/24 out-interface=wgM

add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat

(5) Missing…
/ip route
add dst-address=0.0.0.0/0 gateway=wgM routing-table=useWG

Look familiar? It’s the last point of my first input, also funnily enough numbered 5. However, I am not amused.

++++++++++++++++++++++++++++++++++++++++

The config should work, the rest is ubuntu, good luck!!

Hi Anav
I took some time to clean up the configurations on the MT and on Ubuntu following your directions. A good way to learn something new.
I am attaching the updated configuration of the MT router (I disabled the rules and IP lists that I tested and found not useful).

# 2023-11-15 12:24:13 by RouterOS 7.11.2
#
# model = modelNr
# serial number = serialNr
/interface bridge
add admin-mac=48:A9:8A:BA:E3:50 auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik-BAE354 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-BAE355 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add comment="wg Interface" listen-port=51820 mtu=1420 name=wgM
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/routing table
add disabled=no fib name=useWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment="WG Interface to WAN" interface=wgM list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment="wg Peer MT" endpoint-address=\
    PUBLIC IP endpoint-port=51820 interface=wgM persistent-keepalive=25s \
    public-key="PUBKEY"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.8.0.4/24 comment="wg MT Address" interface=wgM network=\
    10.8.0.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=PUBIP comment="WG Endpoint on Ubuntu" list="From Ubuntu"
add address=172.26.14.0/24 comment="Server Ubuntu" list="From Ubuntu"
add address=172.26.0.2 comment="DNS Ubuntu" list="From Ubuntu"
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="WG - Fwd to Ubuntu DNS" disabled=yes \
    dst-address=172.26.0.2 out-interface=wgM
add action=accept chain=forward comment="WG - Fwd traffic out" out-interface=\
    wgM src-address=192.168.88.0/24
add action=drop chain=forward comment="default drop" disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="WG " disabled=yes out-interface=\
    wgM src-address=192.168.88.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main suppress-hw-offload=no
add comment="WG DNS Server in Ubuntu" disabled=yes distance=1 dst-address=\
    172.26.0.2/32 gateway=wgM pref-src="" routing-table=useWG scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=172.26.14.0/24 gateway=wgM pref-src="" \
    routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
add comment="WG Out Lan traffic" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=wgM pref-src="" routing-table=useWG scope=30 \
    suppress-hw-offload=no target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing rule
add action=lookup disabled=no interface=wgM src-address=192.168.88.0/24 \
    table=useWG
add action=lookup disabled=yes dst-address=172.26.0.0/24 table=useWG
add action=lookup disabled=no dst-address=172.26.14.0/24 table=useWG
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

With these changes I can:

  • access from remote devices on LAN (192.168.88.0/24).
  • from LAN access remote peers: laptop, Ubuntu etc.

Remaining doubts:

1- I see that my IP from LAN MT to the Internet is always that of the ISP. If I use a remote peer instead (i.e. a laptop with the WG app) the public IP is correctly that of Ubuntu.
2- I think related to problem 1: I can't use on the MT router the Ubuntu DNS that works correctly on other peers (laptop, iOS etc.). For now I'm using the Google DNS IP.
3- if I add as last rule to the MT FW add action=drop chain=forward comment="default drop" I can't reach LAN from remote anymore.

Thanks in advance.

(1) Set internet detect to NONE; having it up sometimes causes issues.

(2) Yes, all the users from the MT router going out WG to the Ubuntu server will have as source address the WireGuard IP address allocated to the MT router.
There is nothing wrong with this, as the MT router upon return traffic ensures it goes back to the correct local user.
This approach is mandatory for any third-party VPN servers, as their allowed IPs only accept the one IP, and thus this is a normal setup.

However, if you have control of the SERVER side, you can add the subnet 192.168.88.0/24 as allowed IPs, and then you don't have to masquerade the traffic out the MT to the Ubuntu.
(Either remove the srcnat rule if you have one for the WG interface, or remove the WG interface from the WAN interface list.)

(3) mac-server by itself is not a secure access method so change to NONE.
/tool mac-server
set allowed-interface-list=LAN

(4) Firewall rules need work.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input in-interface=wgM src-address=10.8.0.X comment="remote admin access"
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow access to tunnel" in-interface-list=LAN out-interface=wgM
add action=accept chain=forward comment="allow access from tunnel" dst-address=192.168.88.0/24 in-interface=wgM
add action=drop chain=forward comment="default drop" disabled=no

(5) IP ROUTE is incorrect.
from:
add comment="WG DNS Server in Ubuntu" disabled=yes distance=1 dst-address=172.26.0.2/32 gateway=wgM pref-src="" routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10

TO:
add comment="WG DNS Server in Ubuntu" dst-address=172.26.0.2/32 gateway=wgM routing-table=main

(6) IP ROUTE is incorrect
from:
add disabled=no distance=1 dst-address=172.26.14.0/24 gateway=wgM pref-src="" routing-table=useWG scope=30 suppress-hw-offload=no target-scope=10
TO:
add disabled=no distance=1 dst-address=172.26.14.0/24 gateway=wgM pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

(7) Don't need source address:
add action=masquerade chain=srcnat comment="WG " disabled=yes out-interface=wgM src-address=192.168.88.0/24

(8) ROUTING RULES: only the first rule is required; interface is not required.
/routing rule
add action=lookup src-address=192.168.88.0/24 table=useWG
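Point (2) above hinges on WireGuard's cryptokey routing: the Ubuntu server only keeps an inbound packet from a peer if its source address is inside that peer's AllowedIPs, and only sends a packet to a peer whose AllowedIPs covers the destination. The small simulation below is an added example, not code from the thread or from WireGuard; the peer names and the MT router's tunnel address 10.8.0.2 are assumptions, and it shows why LAN hosts must either be masqueraded to the MT's tunnel IP or have 192.168.88.0/24 added to the MT peer's AllowedIPs on the server.

```python
import ipaddress

# Constructed peer table for the Ubuntu WireGuard server in the thread.
# Names stand in for public keys; 10.8.0.2 for the MT router is assumed.
SERVER_PEERS = {
    "mikrotik-hapax3": ["10.8.0.2/32"],
    "laptop": ["10.8.0.3/32"],
}


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def peer_for_destination(peers, dst):
    """Outbound side of cryptokey routing: pick the peer whose AllowedIPs
    contains dst, longest prefix winning; None means no peer can carry it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, cidrs in peers.items():
        for net in _nets(cidrs):
            if dst in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def accepts_inbound(peers, peer, src):
    """Inbound side: a decrypted packet from `peer` is kept only when its
    source address lies within that peer's AllowedIPs; otherwise it is dropped."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in _nets(peers[peer]))


def with_lan_allowed(peers, peer, lan="192.168.88.0/24"):
    """The server-side fix from point (2): add the home LAN to the MT peer's
    AllowedIPs so un-NATed LAN sources are accepted and replies route back."""
    updated = {k: list(v) for k, v in peers.items()}
    updated[peer] = updated[peer] + [lan]
    return updated


if __name__ == "__main__":
    # Without the LAN in AllowedIPs, a LAN host's un-masqueraded packet is
    # dropped on arrival and the server has no peer for 192.168.88.x replies.
    print(accepts_inbound(SERVER_PEERS, "mikrotik-hapax3", "192.168.88.50"))  # False
    print(peer_for_destination(SERVER_PEERS, "192.168.88.50"))  # None
    fixed = with_lan_allowed(SERVER_PEERS, "mikrotik-hapax3")
    print(accepts_inbound(fixed, "mikrotik-hapax3", "192.168.88.50"))  # True
    print(peer_for_destination(fixed, "192.168.88.50"))  # mikrotik-hapax3
```

The same check explains point (7): with the masquerade rule active, LAN hosts appear as 10.8.0.2 and pass even without the LAN in AllowedIPs, at the cost of the server never seeing the real LAN source.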