Office setup in workspace using VPN - DNS not working

I have some tech background but was never much in the networking space. I have a new office in a coworking space and would like to use ProtonVPN on my hEX S 2025 box so that all my traffic gets routed through the VPN.

Here is my hardware setup:

My Laptop => hEX S box => Wired connection in coworking space => Internet

I will also have a wired printer with fax capability, and maybe later an IP Phone all wired through my hEX S box.

I have tried to set up my hEX S as best I can, but for some reason the VPN DNS (at 10.2.0.1) is not working, and as a result no outbound requests seem to be getting anywhere, so it looks like I have no internet. If I use the coworking space's connection directly, the internet is fully accessible. I am using the values that ProtonVPN gave me to set up WireGuard.

How do I get this to work?

Here are my settings:


# 2025-10-15 00:19:52 by RouterOS 7.20.1

# software id = ABCD-1234

# 

# model = E60iUGS

# serial number = ABCDEF1234

# Forum paste of a RouterOS export: wrapped lines are shown without the usual
# "\" continuation, and "[ find ... ]" appears as "\[ ... \]". Interface
# private keys are never part of an export, so none appear below.
/interface bridge
add admin-mac=05:F3:7C:18:C7:4E auto-mac=no comment=defconf name=bridge-lan
/interface ethernet
set \[ find default-name=sfp1 \] disabled=yes
/interface wireguard
# Tunnel interface toward ProtonVPN; the local listen port does not need to
# match the peer's port for an outbound-initiated tunnel.
add listen-port=51820 mtu=1420 name=wg-proton
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp-pool ranges=192.168.99.10-192.168.99.100
/ip dhcp-server
add address-pool=dhcp-pool interface=bridge-lan lease-time=1d name=dhcp1
/disk settings
# Media/SMB auto-sharing is enabled on bridge-lan; nothing else in this
# export needs it, so disable it unless the router should serve attached
# media to the LAN.
set auto-media-interface=bridge-lan auto-media-sharing=yes auto-smb-sharing=
yes
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=sfp1
/ip neighbor discovery-settings
# Neighbor discovery off on every interface (good: no MNDP/LLDP beacons
# toward the coworking uplink).
set discover-interface-list=none
/interface list member
add comment=dhcp1 interface=bridge-lan list=LAN
add comment=defconf interface=ether1 list=WAN
# wg-proton is placed in LAN, so every rule keyed on in-interface-list=LAN
# (e.g. "Allow LAN to everything" in forward) and the absence of an input
# drop for non-WAN interfaces also apply to packets arriving from the tunnel
# peer. Putting the tunnel in WAN instead keeps the defconf protections on it.
add interface=wg-proton list=LAN
/interface wireguard peers
# allowed-address=0.0.0.0/0,::/0 only tells RouterOS which source addresses
# to accept from this peer; unlike wg-quick it installs no routes. This
# export has no /ip route entry pointing at wg-proton, so LAN IPv4 follows
# the DHCP client's default route on ether1 (the coworking uplink), not the
# tunnel -- only the /ipv6 route further down uses wg-proton. Confirm with
# "/ip route print" (add-default-route on the DHCP client is not shown here
# and defaults to yes).
add allowed-address=0.0.0.0/0,::/0 endpoint-address=149.159.51.178 
endpoint-port=51820 interface=wg-proton name=peer1 persistent-keepalive=
25s public-key="STtovcJk/wqDgciSMoTgDAwS9b5bS1lch2eOlBdPL2E="
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge-lan 
network=192.168.88.0
add address=192.168.99.1/24 interface=bridge-lan network=192.168.99.0
# network=10.2.0.2 yields a connected route for 10.2.0.2/32 only (the
# router's own address). 10.2.0.1 -- the DNS server used below -- gets no
# route over wg-proton and falls to the default route on ether1. Use
# network=10.2.0.1 (or address=10.2.0.2/30 or /24) so the peer side is
# reached through the tunnel.
add address=10.2.0.2 interface=wg-proton network=10.2.0.2
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# Clients are handed 10.2.0.1 directly, so each client's DNS path is
# client -> router -> wg-proton and depends on the 10.2.0.1 route above.
add address=192.168.99.0/24 dns-server=10.2.0.1 domain=local gateway=
192.168.99.1
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that
# reaches its input chain; with no input drop for LAN/tunnel sources below,
# that includes the tunnel side.
set allow-remote-requests=yes servers=10.2.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Input chain: only the WAN list (ether1) is dropped and the chain has no
# final drop, so RouterOS's default accept applies to everything arriving
# on bridge-lan and wg-proton, including management services.
# For a tunnel the router initiates, the peer's packets match
# established/related once the handshake has gone out, so this accept is
# not strictly needed.
add action=accept chain=input comment="Allow WireGuard UDP" dst-port=51820 
protocol=udp
# These two rules accept every new connection entering from the tunnel
# toward the LAN, not only the dst-nat'ed ports in /ip firewall nat; the
# disabled defconf "drop all from WAN not DSTNATed" rule would have limited
# that, had the tunnel been in WAN.
add action=accept chain=forward comment="Allow VPN traffic" in-interface=
wg-proton
add action=accept chain=forward comment="Allow VPN traffic" out-interface=
wg-proton
add action=drop chain=input comment="Drop Invalid Early" connection-state=
invalid
add action=drop chain=forward comment="Drop Invalid Early" connection-state=
invalid
add action=accept chain=input comment="Allow Established/Related" 
connection-state=established,related
add action=accept chain=forward comment="Allow Established/Related" 
connection-state=established,related
add action=drop chain=input comment="Drop all input from WAN" 
in-interface-list=WAN
# Because wg-proton is a LAN member, this also accepts forward traffic that
# enters from the tunnel.
add action=accept chain=forward comment="Allow LAN to everything" 
in-interface-list=LAN
# Active forward chain ends here; every forward rule below is disabled.
add action=drop chain=forward comment="Drop all else in forward"
add action=accept chain=forward disabled=yes dst-port=5060 in-interface=
wg-proton protocol=udp
add action=accept chain=forward disabled=yes dst-port=5060 in-interface=
wg-proton protocol=tcp
# Everything from here to the port-scanner rules is the stock defconf
# firewall with disabled=yes, i.e. inactive.
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes 
protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes 
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" 
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" 
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" 
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" 
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" 
connection-state=invalid disabled=yes
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat 
connection-state=new disabled=yes in-interface-list=WAN
# Ordered after the WAN drop and the established accept, the psd rule only
# sees new TCP from LAN/tunnel sources, so a LAN host (or the tunnel peer)
# can get itself listed and dropped for 1w3d; the rules add nothing here.
add action=add-src-to-address-list address-list=port-scanners 
address-list-timeout=1w3d chain=input comment="Port Scanner" protocol=tcp 
psd=21,3s,3,1
add action=drop chain=input src-address-list=port-scanners
/ip firewall nat
# The defconf WAN masquerade is disabled: any LAN traffic that leaves via
# ether1 (see the route note on the WireGuard peer) would go out with its
# 192.168.99.x source unchanged.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes 
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg-proton
# Port forwards expose 192.168.99.50:80 and 192.168.99.60:5060 (the printer
# / IP-phone side) to anything that can send traffic down the tunnel to
# 10.2.0.2; combined with the open forward rules above, the whole LAN is
# reachable from the tunnel side, not just these ports.
add action=dst-nat chain=dstnat dst-port=8080 in-interface=wg-proton 
protocol=tcp to-addresses=192.168.99.50 to-ports=80
add action=dst-nat chain=dstnat dst-port=5060 in-interface=wg-proton 
protocol=udp to-addresses=192.168.99.60 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 in-interface=wg-proton 
protocol=tcp to-addresses=192.168.99.60 to-ports=5060
/ipv6 route
# IPv6 default goes through the tunnel; there is no IPv4 counterpart under
# /ip route in this export.
add distance=1 dst-address=::/0 gateway=wg-proton
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=fd00::2/128 advertise=no interface=wg-proton
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Stock defconf IPv6 firewall, left active. Its two "!LAN" drops rely on the
# interface lists, so with wg-proton in LAN the tunnel side is treated as
# trusted here as well.
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" 
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" 
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" 
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" 
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-name=US/Pacific
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level Telnet/Winbox/ping disabled on all interfaces.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Change this IP -> Address entry:

/ip address
add address=10.2.0.2 interface=wg-proton network=10.2.0.2

to

/ip address
add address=10.2.0.2 interface=wg-proton network=10.2.0.1

(notice the network address change), and you'll get access to the DNS server running at 10.2.0.1.


I would still recommend that you revert to the defconf configuration, then add the WG interface, add that interface to the WAN list (not LAN), allow port 51820 UDP on the input chain, and refrain from the other firewall hacks (like the useless port scanner checks).

If you add the WG interface to WAN and keep the normal defconf firewall, you won't even need to add the extra masquerade rule for wg-proton.

Not that I doubt you, @CGGXANNX, but can you explain how it works when setting network instead of providing a netmask?

Like:

/ip address
add address=10.2.0.2/30 interface=wg-proton

Totally agree on the firewall feedback, it is both a mess and contains unnecessary rules currently.

The /32 addressing on broadcast is a Linuxism, although adopted by others. It’s a special case.

It means to add the specified address to the “local” table as usual,

but when constructing the appropriate route (which would normally be something like “192.168.88.0 via ether1 (on-link)”), it adds “(whatever the ip specified in network)/32 via ether1 (on-link)”

It’s like /31, but this doesn’t even have an RFC. Btw, it’s not an accident that Proton chose addresses this way so /30, /31 and /32 all work.

Another btw: OP will also need a lot more.

When you assign /ip address entries to interface, you can use the usual way of putting the address in a real subnet, like you did with /30 (and the network address will be calculated by RouterOS automatically); or alternatively, you can assign a point-to-point like address, if you only need to talk to only a single host on the other side of the "link".

For that you just specify a /32 address in the address field and the IP address of the other "peer" in network. They don't have to be in the same "subnet" at all (technically a /32 is only in the same subnet as itself). So you can do this and it's perfectly fine:

/ip address
add address=10.20.30.40 interface=ether2 network=192.168.15.59

or even this:

/ip address
add address=10.20.30.40 interface=bridge network=10.20.30.40

What /ip address add does is:

  • Set an IP address for the router on the specified interface. The router may use this IP address as the source when it sends a packet out of this interface, if no other addresses are added to that interface.

  • Add a route to the routing table (normally main, but if the interface is in a VRF then the routing table of the VRF is used) with destination being network_address/prefix_length, with the gateway being the interface. network_address is the value of the network property, and prefix_length is what you put behind the address in the address field above.

So doing this:

/ip address
add address=10.20.30.40 interface=ether2 network=192.168.15.59

assigns the IP address 10.20.30.40 to the router on ether2, and adds a dynamic connected (flag D and C) route to the main routing table with dst-address=192.168.15.59/32 and gateway=ether2.

And this:

/ip address
add address=10.20.30.40 interface=bridge network=10.20.30.40

assigns the IP address 10.20.30.40 to the router on bridge, and adds a dynamic connected (flag D and C) route to the main routing table with dst-address=10.20.30.40/32 and gateway=bridge.

What we usually do:

/ip address
add address=192.168.88.1/24 interface=bridge

Does exactly the same. Here RouterOS automatically calculates network=192.168.88.0. Then the router has the 192.168.88.1 on bridge and the routing table has a route with dst-address=192.168.88.0/24 (combines prefix length and network) with gateway=bridge.


Back to OP original issue. He added the address like this:

/ip address
add address=10.2.0.2 interface=wg-proton network=10.2.0.2

So there is only a route to 10.2.0.2/32; no matching route to 10.2.0.1 exists except for the default 0.0.0.0/0 route.

With the fix:

/ip address
add address=10.2.0.2 interface=wg-proton network=10.2.0.1

a correct route with dst-address=10.2.0.1/32 gateway=wg-proton appears and the router knows how to reach 10.2.0.1.


Thank you so much for the help! I used your input and managed to get everything working the way I wanted.

Now to think about getting a similar setup for the home.

Hence why I always suggest the following, to avoid any issues; it usually covers all cases (assuming not an odd IP address):
/ip address
add address=10.2.0.2/24 interface=wg-proton network=10.2.0.0

In your original post, I hope you didn't provide the actual IP address and actual keys; those should be false numbers or simply x.x.x.x.

Concur; just make the WG interface part of the WAN interface list, not LAN.

For the allowed address on the router, simply use 0.0.0.0/0.

For the WG interface, the listen port does not have to match what Proton has at their end; it can be any number.

Wrong; there is no need for any input chain rule for the Proton WG port, since this is outgoing traffic connecting to the Proton server.

I would approach the DNS service slightly differently.
# Reply's proposal, written as shorthand rather than export syntax:
# - "use isp dns = yes" corresponds to the dhcp-client option use-peer-dns=yes,
#   and a single add line carries only one comment=.
# - "set allow-remote requests" is allow-remote-requests=yes (as in the OP's /ip dns).
# - "/ip dns static / disabled" is not a command; it means disable or remove
#   the defconf router.lan entry.
# - "/ip nat" is /ip firewall nat, and the export keyword is to-addresses.
# Resulting split: the router itself resolves via the ISP's DNS (outside the
# tunnel), while LAN clients' port-53 traffic is redirected to 10.2.0.1
# through the tunnel.
/ip dhcp-client
add comment=defconf interface=ether1 use isp dns = yes comment="dns for router"
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=10.2.0.1 gateway=192.168.99.1
/ip dns
set allow-remote requests
/ip dns static
disabled
/ip nat
# Forces every LAN client's DNS (UDP and TCP 53) to 10.2.0.1 even when the
# client hard-codes a different resolver; the redirected packets then go
# through the forward chain rather than input.
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=udp
to-address=10.2.0.1
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=tcp
to-address=10.2.0.1

MODIFIED
/ip firewall address-list
# X and Y are placeholders for the admin hosts' last octets; both entries
# carry the same comment "admin device1" (the second presumably device2).
add address=192.168.99.X list=Authorized comment="admin device1"
add address=192.168.99.Y list=Authorized comment="admin device1"
/ip firewall filter
add action=accept chain=input comment="Allow Established/Related/untracked"
connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid Early" connection-state=
invalid
add action=accept chain=input protocol=icmp
# As written this line lacks the comment= keyword before the quoted string;
# the export form is comment="defconf: accept to local loopback (for CAPsMAN)".
add action=accept chain=input "defconf: accept to local loopback (for CAPsMAN)"
dst-address=127.0.0.1
# New connections to the router itself are limited to the Authorized list;
# everything else (other LAN hosts, the tunnel side, WAN) hits the final
# drop. Non-listed LAN hosts therefore cannot use the router as DNS, which
# is why the reply pairs this with a dst-nat of port 53 to 10.2.0.1.
add action=accept chain=input src-address-list=Authorized
add action=drop chain=input comment="Drop all else"
+++++++++++++++++++++++++++++++++
# Fasttrack matches only "established" while its comment says
# Established/Related (defconf uses connection-state=established,related);
# harmless but inconsistent.
add action=fasttrack-connection chain=forward comment="Allow Established/Related"
connection-state=established
add action=accept chain=forward comment="Allow Established/Related"
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Early" connection-state=
invalid
# Only LAN-sourced traffic toward the tunnel is accepted as new connections:
# nothing accepts new connections arriving from wg-proton, so the OP's
# dst-nat port forwards (8080 -> .50:80, 5060 -> .60) would be blocked here
# unless an accept for connection-nat-state=dstnat is added before the final
# drop. LAN traffic toward ether1 is dropped as well, so the LAN cannot
# bypass the tunnel.
add action=accept chain=forward comment="Allow VPN traffic" src-address=192.168.99.0/24 out-interface=wg-proton
add action=drop chain=forward comment="Drop all else in forward"
/ip firewall nat
# WAN masquerade re-enabled (covers router-originated and any non-tunnel
# traffic leaving via ether1).
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=wg-proton
# Same LAN DNS redirect as proposed earlier in the reply (export keyword is
# to-addresses): every LAN client's port-53 traffic is forced to 10.2.0.1,
# even when the client hard-codes another resolver.
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=udp
to-address=10.2.0.1
add chain=dstnat action=dst-nat in-interface-list=LAN dst-port=53 protocol=tcp
to-address=10.2.0.1

And finally, what is needed to route through Proton:
# Policy routing: LAN-sourced packets use table useWG (default via
# wg-proton); everything else, including the router's own traffic, stays
# in main (ether1). IPv4 only -- the OP's /ipv6 route is separate.
/routing table add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=wg-proton routing-table=useWG
# First rule: consult main for all traffic but, with min-prefix=0, ignore
# its default route, so connected/more-specific routes (e.g.
# 192.168.99.0/24) win before the tunnel default in the second rule.
# NOTE(review): verify this min-prefix behaviour on the running RouterOS
# version before relying on it.
/routing rule add min-prefix=0 action=lookup-only-in-table routing-table=main
/routing rule add src-address=192.168.99.0/24 action=lookup-only-in-table routing-table=useWG