Removing dynamic route so that wireguard can route traffic

Hi All,

I am brand new to Mikrotik, stepping up from OpenWRT. My new router works well out of the box and I want to add a commercial Wireguard VPN that I use to force all outgoing traffic over. So Mikrotik will act as the VPN client. I am running RouterOS v 7.20.1.

I carefully followed a YouTube tutorial online by someone who really knew what they were doing (The Network Berg). I added the public/private wireguard keys, set up a Peer, and the DNS. When I got to the Routing Table, there was something different that I could not do as the tutorial had.

The IP address of my ISP's modem/router is 192.168.1.254 and it serves as the gateway for all Mikrotik traffic (destination address 0.0.0.0/0) headed for the internet. In the tutorial, they simply deleted that route (0.0.0.0 to 192.168.1.254) so they could assign (0.0.0.0/0) to wireguard. However, in my case, when I try to remove the connection between 0.0.0.0/0 and 192.168.1.254, it tells me that it "cannot remove dynamic route created by a different owner 0.0.0.0/0->192.168.1.254". Additionally, for this route, I cannot make any changes at all, including changing the distance, disabling it, etc. So now I have 0.0.0.0/0 as the destination address for 2 separate records, which doesn't look right to me.

None of my traffic is going through the wireguard VPN. In the Peer record, Tx packet and Rx packet both read 0. I've tried poking around a bunch, and I don't know what to do. There are some posts similar to mine, but either the problems are a bit different or the answers are way over my head. I'm hoping that there's a relatively simple solution that someone can see.

The wireguard endpoint is 206.217.206.16 and the wireguard IP address is 10.70.155.225. I can see that my wireguard is a static connection.

Here is the routing table as it's set up:

[admin@MikroTik] /interface/list> /routing/route print
Flags: A - ACTIVE; c - CONNECT, s - STATIC, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, AFI, ROUTING-TABLE, DISTANCE, SCOPE, TARGET-SCOPE, IMMEDIATE-GW
    DST-ADDRESS        GATEWAY        AFI   ROUTING-TABLE  DISTANCE  SCOPE  TARGET-SCOPE  IMMEDIATE-GW        
As+ 0.0.0.0/0          wireguard      ip    main                  1     30            10  wireguard       
Ad+ 0.0.0.0/0          192.168.1.254  ip    main                  1     30            10  192.168.1.254%ether1
Ac  10.70.155.225/32   wireguard      ip    main                  0     10             5  wireguard       
Ac  192.168.1.0/24     ether1         ip    main                  0     10             5  ether1              
Ac  192.168.88.0/24    bridge         ip    main                  0     10             5  bridge              
As  206.217.206.16/32  192.168.1.254  ip    main                  1     30            10  192.168.1.254%ether1
Ac  ::1/128            lo             ipv6  main                  0     10             5  lo                  
Ac  fe80::/64          bridge         ipv6  main                  0     10             5  bridge              
Ac  fe80::/64          wireguard      ipv6  main                  0     10             5  us-dal-wg-507       
Ac  fe80::/64          ether1         ipv6  main                  0     10             5  ether1              
A   lo                                link  main                  0                                           
A   ether1                            link  main                  0                                           
A   ether4                            link  main                  0                                           
A   bridge                            link  main                  0                                           
A   wireguard                         link  main                  0  

If your dynamic route is from DHCP you should be able to add a statement like

default-route-distance=2

to your DHCP config to raise the administrative distance above your WireGuard route. Not sure that is what you want though.

Hi, I think that this is the setting you need

It is in IP -> DHCP Client. You can't remove the original default gateway, because the WireGuard tunnel must establish. So the idea is that you use your default gateway given by the DHCP server with administrative Distance 2 or anything higher than 1, so this gateway has lower priority than the WireGuard's default gateway. After the tunnel is established, you will have a gateway with Distance = 1 and that will be used because of higher priority (lower Distance number).

Also if you need, you can use the Script field to run RouterOS script when the DHCP Client changes its state - it gets the IP configuration or it renews the configuration, etc.

If you want help:
a. complete export of config
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

b. assuming the vpn site gave you:
a. private key to use when creating the interface ( so it already has your device generated public IP )
b. ip address
c. public key ( to put on peer settings for remote end )
d. endpoint IP
e. endpoint port
f. maybe also the DNS address which was ??????

You will need to add persistent-keepalive to your allowed addresses as well.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now do you need one subnet to go out vpn, out of how many subnets?
Do you need some users that maintain local WANIP vice VPN etc.

In other words better detail if available on actual requirements.

Thanks very much @michaldo. That gave wireguard priority. But now there’s no internet, so wireguard may not be connecting, so the problem must be something different. I’m posting more information below.

Thanks. I gave the connection straight to the ISP distance 2 (wireguard has distance 1). Once that was done, I had no internet, which makes me think the VPN isn’t working. At the moment, I’m not dealing with subnets. I’ll do that later after I learn more. For now, everything will be on the same subnet. I want to make sure I can get VPN running for 100% of WAN traffic before my return date for the device comes up. Then I’ll start on subnets in a month or two.

[admin@MikroTik] > file read file=wireguard_troubleshooting.rsc chunk-size=10009
  data: # 2025-10-19 16:23:25 by RouterOS 7.20.1                                       
        # software id = ****                                                      
        #                                                                              
        # model = RB5009UPr+S+                                                         
        # serial number = ****                                                  
        /interface bridge                                                              
        add admin-mac=D4:01:C3:AA:2F:F4 auto-mac=no comment=defconf name=bridge        
        /interface wireguard                                                           
        add listen-port=13231 mtu=1420 name=wireguard                                  
        /interface list                                                                
        add comment=defconf name=WAN                                                   
        add comment=defconf name=LAN                                                   
        /ip pool                                                                       
        add name=default-dhcp ranges=192.168.88.10-192.168.88.254                      
        /ip dhcp-server                                                                
        add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf     
        /interface bridge port                                                         
        add bridge=bridge comment=defconf interface=ether2                             
        add bridge=bridge comment=defconf interface=ether3                             
        add bridge=bridge comment=defconf interface=ether4                             
        add bridge=bridge comment=defconf interface=ether5                             
        add bridge=bridge comment=defconf interface=ether6                             
        add bridge=bridge comment=defconf interface=ether7                             
        add bridge=bridge comment=defconf interface=ether8                             
        add bridge=bridge comment=defconf interface=sfp-sfpplus1                       
        /ip neighbor discovery-settings                                                
        set discover-interface-list=LAN                                                
        /interface list member                                                         
        add comment=defconf interface=bridge list=LAN                                  
        add comment=defconf interface=ether1 list=WAN                                  
        /interface ovpn-server server                                                  
        add mac-address=FE:A9:81:F4:03:5E name=ovpn-server1                            
        /interface wireguard peers                                                     
        add allowed-address=0.0.0.0/0 endpoint-address=206.**.**.** endpoint-port=\  
            51820 interface=wireguard name=peer2 private-key=\                         
            "***" public-key=\                
            "X+7I8c72fUvhq8ybiTlSzczubwn3mL86eL/fC0F6tBE=" responder=yes               
        /ip address                                                                    
        add address=192.168.88.1/24 comment=defconf interface=bridge network=\         
            192.168.88.0                                                               
        add address=10.70.155.225 interface=wireguard network=10.70.155.225            
        /ip dhcp-client                                                                
        add comment=defconf default-route-distance=2 interface=ether1                  
        /ip dhcp-server network                                                        
        add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\  
            192.168.88.1                                                               
        /ip dns                                                                        
        set allow-remote-requests=yes servers=100.**.**.**                              
        /ip dns static                                                                 
        add address=192.168.88.1 comment=defconf name=router.lan type=A                
        /ip firewall filter                                                            
        add action=accept chain=forward dst-address=206.**.**.** dst-port=51820 \    
            protocol=udp                                                               
        add action=accept chain=input comment=\                                        
            "defconf: accept established,related,untracked" connection-state=\         
            established,related,untracked                                              
        add action=drop chain=input comment="defconf: drop invalid" connection-state=\ 
            invalid                                                                    
        add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp     
        add action=accept chain=input comment=\                                        
            "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1    
        add action=drop chain=input comment="defconf: drop all not coming from LAN" \  
            in-interface-list=!LAN                                                     
        add action=accept chain=forward comment="defconf: accept in ipsec policy" \    
            ipsec-policy=in,ipsec                                                      
        add action=accept chain=forward comment="defconf: accept out ipsec policy" \   
            ipsec-policy=out,ipsec                                                     
        add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \   
            connection-state=established,related hw-offload=yes                        
        add action=accept chain=forward comment=\                                      
            "defconf: accept established,related, untracked" connection-state=\        
            established,related,untracked                                              
        add action=drop chain=forward comment="defconf: drop invalid" \                
            connection-state=invalid                                                   
        add action=drop chain=forward comment=\                                        
            "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \   
            connection-state=new in-interface-list=WAN                                 
        /ip firewall nat                                                               
        add action=masquerade chain=srcnat comment="defconf: masquerade" \             
            ipsec-policy=out,none out-interface-list=WAN                               
        /ip ipsec profile                                                              
        set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5                
        /ip route                                                                      
        add disabled=no distance=1 dst-address=206.xx.**.**/32 gateway=\             
            192.168.1.254 routing-table=main scope=30 suppress-hw-offload=no \         
            target-scope=10                                                            
        add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard \           
            routing-table=main scope=30 suppress-hw-offload=no target-scope=10         
        /ipv6 firewall address-list                                                    
        add address=::/128 comment="defconf: unspecified address" list=bad_ipv6        
        add address=::1/128 comment="defconf: lo" list=bad_ipv6                        
        add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6              
        add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6     
        add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6                 
        add address=100::/64 comment="defconf: discard only " list=bad_ipv6            
        add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6       
        add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6               
        add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6                   
        /ipv6 firewall filter                                                          
        add action=accept chain=input comment=\                                        
            "defconf: accept established,related,untracked" connection-state=\         
            established,related,untracked                                              
        add action=drop chain=input comment="defconf: drop invalid" connection-state=\ 
            invalid                                                                    
        add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\      
            icmpv6                                                                     
        add action=accept chain=input comment="defconf: accept UDP traceroute" \       
            dst-port=33434-33534 protocol=udp                                          
        add action=accept chain=input comment=\                                        
            "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\ 
            udp src-address=fe80::/10                                                  
        add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
            protocol=udp                                                               
        add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\    
            ipsec-ah                                                                   
        add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\   
            ipsec-esp                                                                  
        add action=accept chain=input comment=\                                        
            "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec      
        add action=drop chain=input comment=\                                          
            "defconf: drop everything else not coming from LAN" in-interface-list=\    
            !LAN                                                                       
        add action=accept chain=forward comment=\                                      
            "defconf: accept established,related,untracked" connection-state=\         
            established,related,untracked                                              
        add action=drop chain=forward comment="defconf: drop invalid" \                
            connection-state=invalid                                                   
        add action=drop chain=forward comment=\                                        
            "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6        
        add action=drop chain=forward comment=\                                        
            "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6        
        add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \    
            hop-limit=equal:1 protocol=icmpv6                                          
        add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\    
            icmpv6                                                                     
        add action=accept chain=forward comment="defconf: accept HIP" protocol=139     
        add action=accept chain=forward comment="defconf: accept IKE" dst-port=\       
            500,4500 protocol=udp                                                      
        add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\  
            ipsec-ah                                                                   
        add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\ 
            ipsec-esp                                                                  
        add action=accept chain=forward comment=\                                      
            "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec      
        add action=drop chain=forward comment=\                                        
            "defconf: drop everything else not coming from LAN" in-interface-list=\    
            !LAN                                                                       
        /system clock                                                                  
        set time-zone-name=America/Denver                                         
        /tool mac-server                                                               
        set allowed-interface-list=LAN                                                 
        /tool mac-server mac-winbox                                                    
        set allowed-interface-list=LAN 

Please edit your post and censor the sensitive information (serial, software id, WireGuard private key!!!, public IP addresses).

As for the problem. Run /ip route print and see what is the gateway address on the route with destination 0.0.0.0/0 and distance 2. If the gateway is not 192.168.1.254, then you need to adjust your static route to the WG server address (the 206.x.x.x destination) to use the same gateway instead of 192.168.1.254 that you currently have.

Also, turn off responder on the peer property sheet! If you leave that on, the router will not initiate handshake to the commercial VPN!

Change your WireGuard configuration to use 0.0.0.0/1 + 128.0.0.0/1 instead of 0.0.0.0/0.
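An added example (Python, not RouterOS code and not from anyone in this thread) that models how RouterOS picks the active route: longest matching prefix first, then lowest distance, with equal-distance duplicates both staying active as ECMP (the `+` flag in the route print above). It walks the tables discussed here: the original two distance-1 defaults, the default-route-distance=2 fix, the 0.0.0.0/1 + 128.0.0.0/1 split, and the /32 host route to the endpoint that keeps the tunnel's own UDP packets off the tunnel; 203.0.113.10 is a constructed destination in the upper half of the address space.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str       # destination prefix, e.g. "0.0.0.0/0"
    gateway: str   # next-hop address or interface name, e.g. "wireguard"
    distance: int  # administrative distance; lower wins for identical prefixes

    @property
    def network(self):
        return ipaddress.ip_network(self.dst)


def active_routes(routes, dst_ip):
    """Routes a RouterOS-style FIB would use for dst_ip.

    Longest matching prefix wins.  Among routes with that prefix length the
    lowest distance is active; several routes with equal distance are all
    active and load-balanced (the '+' ECMP flag in /routing/route print).
    """
    ip = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if ip in r.network]
    if not matching:
        return []
    best_len = max(r.network.prefixlen for r in matching)
    same_len = [r for r in matching if r.network.prefixlen == best_len]
    best_dist = min(r.distance for r in same_len)
    return [r for r in same_len if r.distance == best_dist]


def gateways(routes, dst_ip):
    """Sorted gateway names/addresses that traffic to dst_ip would use."""
    return sorted(r.gateway for r in active_routes(routes, dst_ip))


def tunnel_is_reachable(routes, endpoint_ip, tunnel_if="wireguard"):
    """The tunnel only works if its encrypted UDP packets to the peer
    endpoint leave via a real gateway.  If the endpoint itself resolves to
    the tunnel interface, the tunnel would have to carry its own transport
    (a routing loop) and no handshake can complete."""
    return tunnel_if not in gateways(routes, endpoint_ip)


# Constructed tables modelled on the thread; ISP gateway and endpoint are the
# values quoted in the original post.
ISP_GW = "192.168.1.254"
ENDPOINT = "206.217.206.16"
ENDPOINT_HOST_ROUTE = Route(f"{ENDPOINT}/32", ISP_GW, 1)

# 1. Original state: DHCP default and WireGuard default both at distance 1.
ORIGINAL = [
    Route("0.0.0.0/0", "wireguard", 1),
    Route("0.0.0.0/0", ISP_GW, 1),      # dynamic DHCP route, not editable
    ENDPOINT_HOST_ROUTE,
]

# 2. After default-route-distance=2 on the DHCP client.
DISTANCE_FIXED = [
    Route("0.0.0.0/0", "wireguard", 1),
    Route("0.0.0.0/0", ISP_GW, 2),
    ENDPOINT_HOST_ROUTE,
]

# 3. Only 0.0.0.0/1 pointed at the tunnel: the upper half of the address
#    space still falls through to the DHCP default via the ISP.
HALF_SPLIT = [
    Route("0.0.0.0/1", "wireguard", 1),
    Route("0.0.0.0/0", ISP_GW, 2),
    ENDPOINT_HOST_ROUTE,
]

# 4. 0.0.0.0/1 + 128.0.0.0/1: both are more specific than the DHCP /0, so
#    they win regardless of distance; the endpoint /32 is more specific still.
FULL_SPLIT = [
    Route("0.0.0.0/1", "wireguard", 1),
    Route("128.0.0.0/1", "wireguard", 1),
    Route("0.0.0.0/0", ISP_GW, 2),
    ENDPOINT_HOST_ROUTE,
]

# 5. Without the endpoint host route the peer address falls into the tunnel
#    default and the tunnel can never come up.
NO_HOST_ROUTE = [
    Route("0.0.0.0/0", "wireguard", 1),
    Route("0.0.0.0/0", ISP_GW, 2),
]


if __name__ == "__main__":
    for name, table in [("original", ORIGINAL), ("distance 2", DISTANCE_FIXED),
                        ("0/1 only", HALF_SPLIT), ("0/1 + 128/1", FULL_SPLIT),
                        ("no /32", NO_HOST_ROUTE)]:
        print(f"{name:12} 8.8.8.8 -> {gateways(table, '8.8.8.8')}  "
              f"203.0.113.10 -> {gateways(table, '203.0.113.10')}  "
              f"tunnel reachable: {tunnel_is_reachable(table, ENDPOINT)}")
```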

Thanks everyone for the replies.

  1. The /ip route print indicates that the gateway address on the route with destination 0.0.0.0/0 and distance 2 is the same as the gateway for the WG server address (206.x.x.x).

  2. The responder has been turned off on the peer property sheet

  3. In the peer property sheet I changed the allowed addresses to 0.0.0.0/1 and 128.0.0.0/1.

  4. In the route list, if I change the wireguard destination address to 0.0.0.0/1, then I have internet but without VPN. If I change the wireguard destination address to 0.0.0.0/0, then I have no internet at all.

  5. Another curious thing is that my PC can ping www.google.com successfully but when pinging 1.1.1.1 or 8.8.8.8 it cannot connect. If I plug straight into my ISP modem/router, then it works as expected.

  6. Although all VPN related data were copied directly from a configuration file created a day ago, perhaps I should test these out using the linux command line.

Does anyone else see something obvious that I’m doing wrong?

[admin@MikroTik] > file read file=wireguard_troubleshooting.rsc chunk-size=10000
  data: # 2025-10-20 09:52:12 by RouterOS 7.20.1                                       
        # software id =                                                       
        #                                                                              
        # model = RB5009UPr+S+                                                         
        # serial number =                                                  
        /interface bridge                                                              
        add admin-mac=D4:01:C3:AA:2F:F4 auto-mac=no comment=defconf name=bridge        
        /interface wireguard                                                           
        add listen-port=13231 mtu=1420 name=wireguard                                  
        /interface list                                                                
        add comment=defconf name=WAN                                                   
        add comment=defconf name=LAN                                                   
        /ip pool                                                                       
        add name=default-dhcp ranges=192.168.88.10-192.168.88.254                      
        /ip dhcp-server                                                                
        add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf     
        /interface bridge port                                                         
        add bridge=bridge comment=defconf interface=ether2                             
        add bridge=bridge comment=defconf interface=ether3                             
        add bridge=bridge comment=defconf interface=ether4                             
        add bridge=bridge comment=defconf interface=ether5                             
        add bridge=bridge comment=defconf interface=ether6                             
        add bridge=bridge comment=defconf interface=ether7                             
        add bridge=bridge comment=defconf interface=ether8                             
        add bridge=bridge comment=defconf interface=sfp-sfpplus1                       
        /ip neighbor discovery-settings                                                
        set discover-interface-list=LAN                                                
        /interface list member                                                         
        add comment=defconf interface=bridge list=LAN                                  
        add comment=defconf interface=ether1 list=WAN                                  
        /interface ovpn-server server                                                  
        add mac-address=FE:A9:81:F4:03:5E name=ovpn-server1                            
        /interface wireguard peers                                                     
        add allowed-address=0.0.0.0/1,128.0.0.0/1 client-keepalive=30s \               
            endpoint-address=206.xx.xx.xx endpoint-port=51820 interface=wireguard \  
            name=peer2 persistent-keepalive=25s private-key=\                          
            "*******" public-key=\                
            "X+7I8c72fUvhq8ybiTlSzczubwn3mL86eL/fC0F6tBE="                             
        /ip address                                                                    
        add address=192.168.88.1/24 comment=defconf interface=bridge network=\         
            192.168.88.0                                                               
        add address=10.70.155.225 interface=wireguard network=10.70.155.225            
        /ip dhcp-client                                                                
        add comment=defconf default-route-distance=2 interface=ether1                  
        /ip dhcp-server network                                                        
        add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\  
            192.168.88.1                                                               
        /ip dns                                                                        
        set allow-remote-requests=yes servers=100.xx.xx.xx                              
        /ip dns static                                                                 
        add address=192.168.88.1 comment=defconf name=router.lan type=A                
        /ip firewall filter                                                            
        add action=accept chain=forward dst-address=206.xx.xx.xx dst-port=51820 \    
            protocol=udp                                                               
        add action=accept chain=input comment=\                                        
            "defconf: accept established,related,untracked" connection-state=\         
            established,related,untracked                                              
        add action=drop chain=input comment="defconf: drop invalid" connection-state=\ 
            invalid                                                                    
        add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp     
        add action=accept chain=input comment=\                                        
            "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1    
        add action=drop chain=input comment="defconf: drop all not coming from LAN" \  
            in-interface-list=!LAN                                                     
        add action=accept chain=forward comment="defconf: accept in ipsec policy" \    
            ipsec-policy=in,ipsec                                                      
        add action=accept chain=forward comment="defconf: accept out ipsec policy" \   
            ipsec-policy=out,ipsec                                                     
        add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \   
            connection-state=established,related hw-offload=yes                        
        add action=accept chain=forward comment=\                                      
            "defconf: accept established,related, untracked" connection-state=\        
            established,related,untracked                                              
        add action=drop chain=forward comment="defconf: drop invalid" \                
            connection-state=invalid                                                   
        add action=drop chain=forward comment=\                                        
            "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \   
            connection-state=new in-interface-list=WAN                                 
        /ip firewall nat                                                               
        add action=masquerade chain=srcnat comment="defconf: masquerade" \             
            ipsec-policy=out,none out-interface-list=WAN                               
        /ip ipsec profile                                                              
        set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5                
        /ip route                                                                      
        add disabled=no distance=1 dst-address=206.xx.xx.xx/32 gateway=\             
            192.168.1.254 routing-table=main scope=30 suppress-hw-offload=no \         
            target-scope=10                                                            
        add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=wireguard \           
            routing-table=main scope=30 suppress-hw-offload=yes target-scope=10        
        /ipv6 firewall address-list                                                    
        add address=::/128 comment="defconf: unspecified address" list=bad_ipv6        
        add address=::1/128 comment="defconf: lo" list=bad_ipv6                        
        add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6              
        add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6     
        add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6                 
        add address=100::/64 comment="defconf: discard only " list=bad_ipv6            
        add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6       
        add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6               
        add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6                   
        /ipv6 firewall filter                                                          
        add action=accept chain=input comment=\                                        
            "defconf: accept established,related,untracked" connection-state=\         
            established,related,untracked                                              
        add action=drop chain=input comment="defconf: drop invalid" connection-state=\ 
            invalid                                                                    
        add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\      
            icmpv6                                                                     
        add action=accept chain=input comment="defconf: accept UDP traceroute" \       
            dst-port=33434-33534 protocol=udp                                          
        add action=accept chain=input comment=\                                        
            "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\ 
            udp src-address=fe80::/10                                                  
        add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
            protocol=udp                                                               
        add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\    
            ipsec-ah                                                                   
        add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\   
            ipsec-esp                                                                  
        add action=accept chain=input comment=\                                        
            "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec      
        add action=drop chain=input comment=\                                          
            "defconf: drop everything else not coming from LAN" in-interface-list=\    
            !LAN                                                                       
        add action=accept chain=forward comment=\                                      
            "defconf: accept established,related,untracked" connection-state=\         
            established,related,untracked                                              
        add action=drop chain=forward comment="defconf: drop invalid" \                
            connection-state=invalid                                                   
        add action=drop chain=forward comment=\                                        
            "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6        
        add action=drop chain=forward comment=\                                        
            "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6        
        add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \    
            hop-limit=equal:1 protocol=icmpv6                                          
        add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\    
            icmpv6                                                                     
        add action=accept chain=forward comment="defconf: accept HIP" protocol=139     
        add action=accept chain=forward comment="defconf: accept IKE" dst-port=\       
            500,4500 protocol=udp                                                      
        add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\  
            ipsec-ah                                                                   
        add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\ 
            ipsec-esp                                                                  
        add action=accept chain=forward comment=\                                      
            "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec      
        add action=drop chain=forward comment=\                                        
            "defconf: drop everything else not coming from LAN" in-interface-list=\    
            !LAN                                                                       
        /system clock                                                                  
        set time-zone-name=America/Denver                                         
        /tool mac-server                                                               
        set allowed-interface-list=LAN                                                 
        /tool mac-server mac-winbox                                                    
        set allowed-interface-list=LAN  
# model = RB5009UPr+S+                                                         
        # serial number =                                                  
        /interface bridge                                                              
        add admin-mac=D4:01:C3:AA:2F:F4 auto-mac=no comment=defconf name=bridge 
        /interface ethernet
        set [ find default-name=ether8 ] name=OffBridge8
        /interface wireguard                                                           
        add listen-port=13231 mtu=1420 name=wireguard                                  
        /interface list                                                                
        add comment=defconf name=WAN                                                   
        add comment=defconf name=LAN 
        /ip pool                                                                       
        add name=default-dhcp ranges=192.168.88.10-192.168.88.254
        /routing table
        add fib name=useWG
        /ip dhcp-server                                                                
        add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf     
        /interface bridge port                                                         
        add bridge=bridge comment=defconf interface=ether2                             
        add bridge=bridge comment=defconf interface=ether3                             
        add bridge=bridge comment=defconf interface=ether4                             
        add bridge=bridge comment=defconf interface=ether5                             
        add bridge=bridge comment=defconf interface=ether6                             
        add bridge=bridge comment=defconf interface=ether7                                                          
        add bridge=bridge comment=defconf interface=sfp-sfpplus1                       
        /ip neighbor discovery-settings                                                
        set discover-interface-list=LAN                                              
        /interface list member                                                         
        add comment=defconf interface=bridge list=LAN 
        add interface=OffBridge8 list=LAN
        add comment=defconf interface=ether1 list=WAN
        /interface ovpn-server server                                                  
        add mac-address=FE:A9:81:F4:03:5E name=ovpn-server1                            
        /interface wireguard peers                                                     
        add allowed-address=0.0.0.0/0 endpoint-address=206.xx.xx.xx \
            endpoint-port=51820 interface=wireguard persistent-keepalive=25s \
            public-key=+-----+
        /ip address                                                                    
        add address=192.168.88.1/24 comment=defconf interface=bridge network=\         
            192.168.88.0                                                               
        add address=10.70.155.225/24 interface=wireguard network=10.70.155.0  
        add address=192.168.58.1/30 interface=OffBridge8 network=192.168.58.0
        /ip dhcp-client                                                                
        add comment=defconf default-route-distance=1 interface=ether1                  
        /ip dhcp-server network                                                        
        add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\  
            192.168.88.1                                                               
        /ip dns                                                                        
        set allow-remote-requests=yes servers=100.xx.xx.xx 
        /ip firewall address-list
        add address=192.168.88.XX list=NormalWAN comment="device1 reserved for local WAN"
        add address=192.168.88.YY list=NormalWAN comment="device2 reserved for local WAN"
        add address=192.168.58.2 list=NormalWAN comment="offbridge port"
        add address=192.168.88.AA list=TRUSTED comment="admin device1"
        add address=192.168.88.BB list=TRUSTED comment="admin device2"
        add address=192.168.58.2 list=TRUSTED comment="admin on Offbridge8"
        /ip firewall filter                                                                                                                         
        add action=accept chain=input comment=\                                        
            "defconf: accept established,related,untracked" connection-state=\         
            established,related,untracked                                              
        add action=drop chain=input comment="defconf: drop invalid" connection-state=\ 
            invalid                                                                    
        add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp     
        add action=accept chain=input comment=\                                        
            "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
        add action=accept chain=input in-interface-list=LAN src-address-list=TRUSTED
        add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
        add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
        add action=drop chain=input comment="drop all else"
        # ---- forward chain ----
        add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \   
            connection-state=established,related hw-offload=yes                        
        add action=accept chain=forward comment=\                                      
            "defconf: accept established,related, untracked" connection-state=\        
            established,related,untracked                                              
        add action=drop chain=forward comment="defconf: drop invalid" \                
            connection-state=invalid                                                   
        add action=accept chain=forward comment="internet traffic (exempt hosts via ISP)" \
            in-interface-list=LAN src-address-list=NormalWAN out-interface-list=WAN
        add action=accept chain=forward comment="internet traffic (everyone else via VPN)" \
            in-interface-list=LAN out-interface=wireguard
        add action=accept chain=forward comment="offbridge to lan" \
            in-interface=OffBridge8 out-interface-list=LAN
        add action=drop chain=forward comment="drop all else"
        /ip firewall nat                                                               
        add action=masquerade chain=srcnat comment="defconf: masquerade" \             
            ipsec-policy=out,none out-interface-list=WAN  
        add action=masquerade chain=srcnat out-interface=wireguard \
            comment="So vpn site sees one incoming source address"
        add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=udp \
            to-addresses=10.x.x.x
        add action=dst-nat chain=dstnat in-interface-list=LAN dst-port=53 protocol=tcp \
            to-addresses=10.x.x.x
        /ip ipsec profile                                                              
        set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5                
        /ip route                                                                      
        add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG      
        add dst-address=100.x.x.x  gateway=wireguard routing-table=main 
        /routing rule
        add min-prefix=0 action=lookup-only-in-table  table=main
        add src-address=192.168.88.XX action=lookup-only-in-table table=main
        add src-address=192.168.88.YY action=lookup-only-in-table table=main
        add src-address=192.168.88.0/24  action=lookup-only-in-table table=useWG
        /ipv6 firewall filter                                                          
        add action=drop chain=input
        add action=drop chain=forward
        /system clock                                                                  
        set time-zone-name=America/Denver                                         
        /tool mac-server                                                               
        set allowed-interface-list=none
        /tool mac-server mac-winbox                                                    
        set allowed-interface-list=LAN 

Plug a laptop into ether8, change its IPv4 settings to 192.168.58.2, and you will have access to the router even if you kick yourself out of the router by frigging with the bridge or later VLANs etc.

I have set it up such that
a. you can add users to use the normal WAN if required.
b. you identify only a few users to access the router for config purposes,
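Worked configuration for both posts above, added here as an example and not taken from either poster. The dynamic 0.0.0.0/0 -> 192.168.1.254 route in the question is owned by the DHCP client on ether1, which is why /ip route refuses to remove, disable or edit it; its distance, however, is a property of the DHCP client and can be changed there. Option A uses that to let a static WireGuard default route win in the main table, which is the shape the tutorial in the question was after. Option B is the split-table layout from the reply, with the routing-rule semantics spelled out, for the case where only some hosts should use the tunnel. Interface names ether1 and wireguard, the endpoint 206.217.206.16 and the ISP gateway 192.168.1.254 come from the question; 192.168.88.10 stands in for the XX/YY exempted hosts of the reply and is illustrative; the routing-table parameter of /ping is assumed from the v7 syntax. Apply one option, not both.

```routeros
# Added example, not part of either post. Assumes ether1 = ISP uplink,
# wireguard = the WG client interface, endpoint 206.217.206.16 and ISP
# gateway 192.168.1.254 (from the question); 192.168.88.10 is illustrative.

# ---------- Option A: everything through WireGuard, in the main table ----------
# The DHCP client owns the dynamic default route. It cannot be deleted, but
# its distance is set on the client, so raise it above the static route.
/ip dhcp-client
set [ find interface=ether1 ] default-route-distance=10

# Pin the peer endpoint to the ISP gateway. Once the default points into the
# tunnel, the tunnel's own UDP packets would otherwise be routed back into
# it and the handshake never completes.
/ip route
add dst-address=206.217.206.16/32 gateway=192.168.1.254 distance=1 \
    comment="WG endpoint via ISP - must stay outside the tunnel"
add dst-address=0.0.0.0/0 gateway=wireguard distance=1 \
    comment="default via WireGuard - beats the DHCP route at distance 10"

# LAN sources must be NATed to the tunnel address or the provider drops them.
/ip firewall nat
add chain=srcnat out-interface=wireguard action=masquerade \
    comment="NAT LAN behind the WireGuard address"

# ---------- Option B: per-source policy routing (layout of the reply) ----------
# Leave the DHCP default alone; put the WireGuard default in its own FIB and
# steer selected sources into it. Router-originated traffic (including the
# WireGuard endpoint packets) keeps using main, so no endpoint pin is needed.
/routing table
add fib name=useWG
/ip route
add dst-address=0.0.0.0/0 gateway=wireguard routing-table=useWG

/routing rule
# 1. Resolve connected and other specific routes from main, but suppress
#    main's default route: min-prefix=0 is Linux suppress_prefixlength 0,
#    so a default-route match does not terminate the lookup here.
add action=lookup-only-in-table table=main min-prefix=0
# 2. Exempted hosts keep the ISP default.
add src-address=192.168.88.10/32 action=lookup-only-in-table table=main
# 3. Everyone else on the LAN: WireGuard default only. lookup-only-in-table
#    does not fall through to main when useWG has no usable route, so these
#    hosts fail closed instead of leaking to the ISP when the tunnel drops.
add src-address=192.168.88.0/24 action=lookup-only-in-table table=useWG

/ip firewall nat
add chain=srcnat out-interface=wireguard action=masquerade \
    comment="NAT LAN behind the WireGuard address"

# ---------- Checks ----------
# Option A: the wireguard route should carry the A (active) flag and the
# DHCP route should show distance 10 and be inactive.
/ip route print where dst-address=0.0.0.0/0
# Option B: rules in the order above; a default route present in useWG.
/routing rule print
/ip route print where routing-table=useWG
# Both: rx/tx and last-handshake must move once keepalive is running.
/interface wireguard peers print
# Both: a ping sourced through the VPN table (parameter assumed from v7).
/ping 1.1.1.1 routing-table=useWG count=3
```

Two points worth checking after applying either option. First, `/interface wireguard peers print` showing tx=0 as in the question means the router never sent a handshake; with persistent-keepalive set, the usual cause is that the endpoint route is wrong or loops into the tunnel, which the /32 pin in Option A avoids. Second, in Option B the forward chain of the reply only allows non-exempt LAN hosts out via the wireguard interface, never via the WAN list, so the firewall enforces the same fail-closed behaviour as the routing rule; if a host must never leave the tunnel, keep both, since a later change to `action=lookup` in the rule would silently fall back to main.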