Hello,
I can't figure out how to pass a WireGuard tunnel from my MT to a MikroTik WG peer. My use case is to bypass the ISP firewall.
My MT has two WG interfaces, WG STS and VIA WG. WG STS is a site-to-site with a different peer. I'm not sure if that is related to the issue at hand or not.
I tried different netmasks (#4) in the Route list with the "VIA WG" gateway. I'm not sure what I have to set there.
Server Peer & IPs
MT Client Peer & IPs
MT Client Firewall - Interface list
MT Client Mangle
MT Client Route
Torch
Found this somewhere in the forum, still can't. The connection is one way; I don't know whether the route is wrong, the IP/subnet, or a combination.
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=WG pref-src="" routing-table=via-wg suppress-hw-offload=no
/routing rule add action=lookup-only-in-table disabled=no dst-address=10.10.12.0/24 src-address=10.10.12.0/24 table=main
/routing rule add action=lookup-only-in-table disabled=no dst-address=0.0.0.0/0 src-address=10.10.12.0/24 table=via-wg
Done. :d
Thanks for the help. <3


So this is an update.
As I had missed the PMTUD, I also needed to use DoH to bypass the DNS filtering, and as CF does not have any AS in this region the latency was f'd up, so I decided not to use DoH in the client MT and to move the DNS queries to the WG peer.
mangle
/ip firewall mangle
add action=mark-connection chain=prerouting comment="VIA WG DNS" dst-port=53 new-connection-mark=via-wg-dns passthrough=yes protocol=tcp src-address-list=VPN
add action=mark-connection chain=prerouting dst-port=53 new-connection-mark=via-wg-dns passthrough=yes protocol=udp src-address-list=VPN
add action=mark-routing chain=prerouting connection-mark=via-wg-dns new-routing-mark=via-wg passthrough=no
add action=mark-connection chain=prerouting comment="VIA WG Route" dst-address-list=!LOCO new-connection-mark=via-wg passthrough=yes src-address-list=VPN
add action=mark-routing chain=prerouting connection-mark=via-wg new-routing-mark=via-wg passthrough=no src-address-list=VPN
add action=change-mss chain=forward connection-mark=via-wg new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="M VIA WAN" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="SRC-NAT Modem" dst-address=192.168.1.1 out-interface-list=DSL to-addresses=192.168.1.2
add action=src-nat chain=srcnat comment="SRC-NAT VPN - VIA WG" out-interface-list=WG to-addresses=10.10.12.240
add action=dst-nat chain=dstnat comment="DST-NAT VIA WG" connection-mark=via-wg-dns src-address-list=VPN to-addresses=10.10.12.1
address-list
/ip firewall address-list
add address=192.168.88.3 list=VPN
add address=192.168.88.2 disabled=yes list=VPN
add address=192.168.88.0/24 list=LOCO

export.txt (17.8 KB)
Thanks own3r1138 for sharing. I'll post the solution, if successful.
Without a network diagram and a clearer description of what was being done, I have no clue what the thread is about.
For example, I accessed Router A with a WireGuard tunnel from the iPhone, then entered a different tunnel to Router B for internet.
(One might say, why not just tunnel from the iPhone directly to Router B, but what if Router B cannot act as a server, and thus Router B connects to Router A and is then available for access?)
…
Thanks for the diagram!
Q1: So you want the iPhone to go out the SERVER WAN IP for internet?
Q2: Is the WireGuard interface the same one for both iPhone and Server, from the perspective of the MT router (two peers)?
(One WG interface in use or two? Either way there is a solution, so it's up to you.)
A1
So incoming traffic whose destination is not 192.168.88.0/24, from the source address list VPN, will pass through the WG tunnel. Any DNS traffic from address-list=VPN will pass through the WG tunnel.
A2
There is only one WG peer at the client MT for this tunnel. The interface/peer name is VIA WG.
There is another WG peer for another site-to-site tunnel; WG STS is not related to this topic.
You're speaking a foreign language. I can never understand people who try to mix requirements and config.
I couldn't care less about source and address lists.
See how I put it into clear, simple terms: the iPhone user needs access to the internet via the WG interface at the MT device.
Now you try... what are the user requirements?
Hello, first of all, thank you for your post!
I think you did something similar to what I'm trying to achieve, but I have a few questions, if you don't mind.
I have a WireGuard (wirehole with DNS) server running on a VDS with a private IP.
I want to connect my MikroTik to it, but only want 1-2 internal IPs to connect through it.
WG_config
[Interface]
Address = 10.6.0.1
ListenPort = 51820
PrivateKey = Pr_key
[Peer]
# peer3
PublicKey = Pu_key
AllowedIPs = 10.6.0.4/32
I've adapted parts of your config, but it doesn't work.
If you don't mind looking over my config, I'd appreciate it.
I'm using a different port for WireGuard, and have the firewall list disabled for one IP, as it's not working.
Thank you
help1.txt (5.61 KB)
Sure, let me take a look.
What is the CIDR for the 10.6.0.0 network?
Do these refer to what you want to pass through? If yes, why not the same?
/ip dhcp-server lease
add address=10.0.0.38
/ip firewall address-list
add address=10.0.0.46 comment=TV list=VPN
Do these refer to what you want to pass through? If yes, why not the same?
/ip dhcp-server lease
add address=10.0.0.38
/ip firewall address-list
add address=10.0.0.46 comment=TV list=VPN
10.0.0.38 is just one I set static, not needed in forwarding.
10.0.0.46 is the one I want to go through the WG tunnel. Will set it to static.
I believe it's
255.255.255.255
I also cleaned the config of WG SPS that you have. Not sure if you opened my first attachment or the updated one.
I downloaded the config one more time
I want to be sure about what you are saying. So you are saying the WG peer at the VDS IP is 10.6.0.1, the MT peer is 10.6.0.4, and the whole subnet is /32?
[quote=“own3r1138”]
I downloaded the config one more time
I want to be sure about what you are saying. So you are saying the WG peer at the VDS IP is 10.6.0.1, the MT peer is 10.6.0.4, and the whole subnet is /32?
[/quote]
correct.
I used the WireHole script (https://github.com/IAmStoxe/wirehole) to set up WG on the VDS, and it works just fine with the wg software client on laptop and mobile.
So I don't know the exact process to run this script, but the WG config is in fact very simple.
MY problem
It should not work as it is right now, or you could be misleading me, because I have no info about the VDS peer.
Let's say you have a VDS with one public IP, 2.2.2.2.
You have WG with a network of 10.6.0.1/? as the address for the WG interface.
Then you have an MT peer with an IP of 10.6.0.4/?.
You are saying the subnet mask for the VDS WG interface network is 255.255.255.255, so it's a /32 CIDR. This means that it has only one valid IP; now how can it connect to anything other than itself?
add address=10.6.0.4/32 comment="WG VPN" interface="VIA WG" network=10.6.0.4
should be
add address=10.6.0.4/24 comment="WG VPN" interface="VIA WG" network=10.6.0.0
this network should change on both sides of the tunnel.
MY config.

Remove the first line.
/routing rule
add action=lookup-only-in-table disabled=no src-address=10.0.0.46/32 table=via-wg
add action=lookup-only-in-table disabled=no dst-address=10.6.0.0/24 src-address=10.6.0.0/24 table=main
add action=lookup-only-in-table disabled=no dst-address=10.6.0.0/24 src-address=0.0.0.0/0 table=via-wg
This will not affect the WG, but still. (Cloudflare has a limited DNS query rate, so as you already have DoH, let the local MT DNS server be the DNS for your DHCP.)
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
However, do you have fast-track enabled?
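An added example (not from this thread, and not MikroTik or WireHole code) for the point the /32 vs /24 discussion circles around: WireGuard's cryptokey routing. Whatever the router's routing tables and rules say, a WireGuard peer only sends a packet whose destination is inside that peer's AllowedIPs, and only accepts a received packet whose source is inside them; anything else is silently dropped, which looks like a "one way" tunnel. The script parses two wg-quick style configs: the server one is modelled on the WireHole config posted above, the MikroTik one is a constructed equivalent (0.0.0.0/0 as the server peer's AllowedIPs, endpoint 2.2.2.2, placeholder keys; all assumptions). It then reports why a LAN host's packet is dropped at the VDS, and why src-nat to the tunnel address (the same trick as the "SRC-NAT VPN - VIA WG" rule earlier in the thread) makes it pass.

```python
# Added example: WireGuard cryptokey-routing check. Not code from the thread,
# MikroTik or WireHole. Addresses come from the thread; the keys, the endpoint
# 2.2.2.2 and the whole MikroTik-side config are constructed assumptions.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class WgPeer:
    name: str
    allowed_ips: list = field(default_factory=list)


@dataclass
class WgSide:
    name: str
    address: ipaddress.IPv4Interface
    peers: list = field(default_factory=list)


def parse_wg_conf(name, text):
    """Minimal parser for wg-quick style [Interface]/[Peer] sections.
    Only Address and AllowedIPs matter for cryptokey routing; other keys are ignored."""
    address, peers, section = None, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments such as "# peer3"
        if not line:
            continue
        if line.lower() == "[interface]":
            section = "interface"
            continue
        if line.lower() == "[peer]":
            section = WgPeer(name=f"peer{len(peers) + 1}")
            peers.append(section)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            # "10.6.0.1" without a prefix parses as /32, as in the VDS config above
            address = ipaddress.ip_interface(value.split(",")[0].strip())
        elif isinstance(section, WgPeer) and key == "allowedips":
            section.allowed_ips = [ipaddress.ip_network(v.strip(), strict=False)
                                   for v in value.split(",")]
    return WgSide(name, address, peers)


def check_flow(sender, sender_peer, receiver, receiver_peer, src_ip, dst_ip):
    """Reasons a packet src_ip -> dst_ip is dropped between sender and receiver.

    sender_peer is the sender's [Peer] entry for the receiver, receiver_peer the
    receiver's entry for the sender. An empty list means cryptokey routing permits it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    problems = []
    if not any(dst in net for net in sender_peer.allowed_ips):
        problems.append(f"{sender.name}: dst {dst} not in AllowedIPs of its peer entry "
                        f"for {receiver.name}, packet is never sent into the tunnel")
    if not any(src in net for net in receiver_peer.allowed_ips):
        problems.append(f"{receiver.name}: src {src} not in AllowedIPs of its peer entry "
                        f"for {sender.name}, packet is silently dropped on receipt")
    return problems


# Server side, modelled on the WireHole config posted in the thread (keys are placeholders).
SERVER_CONF = """
[Interface]
Address = 10.6.0.1
ListenPort = 51820
PrivateKey = Pr_key
[Peer]
# peer3 (the MikroTik)
PublicKey = Pu_key
AllowedIPs = 10.6.0.4/32
"""

# MikroTik side, a constructed equivalent: full default route into the tunnel.
MT_CONF = """
[Interface]
Address = 10.6.0.4/24
PrivateKey = Pr_key_mt
[Peer]
PublicKey = Pu_key_server
Endpoint = 2.2.2.2:51820
AllowedIPs = 0.0.0.0/0
"""


def run_checks():
    """Three flows from the thread: LAN host without NAT, LAN host after src-nat, the reply."""
    server = parse_wg_conf("server", SERVER_CONF)
    mt = parse_wg_conf("mikrotik", MT_CONF)
    srv_for_mt, mt_for_srv = server.peers[0], mt.peers[0]
    return {
        # 10.0.0.46 policy-routed into the tunnel with its own LAN address
        "lan_host_no_nat": check_flow(mt, mt_for_srv, server, srv_for_mt, "10.0.0.46", "1.1.1.1"),
        # same host after src-nat to the MikroTik's tunnel address
        "lan_host_src_nat": check_flow(mt, mt_for_srv, server, srv_for_mt, "10.6.0.4", "1.1.1.1"),
        # reply coming back from the internet through the VDS
        "reply_from_internet": check_flow(server, srv_for_mt, mt, mt_for_srv, "1.1.1.1", "10.6.0.4"),
    }


if __name__ == "__main__":
    for flow, problems in run_checks().items():
        print(flow, "OK" if not problems else "; ".join(problems))
```

Whatever prefix length the interface addresses carry, the AllowedIPs of the peer entry is what decides whether a packet crosses the tunnel. So there are two ways to let 10.0.0.46 out: src-nat it to 10.6.0.4 on the MikroTik before it enters the WG interface, or add 10.0.0.46/32 (or the LAN prefix) to the MikroTik peer's AllowedIPs on the VDS and make sure the VDS also NATs or routes that prefix back into the tunnel.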
No, i do not have fasttrack.
Changed the DNS server in DHCP to the MT IP, and lost connection.
Do I understand you correctly: since MT DNS is already set to Cloudflare, I can just give out the MT IP as DNS in DHCP?
Removed the first routing rule; I think it was left over from my previous trials.
> Changed the DNS server in DHCP to the MT IP, and lost connection.
This should not be the result, unless you have firewall rules.
> Do I understand you correctly?
Correct.
> No, I do not have fasttrack.
It's okay if you don't, but you will get less throughput.
Hello, I got overworked and couldn't reply. Wanted to thank you for taking your time to reply.
I reconfigured my router and fixed that DNS issue. It looks like if you just leave the IP/DHCP Server DNS setting active but blank, it would not use the router's DNS settings.
Also added fasttrack.
Still didn't get to the WireGuard configuration. Will try again and post here.
Thank you again!