If you want to use the CHR as the gateway to the internet then:

On the CHR:

- In the peer setting associated with your MikroTik router, set `allowed-address=192.168.2.2/32`, don't set `persistent-keepalive`.
- In the peer setting associated with your Laptop, set `allowed-address=192.168.2.3/32`, don't set `persistent-keepalive`. Normally you have to avoid giving overlapping address ranges between different peers of one WireGuard interface. Both peers having `allowed-address=0.0.0.0/0` won't work.
- You should apply proper firewall rules to protect your CHR. You can use the 7.21 defconf rules from this post of @rextended: Buying - RB1100AHx4 Dude Edition - Questions about Firewall - #4 by rextended. Currently you have `allow-remote-requests=yes` for DNS on the CHR, so without proper firewall configuration your CHR will be abused to perform DNS amplification attacks, for example.
- Once you have the firewall in place, enable the WAN connection on `ether1` (you currently have the DHCP client disabled and no static IP address & gateway configuration).

On your RB5009:

- This NAT rule is wrong: `/ip firewall nat add action=masquerade chain=srcnat in-interface=WG_VPS`. It should be `out-interface=WG_VPS` instead. But better is to remove the rule and add `WG_VPS` to the interface list `WAN`. Currently you have that interface in the list `LAN`! Having the interface in the `WAN` list will automatically apply the masquerade for you (by using the `defconf: masquerade` rule). You should treat `WG_VPS` like you treated `ProtonVPN-IL50` and `ProtonVPN-IL530` with regard to address list membership.
- Also apply the two `change-mss` mangle rules to `out-interface=WG_VPS`.
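The steps above written out as RouterOS CLI commands, as an added example that is not part of the original post. The `[find comment=...]` selectors used to pick the two WireGuard peers and the existing NAT rule are assumptions about how those items are labelled on the user's devices; the `defconf` rules quoted are the standard RouterOS defaults and stand in for the full rule set from the linked post, not as a replacement for it.

```routeros
# ===== CHR (the side with the public address) =====

# One /32 per peer, no overlap; no persistent-keepalive is needed on the
# side that is reachable from the internet. Peer comments are assumptions.
/interface wireguard peers set [find comment="RB5009"] allowed-address=192.168.2.2/32
/interface wireguard peers set [find comment="Laptop"] allowed-address=192.168.2.3/32

# ether1 must be in the WAN list so the defconf filter rules apply to it.
/interface list member add list=WAN interface=ether1

# Apply the full defconf filter set from the linked post. The single rule
# shown here is the one that stops the resolver (allow-remote-requests=yes)
# from answering queries arriving on the WAN side.
/ip firewall filter add chain=input in-interface-list=!LAN action=drop \
    comment="defconf: drop all not coming from LAN"

# Only after the firewall is in place: bring up the WAN connection.
/ip dhcp-client set [find interface=ether1] disabled=no

# ===== RB5009 =====

# Move WG_VPS from the LAN list to the WAN list. The defconf srcnat rule
# matches out-interface-list=WAN, so WG_VPS gets masqueraded automatically.
/interface list member remove [find interface=WG_VPS list=LAN]
/interface list member add list=WAN interface=WG_VPS

# Drop the incorrect rule: in-interface on a srcnat rule never matches the
# egress direction, so it would not NAT anything towards the tunnel.
/ip firewall nat remove [find chain=srcnat action=masquerade in-interface=WG_VPS]
# For reference, the defconf rule that now covers WG_VPS:
# /ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade \
#     comment="defconf: masquerade"

# MSS clamp towards the tunnel, in the same form as the existing pair of
# change-mss rules; the second rule of the pair follows the same pattern.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    out-interface=WG_VPS action=change-mss new-mss=clamp-to-pmtu \
    passthrough=yes comment="clamp MSS towards WG_VPS"
```

Check the result with `/interface list member print` (WG_VPS should appear under WAN only) and `/ip firewall nat print` (no srcnat rule left that references `in-interface=WG_VPS`).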