WireGuard AzireVPN - misbehavior

Hello,

I've already tried MikroTik support, but they suggested asking here...

I was trying to enable/add my WireGuard VPN provider AzireVPN, but it doesn't seem to be working properly.

After finishing the steps below, the VPN is connected but devices behave strangely: some pages are not able to open (timeout), some open fine.
WhatIsMyIP pages: some show I'm in Sweden (VPN location), some show my local country IP.

I assume it has something to do with the IPv4 vs IPv6 setting.

  1. Could you please suggest what/where to set up so it works correctly?
  2. Next, I would like to whitelist/select a few devices/IPs to be on the VPN (it has a public IP) and open a few ports for those devices.
  3. The rest of the devices should stay on the local IP.

Thanks!

Here is what I did, following multiple guides and wiki sources:

# Adding the interface with the correct private key works well
/interface/wireguard/add listen-port=13231 private-key="PrivateKey1" name=wg-az-se-sto comment="AzireVPN SE-STO interface"
# Here I've added the IPs from the az-se-sto.conf file, but I was not able to add the IPv6 address (or I'm doing it wrongly)
/ip/address add address=10.0.15.53/32,2a0e:1c80:1337:1:10:0:15:53/128 interface=wg-az-se-sto
# it worked only without IPv6
/ip/address add address=10.0.15.53/32 interface=wg-az-se-sto
# This was added fine
/interface/wireguard/peers/add endpoint-address=se-sto.azirevpn.net endpoint-port=51820 public-key="PublicKey1" allowed-address=0.0.0.0/0,::/0 interface=wg-az-se-sto
# here it surprisingly also accepted the IPv6 DNS server
/ip dns set servers=91.231.153.2,192.211.0.2,2a0e:1c80:1337:1:10:0:0:1 allow-remote-requests=yes
# both added fine
/ip/route add dst-address=0.0.0.0/0 gateway=wg-az-se-sto
# except "se-sto.azirevpn.net" can't be added, it seems, even though the VPN provider strongly suggests using the hostname, as the IP might change over time. So I had to run "ping se-sto.azirevpn.net" to get the IP 45.15.16.52
/ip/route add dst-address=45.15.16.52 gateway=10.38.166.65
# adding NAT rule to the firewall
/ip firewall nat add chain=srcnat action=masquerade out-interface=wg-az-se-sto
# adding a firewall rule to allow WG traffic
/ip firewall filter add action=accept chain=output comment="allow WireGuard" dst-address=45.15.16.52 dst-port=51820 protocol=udp place-before=1



[Interface]
PrivateKey = PrivateKey1
Address = 10.0.15.53/32, 2a0e:1c80:1337:1:10:0:15:53/128
DNS = 91.231.153.2, 192.211.0.2, 2a0e:1c80:1337:1:10:0:0:1

[Peer]
PublicKey = PublicKey1
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = se-sto.azirevpn.net:51820

se-sto.azirevpn.net = 45.15.16.52
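A small helper, added here as an example (it is not from the thread, from MikroTik or from AzireVPN), that parses a wg-quick style config like the one above and prints the matching RouterOS commands. It puts IPv4 addresses under /ip/address and IPv6 addresses under /ipv6/address (which is why the combined /ip/address line above fails), writes allowed-address without spaces, and keeps the hostname in endpoint-address so the router resolves it. The sample config is constructed from the post with placeholder keys; the interface name wg-az-se-sto and listen port 13231 come from the post. It deliberately leaves allow-remote-requests off the /ip/dns command: if you enable it, as the post does, the input chain must drop DNS from the WAN, which the later "drop all else" rule takes care of.

```python
"""Turn a wg-quick [Interface]/[Peer] file into RouterOS commands.

Added example, not the thread's or the provider's own code. The sample
config below is constructed from the one posted (placeholder keys).
"""
import ipaddress

# Constructed sample, mirrors the provider file in the post.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PrivateKey1
Address = 10.0.15.53/32, 2a0e:1c80:1337:1:10:0:15:53/128
DNS = 91.231.153.2, 192.211.0.2, 2a0e:1c80:1337:1:10:0:0:1

[Peer]
PublicKey = PublicKey1
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = se-sto.azirevpn.net:51820
"""


def parse_wg_conf(text):
    """Return (interface_dict, [peer_dict, ...]); several [Peer] blocks allowed."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
            if name == "interface":
                current = interface
            elif name == "peer":
                current = {}
                peers.append(current)
            else:
                raise ValueError(f"unknown section {line}")
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = line.split("=", 1)           # split once: base64 keys may end in '='
        current[key.strip()] = value.strip()
    if "PrivateKey" not in interface:
        raise ValueError("[Interface] needs a PrivateKey")
    return interface, peers


def _csv(value):
    """'a, b' -> ['a', 'b'] (RouterOS wants no spaces inside its own lists)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def routeros_commands(interface, peers, ifname="wg-az-se-sto", listen_port=13231):
    """Emit RouterOS v7 commands for the parsed config."""
    cmds = [f'/interface/wireguard/add name={ifname} listen-port={listen_port} '
            f'private-key="{interface["PrivateKey"]}"']
    for addr in _csv(interface.get("Address", "")):
        ip = ipaddress.ip_interface(addr)         # validates and picks the family
        path = "/ip/address" if ip.version == 4 else "/ipv6/address"
        cmds.append(f"{path}/add address={ip.with_prefixlen} interface={ifname}")
    dns = _csv(interface.get("DNS", ""))
    if dns:
        # No allow-remote-requests=yes here: enabling it makes the router a
        # resolver for whoever can reach its input chain.
        cmds.append(f"/ip/dns/set servers={','.join(dns)}")
    for peer in peers:
        host, port = peer["Endpoint"].rsplit(":", 1)
        host = host.strip("[]")                   # tolerate [v6-literal]:port
        allowed = ",".join(_csv(peer.get("AllowedIPs", "")))
        cmds.append(f'/interface/wireguard/peers/add interface={ifname} '
                    f'public-key="{peer["PublicKey"]}" endpoint-address={host} '
                    f'endpoint-port={port} allowed-address={allowed}')
    return cmds


if __name__ == "__main__":
    iface, peers = parse_wg_conf(SAMPLE_CONF)
    print("\n".join(routeros_commands(iface, peers)))
```

Paste the printed lines into the terminal one at a time; the /ipv6/address line only works if the IPv6 package is enabled on the router.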

Is your network IPv6? If so, I cannot help, as I'm not fluent in such language.

Hi,

No, I have mostly IPv4, but IPv6 is not disabled (yet).

When you're ready to not use IPv6, as stated, I can help troubleshoot.
In the meantime, check out PARA 7 and PARA 9 (D): https://forum.mikrotik.com/viewtopic.php?t=182340

Hi, I finally went through the guide, but I probably still have something wrong.
If someone would be so kind as to check it and suggest what to change… over 2 months of reading and not getting much further :frowning:

  1. Some pages stopped loading (e.g. duckduckgo.com); google.com loads fine. Not sure if DNS, something cached or FW problems are causing it…
  2. After applying the suggested settings, I can't connect to MT via IP now, only via MAC.
  3. As soon as it is working normally, I would like to whitelist/select a few devices/IPs to be on the VPN (it has a public IP) and open a few ports for those devices.
    The rest of the devices should stay on the local provider IP.

I’m using 3rd party VPN provider

This is the “former” code to add VPN WG

# Adding the interface with the correct private key works well
/interface/wireguard/add listen-port=13231 private-key="PrivateKey1" name=wg-az-se-sto comment="AzireVPN SE-STO interface"
# Here I've added the IPs from the az-se-sto.conf file, but I was not able to add the IPv6 address (or I'm doing it wrongly)
/ip/address add address=10.0.15.53/32,2a0e:1c80:1337:1:10:0:15:53/128 interface=wg-az-se-sto
# it worked only without IPv6
/ip/address add address=10.0.15.53/32 interface=wg-az-se-sto
# This was added fine
/interface/wireguard/peers/add endpoint-address=se-sto.azirevpn.net endpoint-port=51820 public-key="PublicKey1" allowed-address=0.0.0.0/0,::/0 interface=wg-az-se-sto
# here it surprisingly also accepted the IPv6 DNS server
/ip dns set servers=91.231.153.2,192.211.0.2,2a0e:1c80:1337:1:10:0:0:1 allow-remote-requests=yes
# both added fine
/ip/route add dst-address=0.0.0.0/0 gateway=wg-az-se-sto
# except "se-sto.azirevpn.net" can't be added, it seems, even though the VPN provider strongly suggests using the hostname, as the IP might change over time. So I had to run "ping se-sto.azirevpn.net" to get the IP 45.15.16.52
/ip/route add dst-address=45.15.16.52 gateway=10.38.166.65
# adding NAT rule to the firewall
/ip firewall nat add chain=srcnat action=masquerade out-interface=wg-az-se-sto
# adding a firewall rule to allow WG traffic
/ip firewall filter add action=accept chain=output comment="allow WireGuard" dst-address=45.15.16.52 dst-port=51820 protocol=udp place-before=1

Config from VPN provider

[Interface]
PrivateKey = PrivateKey1
Address = 10.0.15.53/32, 2a0e:1c80:1337:1:10:0:15:53/128
DNS = 91.231.153.2, 192.211.0.2, 2a0e:1c80:1337:1:10:0:0:1

[Peer]
PublicKey = PublicKey1
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = se-sto.azirevpn.net:51820

# had to find the real IP in order to use it in MikroTik
ping se-sto.azirevpn.net = 45.15.16.52

Then I've added:

/routing table
add disabled=no fib name=useWG

/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=se-sto.azirevpn.net \
    endpoint-port=51820 interface=wg-az-se-sto persistent-keepalive=40s \
    public-key="PublicKey1"

/ip address
add address=10.0.15.53/24 interface=wg-az-se-sto network=10.0.15.0

/ip firewall filter
add action=accept chain=forward in-interface=bridge out-interface=\
    wg-az-se-sto
add action=accept chain=output comment="allow WireGuard" disabled=yes \
    dst-address=45.15.16.52 dst-port=51820 protocol=udp

/routing rule
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG

I also added the whole export, “anonymized”

Thanks
VPN.rsc (7.91 KB)

(1) REMOVE THIS RULE, no need for it.
add action=accept chain=output comment="allow WireGuard" disabled=yes dst-address=45.15.16.52 dst-port=51820 protocol=udp

(2) Add persistent keepalive to your peer settings, let's say 35 seconds. ( oops, I see you have one already, all good )

(3) For endpoint use se-sto.azirevpn.net

GO TO FIREWALL ADDRESS LIST and create one, call it 3rdPartyVPN, so that you can see the resolved address at any time.
The address may change, so using a fixed IP is not the best solution.

aka DO NOT USE the number!! The config you posted seems fine as it uses the address…

(4) Modify your DNS rules …
From:
/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=192.168.10.1 gateway=192.168.10.1

TO:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
{ or whatever public DNS you prefer }

AND
From:
/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=192.168.10.1 gateway=192.168.10.1
TO:
/ip dhcp-server network
add address=192.168.10.0/24 comment="VPN DNS Servers" dns-server=91.231.153.2,192.211.0.2 gateway=192.168.10.1

NOTE: The router itself needs a proper DNS setting, and we only need to ensure bridge entries use the DNS in question.

(5) FIXED FIREWALL RULES. Note, ORDER is important within a chain!!!
INPUT CHAIN
( got rid of the output rule, not required; you had the handshake input rule disabled??; the block-DNS rules were redundant and removed; → allow all traffic from LAN, then drop all else!! )
( your input rules for SSH and winbox were dangerous and removed, and also not required as LAN access is already available.)
FORWARD CHAIN
( added bridge-to-WAN access, a proper separate allow-port-forwarding rule and then a drop-all-else rule)

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=no dst-port=51820 in-interface=\
    ether1-WAN protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" \
   in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface=bridge out-interface=\
    WAN
add action=accept chain=forward in-interface=bridge out-interface=\
    wg-az-se-sto
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(6) NO MANGLING REQUIRED, remove all mangling rules concerning the connection, it seems like they are for other bogus reasons.
In order to troubleshoot your wireguard, disable mangling rules for now !!

(7) CLEANING UP NAT ( remove the rule in orange )
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Google DNS Force" disabled=yes dst-port=53 protocol=udp to-addresses=8.8.8.8 to-ports=53

add action=masquerade chain=srcnat out-interface=wg-az-se-sto

Okay, I see you do have the critical rule; put it at the top so it's visible. Aka, if for nothing else, organize the view of your config!!

(8) WHAT are these port forwarding rules for ???
add action=dst-nat chain=dstnat comment=Lox dst-port=6789 in-interface=ether1-WAN log=yes log-prefix=Lox protocol=tcp to-addresses=192.168.10.100 to-ports=6789
add action=dst-nat chain=dstnat comment="Transmission BT" dst-port=6665 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=192.168.10.101 to-ports=9911

Remember, if you have incoming traffic on the WAN, you are FORCING TRAFFIC into the TUNNEL.
So how do you expect the return traffic from bridge devices to go back out the WAN ??? See 12.


(9) WHERE IS THE WAN IP route? It will not be visible if you have selected the default route in IP DHCP Client. So I will assume you have; otherwise you need a manual IP route.
AND GET RID OF THE BOGUS ROUTE.
add dst-address=45.15.16.52 gateway=10.38.166.65

/ip route
add dst-address=0.0.0.0/0 gateway=ISP_gwy_IP routing-table=main { example of a manual route, probably not necessary if the route already exists }
add dst-address=0.0.0.0/0 gateway=wg-az-se-sto routing-table=useWG

(11) ROUTING RULE IS WRONG
From:
add action=lookup disabled=no src-address=192.168.20.0/24 table=useWG
TO:
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG

(12)
You need two additional routing rules for your port forwarding to work… ORDER is key.

/routing rule
add action=lookup-only-in-table src-address=192.168.10.100 table=main
add action=lookup-only-in-table src-address=192.168.10.101 table=main

add action=lookup src-address=192.168.10.0/24 table=useWG

Hello,

Thanks for helping out, I tried to put in all the modifications as you suggested.

duckduckgo.com, mail.proton.me still not loading
PortFWD doesn't work now
All devices are on the VPN Sweden location and most pages are working so far, except a few


Here are some details:

  1. removed

  2. 35s set

  3. used se-sto.azirevpn.net and it seems like it's resolving its IP; does it somehow read/add it into the WG settings? As the provider is only using “se-sto.azirevpn.net”
    This way I'll add other locations later
    Capture.JPG

  4. Done, used Google DNS for the test, 8.8.8.8 and 8.8.4.4
    Formerly I had the VPN DNS servers as default for all traffic

  5. Used your FW rules, removed mine

  6. Mangling disabled - I guess I added them following some guide to identify the type of traffic

  7. removed

  8. Those are local servers which I want to access from the Internet; those rules were working fine.
    The plan is to add a few more with WG and its WG public IP, and add a few servers to be reachable via a duckdns.org address
    So some stay on the provider public IP and some will be on the WG VPN public IP

  9. Done

/ip route
add dst-address=0.0.0.0/0 gateway=ISP_gwy_IP routing-table=main { example of a manual route, probably not necessary if the route already exists }
add dst-address=0.0.0.0/0 gateway=wg-az-se-sto routing-table=useWG

[admin@MikroTik_Ax3] > /ip route
[admin@MikroTik_Ax3] /ip/route> add dst-address=0.0.0.0/0 gateway=wg-az-se-sto routing-table=useWG
[admin@MikroTik_Ax3] /ip/route>
routes.png
11. Yeah, I realized that later that day too :wink:

  1. Without the WG VPN enabled PortFWD was working,
    but I added them as suggested; it seems like it's not working now, just tried
    31-03-23-VPN.rsc (7.51 KB)

(1) Remove the static entry
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan

(2) Check out the copy job. If I drop all traffic at the end, how is any traffic going to go out your own WAN (aka the return traffic from external users)?
So use logic as well as attention to detail. :slight_smile:

Your config
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input dst-port=51820 in-interface=ether1-WAN protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward in-interface=bridge out-interface=wg-az-se-sto

add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

My CONFIG recommendation:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input disabled=no dst-port=51820 in-interface=ether1-WAN protocol=udp
add action=accept chain=input comment="defconf: allow all coming from LAN" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=forward in-interface=bridge out-interface=WAN

add action=accept chain=forward in-interface=bridge out-interface=wg-az-se-sto

add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

(3) I don't get it, you clearly are not reading or thinking. I stated that ORDER is critical in routing rules.
I stated that for the return traffic from servers to reach back to the WAN they would need to be PRIOR to the rule forcing ALL bridge traffic out the WAN, so what did you do???

/routing rule
add action=lookup disabled=no src-address=192.168.10.0/24 table=useWG
add action=lookup-only-in-table src-address=192.168.10.100 table=main { WRONG this will never be used all traffic goes out wg }
add action=lookup-only-in-table src-address=192.168.10.101 table=main { WRONG this rule will never be used all traffic goes out wg }

What I had provided:
/routing rule
add action=lookup-only-in-table src-address=192.168.10.100 table=main { server traffic gets out local WAN as required }
add action=lookup-only-in-table src-address=192.168.10.101 table=main { server traffic gets out local WAN as required }
add action=lookup src-address=192.168.10.0/24 table=useWG { rest of bridge traffic goes out wg }
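To make the ordering point concrete, here is a small simulator of how RouterOS walks /routing rule top-down: the first matching rule decides, action=lookup falls back to the main table when the named table has no route, and action=lookup-only-in-table does not fall back. It is an added example, not the thread's or MikroTik's code; the routing tables and the ISP gateway name are constructed placeholders, and the two rule sets are the wrong and the corrected order from this post. It also accepts dst-address matchers, which RouterOS routing rules support, so it goes slightly beyond the post and can be reused for rule sets that pin only some destinations to a table. The shadowed_rules helper flags rules that can never fire, which is exactly what went wrong with the first attempt.

```python
"""Simulate RouterOS /routing rule evaluation: first match wins, order matters.

Added example, not the thread's or MikroTik's code. Routing tables and the
ISP gateway name are constructed placeholders.
"""
import ipaddress


class Rule:
    """One /routing rule entry: src/dst matchers, table, lookup semantics."""

    def __init__(self, action, table, src=None, dst=None):
        assert action in ("lookup", "lookup-only-in-table")
        self.action, self.table = action, table
        self.src = ipaddress.ip_network(src) if src else None
        self.dst = ipaddress.ip_network(dst) if dst else None

    def matches(self, src_ip, dst_ip):
        return ((self.src is None or src_ip in self.src)
                and (self.dst is None or dst_ip in self.dst))


# Constructed tables: name -> [(prefix, gateway)], shaped like the post's /ip route.
TABLES = {
    "main": [("192.168.10.0/24", "bridge"), ("0.0.0.0/0", "ISP_gwy_IP")],
    "useWG": [("0.0.0.0/0", "wg-az-se-sto")],
}


def lookup(table, dst_ip):
    """Longest-prefix match within one table; None when the table has no route."""
    best = None
    for prefix, gw in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def route(rules, src, dst):
    """Return the gateway a packet src->dst would use, or None if unroutable."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if not rule.matches(src_ip, dst_ip):
            continue                      # keep walking, like the router does
        gw = lookup(rule.table, dst_ip)
        if gw is not None or rule.action == "lookup-only-in-table":
            return gw                     # first match decides; lookup-only never falls back
        return lookup("main", dst_ip)     # action=lookup: fall back to main
    return lookup("main", dst_ip)         # no rule matched: ordinary main lookup


# The order the post criticises: the /24 rule shadows the two server rules.
WRONG_ORDER = [
    Rule("lookup", "useWG", src="192.168.10.0/24"),
    Rule("lookup-only-in-table", "main", src="192.168.10.100/32"),
    Rule("lookup-only-in-table", "main", src="192.168.10.101/32"),
]

# The order the post asked for: specific server rules first, catch-all last.
RIGHT_ORDER = [
    Rule("lookup-only-in-table", "main", src="192.168.10.100/32"),
    Rule("lookup-only-in-table", "main", src="192.168.10.101/32"),
    Rule("lookup", "useWG", src="192.168.10.0/24"),
]


def shadowed_rules(rules):
    """Indexes of rules that can never fire: an earlier rule with no dst matcher
    already covers their whole src range."""
    dead = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (r.src is not None and earlier.src is not None
                    and r.src.subnet_of(earlier.src) and earlier.dst is None):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, "server .100 ->", route(rules, "192.168.10.100", "203.0.113.5"),
              "| client .50 ->", route(rules, "192.168.10.50", "203.0.113.5"),
              "| shadowed rule indexes:", shadowed_rules(rules))
```

With the wrong order the server's reply to an external client (203.0.113.5 is a documentation address standing in for any Internet host) is sent into the tunnel, where the ISP-side NAT state does not exist; with the right order it leaves via the ISP gateway while ordinary clients still go out WireGuard.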

EDIT: PortFWD working again :mrgreen:
Just some of the webpages are still an issue

  1. removed completely

  2. Seems like this was a mistake; I had to modify:
    FROM:
    add action=accept chain=forward in-interface=bridge out-interface=WAN
    TO:
    add action=accept chain=forward in-interface=bridge out-interface=ether1-WAN

Hopefully now all correct
FW2.JPG
3. I entered those commands, but it seems like the order is not right. How do I change the order? In FW rules I'm able to change the order in WinBox with mouse drag & drop.
Or do I need to remove them and re-add them in a specific order?
rules.JPG
Removed & re-added

[admin@MikroTik_Ax3] > /routing rule
[admin@MikroTik_Ax3] /routing/rule> add action=lookup-only-in-table src-address=192.168.10.100 table=m
ain
[admin@MikroTik_Ax3] /routing/rule> add action=lookup-only-in-table src-address=192.168.10.101 table=m
ain
[admin@MikroTik_Ax3] /routing/rule> add action=lookup src-address=192.168.10.0/24 table=useWG
rul2.JPG

You are quite correct, the config I was supposed to type is
add chain=forward action=accept in-interface=bridge out-interface-list=WAN

( your fix is equally as valid !! )

The yolk is on my face for that one!! :slight_smile:

++++++++++++++++++++++++++++++++++

Yes the second attempt worked, the clue is looking at the rule numbers at the left hand column 0,1,2 etc…

OKAY, so you are saying it's about 98% there ?? Some webpage shenanigans…
If so try
a. changing MTU to 1500; if no joy
b. return to the default 1420 and try this, and then with MTU at 1500
/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg-az-se-sto passthrough=yes protocol=tcp tcp-flags=syn

c. if no joy set MTU to 1420 and try this one.
/ip firewall mangle
add action=change-mss chain=forward new-mss=1380 out-interface=wg-az-se-sto protocol=tcp tcp-flags=syn tcp-mss=1381-65535
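To see where the MTU and MSS numbers in (b) and (c) come from, here is a small calculator plus a model of the change-mss mangle action, added as an example (not from the thread or from MikroTik). The overhead figures are WireGuard's encapsulation (32 bytes of transport header and authentication tag, plus UDP and the outer IP header); the SYN MSS values are constructed, and "clamp-to-pmtu" is modelled here as the out-interface MTU minus the IPv4 and TCP headers, which is an assumption about RouterOS internals. The lesson is in the last case: a fixed new-mss without the tcp-mss=1381-65535 matcher would also raise a smaller MSS, so the matcher in rule (c) is not decoration.

```python
"""WireGuard MTU/MSS arithmetic and a model of RouterOS change-mss.

Added example, not the thread's or MikroTik's code. Overheads: WireGuard
transport header+tag 32 bytes, UDP 8, IPv4 20 / IPv6 40, TCP 20.
"""
WG_OVERHEAD = 32
UDP_HDR = 8
IPV4_HDR, IPV6_HDR = 20, 40
TCP_HDR = 20


def wg_mtu(outer_mtu=1500, outer_ipv6=False):
    """Largest inner packet that fits the outer link without fragmentation.
    1500 over IPv4 -> 1440; over IPv6 -> 1420, WireGuard's conservative default."""
    return outer_mtu - (IPV6_HDR if outer_ipv6 else IPV4_HDR) - UDP_HDR - WG_OVERHEAD


def mss_for_mtu(mtu, inner_ipv6=False):
    """TCP MSS that fits one inner packet of the given MTU (1420 -> 1380)."""
    return mtu - (IPV6_HDR if inner_ipv6 else IPV4_HDR) - TCP_HDR


def apply_change_mss(syn_mss, new_mss, out_if_mtu=1420, tcp_mss_range=None):
    """Model one mangle rule with action=change-mss on a single SYN.

    new_mss        -- integer, or "clamp-to-pmtu" (assumed here to mean the
                      out-interface MTU minus IPv4+TCP headers)
    tcp_mss_range  -- (lo, hi) for a tcp-mss=lo-hi matcher, or None
    Returns the MSS the SYN leaves the router with.
    """
    if tcp_mss_range is not None:
        lo, hi = tcp_mss_range
        if not lo <= syn_mss <= hi:
            return syn_mss                     # matcher misses: rule does nothing
    if new_mss == "clamp-to-pmtu":
        return min(syn_mss, mss_for_mtu(out_if_mtu))
    return new_mss                             # fixed value is written unconditionally


def needs_clamping(syn_mss, out_if_mtu=1420, inner_ipv6=False):
    """True when a full-size segment from this SYN would not fit the tunnel MTU."""
    return syn_mss > mss_for_mtu(out_if_mtu, inner_ipv6)


if __name__ == "__main__":
    print("wg MTU over IPv4 / IPv6 link:", wg_mtu(), wg_mtu(outer_ipv6=True))
    print("MSS for MTU 1420:", mss_for_mtu(1420))
    for mss in (1460, 1380, 1200):            # constructed SYN MSS values
        print(f"SYN mss={mss}: rule b ->", apply_change_mss(mss, "clamp-to-pmtu"),
              "| rule c ->", apply_change_mss(mss, 1380, tcp_mss_range=(1381, 65535)),
              "| fixed 1380 without matcher ->", apply_change_mss(mss, 1380))
```

A 1460 MSS (the usual value for a 1500-byte LAN) produces 1500-byte segments that do not fit a 1420-byte tunnel, so without clamping they rely on path MTU discovery, which some sites break by filtering ICMP; that is why only a few pages hang.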

  1. Rule 12 can be removed now? As it was wrong and should be rule 13?
  2. After adding the command it started to work; changing to MTU 1500 didn't work out.
    /ip firewall mangle
    add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg-az-se-sto passthrough=yes protocol=tcp tcp-flags=syn

Rest of pages are working now :astonished:

Man, thanks a lot!!! With the MikroTik wiki and guides I went through, I would have spent a few months to accomplish this; I really appreciate the time you spent on this issue.


  1. Yes the second attempt worked, the clue is looking at the rule numbers at the left hand column 0,1,2 etc....
    I see those numbers, but there is no option to change them or reorder in the WinBox UI. A bit strange to me how it works

  2. Just to confirm port fwd rules
    If i'm adding extra rules:
    add action=dst-nat chain=dstnat comment=Lox123 dst-port=6789 in-interface=ether1-WAN log=yes log-prefix=Lox protocol=tcp to-addresses=192.168.10.XXX to-ports=6789

Do I need to also add the forwarded IP .XXX into here?
/routing rule
add action=lookup-only-in-table src-address=192.168.10.XXX table=main

  1. Final step: how do I pick/whitelist only a few clients to use the VPN and have the others stay on the local IP?

Thanks!

  1. How many… a few? Just add them as you do the servers, before the rule forcing traffic out WireGuard.

Thanks for all suggestions,

  1. The router via WinBox is not reachable via local IP, only via MAC… probably I need to add some additional rule into the firewall

  2. I have around 50+ clients; 5 will be on the VPN.

I tried to add ports for Transmission and it says it is not open
BT.JPG
What I've analyzed so far: ports from my “regular” IP via “ether1-WAN” are reachable via FW rules, so I assume the rule is right.

All ports via the VPN “wg-az-se-sto” interface seem NOT reachable

Thanks!
VPN_final2.rsc (8.25 KB)

Not sure what you mean by not reachable LOL.
Remember you are putting all traffic out the wg tunnel.

SO if you try to reach the router from your LAN IP 192.168.10.XX, it's going out the tunnel if IP based.
MAC works around it and is what most people use anyway.


If you want to retain IP access, then take a port off the bridge, give it an IP address only,
and add the ether port to the LAN interface list, and you will be able to access it by IP address.
You could also create another VLAN to access it.

++++++++++++++++++++++++++++++++++++++++++++++++++++

I don't see the problem; all your port forwardings from external users should come in the local WAN, hit the 192.168.100 or 101 and go back out the local WAN.
Isn't that what you wanted??? All other users are forced out wireguard for internet!

Not sure what you mean by ports via VPN not being available.
If you want to use servers through both VPNs, that takes some more programming for sure.
Right now any traffic exiting the servers goes out the WAN… not the VPN.

Not reachable over the VPN public IP

I'm able to be in the VPN tunnel → data out, but I also need data IN ← via some ports

Another benefit:
AzireVPN gives me a public IP and I don't need to have an additional paid public IP from my provider.

Hope it makes sense :wink:


The MAC for the MikroTik is not easy to remember, that's why I use the local IP

VLAN - no experience with that yet…


I don't see the problem; all your port forwardings from external users should come in the local WAN, hit the 192.168.100 or 101 and go back out the local WAN.
Isn't that what you wanted??? All other users are forced out wireguard for internet!

Some services run over the local WAN, some need to go over the WG VPN interface as described above

40 clients - via regular WAN / local provider IP
5 clients - via VPN only / Azire IP - for example some content on AndroidTV on Netflix, IPTV etc., where I can choose the country to unlock the view option

Okay, as for MAC, it shows automatically under Neighbors in WinBox, no need to memorize it, just select it.

Just for giggles try this to see if it works.

/routing rules ( in correct order of course )

[1st] add action=lookup-only-in-table dst-address=10.0.15.0/24 src-address=192.168.10.100 table=useWG { allow return traffic to wg server clients } *****
[2nd] add action=lookup-only-in-table src-address=192.168.10.100 table=main { allow return traffic out through local wan }
[3rd] add action=lookup-only-in-table src-address=192.168.10.101 table=main { allow return traffic out through local wan }
[4th] add action=lookup src-address=192.168.10.0/24 table=useWG { last rule to force rest of bridge out wg tunnel }

***** assumes you are source-natting the traffic from the WG server to your router. In other words, your internal server doesn't see other public IPs but sees a WireGuard source address, for this rule to work.

+++++++++++++++++++++++++++

Tried, but still no PortFWD via VPN

Removed former rules
Routing1.JPG
Added the suggested ones:
Routing2.JPG
Tried those options:
FW2.png
Even tried disabling the working rules, in case they interfere with each other
FW1.png

Why are you trying to port forward the wg traffic coming in on the MT?
The traffic coming in on WG is already on the LAN, so to speak…
The port forwarding, or moving the traffic appropriately into the WG tunnel and towards the MT, is done at the Azire site.

The only rule really needed at the MT end is a firewall rule.
add action=accept chain=forward in-interface=wireguard dst-address-list=serverlist

where the server list contains .100 and .101, for example.

ADD:

What I've also noticed: even though all traffic should currently be over the WG VPN,

my DuckDNS docker (which is regularly updating the IP), based on server IP .101, is sharing the provider public IP and NOT the VPN IP;
even trying the VPN IP:port directly doesn't work.

More and more confusion for me :frowning: