hi,
I’m still new to using MikroTik and to networking in general.
I set up WireGuard with 4 clients. They all connect successfully and can reach the remote resources as required; however, when they try to access their own local network or the internet, they are unable to.
I went through all the related posts I could find on this forum and online and tried a few things with no success. I don’t know what I did wrong or what I missed that causes this issue.
Here are my MikroTik settings:
# RouterOS export as posted. Comments are added only at statement boundaries;
# a comment placed between "\"-continued lines would break a re-import.
/interface ethernet
set [ find default-name=ether7 ] disable-running-check=no name=ether1_LAN1
set [ find default-name=ether8 ] disable-running-check=no name=ether2_WAN1
set [ find default-name=ether1 ] disable-running-check=no name=ether3_LAN2
set [ find default-name=ether2 ] disable-running-check=no name=ether4_LAN3
set [ find default-name=ether3 ] disable-running-check=no name=ether5
set [ find default-name=ether4 ] disable-running-check=no name=ether6
set [ find default-name=ether5 ] disable-running-check=no name=ether7
set [ find default-name=ether6 ] disable-running-check=no name=ether8_LAN0
/interface wireguard
# Server side of the tunnel. UDP/9966 is the only port that needs to be
# reachable from the internet for the VPN itself.
add comment="VPN" listen-port=9966 mtu=1420 name=wireguard_vpn
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_LAN1 ranges=10.10.1.2-10.10.1.199
add name=dhcp_pool_LAN2 ranges=10.10.2.2-10.10.2.199
add name=dhcp_pool_LAN3 ranges=10.10.3.2-10.10.3.199
/ip dhcp-server
add address-pool=dhcp_pool_LAN1 interface=ether1_LAN1 name=dhcp1_LAN1
add address-pool=dhcp_pool_LAN2 interface=ether3_LAN2 name=dhcp1_LAN2
add address-pool=dhcp_pool_LAN3 interface=ether4_LAN3 name=dhcp1_LAN3
/port
set 0 name=serial0
set 1 name=serial1
/interface detect-internet
set detect-interface-list=all
/interface list member
# NOTE(review): only ether1_LAN1 is in LAN (ether3_LAN2 and ether4_LAN3 are
# not), and the tunnel is in WAN while ether2_WAN1 is not. No filter rule in
# this export matches on these lists, so this is harmless today, but any
# list-based rule added later (e.g. "drop input from !LAN") will behave
# unexpectedly until the membership is corrected.
add interface=ether1_LAN1 list=LAN
add interface=wireguard_vpn list=WAN
/interface wireguard peers
# One /32 per client: the router accepts packets from a peer only when the
# source is that exact tunnel address. This is the right setting for
# road-warrior clients; keep it even if the client side uses a /24.
add allowed-address=192.168.20.2/32 comment="Client1" interface=\
wireguard_vpn public-key=\
"l111111111l111111111l111111111l1111111111111"
add allowed-address=192.168.20.3/32 comment="Client2" interface=\
wireguard_vpn public-key=\
"22222222222222222222222222222222222222222222"
add allowed-address=192.168.20.4/32 comment="Client3" \
interface=wireguard_vpn public-key=\
"33333333333333333333333333333333333333333333"
add allowed-address=192.168.20.5/32 comment="Client4" interface=wireguard_vpn \
public-key="44444444444444444444444444444444444444444444"
/ip address
add address=10.10.1.1/24 interface=ether1_LAN1 network=10.10.1.0
add address=10.10.2.1/24 interface=ether3_LAN2 network=10.10.2.0
add address=10.10.3.1/24 interface=ether4_LAN3 network=10.10.3.0
# Router-side tunnel address; tunnel clients can use it as their DNS server.
add address=192.168.20.1/24 comment="ip access for WireGuard" \
interface=wireguard_vpn network=192.168.20.0
# Second address on ether3_LAN2. It is not in the LAN address-list below and
# has no DHCP network — presumably intentional, but worth confirming.
add address=10.0.0.1/24 interface=ether3_LAN2 network=10.0.0.0
/ip dhcp-client
add interface=ether2_WAN1
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=10.10.1.1,8.8.8.8 gateway=10.10.1.1
add address=10.10.2.0/24 dns-server=10.10.2.1,8.8.8.8 gateway=10.10.2.1
add address=10.10.3.0/24 dns-server=10.10.3.1,8.8.8.8 gateway=10.10.3.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any interface it
# has an address on. No input-chain rule in this export drops WAN traffic, so
# the resolver is reachable from the internet (open-resolver risk). Restrict
# it with an input rule that accepts udp/tcp 53 only from the LAN and tunnel
# subnets and drops the rest.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
# These names resolve only through this router. The client config posted
# below uses DNS = 8.8.8.8, so tunnel clients will not get these 10.10.2.x
# answers unless their DNS is pointed at 192.168.20.1.
add address=10.10.2.45 name=domain1.tld
add address=10.10.2.20 name=domain2.tld
add address=10.10.2.30 name=somelocal.domain1
/ip firewall address-list
add address=10.10.1.0/24 list=LAN
add address=10.10.2.0/24 list=LAN
add address=10.10.3.0/24 list=LAN
/ip firewall filter
# NOTE(review): the three accept rules below are in the input chain, which
# only sees traffic addressed to the router itself. Client-to-LAN traffic is
# handled by the forward chain, which has no rules in this export. Since
# there is no final drop in either chain, anything not matched is accepted
# anyway — so these rules change nothing, and the router's own services
# (www on 4040, ssh on 22, DNS) remain reachable from ether2_WAN1. The
# usual fix is an input chain that accepts established/related, accepts
# udp/9966, accepts management only from the LAN and tunnel subnets, and
# drops everything else.
add action=accept chain=input dst-address=10.10.3.0/24 src-address=\
192.168.20.0/24
# src-address-list="" is an empty matcher and has no effect on this rule.
add action=accept chain=input dst-address=10.10.2.0/24 src-address=\
192.168.20.0/24 src-address-list=""
add action=accept chain=input dst-address=10.10.1.0/24 src-address=\
192.168.20.0/24
# Brute-force staging below only covers tcp/21-23. telnet and ftp are
# disabled in /ip service, so in practice it guards ssh/22 only; www/4040 is
# not covered.
add action=drop chain=input comment="drop ftp/ssh/telnet brute forcers" \
dst-port=21-23 protocol=tcp src-address-list=blacklist
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=1w3d chain=input comment="blacklist stage3 10 days" \
connection-state=new dst-port=21-23 protocol=tcp src-address-list=stage3
add action=add-src-to-address-list address-list=stage3 address-list-timeout=\
1m chain=input comment="blacklist stage2 1minute" connection-state=new \
dst-port=21-23 protocol=tcp src-address-list=stage2
add action=add-src-to-address-list address-list=stage2 address-list-timeout=\
1m chain=input comment="blacklist stage1 1minute" connection-state=new \
dst-port=21-23 protocol=tcp src-address-list=stage1
add action=add-src-to-address-list address-list=stage1 address-list-timeout=\
1m chain=input comment="blacklist stage0 1minute" connection-state=new \
dst-port=21-23 protocol=tcp
/ip firewall nat
# Outbound NAT for everything leaving the WAN port (LAN and tunnel clients).
add action=masquerade chain=srcnat out-interface=ether2_WAN1
# Masquerades tunnel clients toward every destination, so LAN hosts see the
# router's own address rather than 192.168.20.x. Duplicated by the last rule
# in this chain; one of the two can be removed.
add action=masquerade chain=srcnat src-address=192.168.20.0/24
# The dst-nat rules below publish services on the WAN interface. RDP
# (6684/6685) is exposed directly to the internet here; since a WireGuard
# tunnel already exists, reaching the VMs through the tunnel instead would
# allow these two rules to be removed.
add action=dst-nat chain=dstnat comment="domain1.tld http" dst-port=80 \
in-interface=ether2_WAN1 protocol=tcp to-addresses=10.10.2.45 to-ports=80
add action=dst-nat chain=dstnat comment="domain1.tld relay" dst-port=8041 \
in-interface=ether2_WAN1 protocol=tcp to-addresses=10.10.2.45 to-ports=\
8041
add action=dst-nat chain=dstnat comment="domain1.tld https" dst-port=443 \
in-interface=ether2_WAN1 protocol=tcp to-addresses=10.10.2.45 to-ports=\
443
add action=dst-nat chain=dstnat comment="VM1 RDP" dst-port=6684 \
in-interface=ether2_WAN1 protocol=tcp to-addresses=10.10.2.25 to-ports=\
6684
add action=dst-nat chain=dstnat comment="VM2 RDP" dst-port=6685 \
in-interface=ether2_WAN1 protocol=tcp to-addresses=10.10.2.35 to-ports=\
6685
add action=dst-nat chain=dstnat comment="VM3 TCP14121-14122" \
dst-port=14121-14122 in-interface=ether2_WAN1 protocol=tcp to-addresses=\
10.10.2.20 to-ports=14121-14122
add action=dst-nat chain=dstnat comment="VM3 TCP14124" dst-port=\
14124 in-interface=ether2_WAN1 protocol=tcp to-addresses=10.10.2.20 \
to-ports=14124
add action=dst-nat chain=dstnat comment="VM3 UDP14124" dst-port=\
14124 in-interface=ether2_WAN1 protocol=udp to-addresses=10.10.2.20 \
to-ports=14124
# Duplicate of the earlier src-address=192.168.20.0/24 masquerade rule.
add action=masquerade chain=srcnat comment="Masquerade for WireGuard" \
src-address=192.168.20.0/24
/ip service
# www and ssh are enabled on all interfaces with no address restriction; with
# no input drop rule above, both are reachable from the WAN side. Limiting
# them with "address=" to the LAN and tunnel subnets is the quick fix.
set telnet disabled=yes
set ftp disabled=yes
set www port=4040
set ssh port=22
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ca.pool.ntp.org
add address=us.pool.ntp.org
And here is a WireGuard client config file:
[Interface]
# Keep this key on the client only; the router needs just the matching public key.
PrivateKey = 1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A
# Must match the allowed-address the router holds for this peer (192.168.20.2/32).
Address = 192.168.20.2/24
# With AllowedIPs = 0.0.0.0/0 below, DNS queries also go through the tunnel.
# The router's static names (domain1.tld, ...) only resolve via the router;
# use DNS = 192.168.20.1 if those names are needed from the client.
DNS = 8.8.8.8
[Peer]
PublicKey = zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
# 0.0.0.0/0 is a full tunnel: every packet, including those for the client's
# own local LAN, is sent to the router while the tunnel is up. That explains
# why the client's local network is unreachable when connected. For a split
# tunnel that routes only the remote subnets, use instead:
#   AllowedIPs = 192.168.20.0/24, 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24
# Internet over the full tunnel should work with the router's masquerade
# rules as exported; if it still fails, the cause is not visible in this
# config — presumably something on the router's WAN path — confirm there.
AllowedIPs = 0.0.0.0/0
Endpoint = MyPublicIP:9966