Wireguard help (again)

I thought I had this all working, but now I’m travelling and it’s not fully working.

I’m on my laptop and can WG into my site that I call 212. I have full VPN access to the site.

But, I thought I would be able to use the hEX at 212 (the one that I am connected to via VPN) as a relay to get access to all the other sites connected via WG to 212. This is what is not working.

Laptop: 10.10.100.201
212: 10.10.100.1
Other sites include: 10.10.100.2, 10.10.100.12, 10.10.100.50 – no access from my laptop.

The Windows WG config I’m using to connect to 212 is:


[Interface]
PrivateKey = uI6xxxxxx=
Address = 10.10.100.201/24
DNS = 10.10.100.1

[Peer]
PublicKey = xx24Ds=
AllowedIPs = 10.10.100.0/24, 192.168.0.0/16
Endpoint = xxxxx.dyndns.org:51820

The hEX at 212:


# mar/18/2023 06:43:58 by RouterOS 7.8
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = HCR
/interface bridge
add admin-mac=18:2B auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="TO INET"
set [ find default-name=ether2 ] comment=SWITCH
set [ find default-name=ether3 ] comment="PORT 3 on PATCH -- JRS"
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] comment="To hAPax3"
/interface wireguard
add disabled=yes listen-port=51200 mtu=1420 name=212-WG-200
add listen-port=51820 mtu=1420 name=212-Wireguard
/interface vlan
add disabled=yes interface=ether2 name=TEST-VLAN-10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MANAGE
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=4w2d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE bridge-learning=no
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=212-Wireguard list=LAN
add interface=bridge list=MANAGE
add interface=212-Wireguard list=MANAGE
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 \
    interface=212-Wireguard public-key=\
    "b9ijRpJX8="
add allowed-address=10.10.100.2/32,192.168.88.0/24 comment=\
    "371;   192.168.88.1" endpoint-address=xxxxx.dyndns.org endpoint-port=52820 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "zoZtzU5lohI="
add allowed-address=10.10.100.9/32 comment="JRS iPhone" endpoint-port=59820 \
    interface=212-Wireguard public-key=\
    "jn2xmSuBAuOb/ZBIFY="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment=\
    "629;   192.168.20.1" endpoint-address=xxxxx.dyndns.org endpoint-port=51821 \
    interface=212-Wireguard persistent-keepalive=40s public-key=\
    "q28mg9oG4CfXo="
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=\
    "355 Hex for behind UDM;  192.168.2.5" endpoint-address=xxxxx.dyndns.org \
    endpoint-port=51833 interface=212-Wireguard persistent-keepalive=40s \
    public-key="Q8CPxxxxxLZq3g="
add allowed-address=10.10.100.60/32,192.168.1.0/24 comment=\
    "255 hEX behind UDM;  192.168.0.11" endpoint-address=\
    xxxxx.dyndns.org endpoint-port=51835 interface=212-Wireguard \
    persistent-keepalive=40s public-key=\
    "6E3xxxxxMwbRc="
add allowed-address=10.10.100.30/32,192.168.30.0/24 comment=\
    "76;   192.168.30.1" endpoint-address=xxxxx.dyndns.org \
    endpoint-port=51830 interface=212-Wireguard persistent-keepalive=40s \
    public-key="EJu69xxxxxcNgUic="
add allowed-address=10.10.90.0/24 comment="BI PC WG APP" disabled=yes \
    endpoint-port=51820 interface=212-Wireguard public-key=\
    "R5SjZxxxxxjt9TV4="
add allowed-address=10.10.100.1/32,192.168.2.2/24 comment=\
    "212 (local, just for reference);   192.168.2.2" disabled=yes \
    endpoint-address=xxxxx.dyndns.org endpoint-port=51820 interface=\
    212-Wireguard public-key="xx27xxxxxop1OqXrW4Ds="
add allowed-address=10.10.100.201/32 comment="JRS Laptop 201" interface=\
    212-Wireguard public-key="Cmfwxxxxxhgntx9Aw="
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=10.10.100.1/24 interface=212-Wireguard network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.2.100 comment="15 TV" mac-address=78:6A:1F:8D:F9:C8 \
    server=defconf
add address=192.168.2.121 client-id=1:da:f3:68:be:3f:b comment="Ipad SRN" \
    mac-address=DA:F3:68:BE:3F:0B server=defconf
add address=192.168.2.102 mac-address=78:6A:1F:8D:FC:B4 server=defconf
add address=192.168.2.101 mac-address=78:6A:1F:8D:FC:0F server=defconf
add address=192.168.2.103 mac-address=A0:68:7E:4D:D0:4B server=defconf
add address=192.168.2.138 client-id=1:30:c9:ab:17:71:59 comment=MFC-L3770CDW \
    mac-address=30:C9:AB:17:71:59 server=defconf
add address=192.168.2.107 client-id=1:94:e7:b:29:30:e7 comment=\
    "JRS Laptop ASUS" mac-address=94:E7:0B:29:30:E7 server=defconf
add address=192.168.2.141 client-id=1:c2:5d:7f:1f:4c:f5 comment="JRS iPhone" \
    mac-address=C2:5D:7F:1F:4C:F5 server=defconf
add address=192.168.2.109 client-id=1:0:6b:9e:d1:24:f3 comment="Vizio on 15" \
    mac-address=00:6B:9E:D1:24:F3 server=defconf
add address=192.168.2.119 client-id=1:88:e9:fe:6e:97:9d comment="Thomas MBP" \
    mac-address=88:E9:FE:6E:97:9D server=defconf
add address=192.168.2.128 comment="MBR 65 TV" mac-address=34:51:80:C8:BB:2C \
    server=defconf
add address=192.168.2.200 client-id=1:0:4:20:f9:31:d2 comment="Harmony Hub" \
    mac-address=00:04:20:F9:31:D2 server=defconf
add address=192.168.2.114 client-id=1:46:b4:96:5e:1a:1b mac-address=\
    46:B4:96:5E:1A:1B server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.2 gateway=\
    192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes cache-max-ttl=6w cache-size=65536KiB servers=\
    1.1.1.1
/ip dns static
add address=192.168.2.2 name=212.local
add address=10.10.100.1 name=212.10.10.100.1.local
/ip firewall address-list
add address=xxxx.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=Authorized
add address=10.10.100.0/24 list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" log=yes \
    protocol=icmp
add action=accept chain=input comment="Loopback allow" disabled=yes \
    dst-address=127.0.0.1 log=yes
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51820 protocol=udp
add action=accept chain=input comment="Allow incoming WG connections" \
    dst-port=51200 protocol=udp
add action=accept chain=input comment="Allow Authorized" src-address-list=\
    Authorized
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.2.0/24 in-interface=212-Wireguard
add action=accept chain=forward comment="Allow all traffic out WG iface" \
    out-interface=212-Wireguard
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin" disabled=yes dst-address-list=dynamic-WANIP \
    log=yes new-connection-mark="Hairpin NAT" passthrough=yes src-address=\
    192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT" dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address-list=dynamic-WANIP dst-port=8123 \
    protocol=tcp to-addresses=192.168.2.176
add action=dst-nat chain=dstnat disabled=yes dst-port=51833 protocol=udp \
    to-addresses=192.168.2.50
/ip route
add comment=371 disabled=no distance=1 dst-address=192.168.88.0/24 gateway=\
    212-Wireguard routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=355 disabled=no distance=1 dst-address=192.168.0.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add comment=255 disabled=no distance=1 dst-address=192.168.1.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=212-Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=629 disabled=no distance=1 dst-address=192.168.20.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=192.168.2.8 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add comment=76 disabled=no distance=1 dst-address=192.168.30.0/24 gateway=\
    212-Wireguard pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=America/New_York
/system identity
set name=212Hex
/system logging
add disabled=yes topics=wireguard
add topics=interface
add action=echo disabled=yes topics=wireguard
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=104.16.132.229
/system scheduler
add interval=1d name=Daily on-event=dyndns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/18/2022 start-time=02:00:00
add disabled=yes interval=10m name=Route355255371 on-event=\
    "355 255 371 route status" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/24/2022 start-time=04:42:54
add interval=4d name=export-download on-event=export-download policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/14/2022 start-time=04:47:33
add interval=5m name="355 255 371 629 Route Status" on-event=\
    "355 255 371 629 Route Status" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/23/2023 start-time=16:22:48
add interval=1d name=schedule1 on-event=DynDNS policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/11/2023 start-time=06:02:20
add interval=10m name=WG-iface-restart on-event=WG-iface-restart policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/13/2023 start-time=06:41:55

The hEX at 10.10.100.2 is:


# mar/18/2023 06:44:31 by RouterOS 7.8rc3
# software id = 9QHQ-45Y2
#
# model = RB750Gr3
# serial number = CC315
/interface bridge
add admin-mac=DC:2C:6E:E1:65:A7 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether3 ] comment="AP 192.168.88.100"
set [ find default-name=ether4 ] comment="AP 192.168.88.252"
set [ find default-name=ether5 ] comment="2 CAMERAS .40 .41"
/interface wireguard
add listen-port=52820 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=4w2d name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=16384
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wireguard1 list=LAN
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=10.10.100.1/32,192.168.2.0/24 comment=212 \
    endpoint-address=xxxx.dyndns.org endpoint-port=51820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "xx2xXrW4Ds="
add allowed-address=10.10.100.4/32,192.168.1.0/24 comment=255 disabled=yes \
    endpoint-address=xxxx.dyndns.org endpoint-port=54820 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "GrHYCxxxxtk8VjkxVU="
add allowed-address=10.10.100.3/32,192.168.0.0/24,192.168.5.0/24 comment=355 \
    disabled=yes endpoint-address=xxxx.dyndns.org endpoint-port=53820 \
    interface=wireguard1 persistent-keepalive=40s public-key=\
    "4HxxxxxP086UhjwU="
add allowed-address=10.10.90.0/24,192.168.88.0/24 comment=\
    "WG client on BI PC" endpoint-port=51820 interface=wireguard1 public-key=\
    "R5SjZuxxxxx0jt9TV4="
add allowed-address=10.10.100.8/32 comment=Laptop interface=wireguard1 \
    public-key="DcxxxQqFSxc="
add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment=\
    "355 hEX UDM " endpoint-address=xxxx.dyndns.org endpoint-port=51833 \
    interface=wireguard1 persistent-keepalive=40s public-key=\
    "Q8CxxxLZq3g="
add allowed-address=10.10.100.60/32,192.168.1.0/24 comment="255 hEX" \
    endpoint-address=xxxxx.dyndns.org endpoint-port=51835 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "6E3qxxxWPK0PMwbRc="
add allowed-address=192.168.30.0/24,10.10.100.30/32 comment=76 \
    endpoint-address=xxxx.dyndns.org endpoint-port=51830 interface=\
    wireguard1 persistent-keepalive=40s public-key=\
    "EJuxxxscNgUic="
add allowed-address=10.10.100.12/32,192.168.20.0/24 comment=371 \
    endpoint-address=xxx.dyndns.org endpoint-port=51821 interface=wireguard1 \
    persistent-keepalive=40s public-key=\
    "q28Dxxxmg9oG4CfXo="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=10.10.100.2/24 interface=wireguard1 network=10.10.100.0
add address=192.168.1.1/24 disabled=yes interface=bridge network=192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1d
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.251 mac-address=38:C8:04:2C:0F:4A server=defconf
add address=192.168.88.242 client-id=ff:32:80:3:ba:0:3:0:1:44:61:32:80:3:ba \
    mac-address=44:xxx3:BA server=defconf
add address=192.168.88.241 client-id=ff:32:98:52:cc:0:3:0:1:44:61:32:98:52:cc \
    mac-address=44:xxxx2:CC server=defconf
add address=192.168.88.207 client-id=1:98:cd:ac:b1:2b:6c mac-address=\
    98:CD:AC:B1:2B:6C server=defconf
add address=192.168.88.246 client-id=1:98:f4:ab:25:e2:2c mac-address=\
    98:F4:AB:25:E2:2C server=defconf
add address=192.168.88.247 mac-address=D4:AB:CD:90:23:10 server=defconf
add address=192.168.88.100 client-id=1:24:5a:4c:91:8b:c5 mac-address=\
    24:5A:4C:91:8B:C5 server=defconf
add address=192.168.88.252 client-id=1:74:ac:b9:20:9d:a1 mac-address=\
    74:AC:B9:20:9D:A1 server=defconf
add address=192.168.88.249 mac-address=D4:AB:CD:C0:DF:A3 server=defconf
add address=192.168.88.244 client-id=1:40:f5:20:6f:d9:88 mac-address=\
    40:F5:20:6F:D9:88 server=defconf
add address=192.168.88.245 client-id=1:40:f5:20:88:66:84 mac-address=\
    40:F5:20:88:66:84 server=defconf
add address=192.168.88.239 client-id=ff:32:73:e5:ff:0:3:0:1:44:61:32:73:e5:ff \
    mac-address=44:61:32:73:E5:FF server=defconf
add address=192.168.88.248 client-id=1:80:7d:3a:f:ea:b5 mac-address=\
    80:7D:3A:0F:EA:B5 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.4.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=371.local
add address=10.10.100.2 name=371.10.10.100.2.local
/ip firewall address-list
add address=xxxx.dyndns.org list=mtdale
add address=xxxx.dyndns.org list=212
add address=subnet_1 list=external-access
add address=subnet_2 list=external-access
add address=subnet_XX list=external-access
add address=10.0.100.5 list=external-access
add address=10.0.100.6 list=external-access
add address=IP-local-admin-destkop list=authorized
add address=IP-local-admin-laptop list=authorized
add address=xxxx.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=admin
add address=10.10.100.0/24 list=admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=52820 protocol=udp
add action=accept chain=input comment="REMOVE\?" src-address-list=212
add action=accept chain=input src-address-list=admin
add action=accept chain=input comment="Alow wireguard to router" \
    in-interface=wireguard1
add action=drop chain=input
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allow wireguard to subnet" \
    in-interface=wireguard1
add action=accept chain=forward in-interface=wireguard1 protocol=udp
add action=accept chain=forward comment="Allow WG to subnet" dst-address=\
    192.168.1.0/24 in-interface=wireguard1
add action=accept chain=forward comment="Allow wireguard to subnet" \
    dst-address=192.168.88.0/24 in-interface=wireguard1
add action=accept chain=forward comment="Allow subnet to enter WG" \
    out-interface=wireguard1
add action=drop chain=forward comment="Drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=9000,8080,554,1935,8035 \
    in-interface=wireguard1 log=yes protocol=tcp to-addresses=192.168.88.35
add action=dst-nat chain=dstnat dst-port=9000,8080,554,1935,8035 protocol=tcp \
    src-address-list=212 to-addresses=192.168.88.35
add action=dst-nat chain=dstnat comment=cam dst-port=8080,9000,554,1935,8035 \
    protocol=tcp src-address-list=mtdale to-addresses=192.168.88.35
/ip route
add disabled=no distance=1 dst-address=192.168.2.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.0.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=wireguard1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.30.0/24 gateway=wireguard1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.20.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
/ip ssh
set forwarding-enabled=both
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN

HEX212: The only two things noted on 212 are below, so I don't really see a showstopper here…

(1) Your laptop etc. is missing the persistent-keepalive setting on the peer for 212.

(2) Why do you have keepalive set on the hEX for all the client peers that are routers, except the one discussed at (2)? It's the client devices which require persistent-keepalive, on their peer setting for the hEX!!


OTHER ROUTER 100.2 Found it…

(3) THE PEER SETTINGS OF THE CLIENT FOR WIREGUARD MUST BE THE SUBNET!! aka 10.10.100.0/24

Think about it…
Allowed IP is there for two reasons:
a. allow traffic with a destination of that IP (the router matches on the destination and looks for the peer entry with the same IP, so that outbound traffic is sent to the right peer).
b. allow incoming traffic with that source IP (the router filters incoming traffic before allowing it to exit the tunnel).

You had it right for your peer to be matched on outbound for any of the wireguard IP addresses of the other routers, so that part was good.
However the other routers would not accept (they filter out) any wireguard IP address that was not the hEX one on the inbound.
So you cut off your own nose LOL.

I am very confused as to why your hex 210 is set up as though it was the server and not the hex212???
Are all the wireguard clients connecting to the 212 or the 210??
210 should only have one peer, and that to 212??

Lets say for example…
212 was the main WIREGUARD SERVER for clients A,B,C,D,E with A being 210.

I think it may be possible using the same wireguard structure for
210 to be the Wireguard SERVER For clients F,G,H,I,J for example.
all using the 10.10.100.0 subnet.

If this is the case, then on hex 210 only the peer setting for 212 would require the 10.10.100.0/24 client peer setting.
The rest of the peer settings would be /32, as the 210 would be acting as server for the initial handshake.
In this regard, on your laptop you could connect to 212, get routed over to 210 and actually access the router at J.

All to say need more clarity on your setup to get the proper context.
SO COME CLEAN on what the heck you are doing with 210 ???

++++++++++++++++++
other stuff

Note: why is client BI PC given an allowed IP of 10.10.90.0/24 whereas the rest are /32???

Why two rules that don't really do anything productive in terms of indicating what particular traffic flow is permitted?
The second rule is nonsensical and will never be seen anyway!
add action=accept chain=forward comment="Allow wireguard to subnet" \
    in-interface=wireguard1
add action=accept chain=forward in-interface=wireguard1 protocol=udp
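The two allowed-ips rules from (3) above, replayed as an added Python model. This is not code from the thread or from RouterOS; it keeps one prefix table per interface, as WireGuard does (a prefix belongs to exactly one peer, longest prefix wins on the way out, and an incoming packet is kept only if its source maps back to the peer that decrypted it), and walks a laptop packet through 212 to 371 first with the posted 10.10.100.1/32 and then with 10.10.100.0/24. Peer names are the comments from the posted configs, keys are omitted, and the 192.168.88.40 camera address is a made-up destination.

```python
"""WireGuard cryptokey routing (allowed-ips) modelled in Python.

Added example for this thread; not from the original posts or from RouterOS.
Peer tables are reduced copies of the posted configs (keys omitted).
"""
from ipaddress import ip_address, ip_network


class WgInterface:
    """One WireGuard interface: a single prefix table shared by all its peers."""

    def __init__(self, name, address):
        self.name = name
        self.address = ip_address(address)
        self.table = {}  # network -> peer name; one owner per prefix, last add wins

    def add_peer(self, name, allowed):
        # wg semantics: a prefix belongs to exactly one peer on the interface, so
        # listing it under a second peer silently takes it away from the first.
        for a in allowed:
            self.table[ip_network(a, strict=False)] = name
        return self

    def peer_for(self, ip):
        """Rule a (outbound): the peer owning the longest prefix that contains ip."""
        ip = ip_address(ip)
        hits = [(net.prefixlen, peer) for net, peer in self.table.items() if ip in net]
        return max(hits)[1] if hits else None

    def accepts_from(self, peer, src):
        """Rule b (inbound): a decrypted packet is kept only if src maps back to
        the peer whose key decrypted it; otherwise the interface drops it."""
        return self.peer_for(src) == peer


def build_hub():
    """212-Wireguard as posted: /32 for each peer's tunnel IP plus its LAN(s)."""
    hub = WgInterface("212-Wireguard", "10.10.100.1")
    hub.add_peer("JRS Laptop", ["10.10.100.8/32"])
    hub.add_peer("JRS Laptop 201", ["10.10.100.201/32"])
    hub.add_peer("371", ["10.10.100.2/32", "192.168.88.0/24"])
    hub.add_peer("629", ["10.10.100.12/32", "192.168.20.0/24"])
    hub.add_peer("355", ["10.10.100.50/32", "192.168.0.0/24", "192.168.5.0/24"])
    return hub


def build_spoke(hub_tunnel_prefix):
    """wireguard1 at 371; hub_tunnel_prefix is what 371 allows for peer 212."""
    spoke = WgInterface("wireguard1", "10.10.100.2")
    spoke.add_peer("212", [hub_tunnel_prefix, "192.168.2.0/24"])
    spoke.add_peer("Laptop", ["10.10.100.8/32"])  # also a direct peer of 371, as posted
    return spoke


def relay(hub, spoke, entry_peer, src, dst):
    """Walk one packet entry_peer -> hub -> spoke; return (status, detail)."""
    if not hub.accepts_from(entry_peer, src):
        return "hub-drop-src", f"{src} is not owned by {entry_peer} on {hub.name}"
    nxt = hub.peer_for(dst)
    if nxt is None:
        return "hub-no-route", f"no peer on {hub.name} owns {dst}"
    # The hub forwards the plain packet into the tunnel to `nxt`; the spoke
    # decrypts it with 212's key and applies rule b to the ORIGINAL source.
    if not spoke.accepts_from("212", src):
        return "spoke-drop-src", f"{nxt} dropped it: {src} is not owned by peer 212"
    return "delivered", f"via {nxt}"


def demo():
    hub = build_hub()
    posted = build_spoke("10.10.100.1/32")  # what 371 had: only the hub's own IP
    fixed = build_spoke("10.10.100.0/24")   # the fix: the whole tunnel subnet
    return {
        "as_posted": relay(hub, posted, "JRS Laptop 201", "10.10.100.201", "10.10.100.2"),
        "fixed": relay(hub, fixed, "JRS Laptop 201", "10.10.100.201", "10.10.100.2"),
        "fixed_lan": relay(hub, fixed, "JRS Laptop 201", "10.10.100.201", "192.168.88.40"),
        # A /32 direct peer still wins the longest match at 371, so a packet from
        # 10.10.100.8 that arrives via 212 is dropped there even after the fix.
        "direct_peer_wins": relay(hub, fixed, "JRS Laptop", "10.10.100.8", "10.10.100.2"),
    }


def overlap_demo():
    """Two peers on one interface both listing 10.10.100.0/24: the prefix ends up
    owned by whichever peer was added last, and the first peer loses it."""
    w = WgInterface("test", "10.10.100.1")
    w.add_peer("A", ["10.10.100.0/24"]).add_peer("B", ["10.10.100.0/24"])
    return w.peer_for("10.10.100.77"), w.accepts_from("A", "10.10.100.77")


if __name__ == "__main__":
    for case, (status, detail) in demo().items():
        print(f"{case:17} {status:15} {detail}")
    print("overlap:", overlap_demo())
```

The `overlap_demo` function answers the later question in this thread about giving several peers the same 10.10.100.0/24: on one interface the prefix can only point at one peer, so the last peer configured with it takes it over and the others stop matching. On the spoke that means only the peer for the hub should carry the /24; every peer that connects to the spoke directly keeps a /32, and the longest /32 still wins for that peer's own address.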

  1. The reason I took out the persistent is because I was tired of seeing the repeating packets from 127.0.0.1 that Wireguard generates when there is a peer with a persistent time set and no endpoint.

  2. I have been trying, unsuccessfully, for hours to get the relay to work.

I’ve tried 10.10.100.0/24, 10.10.100./24 in the peer configs.

Maybe there is a routing interaction between the multiple peers?

For example, if multiple peers have 10.10.100.0/24 in their allowed-ips, does that confuse the routing?

The terminology is challenging also: my understanding is that WG has Servers and Peers, and there is only a very subtle difference between Server and Peer, possibly that difference being which device initiates the connection.

Where do “clients” fit in?

Regardless, it’s frustrating.

To be clear:

212hEX should be the relay server (the WG that everything connects to).

201 is my laptop

10.10.100.30 is a peer of 212 hex

10.10.100.2 is a peer of 212hex

If 212 is the only main server for handshakes, I pointed out why it's not working and the fixes.
Ensure you do them and post again for any additional refinements…

I'm sorry but I don't understand your instructions.

Mind the quotes, the second one comes before the first but you need the answer on the first before we move to the other one.


There is no confusion: ONLY peers on Wireguard.
For simplicity reasons most refer to SERVER (the "hub" or relay) and CLIENTS (the "spokes").
The difference is only defined by which peer acts as relay for all the others. Usually that's the one having a fixed IP (or a dynamic IP using DDNS).


Not for the clients since they all need to go to the server first (aka hub or relay, if you want). If however you do not want peers to communicate between each other, only use ip address of the “server” as allowed address.
On the “server” you need to specify the endpoint address of the peer as allowed address (and other subnets, if applicable).


At the end of the spokes :sunglasses:

And you really should keep persistent keep-alive active on the ‘clients’.
Not on ‘the server’ (it knows where it is since it has a reachable IP)

I got it working.

I am well aware that people far smarter and with far greater expertise have cumulatively written millions of words describing how this works and how to set it up. But, if you’re dense like me, perhaps this will help.

Some clarification (or added confusion) for the future frustrated among us:

Wireguard uses only “peers.” No “servers,” “clients,” “hubs,” “spokes,” or “relays.”

However, using these terms (consistently, and after understanding the strictly ‘peer’ nature of WG) can be helpful when planning, designing and implementing WG.

For example, I have 6 locations that are connected with WG tunnels. In its simplest form, each location is a peer to 5 other locations. If one location goes down or suffers from my inquisitiveness of 'seeing what this config change will do', then only that one location suffers the fate (unavailability). Similarly, if I play with a peer setting at that location (as opposed to the WG interface setting), then the connection between that location and the location of the peer setting I played with suffers the consequences.

At each location, WG is running on a Mikrotik device. I am intentionally not calling it a server to keep with the peer-only terminology.

I will call the WG running on the MT device the WG Interface. That way, we can describe the configuration of, for example, the WG Interface at location X. Or, we can describe the peers settings at location X that connect to peer Y.

I found myself travelling (physically not at any of the 6 locations) with a Windows laptop and internet access. I have the WG Windows app installed and wanted access to all 6 locations.

I accomplished this (with a great deal of help from the great people here), by creating a single WG tunnel between the laptop and a single location (we will call location 212).

The Windows WG config connects to location 212 and looks like this:


[Interface]
PrivateKey = kIxxxxxxxxxxxxUs=
ListenPort = 58820
Address = 10.10.100.100/24
DNS = 10.10.100.1

[Peer]
PublicKey = xxxxxxxxxxxxxxs=
AllowedIPs = 10.10.100.0/24, 192.168.0.0/16
Endpoint = <private>.dyndns.org:51820

At location 212, the following is the relevant config from RouterOS. It establishes the WG Interface named “212-Wireguard” and identifies peers: The Windows Laptop and the 5 other locations. In allowed-ips the config uses a /32 for the IP address of the WG interface at the laptop and peers, and a /24 for the subnets at those peers.

/interface wireguard
add listen-port=51820 mtu=1420 name=212-Wireguard

/interface wireguard peers

add allowed-address=10.10.100.100/32 comment="JRS Laptop 201" endpoint-port=58820 interface=212-Wireguard public-key=\
    "+3uxxxxxxc="

add allowed-address=10.10.100.2/32,192.168.88.0/24 comment="371;   192.168.88.1" endpoint-address=xxxxx.dyndns.org \
    endpoint-port=52820 interface=212-Wireguard persistent-keepalive=40s public-key=\
    "zoxxxxxxxxI="

add allowed-address=10.10.100.12/32,192.168.20.0/24 comment="629;   192.168.20.1" endpoint-address=xxxxx.dyndns.org \
    endpoint-port=51821 interface=212-Wireguard persistent-keepalive=40s public-key=\
    "q2xxxxxxXo="

add allowed-address=10.10.100.50/32,192.168.0.0/24,192.168.5.0/24 comment="355 Hex for behind UDM;  192.168.2.5" \
    endpoint-address=xxxx.dyndns.org endpoint-port=51833 interface=212-Wireguard persistent-keepalive=40s public-key=\
    "Q8xxxx3g="

add allowed-address=10.10.100.60/32,192.168.1.0/24 comment="255 hEX behind UDM;  192.168.0.11" endpoint-address=\
    xxxxx.dyndns.org endpoint-port=51835 interface=212-Wireguard persistent-keepalive=40s public-key=\
    "6Exxxxxxxx"

add allowed-address=10.10.100.30/32,192.168.30.0/24 comment="76;   192.168.30.1" endpoint-address=xxxxx.dyndns.org \
    endpoint-port=51830 interface=212-Wireguard persistent-keepalive=40s public-key=\
    "EJxxxxxxxic="

Here is the config showing the WG info from location 371 with only the peer config to location 212. Note the peer allowed-ips uses a /24 for the WG Interface IP of the peer (212), as well as a /24 for the peer’s LAN.

/interface wireguard

add listen-port=52820 mtu=1420 name=wireguard1

/interface wireguard peers

add allowed-address=10.10.100.0/24,192.168.2.0/24 comment=212 endpoint-address=xxxxx.dyndns.org endpoint-port=51820 interface=\
    wireguard1 persistent-keepalive=40s public-key="xxxxxxxxxs="

With this configuration, the tunnel between the laptop and 212 provides full access to the LANs at 212 as well as at 371.

I am not sure, but I think this retains the peer-to-peer tunnels between all locations and allows 212 to act as a relay.

When I tried to change the config on the laptop to allowed-ips = 0.0.0.0/0 to route all traffic through the tunnel to 212, connections to other peers broke. I tried using preup and predown scripts to add/remove routing, but couldn’t get it to fully work. Not sure why.

I hope this is correct and helpful.

If not, please let me know.

If you want I can be pretty dense too.
To the point that nobody understands anything anymore except me :laughing:

I can understand your confusion though, since regardless of the fact that it’s only peers, it’s a lot more understandable when using those other terms (which I will not repeat here to keep it clear).

“The Windows WG config”
You don’t need listen port there. It’s your laptop which will reach out to the endpoint:port address.

Similar on the peer section definition on 212: endpoint-port does not need to be specified. 212 is not reaching out for the peers. The peers will come in and thus 212 will figure out what to use.
Yes ?

A drawing with the setup, where each subnet is used and where allowed addresses are being set might make things clearer.
I am not seeing it right away but the fact the setup breaks when you add 0.0.0.0/0 indicates there is somewhere an overlap.

LOL! I have come to appreciate (and be challenged by) the reality that much of my days are filled with knowing so very much and being surrounded by people who apparently know so very little; and then poking around into an unfamiliar area (RouterOS, Wireguard, for 2 examples) and the roles are reversed.

Great point on the listen port on the Windows laptop WG.

Not sure about the 212 endpoint-port not being needed: I want to keep the tunnels between 212 and the other 5 locations up and running, so maybe 212 needs to reach out?

I totally suck at drawing. How about this:

(screenshot attachment: Screenshot 2023-03-19 063922.jpg, showing the setup table)
WRT 0.0.0.0/0 – the WG app adds a second default route to Windows and I’m wondering if that creates a situation where some packets are routed out the WG tunnel and some not.

(screenshot attachment: Screenshot 2023-03-19 064357.jpg, showing the Windows routing table)

The keepalive will keep the connection alive, as its name indicates.

Typically this is not needed on the peer having the static IP (or DDNS with some scripting).
For all other peers it is advised to have it set (unless you’re fine with disruptions when their local IP changes for some reason, typically the case with cell phones moving around)

I seem to miss the part with allowed addresses in your table ?
That route for 0.0.0.0 has a metric of 0 so it should get priority. But where does 10.10.100.8 come from ? It has not been mentioned before ?

I, too, am puzzled by the 0 metric not working.

I think Windows has a problem with 2 default (0.0.0.0/0) routes, even with different metrics.

WRT 10.10.100.8: I have a separate peer config in the WG windows app where I was trying to get 0.0.0.0 routing to work:

[Interface]
PrivateKey = sMqlw=
ListenPort = 58820
Address = 10.10.100.8/24
DNS = 1.1.1.1
PostUp = powershell -command "$wgInterface = Get-NetAdapter -Name 212-all-traffic; route add 0.0.0.0 mask 0.0.0.0 0.0.0.0 IF $wgInterface.ifIndex metric 35"
PreDown = powershell -command "$wgInterface = Get-NetAdapter -Name 212-all-traffic; route delete 0.0.0.0 mask 0.0.0.0 0.0.0.0 if $wgInterface.ifIndex metric 35"

[Peer]
PublicKey = xxs=
AllowedIPs = 0.0.0.0/0
Endpoint = xxxx.dyndns.org:51820

And the peer settings on 212 for 10.10.100.8 are:

add allowed-address=10.10.100.8/32 comment="JRS Laptop" endpoint-port=58820 interface=212-Wireguard public-key=\
    "b9xxxxxx8="

But I’ve tried all sorts of configs, as well as removing the 0.0.0.0/0 default route via 172.x.x.x

I’m happy to add the allowed-IPs to the table, but not sure which set of allowed-IPs would be useful? The allowed-IPs of peers connecting to them? Each one is the WG interface IP with a /32 and the local lan ip with a /24.

Drop listen port on windows config and peer config for laptop.
Drop up and down scripts, not needed.

Then post config again.

Windows config:

[Interface]
PrivateKey = sMxxxxw=
Address = 10.10.100.8/32
DNS = 1.1.1.1

[Peer]
PublicKey = xxxxxxx4Ds=
AllowedIPs = 10.10.100.0/24, 192.168.0.0/16
Endpoint = xxx.dyndns.org:51820

212 peer config for windows WG:

/interface wireguard peers
add allowed-address=10.10.100.8/32 comment="JRS Laptop" interface=212-Wireguard public-key=\
    "b9xxxx8="

Tried with windows wg config:

AllowedIPs = 10.10.100.0/24, 192.168.0.0/16

And with:

AllowedIPs = 0.0.0.0/0

And with:

AllowedIPs = 0.0.0.0/1, 128.0.0.0/1 (when I uncheck “block untunneled traffic”)

And with scripts and "table = off" added back (both 0.0.0.0/0 and 0.0.0.0/1, 128.0.0.0/1)

Still no good.

It’s simple.
At the initial connection, the handshake is between one client and one server.
In your case you have many clients and thus each will undergo an initial handshake with 212.

You ONLY have peer to peer networks between each client and the Server. There is no direct peer to peer connection between any of the clients.
We use the SERVER to act as a relay between clients. So in effect client A connects to Server thru their peer to peer connection, and traffic exits tunnel. Then traffic is considered local (like LAN) on the server peer and if it needs to go to client B, then it enters the peer to peer network between server and client B. AND SO ON.

The fact that they are all peers simply means two way traffic is possible and the traffic is between two entities at a time. Peer just means the other side of the tunnel!!!

Consistent application of logic and the rules works every time.

Client peers all should have persistent-keepalive SET (on their single peer); the Server has none set on its peer or peerS if multiple.

Client peers have 0/24 set for allowed addresses of the wireguard address structure for TWO REASONS
a. allowing user to access other clients if necessary as in your case!
b. allowing other clients to access your device ( normal for routers that are clients not servers ) as in your case!

Peer settings found on the Server Device are defined to the single IP of the client /32 for each client peer.


When you select 0.0.0.0/0 on a client device (phone, laptop) one no longer needs wireguard or particular subnets to be identified as the ZEROs entry covers all IPs!!
This is quite normally seen because its the setting required to access the internet at the other end of the connection!!.

When you select 0.0.0.0/0 on a SERVER device for one of its client peers, then you are asking for trouble.
This is clear if you actually understand how wireguard works.

  • a user puts in a destination IP ( or one has come over from another client peer )
  • in other words we now have traffic on the Server device either locally or that has come in from another peer and is now considered local that has a destination address for one of the other client devices connected to the server.
  • The router searches for that destination IP address in all the wireguard peers IN ORDER!!, as soon as it finds 0.0.0.0/0 the router will stop looking and state it has found a match for the destination and will associate the request with that specific Peer. Firewall rules permitting, and routes existing, the traffic will then enter the wireguard tunnel and wireguard routing will ensure the traffic goes out to that identified PEER.

IF in order, the peer with 0.0.0.0/0 is first on the router config, the rest of the client peers WILL NEVER get any traffic!!!

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Attempt to review your work with the above information, make necessary changes.

Post the latest configs of the routers you are not having success on including 212 for review. You should be close
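Added example, not code from any post in this thread. It serves two passages: the relay layout described in the long post near the top (212 holds a /32 for each spoke's tunnel address plus that spoke's LAN /24; each spoke holds 212's peer entry with the whole 10.10.100.0/24 tunnel subnet and 212's LAN), and the peer-selection explanation in the post just above. The script models WireGuard's cryptokey routing: on egress a packet is sent to the peer whose AllowedIPs contain the destination with the longest prefix (peer order in the config does not matter), and on ingress a decrypted packet is dropped unless its source address lies inside the AllowedIPs of the peer it came from. Node names, tunnel addresses and LAN prefixes are taken from the configs posted above (laptop 10.10.100.100, 212 with LAN 192.168.2.0/24, 371 at 10.10.100.2 with LAN 192.168.88.0/24, 629 at 10.10.100.12); the extra "phone" peer with 0.0.0.0/0 on 212 is a hypothetical added here. The Windows routing table, NAT and firewall rules are out of scope.

```python
"""Cryptokey-routing model of the hub-and-spoke WireGuard layout in this thread.

Constructed example; names and prefixes come from the posted configs, the
"phone" peer is hypothetical. Only AllowedIPs decisions are modelled.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Table = Dict[str, List[Net]]  # peer name -> that peer's AllowedIPs


def net(text: str) -> Net:
    # strict=False masks host bits, so "10.10.100.1/24" becomes 10.10.100.0/24,
    # which is how such an allowed-address entry behaves.
    return ipaddress.ip_network(text, strict=False)


def build_nodes(spoke_hub_allowed: List[str]) -> Dict[str, Table]:
    """Peer tables per node; spoke_hub_allowed is 371's entry for peer 212."""
    return {
        "laptop": {"212": [net("10.10.100.0/24"), net("192.168.0.0/16")]},
        "212": {
            "laptop": [net("10.10.100.100/32")],
            "371": [net("10.10.100.2/32"), net("192.168.88.0/24")],
            "629": [net("10.10.100.12/32"), net("192.168.20.0/24")],
        },
        "371": {"212": [net(p) for p in spoke_hub_allowed]},
    }


# Addresses each node answers for itself (tunnel IP and LAN); ends a trace.
LOCAL: Table = {
    "laptop": [net("10.10.100.100/32")],
    "212": [net("10.10.100.1/32"), net("192.168.2.0/24")],
    "371": [net("10.10.100.2/32"), net("192.168.88.0/24")],
}


def select_peer(table: Table, dst: str) -> Optional[str]:
    """Egress: the peer whose AllowedIPs match dst with the longest prefix.
    Order of peers is irrelevant; None means no tunnel carries dst."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for peer, prefixes in table.items():
        for prefix in prefixes:
            if addr in prefix and prefix.prefixlen > best_len:
                best, best_len = peer, prefix.prefixlen
    return best


def accept_from(table: Table, peer: str, src: str) -> bool:
    """Ingress: drop unless src is inside the AllowedIPs of the sending peer."""
    addr = ipaddress.ip_address(src)
    return any(addr in prefix for prefix in table[peer])


def deliver(nodes: Dict[str, Table], start: str, src: str, dst: str,
            max_hops: int = 4) -> Tuple[bool, List[str]]:
    """Forward one packet hop by hop; returns (delivered, trace)."""
    addr = ipaddress.ip_address(dst)
    here, trace = start, [start]
    for _ in range(max_hops):
        if any(addr in prefix for prefix in LOCAL[here]):
            return True, trace
        nxt = select_peer(nodes[here], dst)
        if nxt is None:
            return False, trace + ["no-peer"]
        if not accept_from(nodes[nxt], here, src):
            return False, trace + [f"{nxt}:dropped-src"]
        here = nxt
        trace.append(here)
    return False, trace + ["hop-limit"]


def round_trip(spoke_hub_allowed: List[str]) -> Tuple[bool, List[str], List[str]]:
    """Laptop -> 371's tunnel address via 212, and the reply back."""
    nodes = build_nodes(spoke_hub_allowed)
    fwd, out = deliver(nodes, "laptop", "10.10.100.100", "10.10.100.2")
    rev, back = deliver(nodes, "371", "10.10.100.2", "10.10.100.100")
    return fwd and rev, out, back


def hub_with_default_peer() -> Tuple[Optional[str], Optional[str]]:
    """Hypothetical: 212 also has a peer 'phone' with AllowedIPs 0.0.0.0/0.
    Longest prefix still wins, so 10.10.100.2 goes to 371; only addresses no
    other peer claims (8.8.8.8 here) fall through to the 0.0.0.0/0 peer."""
    hub = dict(build_nodes(["10.10.100.0/24"])["212"])
    hub["phone"] = [net("0.0.0.0/0")]
    return select_peer(hub, "10.10.100.2"), select_peer(hub, "8.8.8.8")


if __name__ == "__main__":
    print(round_trip(["10.10.100.1/32", "192.168.2.0/24"]))  # spoke too narrow
    print(round_trip(["10.10.100.1/24", "192.168.2.0/24"]))  # as in the thread
    print(hub_with_default_peer())
```

With 212's entry on the spoke limited to 10.10.100.1/32, the laptop's packet reaches 212, is handed to the 371 tunnel, and is then dropped on ingress at 371 because its source 10.10.100.100 is outside that entry; the reply cannot even leave 371, since no peer claims 10.10.100.100. Widening the entry to 10.10.100.1/24 (masked to 10.10.100.0/24) makes both directions complete, which is the fix reported later in the thread. The last call shows that a 0.0.0.0/0 entry on the hub does not take traffic already claimed by a more specific /32; it only receives destinations no other peer covers.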

Client peers have 0/24 set for allowed addresses of the wireguard address structure for TWO REASONS
a. allowing user to access other clients if necessary as in your case!
b. allowing other clients to access your device ( normal for routers that are clients not servers ) as in your case!

Peer settings found on the Server Device are defined to the single IP of the client /32 for each client peer.

I can’t make this work.

I don’t know what “client peers” or “server” means in your post. The language is just not working here. That’s why I wrote my post above: To clarify the language so we can communicate.

Each WG device I have has an interface and peers set up for all the other locations.

I just can’t get it to work so I can have a single tunnel from the laptop to 212 that provides access to the other locations.

Your 212 Hex is considered your server.
All the rest are client peers.

From client side server is a peer, from server side peer is client that connects to it. You need to distinguish client from server peer configuration somehow in language even if in wireguard configuration terminology “Peer” is configuration name for both sides but setting parameters differs.

I was hoping for…
Got it all working now I want to expand my wireguard network such that client devices on Server Router 212 are A, B, C, D, E, where E is router 312

  • where E is going to act as a Server going to the following peers, Server for clients M, N, O, P

  • TWO relay points LOL, get a daisychain going.

  • All on the same wireguard subnet.

  • Where 212 and 312 are both server and client to each other, in other words either device can receive or initiate the tunnel from the other.

But alas, it appears not.
Other than teamviewer into your config and doing it for you, there is not much more I can do.

Perhaps by studying the following
https://www.procustodibus.com/blog/2021/12/wireguard-e2ee-hub-and-spoke/
You may get some ideas how to properly implement your objectives …

I think I got it working. By “working” I mean the following:

  1. All 6 WG devices have a WG interface and all 5 peers configured in its “Peers” tab, so there is a tunnel between any 2 locations (I believe there are 15 combinations of 2 in a group of 6)
  2. Each of the 6 WG devices have a single IP address associated with it in the 10.10.100.x/32 single-ip-block
  3. WG at 212 location is my designated “server” or “hub”
  4. Laptop and iphone connect via their WG apps to the 212 location
  5. Tunnels between 212 and other 5 locations pass traffic on the LAN subnets (192.168.x.x) of all of each other’s locations
  6. It seems the key to getting this to work is to configure the 212 peer entry in the other 5 WG devices to include 212’s 10.10.100.1 address with a /24. All other peers have their 10.10.100.x IP addresses with a /32.

It is clear to me that using words alone makes communicating about how to configure WG extremely difficult. I am including screen shots of the config. I know an exported config is generally far more useful (and I’d be happy to post them), but I think screen shots communicate things easily.

Peer 10.10.100.1 is 212.

(screenshot attachments: peers of 1 and 12.JPG, peers of 60 and 30.JPG, peers of 50 and 2.JPG)

Here’s is the config on the iphone:

[Interface]
PrivateKey = oCxxxxxxxI=
Address = 10.10.100.9/24
DNS = 10.10.100.1

[Peer]
PublicKey = xx2xxxxxxs=
AllowedIPs = 10.10.100.1/24, 192.168.0.0/16
Endpoint = xxxxx.dyndns.org:51820
PersistentKeepalive = 40

Finally, ping confirmation on the iphone:

(screenshot attachment: Screenshot 2023-03-19 at 9.14.24 PM.jpg, ping results from the iphone)

I’m not even trying any longer to route all laptop/iphone traffic through the tunnel.

So where are my errors?

Thank you.