Until there is a clear need for more than one wireguard interface, I would stick to one tunnel.
My amusing friend sindy tends to overcomplicate issues
The reason to go to two separate wireguard interfaces is if one has multiple cases or conflicting cases of 0.0.0.0/0 to deal with.
If you want this mikrotik device to be a wireguard portal to the internet somewhere, i.e. not use the local internet for that traffic (aka for your laptop),
then it's simply a matter of using routes and routing rules OR mangling and routes etc.
It is easy to separate the different subnets on the mikrotik, so that the ones your laptop is not associated with use the regular internet instead of the wireguard tunnel for internet.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let's say the wireguard network looks like such and your router is assigned .2
/ip address
add address=10.20.30.2/24 interface=wireguard-MT network=10.20.30.0
The concept is
/interface wireguard peers
add interface=wireguard-MT allowed-address=0.0.0.0/0 endpoint-address=ServerPublicIP endpoint-port=Server-WG-Port persistent-keepalive=35s public-key="xxxxxx"
Note 1: the public key comes from the Server device.
Note 2: use 0.0.0.0/0 as the allowed address, which allows any address from the local users outbound (aka internet for your laptop) AND any address inbound (will show an example of this as well).
Let's say you have three subnets on the MT router; they could be associated to different ports with no bridge,
or assigned to the bridge as vlans.
/ip address
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0 comment="laptop subnet"
add address=192.168.20.1/24 interface=ether3 network=192.168.20.0
add address=192.168.30.1/24 interface=ether4 network=192.168.30.0
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0 comment="laptop subnet"
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0
Note the laptop network could be on wifi
add address=192.168.10.1/24 interface=wlan2 network=192.168.10.0 comment="laptop subnet"
or on a vlan, same as above.
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0 comment="laptop subnet"
One has a single internet connection set up in IP routes as such
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP-gateway-IP routing-table=main
All traffic will go out this WAN, and then one for wireguard
add dst-address=0.0.0.0/0 gateway=wireguard-MT routing-table=use-WG comment="default via the tunnel interface, not the ISP"
This will only be used by the laptop subnet.
A special table for wireguard
/routing table
add fib name=use-WG
Then one can invoke a routing rule to tie it all together
/routing rule
add src-address=192.168.10.0/24 action=lookup-only-in-table table=use-WG
This basically states FORCE all traffic from that subnet to the route with the assigned special table.
If you need any traffic locally for that subnet (between subnets or to the router), then this allows that to occur and forces all other remaining traffic into the tunnel
/routing rule
add min-prefix=0 action=lookup table=main comment="default route suppressed: only connected/specific routes match, otherwise fall through"
add src-address=192.168.10.0/24 action=lookup-only-in-table table=use-WG comment="laptop subnet: tunnel only, no fallback to ISP"
For firewall rules, nothing needed on input chain YET!!!
On the forward chain, ensure
...
add chain=forward action=accept comment="local internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="laptop internet thru wireguard" src-address=192.168.10.0/24 out-interface=wireguard-MT
add chain=forward action=drop comment="drop all else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
There is a question of whether or not you have to source NAT your wireguard traffic out the door. If you are going to a third-party provider that only expects ONE IP at their end, the clear answer is YES.
However, if you are going to a wireguard device that you have access to and can include the subnet 192.168.10.0/24 as part of the allowed IPs,
AND you can also create a static route at the other end to ensure that any return traffic for 192.168.10.0/24 goes back into the tunnel, then you don't need to source NAT!
However, if you have no control over the other end and wish to keep it simple, then add
/ip firewall nat
add chain=srcnat action=masquerade out-interface=wireguard-MT
Then the other device (server for handshake) will only see your wireguard address and will not require any extra allowed IP entries or an additional route.
+++++++++++++++++++++++++++++++++++++++
Lastly, let's talk about when you are away from your MT router and wish to be able to config that router.
In this case you are NOT connected to the router with your laptop; you are travelling to Canada and wish to access something on your LAN or configure your MT router while travelling.
Then you would need an additional wireguard instance set up on the laptop.
/ip address
add address=10.20.30.50/24 interface=wireguard-MT network=10.20.30.0
There would be an additional client peer setting on the Server device identifying your REMOTE laptop wireguard connection.
On your laptop you would need
/interface wireguard peers
add interface=wireguard-MT allowed-address=0.0.0.0/0 endpoint-address=ServerPublicIP endpoint-port=Server-WG-Port persistent-keepalive=35s public-key="xxxxxx"
On the server device, one would need something similar to this firewall rule
add chain=forward action=accept in-interface=WG-SERVER out-interface=WG-SERVER
This reflects the path of the intended traffic: from the laptop, peer to peer, it ends up on the Server device, and then by the destination address 10.20.30.2 it has to have permission to re-enter the tunnel for the associated peer, the client MT router. This permits access to the MT router.
So in the input chain of the router one would need to have
add chain=input action=accept in-interface=wireguard-MT src-address=10.20.30.50
It is clear here that if you want to reach one of your LAN subnet devices, the Server router would then require a static route for that subnet pointing into the wireguard tunnel AND an entry of the subnet in the allowed addresses setting for the peer client MT router.
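As an added, consolidated example (not from the post above and not a MikroTik-supplied configuration), here is the whole setup in RouterOS 7 export form, client router and server side together, so the pieces can be pasted and compared as one unit. It assumes the interface names used in the post (wireguard-MT on the router, WG-SERVER on the server), vlan10/20/30 as the three LAN subnets, ether1 as the router's WAN with LAN/WAN interface lists, that the server is also RouterOS, the RouterOS default WireGuard port 13231, the documentation address 203.0.113.10 as the server's public IP, and angle-bracket placeholders for keys and the ISP gateway. The established/related accept rules and the server-side masquerade are standard additions the post does not show.

```routeros
# ===== Client MT router (10.20.30.2) =====
/interface wireguard
add name=wireguard-MT listen-port=13231 private-key="<router-private-key>"

/ip address
add address=10.20.30.2/24 interface=wireguard-MT network=10.20.30.0 comment="tunnel address"
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0 comment="laptop subnet - internet via WG"
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0 comment="local ISP internet"
add address=192.168.30.1/24 interface=vlan30 network=192.168.30.0 comment="local ISP internet"

# allowed-address 0.0.0.0/0 lets the tunnel carry any destination out and any source back in
/interface wireguard peers
add interface=wireguard-MT public-key="<server-public-key>" endpoint-address=203.0.113.10 \
    endpoint-port=13231 allowed-address=0.0.0.0/0 persistent-keepalive=35s comment="WG server"

/routing table
add fib name=use-WG

/ip route
add dst-address=0.0.0.0/0 gateway=<ISP-gateway-IP> check-gateway=ping routing-table=main
# gateway is the tunnel interface, so use-WG pushes packets into wireguard-MT, not to the ISP
add dst-address=0.0.0.0/0 gateway=wireguard-MT routing-table=use-WG

# Rule 1: min-prefix=0 suppresses the default route, so only connected/more specific routes
#         in main can match (inter-subnet, to the router); action=lookup falls through otherwise.
# Rule 2: laptop subnet may only use use-WG; lookup-only-in-table means no fallback to the ISP
#         if the tunnel route disappears (fail closed instead of leaking).
/routing rule
add min-prefix=0 action=lookup table=main
add src-address=192.168.10.0/24 action=lookup-only-in-table table=use-WG

/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan10
add list=LAN interface=vlan20
add list=LAN interface=vlan30

/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN
add chain=input action=accept in-interface=wireguard-MT src-address=10.20.30.50 comment="remote laptop admin"
add chain=input action=drop comment="drop all else"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="local internet traffic"
add chain=forward action=accept src-address=192.168.10.0/24 out-interface=wireguard-MT comment="laptop internet thru wireguard"
add chain=forward action=drop comment="drop all else"

# Masquerade into the tunnel so the server only ever sees 10.20.30.2
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
add chain=srcnat action=masquerade out-interface=wireguard-MT

# ===== WG server (10.20.30.1), assumed to be RouterOS as well =====
/interface wireguard
add name=WG-SERVER listen-port=13231 private-key="<server-private-key>"

/ip address
add address=10.20.30.1/24 interface=WG-SERVER network=10.20.30.0

# One peer entry per client; allowed-address is both what the peer may send FROM and
# what the server will route TO that peer through the tunnel
/interface wireguard peers
add interface=WG-SERVER public-key="<router-public-key>" allowed-address=10.20.30.2/32 comment="MT router"
add interface=WG-SERVER public-key="<laptop-public-key>" allowed-address=10.20.30.50/32 comment="remote laptop"

/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 comment="WG handshakes from clients"
add chain=forward action=accept in-interface=WG-SERVER out-interface=WG-SERVER comment="laptop -> MT router hairpin"
add chain=forward action=accept in-interface=WG-SERVER out-interface-list=WAN comment="tunnel clients to internet"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="tunnel clients to the internet"

# Only if the MT router does NOT masquerade into the tunnel and the laptop should reach
# 192.168.10.0/24 directly: widen the router's peer entry and add the return route.
# /interface wireguard peers set [find comment="MT router"] allowed-address=10.20.30.2/32,192.168.10.0/24
# /ip route add dst-address=192.168.10.0/24 gateway=WG-SERVER
```

The two routing rules are order-sensitive: the min-prefix=0 rule must come first, or the laptop subnet would never be able to reach the other vlans or the router itself. To confirm the policy is in effect, a trace from a 192.168.10.0/24 host to a public address should show 10.20.30.1 as the first hop, while a trace from 192.168.20.0/24 should show the ISP gateway.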