Wireguard Road Warrior Setup. Problems with iPhone Connection

I am attempting to set up a road-warrior WireGuard connection to my router, for the purpose of protecting my traffic on insecure public networks and using my home-network pi-hole. I appear to have the connection working for a Windows laptop client connecting from another Wi-Fi network. For an iPhone client, I consistently complete the initial handshake, but I get no traffic to or from the internet. The handshake is verified by seeing the last-handshake time update on the router.

The strange thing is that on at least three occasions the traffic was routed fine for several hours before it failed and reverted to the same state: the handshake completes, but no traffic is routed.

My set-up includes 2.4 and 5 GHz Wi-Fi with a guest network. I have Ethernet port 5 set up as a guest port isolated from the network. I have pi-hole and WireGuard running on a separate server, but would like to get WireGuard running within the MikroTik. The firewall rules include entries to isolate the WireGuard clients too, but it does not work with those turned off either.

Please let me know if you see something I have missed to allow Wireguard traffic to reach the internet.

Config file is below

# OP's RouterOS export (7.22.1). Identifiers below were redacted by the poster.
#2026-06-02 20:33:37 by RouterOS 7.22.1
#software id = 9Z5S-7ZSD
#model = E62iUGS-2axD5axT
#serial number = \[REDACTED\]
/interface bridge
# Single LAN bridge; ports are attached further down under /interface bridge port.
add admin-mac=\[REDACTED\] auto-mac=no comment=defconf name=bridge
/interface wifi
# Main 2.4 GHz SSID: WPA2/WPA3-PSK with 802.11r fast transition (.ft, .ft-over-ds).
set \[ find default-name=wifi1 \] channel.band=2ghz-ax .skip-dfs-channels=
10min-cac .width=20mhz configuration.mode=ap .ssid=\[REDACTED\] disabled=no 
name=wifi2g security.authentication-types=wpa2-psk,wpa3-psk .ft=yes 
.ft-over-ds=yes
# 2.4 GHz guest SSID: a slave of wifi2g with client isolation, no FT.
add configuration.mode=ap .ssid=\[REDACTED\] datapath.client-isolation=yes 
disabled=no mac-address=\[REDACTED\] master-interface=wifi2g name=
wifi2g-guest security.authentication-types=wpa2-psk,wpa3-psk
# Main 5 GHz SSID, restricted to 5170-5250 MHz with DFS channels skipped.
set \[ find default-name=wifi2 \] channel.band=5ghz-ax .frequency=5170-5250 
.skip-dfs-channels=all .width=20/40/80mhz configuration.mode=ap .ssid=
\[REDACTED\] disabled=no name=wifi5g security.authentication-types=
wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# 5 GHz guest SSID: a slave of wifi5g with client isolation.
add configuration.mode=ap .ssid=\[REDACTED\] datapath.client-isolation=yes 
disabled=no mac-address=\[REDACTED\] master-interface=wifi5g name=
wifi5g-guest security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
# The road-warrior tunnel. listen-port must match the "Accept Wireguard
# Handshake" input rule and the endpoint-port on every peer (all 49876 here).
add listen-port=49876 mtu=1420 name=wg1
/interface list
# Interface lists drive the firewall: LAN is what the input chain trusts
# ("drop all not coming from LAN"); GUEST is used by the isolation rules.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GUEST
/ip pool
# One pool per segment: .88 trusted LAN, .99/.98 guest SSIDs, .97 guest ether5.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.254
add name=dhcp_pool2 ranges=192.168.98.2-192.168.98.254
add name=dhcp_pool3 ranges=192.168.97.2-192.168.97.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=wifi2g-guest name=dhcp1
add address-pool=dhcp_pool2 interface=wifi5g-guest name=dhcp2
add address-pool=dhcp_pool3 interface=ether5 name=dhcp3 use-reconfigure=yes
/disk settings
# NOTE(review): automatic media and SMB sharing is enabled on the bridge.
# Whether a disk is attached is not visible in this export; if none is, this
# is inert, but on a VPN-terminating router it is safer to disable it explicitly.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
# Trusted ports: ether2-ether4, sfp1 and both main SSIDs. ether1 (WAN), ether5
# (guest port) and the guest SSIDs are deliberately left off the bridge.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wifi2g
add bridge=bridge comment=defconf interface=wifi5g
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
# IPv6 is disabled globally, so the /ipv6 firewall rules later in this export
# are never evaluated.
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# wg1 is a LAN member: tunnel clients get the same input-chain access to router
# services as wired LAN hosts, and the LAN->WAN forward rule covers them.
# The wg1-specific forward drops further down narrow LAN<->wg1 again.
add interface=wg1 list=LAN
add interface=wifi2g-guest list=GUEST
add interface=wifi5g-guest list=GUEST
add interface=ether5 list=GUEST
/interface wireguard peers
# BUG (confirmed by the replies below): every peer has
# allowed-address=192.168.77.1/24. allowed-address is WireGuard's cryptokey
# routing table: it selects which peer receives packets for a destination and
# which source addresses are accepted from that peer. A prefix can belong to
# only one peer, so the whole /24 ends up on the peer that was added or edited
# last, and return traffic for every other client is sent to that peer.
# Fix: one /32 per peer matching its client-address
# (192.168.77.3/32, .4/32, .5/32, .6/32, .7/32).
# The client-* fields are used by RouterOS only when it generates the client
# configuration / QR code; they do not affect routing on the router.
# client-allowed-address=0.0.0.0/0 makes each client a full tunnel and
# client-dns=192.168.88.4 sends its DNS to the pi-hole through the tunnel,
# which the "Allow wireguard to reach DNS" forward rules permit.
add allowed-address=192.168.77.1/24 client-address=192.168.77.3/32 
client-allowed-address=0.0.0.0/0 client-dns=192.168.88.4 client-endpoint=
\[REDACTED\] comment="\[REDACTED\]" endpoint-port=49876 
interface=wg1 name=User1 public-key=
"\[REDACTED\]"
add allowed-address=192.168.77.1/24 client-address=192.168.77.4/32 
client-allowed-address=0.0.0.0/0 client-dns=192.168.88.4 client-endpoint=
\[REDACTED\] comment="\[REDACTED\]" endpoint-port=49876 
interface=wg1 name=User2 public-key=
"\[REDACTED\]"
add allowed-address=192.168.77.1/24 client-address=192.168.77.5/32 
client-allowed-address=0.0.0.0/0 client-dns=192.168.88.4 client-endpoint=
\[REDACTED\] comment="\[REDACTED\]" endpoint-port=49876 
interface=wg1 name=User3 public-key=
"\[REDACTED\]"
add allowed-address=192.168.77.1/24 client-address=192.168.77.6/32 
client-allowed-address=0.0.0.0/0 client-dns=192.168.88.4 client-endpoint=
\[REDACTED\] comment="\[REDACTED\]" endpoint-port=49876 
interface=wg1 name=User4 public-key=
"\[REDACTED\]"
add allowed-address=192.168.77.1/24 client-address=192.168.77.7/32 
client-allowed-address=0.0.0.0/0 client-dns=192.168.88.4 client-endpoint=
\[REDACTED\] comment="\[REDACTED\]" endpoint-port=49876 
interface=wg1 name=User5 public-key=
"\[REDACTED\]"
/ip address
# One /24 per segment. 192.168.77.1/24 on wg1 is the router's tunnel-side
# address; it is the same prefix the peers' allowed-address wrongly covers.
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.98.1/24 interface=wifi5g-guest network=192.168.98.0
add address=192.168.99.1/24 interface=wifi2g-guest network=192.168.99.0
add address=192.168.77.1/24 comment=Wireguard1 interface=wg1 network=
192.168.77.0
add address=192.168.97.1/24 comment="LAN Guest" interface=ether5 network=
192.168.97.0
/ip cloud
# MikroTik cloud DDNS; presumably the (redacted) client-endpoint on the peers
# is this hostname.
set ddns-enabled=yes update-time=no
/ip dhcp-client
# WAN address via DHCP; the ISP's DNS and NTP are ignored on purpose.
add comment=defconf interface=ether1 name=client1 use-peer-dns=no 
use-peer-ntp=no
/ip dhcp-server lease
# Static lease pinning the pi-hole to 192.168.88.4 so every dns-server=
# reference in this export stays valid.
add address=192.168.88.4 client-id=\[REDACTED\] mac-address=
\[REDACTED\] server=defconf
/ip dhcp-server network
# Every segment hands out the pi-hole as DNS, so GUEST and wg1 clients depend
# on the forward-chain rules that let them reach 192.168.88.4:53.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.4 gateway=
192.168.88.1
add address=192.168.97.0/24 comment="LAN Guest" dns-server=192.168.88.4 
gateway=192.168.97.1
add address=192.168.98.0/24 dns-server=192.168.88.4 gateway=192.168.98.1
add address=192.168.99.0/24 dns-server=192.168.88.4 gateway=192.168.99.1
/ip dns
# The router's own resolver forwards to the pi-hole. allow-remote-requests=yes
# is only reachable from LAN-list interfaces (bridge, wg1) because the input
# chain drops everything else, so it is not an open resolver towards the WAN.
# GUEST interfaces are not in LAN and are pointed at the pi-hole directly.
set allow-remote-requests=yes servers=192.168.88.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
# Input chain (traffic addressed to the router itself).
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
# NOTE(review): the default ICMP accept is disabled. That hides the router from
# ping on the WAN, but it also drops ICMP errors addressed to the router's own
# connections (e.g. fragmentation-needed for the WireGuard UDP transport) and
# removes ping/traceroute as troubleshooting tools. Re-enabling it is the
# usual advice (see anav's reply below).
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes 
protocol=icmp
# WireGuard listener. Not limited to in-interface-list=WAN, which is harmless
# because LAN is accepted by the next rule anyway; the iPhone handshakes do
# arrive, so this rule is working.
add action=accept chain=input comment="Accept Wireguard Handshake" dst-port=
49876 protocol=udp
# Everything else to the router must come from a LAN-list interface
# (bridge or wg1); GUEST and WAN are dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" 
in-interface-list=!LAN
# Forward chain (traffic through the router).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" 
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
# Guest and wg1 clients may reach the pi-hole on port 53 only. These accepts
# sit before the isolation drops below, so rule order matters.
add action=accept chain=forward comment="Allow Guest to reach DNS" 
dst-address=192.168.88.4 dst-port=53 in-interface-list=GUEST protocol=udp
add action=accept chain=forward comment="Allow Guest to reach DNS" 
dst-address=192.168.88.4 dst-port=53 in-interface-list=GUEST protocol=tcp
add action=accept chain=forward comment="Allow wireguard to reach DNS" 
dst-address=192.168.88.4 dst-port=53 in-interface=wg1 protocol=udp
add action=accept chain=forward comment="Allow Wireguard to reach DNS" 
dst-address=192.168.88.4 dst-port=53 in-interface=wg1 protocol=tcp
# NOTE(review): redundant - wg1 is a member of LAN, so the next rule already
# accepts wg1->WAN.
add action=accept chain=forward in-interface=wg1 out-interface-list=WAN
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
# Isolation: guest->bridge and wg1<->bridge are dropped.
# NOTE(review): there is no final "drop everything else" rule; the last rule
# only covers un-NATed traffic from WAN. Anything not matched above is
# accepted by default, which includes guest-to-guest traffic between
# wifi2g-guest, wifi5g-guest and ether5, and guest<->wg1 traffic. Add a final
# forward drop once the accept rules are complete.
add action=drop chain=forward comment="Drop guest to LAN" in-interface-list=
GUEST out-interface=bridge
add action=drop chain=forward comment="Drop Wireguard to LAN" in-interface=
wg1 out-interface=bridge
add action=drop chain=forward comment="Drop LAN to Wireguard" in-interface=
bridge out-interface=wg1
# NOTE(review): "drop invalid" sits after several accept rules here; in the
# default config (compare the IPv6 chain below) it directly follows the
# established/related accept, so invalid packets are dropped before any
# accept can match them.
add action=drop chain=forward comment="defconf: drop invalid" 
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat 
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" 
ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): exposes UDP/47111 on the WAN and forwards it to the pi-hole
# host (the old WireGuard server on the pi). Besides udp/49876 this is the only
# inbound WAN exposure in the export; the OP says further down it will be
# removed now that WireGuard runs on the router.
add action=dst-nat chain=dstnat comment="PiServer VPN" dst-port=47111 
in-interface=ether1 protocol=udp to-addresses=192.168.88.4 to-ports=47111
# Stock RouterOS IPv6 firewall. IPv6 is disabled under /ipv6 settings, so none
# of this is evaluated; anav's reply below suggests collapsing it to two drop
# rules so it cannot silently become live if IPv6 is re-enabled later.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" 
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
# Note the default ordering here: fasttrack, accept established, drop invalid.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" 
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" 
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" 
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system ntp client
set enabled=yes
/system ntp server
# The NTP server is reachable only from LAN-list interfaces because of the
# input-chain drop; GUEST clients cannot use it.
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool mac-server
# MAC-telnet and MAC-winbox are limited to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The allowed-address values of all your WireGuard peers are wrong. Currently they are all set to allowed-address=192.168.77.1/24, which means WireGuard will work for only one of the peers.

When multiple peers are assigned to the same WireGuard interface (wg1 in your configuration), the address ranges in their allowed-address fields cannot overlap: allowed-address is WireGuard's routing table, mapping each destination address to exactly one peer (and it is also the set of source addresses the router accepts from that peer).

All of the peers have allowed-address=192.168.77.1/24, which means all peers say: "Hey I am responsible for the destination 192.168.77.1/24, if anything is sent to any addresses between 192.168.77.1 and 192.168.77.254, use me!".

One of the peers will catch all packets addressed to those 254 addresses, and the other peers receive nothing. WireGuard only works for one peer, in practice the one whose peer entry was added or edited most recently – which is why the tunnel appeared to work for a while and then stopped after another client was added.

The fix is to edit allowed-address on all peers and use for each of them only its single /32 address, not the /24. For example, the first peer should have allowed-address=192.168.77.3/32, the second peer allowed-address=192.168.77.4/32, etc. (matching what you currently have in the client-address field of each peer).

Those /32 ranges are distinct and do not overlap. The first peer will then only be responsible for the single destination 192.168.77.3, and not for 192.168.77.4, for example.

  1. I find the fact that you are overlapping subnets on wifi very disconcerting/confusing.
    You give the bridge a subnet and the WLANs their own subnets, but then for some reason you put the (guest) WLANs on the bridge???

  2. Either use VLANs to separate subnets, or simply remove the (guest) WLANs from the bridge; they are on their own port, so to speak. I do note that wifi1 is trusted and part of the bridge subnet!
    You are missing the trusted wifi1 (wifi2g) on the bridge???

  3. If not using IPv6 then disable it in settings (good, done!), but also remove the associated leftovers (address lists and firewall rules), leaving only the following two rules:
    add chain=input action=drop
    add chain=forward action=drop

    1. Simplify firewall rules
  4. Fix interface list, simplify and make efficient

    1. WireGuard: remove all the client-* settings, at least from the config we see, as they make it very confusing; those settings only describe the client side of the tunnel for the router to generate the client configuration.

    2. Will assume your wireguard users are all trusted.

    3. Disabling ICMP on the input chain can actually interfere with traffic flow (for example path-MTU discovery for the router's own connections) and with any debugging you need to do (ping, traceroute).

    4. If you are forcing all users through the Pi-hole for DNS, you create loopholes: users can still query remote DNS servers directly, and all users can reach services on the router itself, including its DNS resolver. Remove the static DNS setting, and allow only the Pi-hole server out to the internet for DNS via the router.

    5. It is also confusing why you are allowing the entire internet to reach your pi-server; DST-NAT RULE REMOVED, and rules added to ensure all users go through the Pi-hole for DNS. Edit: okay, you were using it as some sort of VPN; still removed, as you now have WireGuard to access the router securely and can thus reach the pi-server securely.

    # anav's proposed rewrite starts here. X/Y/Z and "ADD as required" are
    # placeholders to be filled with the static-lease addresses of the admin hosts.
    # NOTE(review): the path is "/ip firewall address-list" (the "ip" is missing),
    # the "{ ... }" lines are prose, and the comment values with spaces on the
    # first two entries need quotes (compare the third entry).
    /firewall address-list { set static IPs on dhcp leases }
    add address=192.168.88.X/32 list=Authorized comment=adminPC on trusted network
    add address=192.168.88.Y/32 list=Authorized comment=adminwifi on trusted network
    add address=192.168.77.Z/32 list=Authorized comment="admin on wireguard"
    { ADD as required}
    ++++++++++++++++++++
    # EXEMPT = hosts that must NOT have their DNS redirected (the pi-hole itself).
    add address=192.168.88.4/32 list=EXEMPT comment="pi-hole server"
    { ADD as required }
    /interface bridge
    add admin-mac=\[REDACTED\] auto-mac=no comment=defconf name=bridge
    /interface wifi
    # Wi-Fi section unchanged from the OP's export.
    set \[ find default-name=wifi1 \] channel.band=2ghz-ax .skip-dfs-channels=
    10min-cac .width=20mhz configuration.mode=ap .ssid=\[REDACTED\] disabled=no
    name=wifi2g security.authentication-types=wpa2-psk,wpa3-psk .ft=yes
    .ft-over-ds=yes
    add configuration.mode=ap .ssid=\[REDACTED\] datapath.client-isolation=yes
    disabled=no mac-address=\[REDACTED\] master-interface=wifi2g name=
    wifi2g-guest security.authentication-types=wpa2-psk,wpa3-psk
    set \[ find default-name=wifi2 \] channel.band=5ghz-ax .frequency=5170-5250
    .skip-dfs-channels=all .width=20/40/80mhz configuration.mode=ap .ssid=
    \[REDACTED\] disabled=no name=wifi5g security.authentication-types=
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
    add configuration.mode=ap .ssid=\[REDACTED\] datapath.client-isolation=yes
    disabled=no mac-address=\[REDACTED\] master-interface=wifi5g name=
    wifi5g-guest security.authentication-types=wpa2-psk,wpa3-psk
    /interface wireguard
    add listen-port=49876 mtu=1420 name=wg1
    /interface list
    # GUEST is replaced by TRUSTED: LAN now means "every internal interface", and
    # TRUSTED marks the interfaces from which router management is allowed.
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    add name=TRUSTED
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254 comment="bridge & wifi2g"
    add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.254 comment="wifi2-g"
    add name=dhcp_pool2 ranges=192.168.98.2-192.168.98.254 comment="wifi5-g"
    add name=dhcp_pool3 ranges=192.168.97.2-192.168.97.254 comment="ether5"
    /ip dhcp-server
    add address-pool=default-dhcp interface=bridge name=defconf
    add address-pool=dhcp_pool1 interface=wifi2g-guest name=dhcp1
    add address-pool=dhcp_pool2 interface=wifi5g-guest name=dhcp2
    add address-pool=dhcp_pool3 interface=ether5 name=dhcp3 use-reconfigure=yes
    /disk settings
    set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
    /interface bridge port
    # NOTE(review): wifi5g is no longer a bridge port here, and nothing later in
    # this proposal gives wifi5g an /ip address or a DHCP server, so clients on
    # the main 5 GHz SSID would be left without addressing. The OP's export
    # already had both wifi2g and wifi5g on the bridge; keep both.
    add bridge=bridge comment=defconf interface=ether2
    add bridge=bridge comment=defconf interface=ether3
    add bridge=bridge comment=defconf interface=ether4
    add bridge=bridge comment=defconf interface=sfp1
    add bridge=bridge interface=wifi2g
    /ip neighbor discovery-settings
    set discover-interface-list=TRUSTED
    /ipv6 settings
    set disable-ipv6=yes
    /interface list member
    # The guest interfaces join LAN so a single LAN->WAN forward rule serves
    # everyone; isolation is then enforced by the final forward "drop all else".
    # TRUSTED (bridge + wg1) gates the admin-access input rule.
    add comment=defconf interface=ether1 list=WAN
    add comment=defconf interface=bridge list=LAN
    add interface=wifi2g-guest list=LAN
    add interface=wifi5g-guest list=LAN
    add interface=ether5 list=LAN
    add interface=wg1 list=LAN
    add interface=bridge list=TRUSTED
    add interface=wg1 list=TRUSTED
    /interface wireguard peers
    # The actual fix: one non-overlapping /32 per peer. The client-* template
    # fields were dropped here; they are harmless and only needed if you still
    # want the router to generate the client configuration / QR code.
    add allowed-address=192.168.77.3/32 interface=wg1 name=User1 public-key=
    "\[REDACTED\]"
    add allowed-address=192.168.77.4/32 interface=wg1 name=User2 public-key=
    "\[REDACTED\]"
    add allowed-address=192.168.77.5/32 interface=wg1 name=User3 public-key=
    "\[REDACTED\]"
    add allowed-address=192.168.77.6/32 interface=wg1 name=User4 public-key=
    "\[REDACTED\]"
    add allowed-address=192.168.77.7/32 interface=wg1 name=User5 public-key=
    "\[REDACTED\]"
    /ip address
    add address=192.168.88.1/24 comment=defconf interface=bridge network=
    192.168.88.0
    add address=192.168.98.1/24 interface=wifi5g-guest network=192.168.98.0
    add address=192.168.99.1/24 interface=wifi2g-guest network=192.168.99.0
    add address=192.168.77.1/24 comment=Wireguard1 interface=wg1 network=
    192.168.77.0
    add address=192.168.97.1/24 comment="LAN Guest" interface=ether5 network=
    192.168.97.0
    /ip cloud
    set ddns-enabled=yes update-time=no
    /ip dhcp-client
    add comment=defconf interface=ether1 name=client1 use-peer-dns=no
    use-peer-ntp=no
    /ip dhcp-server lease
    add address=192.168.88.4 client-id=\[REDACTED\] mac-address=
    \[REDACTED\] server=defconf
    /ip dhcp-server network
    # Bridge clients are now given the router (192.168.88.1) as DNS while the
    # guest segments still get the pi-hole directly; bridge clients only end up
    # at the pi-hole because of the dst-nat redirect rules further down.
    add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
    192.168.88.1
    add address=192.168.97.0/24 comment="LAN Guest" dns-server=192.168.88.4
    gateway=192.168.97.1
    add address=192.168.98.0/24 dns-server=192.168.88.4 gateway=192.168.98.1
    add address=192.168.99.0/24 dns-server=192.168.88.4 gateway=192.168.99.1
    /ip dns
    # NOTE(review): not valid RouterOS syntax ("add ... set", "requets"); it
    # should read:  set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
    # With this the router's own resolver bypasses the pi-hole, which is why the
    # pi-hole host is on EXEMPT and every other LAN client is redirected by NAT.
    add allow-remote-requets=yes set servers=1.1.1.1,8.8.8.8
    /ip firewall filter
    # Input chain: conntrack fast path, ICMP, loopback, WireGuard listener,
    # management from Authorized hosts on TRUSTED interfaces, then drop.
    add action=accept chain=input connection-state=established,related,untracked
    add action=drop chain=input connection-state=invalid
    add action=accept chain=input protocol=icmp
    # NOTE(review): dst-address is given twice, 172.0.0.1 looks like a typo for
    # 127.0.0.1, and "interface=" is not a filter matcher. Presumably intended:
    #   add action=accept chain=input in-interface=lo
    add action=accept chain=input dst-address=127.0.0.1 dst-address=172.0.0.1 interface=lo
    add action=accept chain=input comment="Accept Wireguard Handshake" dst-port=
    49876 protocol=udp
    # Management only from Authorized addresses arriving on a TRUSTED interface.
    # Populate the list (static leases) and test from one of those hosts BEFORE
    # adding the final drop, or you lock yourself out; use RouterOS safe mode.
    add action=accept chain=input in-interface-list=TRUSTED src-address-list=Authorized \
    comment="admin access to router"
    # Final input drop. It also blocks LAN clients from the router's resolver
    # (bridge DHCP hands out 192.168.88.1 as DNS) unless the dst-nat rules below
    # move those queries to the pi-hole, and from the NTP server enabled later.
    add action=drop chain=input comment="drop all else"
    ++++++++++++++++++++++++++++++++++++++++++++
    # Forward chain: only LAN->WAN and LAN->pi-hole:53 are accepted. Everything
    # else - guest-to-guest, wg1->bridge and bridge->wg1 - is dropped by the
    # final rule, so WireGuard clients cannot reach LAN hosts. If the OP wants
    # that (the users are trusted), an accept for in-interface=wg1
    # out-interface=bridge must be added before the drop.
    add action=fasttrack-connection chain=forward connection-state=established,related
    add action=accept chain=forward connection-state=established,related,untracked
    add action=drop chain=forward connection-state=invalid
    add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
    add action=accept chain=forward comment="Guests & WG to reach DNS"
    dst-address=192.168.88.4 dst-port=53 in-interface-list=LAN protocol=udp
    add action=accept chain=forward comment="Guests & WG to reach DNS"
    dst-address=192.168.88.4 dst-port=53 in-interface-list=LAN protocol=tcp
    add action=drop chain=forward comment="drop all else"
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade"
    ipsec-policy=out,none out-interface-list=WAN
    # DNS redirect: every LAN-list client except EXEMPT (the pi-hole itself) has
    # its port-53 traffic rewritten to the pi-hole, closing the "use a remote
    # resolver" loophole.
    # NOTE(review): the matcher is src-address-list=!EXEMPT (not
    # "src-address=list="), and the target parameter is to-addresses=.
    # NOTE(review): for bridge clients this is a hairpin: a query to 192.168.88.1
    # is rewritten to 192.168.88.4 on the same subnet, and the pi-hole's reply
    # goes straight back over the bridge without passing the router, so the
    # client likely sees a reply from an unexpected source and discards it.
    # Either add a matching srcnat (masquerade src 192.168.88.0/24 to
    # 192.168.88.4 udp/tcp 53 - at the cost of per-client stats in the pi-hole)
    # or keep handing out 192.168.88.4 directly on the bridge as the OP does.
    add action=dst-nat chain=dstnat comment="redirect" dst-port=53 protocol=udp \
    in-interface-list=LAN src-address=list=!EXEMPT to-address=192.168.88.4
    add action=dst-nat chain=dstnat comment="redirect" dst-port=53 protocol=tcp \
    in-interface-list=LAN src-address=list=!EXEMPT to-address=192.168.88.4
    /ipv6 firewall filter
    # IPv6 is disabled; these two rules are belt-and-braces in case it comes back.
    add action=drop chain=input
    add action=drop chain=forward
    /system clock
    set time-zone-autodetect=no time-zone-name=America/New_York
    /system ntp client
    set enabled=yes
    /system ntp server
    set enabled=yes
    /system ntp client servers
    add address=pool.ntp.org
    /tool mac-server
    # MAC-telnet disabled everywhere; MAC-winbox only on TRUSTED interfaces.
    # Listing wg1 there has no practical effect: it is a Layer-3 tunnel with no
    # MAC address for MAC-winbox to discover.
    set allowed-interface-list=none
    /tool mac-server mac-winbox
    set allowed-interface-list=TRUSTED

Thank you CGGXANNX! That solved my problem. Ended about 3 weeks of on-and-off struggling with it. Thank you also for the great explanation. That answers why it would seem to start working....I would go add another client and then find it would no longer work.

anav,

Thank you for looking at my config file.

1 & 2. I believe I have 4 wireless interfaces defined: wifi2g, wifi5g, wifi2g-guest, and wifi5g-guest. wifi2g and wifi5g are on the bridge, but wifi2g-guest and wifi5g-guest are not. I don't believe I have overlapping subnets. 192.168.88.1/24 is assigned to the bridge. 192.168.98.1/24 and 192.168.99.1/24 are assigned to the two guest networks. 192.168.77.1/24 is used for WireGuard connections. For wifi2g-guest and wifi5g-guest, client isolation is selected. Furthermore, a firewall rule is set up to prevent the GUEST interface list (both guest Wi-Fi interfaces plus the Ethernet 5 port) from reaching the bridge.

  1. Removing the default IPv6 rules and leaving just the two makes sense. Will do.

  2. I see a few rules that were in place to allow my VPN running on the pi-hole server, and some that I added while trying to troubleshoot. I can clean those up now. I'm not sure what you are looking for with the interface list.

  3. I'm confused what you are asking for here. I think the client settings are in there just for generating the QR codes used to create the tunnels on the clients.

  4. All wireguard users are trusted.

  5. ok.

  6. When you say "forcing all users to pi", are you referring to forcing them to it for DNS or for WireGuard? WireGuard on the pi is gone now that it works in RouterOS. I need the pi-hole DNS server's address to be static, right? (That is what the static DHCP lease for 192.168.88.4 in my config does.) Otherwise everything breaks when its IP changes and the router's DHCP server keeps handing out the old pi-hole DNS IP. I see the benefit of restricting the pi-hole's outbound internet traffic to only DNS, but I feel like that will cause me problems when I want to update the pi-hole. Let me know if I've created a vulnerability here somewhere that I don't understand.

  7. The dst-nat rule was there to permit the WireGuard server to run on the pi-server. It will be removed now that I have it working within RouterOS. I plan to add rules allowing only DNS traffic once I make sure the pi-hole is working reliably.

I'm really confused looking through the config file you posted.

Once again, I really appreciate you looking though my config file. If the above explanations don't clear things up, let me know what I still need to look into.

If its working for you ignore my post!