Wireguard routing through Endpoint

Hello!

RouterOS Beta 7.1RC3

The idea: route everything (Internet access) through WireGuard connection

The setup:

WireGuard server on Linux machine with INTERNET IP + WG0 INTERFACE (REMOTE)
Mikrotik acting as WireGuard client (wireguard1 interface) and connecting to WireGuard server (Endpoint set) (LOCAL)

On LOCAL, I have enabled allowed IP to be 0.0.0.0/0
On REMOTE I have enabled forwarding and other rules, so packets go as intended

Pings from LOCAL to REMOTE are OK
Pings from REMOTE to LOCAL are OK

The problem: I can’t ping anything outside, for example 1.1.1.1 from LOCAL via wireguard1 interface

The strange part: I can see in Torch and in tcpdump that the packets flow properly, so I get a return packet for ICMP on the MikroTik side with DST: MikroTik IP and SRC: 1.1.1.1, but the ping is not working (timeout). I can see these packets in prerouting (raw + mangle), but it seems they are lost after that. For me, it seems like a bug in WireGuard filtering or something like that.

The funny part: same setup but with routing from REMOTE via LOCAL to internet — works as intended.

Is the set-up like this?

LAN → MT router → WG tunnel → VPS → Internet, where the MT router is doing the PAT towards the Internet?

Or

LAN → MT router → WG tunnel → VPS → Internet, where the VPS is doing the PAT towards the Internet?

(PAT: port address translation, a.k.a. firewall mangle rules.)

UPD: Fixed in 7.0 RC4!!! Everything works from Router and from LAN

Now I need to figure out how to route packets with Routing Mark

If I add a route in routing rules, it works flawlessly

If I add a routing mark, it doesn’t

The “strange” part: I can see the incoming packet with the right SRC/DST, but it’s not routed further when mark-routing is used

If policy routing is enabled, I get the same packets and everything works as intended

It seems that when I set up a routing mark, packets arrive but never leave the router, and even the router can’t see them (same situation as with the WireGuard packets in RC3)
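For reference, here is a RouterOS 7 configuration for the setup discussed in this thread, written as an added example rather than taken from any post above: the WireGuard client with allowed-address 0.0.0.0/0, a dedicated routing table, and the two ways of steering LAN traffic into it (routing rule versus mangle routing mark). All addresses, the table name via-wg, the bridge name, keys and ports are assumed placeholders, and it assumes the MT router (not the VPS) does the source NAT.

```routeros
# Added example (not from the thread): RouterOS 7 config for the
# LAN -> MT router -> WG tunnel -> VPS -> Internet setup.
# Assumed values: tunnel 10.0.0.0/24 (router 10.0.0.2, VPS 10.0.0.1),
# LAN 192.168.88.0/24 on bridge1, ISP gateway 203.0.113.1,
# VPS public address 198.51.100.10; keys and ports are placeholders.

/interface/wireguard add name=wireguard1 listen-port=13231 \
    private-key="<ROUTER-PRIVATE-KEY>"
/interface/wireguard/peers add interface=wireguard1 \
    public-key="<VPS-PUBLIC-KEY>" endpoint-address=198.51.100.10 \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip/address add address=10.0.0.2/24 interface=wireguard1

# Dedicated routing table whose only default route points into the tunnel.
/routing/table add name=via-wg fib
/ip/route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=via-wg
# Keep the tunnel endpoint itself on the ISP path so the tunnel can never
# be routed into itself.
/ip/route add dst-address=198.51.100.10/32 gateway=203.0.113.1

# Variant A (the one the poster reports working): a routing rule picks
# the table for LAN sources before any firewall processing happens.
/routing/rule add src-address=192.168.88.0/24 \
    action=lookup-only-in-table table=via-wg

# Variant B (the one the poster reports failing): the same selection done
# with a mangle routing mark. Enable one variant or the other, not both.
#/ip/firewall/mangle add chain=prerouting src-address=192.168.88.0/24 \
#    action=mark-routing new-routing-mark=via-wg passthrough=no

# Hide LAN sources behind the tunnel address; without this the VPS would
# need its own return route for 192.168.88.0/24.
/ip/firewall/nat add chain=srcnat out-interface=wireguard1 action=masquerade

# Checks: the table must show the tunnel default route, and a ping sourced
# from the LAN address must leave via wireguard1.
/ip/route print where routing-table=via-wg
/ping 1.1.1.1 src-address=192.168.88.1
```

If Variant B is in use, the mangle counters and a Torch on wireguard1 together show whether marked packets are reaching the tunnel at all, which separates a mark-routing problem from a NAT or return-route problem on the VPS.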