Wireguard Site to Site and road warrior combination

Hello,

I have a situation where I will have two offices connected by VPN (WireGuard).

Right now I have one office with a public IP, and 5-6 client PCs at remote locations that are connected to the office by WireGuard. That part is working fine.

But what worries me is that now I will have a second office, connected to the mobile network. I configured a site-to-site VPN for testing between my main office and the remote office, and that worked, but only from PCs that are in the main office.

The first setup was: on the main router there were two wg interfaces, each with its own IP address and a different port. One interface was for clients and the other one for the site-to-site VPN.

Then I tried the following: I deleted the second interface on the main router (the one with the public IP), tried to add the remote router as a client, and added static routes to the main table. Result? The tunnel is established without a problem, but I can ping the main network from the remote network and not vice versa.

My question, until tomorrow when I can post configurations, is: is there any rule on how to solve this?

Today was just an experiment and I was unable to find a solution to this on the internet.

Love to help… fun for me!
BUT…
Need proper set of requirements, don’t want to chase a moving target.
SO

a. list/identify the user(s), or groups of users
b. Detail what traffic flows they should be able to do and not to do
c. include the admin and here you need to specify from where to where for what purpose

Note: C will take the most time,

  • admin at location R1, will that person config R1 from there, R2 from there?
  • admin at location R2, will that person config R1 from there, R2 from there?
  • admin at road warrior location ( what purposes )

NOTE: for users above, detail.
R1 local users needs
R2 local users needs
remote warriors needs…

Assumptions Clear:

  • R1 is the router with a publicly accessible WANIP and thus the server for connection purposes…
  • R2 does not have a public IP and thus cannot act as a server for connection purposes…

https://forum.mikrotik.com/viewtopic.php?t=182340

So, for now I can give you this information until tomorrow, when I will post the R1 and R2 config.

First things first, if someone asks why not simply use WireGuard client software… Well, these devices are not PCs but part of a security system, and they are managed by configuration software via LAN, so my only option is to use a site-to-site VPN.

a. All users on the main network (R1 router) should have access to the remote network (R2 router).
All road warrior users should have access to the remote network (R2 router) via the main network (R1 router), as both the remote network (mobile LTE network) and the road warriors do not have public IPs. (They all need access because technicians need to have remote access in case support is needed.)

b. For now the traffic flow is road warriors to the main network (R1 router) and vice versa, and what is needed is traffic flow from the main network (R1 router) to the remote network (R2 router) (later, when real PCs are installed on the remote network, traffic should go in both directions), and road warriors to the remote network (R2 router).

c. Admin access to the remote router R2 from R1 and from one of the road warriors (Winbox)
No admin access from R2 to R1

If I missed something or if any other information is needed, no problem.

So here is the current setup:

Remote router R2

# jan/11/2023 06:16:58 by RouterOS 7.6
# software id = ---------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
# A newer version of modem firmware is available!
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-8DADB3 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_VPN_STS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr ip-type=ipv4 name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.1/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_VPN_STS public-key=\
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.0.0.6 comment=VPN interface=WG_VPN_STS network=10.0.0.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=VPN dst-port=13231 in-interface=lte1 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WG_VPN_STS \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And main router R1

# jan/11/2023 06:33:00 by RouterOS 7.6
# software id = ---------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/32,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
-------------------------------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment="Winbox VPN config" dst-port=8291 \
    in-interface=WG_VPN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=WG_VPN \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

With this setup I can ping the main network from the remote network but not vice versa.

Public IP, DNS servers, Wireguard ports and public keys are changed.

R2
(1) Allowed IPs…
TO:
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_VPN_STS public-key=\

(2) Input chain: this rule is only required on the server device, for incoming connections, so it can be removed… R2 is only a client…
add action=accept chain=input comment=VPN dst-port=13231 in-interface=lte1 \
    protocol=udp

(3) Firewall input chain rules are lacking… too loose… add!! and in proper order…

TO:
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"

Note: I saw some more input chain rules out of sequence near the end of the rules; they should now be removed, except for the default "drop invalid" rule, which I added to the top set of rules above.

Where the firewall address list Authorized looks something like this:
add IPaddress of local admin on R2 list=Authorized
add IPaddress of remote admin on R1 list=Authorized
add IPaddress of remote admin on wireguard (aka home pc or mobile laptop or iphone, you could have several to add here)


(4) On the forward chain firewall rules, this is where you should define who can access the local subnet…
TO:
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward

That is the starting point, then we need to add rules for wireguard access.
So you have this…
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN

add action=accept chain=forward in-interface=WG_VPN_STS dst-address=192.168.10.0/24 { allows all road warriors and R1 users coming over WG to access the local LAN }
add action=accept chain=forward in-interface=bridge out-interface=WG_VPN_STS { enables pinging currently and future R2 to R1 traffic when permitted at the far side }
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward

++++++++++++++++++++++++++++++++++++++++++++

R1

Firewall rules… Again this is what needs the most work; fixed below… (note: the fasttrack rule in the forward chain comes before the accept established rule)

/ip firewall filter
{ Input Chain }
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

(user rules)
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="drop all else"
{ Forward Chain }
(default rules)
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

(user rules)
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=accept chain=forward in-interface=WG_VPN out-interface=WG_VPN { allows remote warriors to enter R1 (exit tunnel) and then head to R2 (re-enter tunnel) }
add action=accept chain=forward in-interface=WG_VPN src-address-list=Permitted dst-address=192.168.1.0/24 { allows remote warrior users to access the local subnet but not R2 users }
add action=drop chain=forward comment="drop all else"

Note: where firewall address list of Management consists of
add ip address=local admin at R1 list=Management
add ip address=remote admin roadwarrior via WG list=Management

Note: where firewall address list Permitted consists of
add IPaddress 10.0.0.2 list=Permitted
add IPaddress 10.0.0.3 list=Permitted
add IPaddress 10.0.0.4 list=Permitted
add IPaddress 10.0.0.5 list=Permitted

Note: when you decide to allow R2 users to access the R1 local subnet, then you can modify the rule too (and get rid of the authorized list Permitted):
add action=accept chain=forward in-interface=WG_VPN dst-address=192.168.1.0/24
+++++++++++++++++++++++++++++++++++++++++++++++++++++
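To check which of the flows from the requirements list the R1 forward rules above actually pass before committing them, here is an added Python model (not code from the thread or from RouterOS) that walks the proposed chain top to bottom with first-match semantics. Interface lists, the Permitted address list and the rule order are taken from the post (interface name WG_VPN as in the exported config); the sample packets are constructed.

```python
"""First-match walk of the R1 forward chain proposed in the post above.

Added example, not code from the thread or from RouterOS: a small model of how a
RouterOS filter chain is evaluated (top to bottom, first matching rule wins),
applied to the R1 forward rules listed in the post. The packet samples below
are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface lists as configured on R1 (bridge is the LAN, ether1 the WAN).
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}
# Address list "Permitted" from the post: the four road-warrior tunnel addresses.
ADDRESS_LISTS = {"Permitted": [ip_network(a) for a in
                               ("10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5")]}


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    connection_state: str = "new"   # first packet of a flow unless stated otherwise
    connection_nat_state: str = ""  # "dstnat" when a port forward applied


@dataclass
class Rule:
    action: str
    comment: str = ""
    in_interface: str | None = None
    out_interface: str | None = None
    in_interface_list: str | None = None
    out_interface_list: str | None = None
    src_address_list: str | None = None
    dst_address: str | None = None
    connection_state: str | None = None
    connection_nat_state: str | None = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must hold; an unset matcher matches anything."""
        r = self
        return all([
            r.in_interface is None or p.in_iface == r.in_interface,
            r.out_interface is None or p.out_iface == r.out_interface,
            r.in_interface_list is None or p.in_iface in INTERFACE_LISTS[r.in_interface_list],
            r.out_interface_list is None or p.out_iface in INTERFACE_LISTS[r.out_interface_list],
            r.src_address_list is None
            or any(ip_address(p.src) in n for n in ADDRESS_LISTS[r.src_address_list]),
            r.dst_address is None or ip_address(p.dst) in ip_network(r.dst_address),
            r.connection_state is None or p.connection_state in r.connection_state.split(","),
            r.connection_nat_state is None or p.connection_nat_state == r.connection_nat_state,
        ])


# R1 forward chain in the order given in the post. The default state rules come
# first; the first packet of a new connection falls through to the user rules.
R1_FORWARD = [
    Rule("accept", "defconf: accept established,related,untracked",
         connection_state="established,related,untracked"),
    Rule("drop", "defconf: drop invalid", connection_state="invalid"),
    Rule("accept", "allow internet traffic",
         in_interface_list="LAN", out_interface_list="WAN"),
    Rule("accept", "allow port forwarding", connection_nat_state="dstnat"),
    Rule("accept", "road warriors exit the tunnel and re-enter it towards R2",
         in_interface="WG_VPN", out_interface="WG_VPN"),
    Rule("accept", "road warriors (Permitted) to the R1 LAN, but not R2 users",
         in_interface="WG_VPN", src_address_list="Permitted",
         dst_address="192.168.1.0/24"),
    Rule("drop", "drop all else"),
]


def evaluate(chain: list[Rule], p: Packet) -> tuple[str, str]:
    """Return (action, comment) of the first matching rule, as RouterOS does."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.comment
    return "accept", "end of chain"  # RouterOS accepts when nothing matched


# Constructed sample flows, one per traffic flow named in the requirements.
SAMPLE_FLOWS = {
    "road warrior -> R2 LAN": Packet("10.0.0.3", "192.168.10.20", "WG_VPN", "WG_VPN"),
    "road warrior -> R1 LAN": Packet("10.0.0.3", "192.168.1.50", "WG_VPN", "bridge"),
    "R2 user -> R1 LAN": Packet("192.168.10.20", "192.168.1.50", "WG_VPN", "bridge"),
    "R1 LAN -> R2 LAN": Packet("192.168.1.10", "192.168.10.20", "bridge", "WG_VPN"),
    "R1 LAN -> internet": Packet("192.168.1.10", "203.0.113.10", "bridge", "ether1"),
}


def check_all() -> dict[str, str]:
    """Action taken on the first packet of every sample flow."""
    return {name: evaluate(R1_FORWARD, p)[0] for name, p in SAMPLE_FLOWS.items()}
```

Under the rules as listed, a new connection from the R1 LAN into the tunnel (in-interface bridge, out-interface WG_VPN) matches nothing before the final drop, so flow (a), main network to the R2 network, needs its own accept rule if it is wanted.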

Thank you @anav, tomorrow morning I will go through your configuration in peace, make the changes and report back here with the new configuration and results.

As I can see from your post, the only problem is the firewall rules? Or is this just a first step in repairing my configuration :laughing:

Hopefully just FW rules.

We will see tomorrow…

Ok, so I tried to make the changes as you suggested and now I can't ping anything.

Here is new configuration:

R2

# jan/12/2023 06:44:46 by RouterOS 7.6
# software id = ---------
#
# model = RBwAPR-2nD
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface lte
set [ find default-name=lte1 ] allow-roaming=no band=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-8DADB3 wireless-protocol=802.11
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_VPN_STS
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=internet.telemach.hr ip-type=ipv4 name=Telemach \
    use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.0/24,192.168.1.0/24 endpoint-address=172.217.22.14 \
    endpoint-port=13231 interface=WG_VPN_STS public-key=\
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
/ip address
add address=192.168.10.1/24 comment=LAN interface=bridge network=192.168.10.0
add address=10.0.0.6 comment=VPN interface=WG_VPN_STS network=10.0.0.0
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.10.254 comment="Admin on R2" list=Authorized
add address=192.168.1.57 comment="Admin on R1" list=Authorized
add address=10.0.0.3 comment="Admin RW" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=WG_VPN_STS \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system clock
set time-zone-name=Europe/Zagreb
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

R1:

# jan/12/2023 07:06:03 by RouterOS 7.6
# software id = ----------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/32,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
----------------------------------------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.57 list=Management
add address=10.0.0.2 list=Management
add address=10.0.0.3 list=Management
add address=10.0.0.2 list=Permitted
add address=10.0.0.3 list=Permitted
add address=10.0.0.4 list=Permitted
add address=10.0.0.5 list=Permitted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="allows remote warriors to enter R1 (e\
    xit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
    out-interface=WG_VPN
add action=accept chain=forward comment=\
    "allow remote warriors users to access local subnet but not R2 users" \
    dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=drop chain=forward comment="drop all else"
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="Winbox VPN config" disabled=yes \
    dst-port=8291 in-interface=WG_VPN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=192.168.10.0/24 gateway=WG_VPN \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

EDIT:

Road warriors to R1 is working, I just tested it, but R1 and RW to R2 are not working. When I tried to log on to R2 from a RW it says connection refused (MikroTik mobile app).

So R2 is not connected at all via wireguard?
Do you see in a log if R2 hits the Input chain rule on R1?
Do you see any traffic on R1 indicating at least the keep alives from R2?

Lets look at R2.

  1. You have the correct port number for the WG interface, 13231.
  2. Allowed addresses are set correctly to allow any incoming WireGuard ping traffic from R1 or road warriors, and you have allowed any users from R1 and RWs…

I will assume you have not mixed up the keys between the two devices!! I will assume the endpoint address is correct.

  1. The IP address is incorrect. I should have spotted that earlier, but it could make a difference! Since this is a MT device..
    Should be
    add address=10.0.0.6**/24** comment=VPN interface=WG_VPN_STS network=10.0.0.0

  2. The first input chain rule is in the wrong order; it should be first. (You don't need the IPsec forward chain rules, so let's dump those to make the config cleaner; the fasttrack rule should be first in the forward chain; and you didn't remove some of the redundant rules.)
    Out of order in orange and rules to remove in purple.

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
++++++++++++++++++++++++++++++++++
The fasttrack rule should be FIRST in the forward chain (and since we don't need the IPsec rules in your scenario, you can remove them too).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes

++++++++++++++++++++++++++++++++++++++++++++++++++++
This should be the first rule in the input chain!
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward
+++++++++++++++++
Remove these rules
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN

  1. Looking at the allow rules…
    The input chain looks good, with only a few specified users having access to the config.
    The forward chain looks good in that we allow road warriors and R1 users to exit the tunnel and visit the LAN, as well as all bridge users to enter the tunnel.

  2. In terms of routes, the autogenerated route from the IP address will allow all routing of RWs etc., and the extra route for R1 users will allow that return traffic to be handled.

In summary, the minor problems are the firewall and the major problem is probably the IP address, which could affect the auto-created route…
If fixing these problems does not solve it, then the issue is with R1.

R2 looks good; I note that you have the correct order for firewall rules on this router!!!
But you need to get rid of the old rules you stuck at the end…
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=input comment="Winbox VPN config" disabled=yes \
    dst-port=8291 in-interface=WG_VPN protocol=tcp



I would like to add one more user rule that is missing in the forward chain, as shown below in blue… and move the port forwarding rule as well.

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow remote warriors users to access local subnet but not R2 users" \
    dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=accept chain=forward comment="allow R1 users to access tunnel for R2" \
    src-address=192.168.1.0/24 out-interface=WG_VPN

add action=accept chain=forward comment="allows remote warriors to enter R1 (e\
    xit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
    out-interface=WG_VPN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat

So these are R2's new firewall rules; I think this is okay now:

/ip firewall address-list
add address=192.168.10.254 comment="Admin on R2" list=Authorized
add address=192.168.1.57 comment="Admin on R1" list=Authorized
add address=10.0.0.3 comment="Admin RW" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input src-address-list=Authorized
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allows all road warriors and R1 users\
    \_coming over WG to access the local LAN" dst-address=192.168.10.0/24 \
    in-interface=WG_VPN_STS
add action=accept chain=forward comment="enables pinging currently and future \
    R2 to R1 traffic when permitted at the far side" in-interface=bridge \
    out-interface=WG_VPN_STS
add action=accept chain=forward comment="Allow port forwarding " \
    connection-nat-state=dstnat
add action=drop chain=forward

Still nothing

The order is still not correct. What is the first rule of the input chain, for example? And you didn't post a complete config, so I have no idea if you fixed the IP address setting.
Also, you didn't confirm whether on R1 a request to connect from R2 was logged on the input chain rule, etc…

Sorry, I had to go to another location, so I was trying at least to post the firewall rule changes for R2.

Right now I'm at home, so I have access to the R1 router but not R2. I'm not sure how to check if there is a request in the logs; I opened the logs but I can't find anything about WireGuard, only the changes that I made.

I restarted the counters and I can see that nothing related to WireGuard has received or transmitted any packets.

As for the IP address, I changed /32 to /24 and the IP stayed the same, 10.0.0.6.

The first rule on the input chain is accept ICMP.

As stated, this should be the first rule of the input chain on R2:
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked

Try this on R1 to see initial connection requests…
FROM
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp

TO:
add action=log chain=input dst-port=13231 protocol=udp log-prefix="Incoming WG Requests"
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp

Also, post the latest config on R1 please, since that should be accessible. Is it (R1) a static WANIP, or can it change from time to time?
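As an added example (not code from this thread or from MikroTik), here is a small Python script that summarises what the log rule suggested above records, grouped by source address, so that a peer that never sends anything (R2 in this thread) shows up as an explicit absence instead of silence. The log-line layout is the RouterOS 7 firewall log format as I know it; `len` is assumed to be the IP total length; the sample lines, the road-warrior addresses and the placeholder R2 address 198.51.100.7 are all constructed for the example.

```python
"""Summarise RouterOS firewall log lines written by the 'Incoming WG Requests'
log rule, per source address. Added example; the line layout below is the
RouterOS 7 firewall log format as the author of this example knows it, and
'len' is assumed to be the IP total length of the logged packet."""
import re
from collections import Counter, defaultdict

WG_PORT = 13231          # listen-port of WG_VPN on R1, from the posted config
IP_UDP_HEADERS = 28      # 20-byte IPv4 header + 8-byte UDP header, no options

# Constructed sample of '/log print' output (documentation-range addresses).
SAMPLE_LOG = """\
16:40:01 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.10:41234->172.217.22.14:13231, len 176
16:40:35 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.22:51820->172.217.22.14:13231, len 176
16:41:02 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.10:41234->172.217.22.14:13231, len 60
16:41:10 system,info,account user admin logged in from 10.0.0.2 via winbox
16:41:30 firewall,info Incoming WG Requests input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.10:41234->172.217.22.14:9999, len 176
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) firewall,info (?P<prefix>.+?) input: in:(?P<iface>\S+) .*?"
    r"proto UDP, (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), "
    r"len (?P<len>\d+)$"
)

# WireGuard message sizes in bytes of UDP payload, from the protocol spec.
WG_SIZES = {148: "handshake-initiation", 92: "handshake-response",
            64: "cookie-reply", 32: "keepalive"}


def classify(ip_len):
    """Name the WireGuard message type from the logged packet length."""
    payload = ip_len - IP_UDP_HEADERS
    if payload in WG_SIZES:
        return WG_SIZES[payload]
    return "transport" if payload > 32 else "not-wireguard"


def parse_wg_log(text, port=WG_PORT):
    """One dict per log line that records a UDP packet to the WG listen port."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) == port:
            entries.append({"time": m["time"], "src": m["src"],
                            "sport": int(m["sport"]),
                            "kind": classify(int(m["len"]))})
    return entries


def summarize(entries, expected_sources=()):
    """Per-source message counts, plus the expected sources that never appeared."""
    seen = defaultdict(Counter)
    for e in entries:
        seen[e["src"]][e["kind"]] += 1
    return {"seen": {s: dict(c) for s, c in seen.items()},
            "missing": [s for s in expected_sources if s not in seen]}


if __name__ == "__main__":
    R2_PUBLIC_IP = "198.51.100.7"   # placeholder for R2's mobile-network address
    report = summarize(parse_wg_log(SAMPLE_LOG), [R2_PUBLIC_IP])
    for src, kinds in report["seen"].items():
        print(f"{src}: {kinds}")
    for src in report["missing"]:
        print(f"nothing at all from {src}: that peer is not even attempting a handshake")
```

Because the log rule sits after the accept for established/related traffic, only the first packet of each UDP "conversation" reaches it, which is exactly the handshake initiation you want to see; a source that never appears is not being blocked by R1's firewall, it is not sending.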

So this is the latest R1 config, with the changes you suggested:

# jan/12/2023 16:37:04 by RouterOS 7.6
# software id = ---------
#
# model = RB760iGS
# serial number = ------------
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireguard
add comment=Interface_1_S_to_C listen-port=13231 mtu=1420 name=WG_VPN
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.1-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment="----------" interface=WG_VPN \
    public-key="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
add allowed-address=10.0.0.4/32 comment="----------" interface=WG_VPN \
    public-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC="
add allowed-address=10.0.0.2/32 comment="----------" interface=\
    WG_VPN public-key="DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD="
add allowed-address=10.0.0.5/32 comment="----------" \
    interface=WG_VPN public-key=\
    "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE="
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF="
/ip address
add address=192.168.1.1/24 comment=LAN interface=bridge network=192.168.1.0
add address=172.217.22.14/30 comment=WAN interface=ether1 network=172.217.22.12
add address=10.0.0.1/24 comment="VPN S to C" interface=WG_VPN network=\
    10.0.0.0
/ip arp
add address=192.168.1.3 interface=bridge mac-address=XX:XX:XX:XX:XX:XX
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
---------------------------------------------------------------------------------------------
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes servers=192.168.1.24,172.217.10.75,172.217.10.76
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.57 list=Management
add address=10.0.0.2 list=Management
add address=10.0.0.3 list=Management
add address=10.0.0.2 list=Permitted
add address=10.0.0.3 list=Permitted
add address=10.0.0.4 list=Permitted
add address=10.0.0.5 list=Permitted
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=log chain=input dst-port=13231 log-prefix="Incoming WG Requests" \
    protocol=udp
add action=accept chain=input comment="Wireguard VPN S to C" dst-port=13231 \
    in-interface=ether1 protocol=udp
add action=accept chain=input src-address-list=Management
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow remote warriors users to access local subnet but not R2 users" \
    dst-address=192.168.1.0/24 in-interface=WG_VPN src-address-list=Permitted
add action=accept chain=forward comment=\
    "allow R1 users to access tunnel for R2" out-interface=WG_VPN \
    src-address=192.168.1.0/24
add action=accept chain=forward comment="allows remote warriors to enter R1 (e\
    xit tunnel) and then head to R2 (re-enter tunnel)" in-interface=WG_VPN \
    out-interface=WG_VPN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=192.168.10.0/24 gateway=WG_VPN routing-table=main \
    suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/snmp
set enabled=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=Ured_HexS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

R1's WANIP is static and can't change; the DHCP client is disabled on R1 and the connection information is entered manually.

I still can't see anything in the logs, only that a user logged in from 10.0.0.2.

In the allowed IP on R1
FROM
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\

TO
add allowed-address=10.0.0.6**/32**,192.168.10.0/24 comment="remote R2" interface=\

+++++++++++++++++++++++++++++++++++++++++
The log rule should show each time a new connection attempt is made from any user.
So fire one up from any remote warrior (10.0.0.3, 4, 5) and you should see it logged like you did for 10.0.0.2.

If you are not seeing an attempt from 10.0.0.6 (you may know what public IP is used for that, as it's the only way to recognize for sure it came from R2), check "what's my IP" from R2, for example.
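The two faults reviewed in this thread, filter rules sitting ahead of the established/related accept on R2 and the 10.0.0.6/24 allowed-address on R1's peer, are both things a script can catch before they cost an afternoon. The following Python linter is an added example, not code from this thread or from MikroTik: it parses the `/export` syntax the configs above are posted in (joining the `\`-wrapped lines), reports rule-order problems per chain, and checks WireGuard peer allowed-address prefixes for overlap, since cryptokey routing is longest-prefix match and a /24 on one peer swallows every tunnel address that no other peer claims more specifically. The embedded excerpt is constructed from the posted configs (R2's pre-fix order, R1's peers with the /24), and the tunnel subnet 10.0.0.0/24 is taken from the posted R1 address.

```python
"""Lint a RouterOS export for the two faults reviewed in this thread: filter
rules ahead of the established/related accept (or left over and disabled), and
WireGuard peer allowed-address prefixes that overlap or swallow the tunnel subnet.
Added example, not RouterOS or MikroTik tooling."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed excerpt in export syntax, not a real export: R2's pre-fix filter
# order plus an R1-style peer list carrying the 10.0.0.6/24 mistake.
SAMPLE_EXPORT = r"""
/interface wireguard peers
add allowed-address=10.0.0.3/32 comment=RW1 interface=WG_VPN public-key="BBBB="
add allowed-address=10.0.0.2/32 comment=RW2 interface=WG_VPN public-key="DDDD="
add allowed-address=10.0.0.6/24,192.168.10.0/24 comment="remote R2" interface=\
    WG_VPN public-key="FFFF="
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
"""


def parse_export(text):
    """{section: [rule dict, ...]}; export wraps long lines with a trailing '\\'."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            toks = shlex.split(line)[1:]          # shlex copes with quoted comments
            sections[section].append(dict(t.split("=", 1) for t in toks if "=" in t))
    return sections


def check_filter_order(rules):
    """(chain, index, code) findings: anything but fasttrack before the state
    accept, fasttrack placed after it (dead rule), disabled left-overs, no final drop."""
    findings, chains = [], defaultdict(list)
    for r in rules:
        chains[r["chain"]].append(r)
    for chain, crs in chains.items():
        enabled = [(i, r) for i, r in enumerate(crs) if r.get("disabled") != "yes"]
        findings += [(chain, i, "disabled-leftover") for i, r in enumerate(crs)
                     if r.get("disabled") == "yes"]
        state = [i for i, r in enabled
                 if r["action"] == "accept" and "established" in r.get("connection-state", "")]
        fast = [i for i, r in enabled if r["action"] == "fasttrack-connection"]
        if not state:
            findings.append((chain, None, "no-state-accept"))
        else:
            findings += [(chain, i, "before-state-accept") for i, r in enabled
                         if i < state[0] and r["action"] != "fasttrack-connection"]
            if fast and fast[0] > state[0]:
                findings.append((chain, fast[0], "fasttrack-after-state-accept"))
        if not enabled or enabled[-1][1]["action"] != "drop":
            findings.append((chain, None, "no-final-drop"))
    return findings


def allowed_nets(peers):
    """(peer label, network) per allowed-address prefix; strict=False because
    RouterOS accepts 10.0.0.6/24 and then routes all of 10.0.0.0/24 to that peer."""
    return [(p.get("comment", p.get("public-key")), ipaddress.ip_network(a, strict=False))
            for p in peers for a in p["allowed-address"].split(",")]


def check_allowed(nets, tunnel_net):
    """Cryptokey routing is longest-prefix match: a prefix wider than one host
    inside the tunnel subnet, or any overlap between peers, silently steals traffic."""
    tunnel, findings = ipaddress.ip_network(tunnel_net), []
    for label, n in nets:
        if n.subnet_of(tunnel) and n.num_addresses > 1:
            findings.append((label, str(n), "covers-tunnel-subnet"))
    for i, (la, a) in enumerate(nets):
        findings += [(la, lb, "overlap") for lb, b in nets[i + 1:] if la != lb and a.overlaps(b)]
    return findings


def peer_for(nets, dst):
    """Peer a packet for dst leaves through (longest matching prefix), else None."""
    d = ipaddress.ip_address(dst)
    hits = [(n.prefixlen, label) for label, n in nets if d in n]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    for f in check_filter_order(cfg["/ip firewall filter"]):
        print("filter:", f)
    nets = allowed_nets(cfg["/interface wireguard peers"])   # tunnel 10.0.0.0/24 per posted R1 config
    for f in check_allowed(nets, "10.0.0.0/24"):
        print("peers:", f)
    print("10.0.0.9 leaves via:", peer_for(nets, "10.0.0.9"))  # 'remote R2' with the /24, None once it is /32
```

Run it against a full `/export` rather than the excerpt and the same functions apply; note that the rule-order check mirrors this thread's advice (state accept first, fasttrack before it only in forward, chains ending in a drop) and is not a general RouterOS policy checker.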

I changed the CIDR as you suggested, and in the logs I can see firewall, info → incoming wireguard request, and then MAC address, src IP and dst IP, for my laptop and mobile phone, and in WireGuard peers I can see the last handshake was a couple of seconds ago, but nothing from R2.

Yeah, it's tough to troubleshoot when you cannot access R2…
I have an SSTP backup through a third party to reach my R2 (similar setup).

The other thing is to ensure you have a script to restart the tunnel if it is down on R2…
See para 6 - https://forum.mikrotik.com/viewtopic.php?t=182340

I cannot recall if your R1 is a static WANIP, in which case that would not be needed; it should just connect (but it still needs a user to initiate a tunnel).
I wonder, if the restart time on the WANIP takes too long, whether the R2 attempts to connect to it for WG will stop regardless. If so, the script may still be a good idea…

Can you confirm users at R2 can access their internet locally, i.e. get out to the WWW?

Yes, R1 has a static WANIP; we upgraded our service to fiber a few months ago.

I can't access R2 until tomorrow :confused: but I do have the same router at home… and a working data plan for it… If I upload the configuration to it, maybe this router can serve for testing? I could use the same IP; I only need to change the public keys in peers, if I'm right?