Hey Guys,
i am not able to become a Wireguard VPN Running.
I followed this in my Test Szenario without any working.
https://help.mikrotik.com/docs/display/ROS/WireGuard
I don’t understand it, there’s no logging, not traffic, no errors, nothing. Just two peers not even try to talk to each other.
Is there any switch to turn on?
Maybe this post will helphttps://forum.mikrotik.com/viewtopic.php?t=182340
You did change the IP addresses from the example?
Can you share you config: /export hide-sensitive file=anynameyoulike
There it is. I just tried it without Allowed Address and with 0.0.0.0/0 because I just wanted to see something happen. The local Gateway is behind tripple NAT so the IP is Wurscht.
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1_WAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/disk
set slot1 disabled=no
set slot1-part1 disabled=no
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/interface list member
add interface=ether1_WAN list=WAN
/interface wireguard peers
add allowed-address=192.168.88.0/24 endpoint-port=13231 interface=wireguard1
public-key="tEO6OXhdlSvVUTumRFve6uZKufPGWC4GJeA0M8hCxgA="
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1_WAN
/ip firewall filter
add action=accept chain=input comment="established, related"
connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment="WinBox, SSH ACCEPT" dst-port=8291,22
protocol=tcp
add action=accept chain=input dst-port=13231 protocol=udp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=fasttrack
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="established, related, untracked"
connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop not DSTNATED"
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=output content="530 Login incorrect" dst-limit=
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=blacklist
address-list-timeout=3h chain=output content="530 Login incorrect"
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22,8291
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new dst-port=
22,8291 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input connection-state=new dst-port=22,8291
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input connection-state=new dst-port=22,8291
protocol=tcp src-address-list=ssh_stage1
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=
22,8291 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=22,8291
protocol=tcp
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=CHR
Well lets start with basics.
As far as I can tell you only have one device involved, so either you are creating a tunnel to a higher intelligent alien civilization, or we are missing critical information. 
Seriously, there are two likely possibilities.
a. there is a Device 2 - location, relationship, config ??
OR
b Third party VPN Vendor ??
Like i said, this is my cloud router, the rb3011 is behind tripple nat and has the cloud router as endpoint. i can give the cloud router xyz.notexist as endpoint but for what?
You have posted an export of just one peer, what’s the second one, another CHR or something completely different?
Second, did you try to ping via the tunnel? Wireguard doesn’t initiate the session until it gets a payload packet to transport or unless you set persistent-keepalive at the /interface/wireguard/peers row to something else than 0.
the second peer is a rb3011 behind tripple nat, yes i didnt post the config.
I didnt know that payload is needed, so there is no handshake and no loggign before theres no try, ok i just thought there will be some logging and connection initialization
Slowly you are revealing the facts…
Suggest reading this …
https://forum.mikrotik.com/viewtopic.php?p=908118#p908118
What do you wish to accomplish?
A. Have a CHR subnet go out RB3011 internet thru the wireguard tunnel?
B. Want be able to configure the CHR from the RB3011 admin PC, thru the wireguard tunnel ?
C. etc…
EDIT:
Okay I see you have no user requirements at the moment, just playing with settings.
Oh guys, close it.
Facepalm…i forgot to add an IP for the wireguard interfaces.
But at last…I try to explain what i have to do with my bad english.
Location A: Has 2 WAN, DSL and LTE and offers some webservices for the coworkers. If the DSL goes Down and the LTE goes online the services aren’t available from outside because of Double Nat inside the LTE Network. So i want to Route this through an “always-on-gateway” AKA Azure Cloud Instance AKA LocationB:
So locA has an wguard tunnel to locb and the coworkers ask locb b’s ip/dns which reconnects them through vpn to locA.
So my Tunnel actually goes up after i added ip’s to the interfaces, routing and firewall are set up.
Yes, in fact just playing cause with IPIP i did. this without Problems.
The Picture in help.mikrotik.com didn’t show the IP Addresses from the wireguard Interfaces 
To assign an address to a Wireguard interface is just one of possible ways to tell RouterOS that that interface is a gateway to some subnet.
To be honest I have successfully configured, with Sindy’s astute and accurate help, my ‘live’ wireguard connections without an IP address attached to the wireguard interfaces. I have not found yet, a compelling reason to do so.
With the proper WIREGUARD settings themselves, I have found, thus far, that I can direct traffic flow with appropriate IP Routes and FW Rules (both input and forward chain). Another useful functionality is provided by the fact that the wireguard interface can be an Interface List Member (but not a bridge member).
i tried routing directly onto the interfaces but this didnt work
So I can understand better.
1- Location A, acts as the client device for initial connection, to Location B, because when the Primary WAN goes down, the Secondary WAN provides a private IP with no method of forwarding a port to your Mikrotik Router.
2 - Location B not understood.
What is the relationship between co-workers and Location B?
Are the co-workers actually more affiliated with Location A, aka they use Location A web servers.
If so, what do they use Location B for?
Assuming this Location B is the CHR of what you speak?
Where is the config for this device?
How do co-workers access location B?