The only end that needs to port forward is the server end of the equation.
That will be the listening port from the first router to the WAN IP of the second router (its LAN IP on the primary's private subnet).
The listening port is what the client end puts in its configuration for the peer (you, the server) Endpoint: YOURPUBLICWANIP:listening port
So you need to ensure:
a. the primary router has port forwarding capability
b. port forward listening port to the RB router.
The RB router is where you define your WG.
Nothing special is needed at the client end because it's all outgoing traffic and thus return traffic will be accepted, even if the client is behind a router and an ISP router (same double NAT).
The tricky part is the following two items:
(1) You need to add a route on the RB router to the private subnet of the client with interface being the WIREGUARD interface.
Otherwise the router does not know where to send traffic back other than sending it normally to the ISP router routing.
(2) You need to add an input chain rule on the RB, to accept incoming traffic on the listening port for the wireguard router service.
Similar to how we accept L2TP and other ports on the input chain for other types of VPN.
First, thanks for the quick reply.
So, do I have to access the ISP router to do a port forwarding to RB?
This is my current configuration (I'm not sure if it's okay at all):
# may/09/2021 21:05:30 by RouterOS 7.1beta5
# software id = SQJM-HXZS
# model = RouterBOARD 3011UiAS
# serial number = 8EED093C5DC5
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=sfp1 ] disabled=yes
/interface wireguard
add listen-port=12345 mtu=1420 name=wireguard
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolLAN ranges=192.168.1.15-192.168.1.254
/ip dhcp-server
add address-pool=poolLAN disabled=no interface=bridge1 name=serverDHCPLan
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/interface wireguard peers
add allowed-address=10.10.0.2/32 interface=wireguard public-key="xUmMbCnE0O2Ya/uca/r31qmnK6MYDOzK/zJJH1g5Mh8="
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.10.0.1/24 network=10.10.0.0
add address=10.10.0.1/24 interface=wireguard network=10.10.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=188.8.131.52,184.108.40.206 gateway=192.168.1.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=ether1 src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/24
/system routerboard settings
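
The two items from the first reply, written as RouterOS 7 commands against the export above. This is an added example, not part of either post: the client-side subnet 192.168.50.0/24 is a constructed placeholder, while the interface name `wireguard`, WAN port `ether1` and listen port 12345 are taken from the posted configuration.

```routeros
# (2) Accept the WireGuard handshake and data packets arriving on the WAN side.
# WireGuard runs over UDP only. This rule has to sit above any drop rule
# in the input chain, otherwise the packets are discarded before it is reached.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=12345 in-interface=ether1 \
    comment="WireGuard listen port"

# (1) Send traffic for the client's private subnet into the tunnel instead of
# out the default route towards the ISP router.
# 192.168.50.0/24 is a placeholder; use the real subnet behind the client.
/ip route
add dst-address=192.168.50.0/24 gateway=wireguard comment="client LAN via WG"

# WireGuard only forwards packets to a peer whose allowed-address covers the
# destination, so the client subnet must be listed on the peer as well as
# the tunnel address. The export above has a single peer on this interface.
/interface wireguard peers
set [ find interface=wireguard ] allowed-address=10.10.0.2/32,192.168.50.0/24
```

On the ISP router, the matching port forward is UDP 12345 to the address the RB receives on ether1.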