HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

WireGuard with CloudFlare DNS

Thu Mar 20, 2025 2:02 am

Hello,

I've been struggling for quite some time trying to make WireGuard work with Cloudflare DNS. Despite trying various filter rules, I haven't been successful. I would greatly appreciate your expertise.
As I understand it, Cloudflare DNS must not be proxied to work with WireGuard.

My setup:
- Cloudflare DNS configuration (see image attached)

- RG5009 configuration

/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge-lan

/interface ethernet
set [ find default-name=ether1 ] comment=ether1-isp name=ether1-isp \
rx-flow-control=on tx-flow-control=on
set [ find default-name=ether2 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether4 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether5 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether6 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether7 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether8 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus1 ] rx-flow-control=on tx-flow-control=on

/interface wireguard
add comment=WireGuard listen-port=12313 mtu=1420 name=wireguard1

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment="Detect Internet" name=INTERNET

/ip pool
add comment=main_pool name=main_pool ranges=192.168.10.10-192.168.10.99

/ip dhcp-server
add address-pool=main_pool always-broadcast=yes comment=dhcp-server-lan \
interface=bridge-lan lease-time=5m name=dhcp-server-lan

/system logging action
set 0 memory-lines=500
set 1 disk-lines-per-file=500

/certificate settings
set crl-download=yes

/disk settings
set auto-media-interface=bridge-lan

/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether2
add bridge=bridge-lan comment=defconf interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=sfp-sfpplus1

/ip neighbor discovery-settings
set discover-interface-list=LAN

/ipv6 settings
set disable-ipv6=yes

/interface detect-internet
set detect-interface-list=INTERNET

/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1-isp list=WAN
add comment="Detect Internet" interface=ether1-isp list=INTERNET

/interface ovpn-server server
add mac-address=XX:XX:XX:XX:XX:XX name=ovpn-server1

/interface wireguard peers
add allowed-address=192.168.5.2/28 comment=Auster interface=wireguard1 name=\
wg0 public-key="GwR7=" responder=\
yes
add allowed-address=192.168.5.4/28 comment="Moto Horacio" interface=\
wireguard1 name=wg2 public-key=\
"86MF=" responder=yes
add allowed-address=192.168.5.5/28 comment=Coetzee interface=wireguard1 name=\
wg3 public-key="QkAu=" responder=\
yes
add allowed-address=192.168.0.3/28 comment=FLUSHRO2 interface=wireguard1 \
name=wg1 public-key="bDIm=" \
responder=yes

/ip address
add address=192.168.10.1/25 comment=main-lan interface=bridge-lan network=\
192.168.10.0
add address=192.168.20.1/27 comment=iot interface=bridge-lan network=\
192.168.20.0
add address=192.168.5.1/28 comment=wireguard interface=wireguard1 network=\
192.168.5.0

/ip arp
add address=192.168.10.9 comment="Unifi AP3" interface=bridge-lan \
mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.10.2 comment=CRS310 interface=bridge-lan mac-address=\
XX:XX:XX:XX:XX:XX
add address=192.168.10.7 comment="Unifi AP1" interface=bridge-lan \
mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.10.3 comment=CRS304-A interface=bridge-lan mac-address=\
XX:XX:XX:XX:XX:XX
add address=192.168.20.11 comment="EcoWitt GW2000" interface=bridge-lan \
mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.20.12 comment="EcoWitt Console" interface=bridge-lan \
mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.20.20 comment="HikVision NVR" interface=bridge-lan \
mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.20.21 comment="HikVision Cam1" interface=bridge-lan \
mac-address=XX:XX:XX:XX:XX:XX
add address=192.168.10.10 comment=PVE interface=bridge-lan mac-address=\
XX:XX:XX:XX:XX:XX
add address=192.168.10.126 comment=AdGuardHome interface=bridge-lan \
mac-address=XX:XX:XX:XX:XX:XX

/ip dhcp-client
add comment=Fibertel interface=ether1-isp use-peer-dns=no use-peer-ntp=no

/ip dhcp-server config
set store-leases-disk=30m

/ip dhcp-server lease
add address=192.168.10.46 client-id=XX:XX:XX:XX:XX:XX comment=\
Lenovo_Horacio_LAN mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.12 comment=SamsungTV_LAN mac-address=XX:XX:XX:XX:XX:XX \
server=dhcp-server-lan
add address=192.168.10.14 comment=FireTV_Living_LAN mac-address=\
XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.21 comment="\
\nPS4_LAN" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.42 comment="HP Horacio LAN" mac-address=\
XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.47 comment=Lenovo_Horacio_WLAN mac-address=\
XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.48 comment=PC_Fran_LAN mac-address=XX:XX:XX:XX:XX:XX \
server=dhcp-server-lan
add address=192.168.10.60 comment="\
\nEasyWeather_WLAN" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.72 client-id=XX:XX:XX:XX:XX:XX comment="S22 Soledad" \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.71 client-id=XX:XX:XX:XX:XX:XX comment="Luvi Redmi" \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.36 client-id=XX:XX:XX:XX:XX:XX comment=\
"Posible Dell Soledad" mac-address=XX:XX:XX:XX:XX:XX server=\
dhcp-server-lan
add address=192.168.10.43 client-id=XX:XX:XX:XX:XX:XX comment=\
"HP Horacio WLAN" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.74 client-id=XX:XX:XX:XX:XX:XX comment="Iphone Fran" \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.73 client-id=XX:XX:XX:XX:XX:XX comment="S22 Soledad" \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.22 client-id=1:ac:89:95:3d:56:4b comment=PS4_WLAN \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.2 client-id=1:d4:1:c3:5f:d0:70 comment=CRS310 \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.76 client-id=XX:XX:XX:XX:XX:XX comment=\
"Moto Horacio" mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.70 client-id=XX:XX:XX:XX:XX:XX comment="Luvi Redmi" \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.3 client-id=XX:XX:XX:XX:XX:XX comment=CRS304-A \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.77 client-id=XX:XX:XX:XX:XX:XX comment="Moto Horacio" \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan
add address=192.168.10.50 client-id=XX:XX:XX:XX:XX:XX comment=Marconi \
mac-address=XX:XX:XX:XX:XX:XX server=dhcp-server-lan

/ip dhcp-server network
add address=192.168.10.0/25 comment=main-network dns-server=192.168.10.1 \
domain=home.internal gateway=192.168.10.1 netmask=25

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d mdns-repeat-ifaces=bridge-lan \
servers=192.168.10.126 verify-doh-cert=yes

/ip dns static
add address=192.168.10.1 comment=RB5009UG name=rb5009.home.internal type=A
add address=192.168.10.126 comment=AdguardHome name=adguard.home.internal \
type=A
add address=192.168.10.100 comment="AdguardHome Web" name=adguard.kansoit.com \
type=A
add address=192.168.10.2 comment=CRS310 name=crs310.home.internal type=A
add address=192.168.10.3 comment=CRS304-A name=crs304a.home.internal type=A
add address=192.168.10.6 comment="Unifi Controller" name=unifi.home.internal \
type=A
add address=192.168.10.100 comment="Unifi Controller Web" name=\
unifi.kansoit.com type=A
add address=192.168.10.7 comment="Unifi AP1" name=ap1.home.internal type=A
add address=192.168.10.9 comment="Unifi AP3" name=ap3.home.internal type=A
add address=192.168.10.100 comment=PVE name=pve.kansoit.com type=A
add address=192.168.20.2 comment="Home Assistant" name=domus.home.internal \
type=A
add address=192.168.20.3 comment=ZBX-CUPS-NUT name=vesta.home.internal type=A
add address=192.168.10.100 comment=NUT name=nut.kansoit.com type=A
add address=192.168.10.100 comment="Cups Print Server" name=cups.kansoit.com \
type=A
add address=192.168.20.6 comment="Nut UPS-APC" name=fulgora.home.internal \
type=A
add address=192.168.20.11 comment="EcoWitt GW2000" name=ecogw.home.internal \
type=A
add address=192.168.20.12 comment="EcoWitt Console" name=\
ecoconsole.home.internal type=A
add address=192.168.20.20 comment="HikVision NVR" name=nvr.home.internal \
type=A
add address=192.168.20.21 comment="HikVision Cam1" name=cam1.home.internal \
type=A
add address=192.168.10.100 comment=NPM name=npm.home.internal type=A
add address=192.168.10.100 comment="NPM Web" name=npm.kansoit.com type=A
add address=192.168.10.101 comment=Docker name=docker.home.internal type=A

/ip firewall filter
add action=accept chain=input comment="Allow WireGuard port" dst-port=12313 \
protocol=udp
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" \
src-address=192.168.5.0/28 dst-address=192.168.10.0/27
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment=\
"Force traffic to IoT-Lan to appear from gateway" dst-address=\
192.168.20.0/27 log-prefix=nat-iot src-address=192.168.10.0/25 \
to-addresses=192.168.20.1
add action=redirect chain=dstnat comment=\
"Redirect DNS Requests to Router IP - AdguardHome Hangs!" disabled=yes \
dst-port=53 log-prefix=redirect protocol=udp to-ports=53
add action=redirect chain=dstnat comment=\
"Redirect DNS Requests to Router IP - AdguardHome Hangs!" disabled=yes \
dst-port=53 log-prefix=redirect protocol=tcp to-ports=53
add action=dst-nat chain=dstnat comment=\
"Redirect External UDP DNS to AdGuard" dst-address-type=!local dst-port=\
53 protocol=udp src-address=!192.168.10.126 to-addresses=192.168.10.126 \
to-ports=53
add action=dst-nat chain=dstnat comment=\
"Redirect External TCP DNS to AdGuard" dst-address-type=!local dst-port=\
53 protocol=tcp src-address=!192.168.10.126 to-addresses=192.168.10.126 \
to-ports=53

/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.10.0/25
set api disabled=yes
set winbox address=192.168.10.0/25
set api-ssl disabled=yes

/system ntp client
set enabled=yes

/system ntp client servers
add address=br.pool.ntp.org
add address=ar.pool.ntp.org
add address=cl.pool.ntp.org

- Client Configuration (Windows 11)

[Interface]
PrivateKey = QPGy=
Address = 192.168.5.3/24
DNS = 192.168.10.1
MTU = 1420

[Peer]
PublicKey = /QUM=
AllowedIPs = 0.0.0.0/0
Endpoint = wg.kan------.com:12313

This rule always gets traffic:
add action=accept chain=input comment="Allow WireGuard port" dst-port=12313 protocol=udp

This is an example using my phone (4G)

/tool sniffer quick port=12313
Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS, DST-ADDRESS, PROTOCOL, SIZE, CPU
INTERFACE TIME NUM DIR SRC-MAC DST-MAC SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU
ether1-isp 36.025 15 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 36.286 16 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 37.066 17 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 37.474 18 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 38.235 19 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 38.558 20 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 138 0
ether1-isp 39.238 21 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 106 0
ether1-isp 39.245 22 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 106 0
ether1-isp 39.245 23 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 106 0
ether1-isp 39.245 24 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 106 0
ether1-isp 39.245 25 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 106 0
ether1-isp 39.245 26 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 106 0
ether1-isp 42.383 27 -> XX:XX:XX:XX:F2:81 XX:XX:XX:XX:D8:19 24.XXX.XXX.XXX:12313 186.XXX.XXX.XX:33594 ip:udp 74 3
ether1-isp 43.251 28 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 43.577 29 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 138 0
ether1-isp 48.267 30 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 51.875 31 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 170 0
ether1-isp 53.258 32 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 154 0
ether1-isp 53.263 33 -> XX:XX:XX:XX:F2:81 XX:XX:XX:XX:D8:19 24.XXX.XXX.XXX:12313 186.XXX.XXX.XX:33594 ip:udp 74 3
ether1-isp 55.897 34 <- XX:XX:XX:XX:D8:19 XX:XX:XX:XX:F2:81 186.XXX.XXX.XX:33594 24.XXX.XXX.XXX:12313 ip:udp 170 0

But this one never gets any traffic:
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" src-address=192.168.5.0/28 dst-address=192.168.10.0/27

I've also tried changing from "input" to "forward" and moving this rule down under the following rule, but without success:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

Any guidance would be much appreciated.
Thank you!
 
itimo01
Member Candidate
Posts: 244
Joined: Thu Jun 29, 2023 2:55 am
Location: Germany

Re: WireGuard with CloudFlare DNS

Thu Mar 20, 2025 2:43 am

Some of your peer configs are wrong.

Nevertheless: does it work with just the IP address?
 
anav
Forum Guru
Posts: 23460
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard with CloudFlare DNS

Thu Mar 20, 2025 3:05 am

1. Most people set this to none; it's been known to cause issues.
/interface detect-internet
set detect-interface-list=INTERNET


2. Why do you think it's okay to assign two subnets to the bridge? If you want more subnets, make VLANs and remove the bridge from DHCP.
/ip address
add address=192.168.10.1/25 comment=main-lan interface=bridge-lan network=\
192.168.10.0
add address=192.168.20.1/27 comment=iot interface=bridge-lan network=\
192.168.20.0


3. This allowed IP is outside the wireguard subnet allocated
add allowed-address=192.168.0.3/28 comment=FLUSHRO2 interface=wireguard1 \
name=wg1 public-key="bDIm=" \
responder=yes


4. No need to see more of the config; the types and number of mistakes lead me to think you have no business with a complex config yet.
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" \
src-address=192.168.5.0/28 dst-address=192.168.10.0/27

Your problem has nothing to do with Cloudflare DNS; most use it just fine. It's called
/ip dns
set servers=1.1.1.1,1.0.0.1


What is a problem is your bloated use of static DNS.
Simplify simplify, get a good working config then add on complex things.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Thu Mar 20, 2025 2:01 pm

Hello Anav. Thanks for your answer.

1. Most people set this to none, its been known to cause issues.
/interface detect-internet
set detect-interface-list=INTERNET
I disabled it now. I had it working before because I liked the mobile apps to show internet connection.

2. Why do you think its okay to assign two Subnets to the bridge. If you want more subnets make vlans and remove bridge from dchp.
/ip address
add address=192.168.10.1/25 comment=main-lan interface=bridge-lan network=\
192.168.10.0
add address=192.168.20.1/27 comment=iot interface=bridge-lan network=\
192.168.20.0
I don't. It is a temporary config until I create VLANs. I have some wiring constraints, so some configs will not be fully by the book. I will open another thread and document it properly.

3. This allowed IP is outside the wireguard subnet allocated
add allowed-address=192.168.0.3/28 comment=FLUSHRO2 interface=wireguard1 \
name=wg1 public-key="bDIm=" \
responder=yes
Uupsss. I've been changing segments. It is fixed now

4. No need to see more of the config, the types and number of mistakes leads me to think you have no business with a complex config yet.
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" \
src-address=192.168.5.0/28 dst-address=192.168.10.0/27
You are right. The most complex config will be setting up vlans in router and cascading switches. I know it is not an optimal setup

Your problem has nothing to do with Cloudflare DNS; most use it just fine. It's called
/ip dns
set servers=1.1.1.1,1.0.0.1
I've fixed it to test WireGuard connections.

What is a problem is your bloated use of static DNS,.
How do you properly deal with static DNS entries if you need them?

I've made some step-by-step setup tests.


1) First Test
  • Detect Internet was disabled in the router.
  • The WireGuard IP address for the Windows 11 peer was fixed.
  • The 192.168.20.1/27 subnet was temporarily disabled.
  • All static DNS entries were disabled.
  • I shut down AdGuard Home.
  • I flushed the router's DNS cache.
  • I connected my notebook through my phone using USB tethering with a 4G connection.
Result: It didn't work. Same as before.
There is traffic on:
add action=accept chain=input comment="Allow WireGuard port" dst-port=12313 protocol=udp
No traffic on:
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" dst-address=192.168.10.0/25 src-address=192.168.5.0/28

2) Second Test
  • Just rebooted router
Result: The Windows 11 peer got connected, and there is traffic flowing on
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" dst-address=192.168.10.0/25 src-address=192.168.5.0/28

3) Third Test
  • I enabled DNS static entries.
Result: Wireguard Connection works.

4) Fourth Test
  • I switched the DNS server to Quad9 with DoH.
  • I flushed the router's DNS cache.
Result: WireGuard connection works.

5) Fifth Test
  • I started the AdGuard Home service.
  • I switched the DNS server to the AdGuard Home IP address.
  • I flushed the router's DNS cache.
Result: WireGuard connection works.

In all cases, WireGuard on my Android phone never worked properly. The same behavior occurred as described before.
There is traffic on:
add action=accept chain=input comment="Allow WireGuard port" dst-port=12313 protocol=udp
No traffic on:
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" dst-address=192.168.10.0/25 src-address=192.168.5.0/28

I will test the Windows 11 WireGuard connection through LAN at a coffee shop near my home and report back. I will also attach the WireGuard Android configuration.

Conclusion.
"Detect Internet" function appears to be the core issue behind all the problems.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Thu Mar 20, 2025 2:06 pm

Some of your peer configs are wrong.
Nevertheless: does it work with just the IP address?
Thanks! Windows peer IP was wrong.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Thu Mar 20, 2025 3:17 pm

Hello,
The Windows WireGuard connection seems to be working fine from a coffee shop. I will test it from work next week.
I've attached the Android configuration. I couldn't find anything wrong, but a fresh pair of eyes is always welcome.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Thu Mar 20, 2025 3:55 pm

Another strange behavior, perhaps related to "MikroTik Detect Internet":
AdGuard Home always showed the router's DNS IP (192.168.10.1) as an upstream server among the defined ones, like https://family.cloudflare-dns.com/dns-query or any other you prefer. However, now it is no longer present.

I didn’t know why this IP was listed as an upstream server with a terrible response time (1999 ms), nor whether it was being used to resolve DNS static entries or not.

Thanks again.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Thu Mar 20, 2025 11:28 pm

I have uninstalled the app on mobile and set everything back up. It's working now. Grrrrr. I did it so many times. I don't know what could have changed.
Moving to the Linux client on Fedora.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 3:15 pm

I can't believe it. Same problem again!!! Can't connect from outside. Nothing has changed! I'm going to open a support issue. Wireguard implementation is far from being solid.

EDIT
I moved from this peer config:

add allowed-address=192.168.0.3/28 comment=FLUSHRO2 interface=wireguard1 name=wg1 public-key="bDIm=" responder=yes

to this one:

add allowed-address=192.168.5.0/28 client-address=192.168.5.3/28 client-dns=192.168.10.1 client-endpoint=myendpoint.com client-listen-port=12313 comment=FLUSHRO2 \
interface=wireguard1 name=wg1 public-key="bDIm=" responder=yes


and now the peer is connecting again.
Last edited by HoracioDos on Fri Mar 21, 2025 4:21 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 23460
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 3:50 pm

It's not WireGuard that is the problem.
Reset your config to defaults then add wireguard and see if it works.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 4:28 pm

It's not WireGuard that is the problem.
Reset your config to defaults then add wireguard and see if it works.
Hello! If my last change doesn't work permanently, I'll go for it.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 5:21 pm

The last change didn’t last.

I’ve found a pattern!
Only one WireGuard connection is allowed at a time. I can’t connect with two devices simultaneously; the last connected device takes precedence.
If I want to switch the device connection, I have to reset each peer’s current endpoint address (just edit and click OK), then connect with the other device.

Total nonsense.
There is no pattern at all. I will reset to factory settings at dawn.
 
anav
Forum Guru
Posts: 23460
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 6:58 pm

Sure that makes sense, if you have misconfigured your wireguard.
If the router is the server peer for the handshake and it has a number of peers, and one of the peer client settings on the ROUTER has the error of 0.0.0.0/0 set in Allowed Addresses, then this type of problem occurs.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 7:36 pm

Sure that makes sense, if you have misconfigured your wireguard.
If the router is the server peer for the handshake and it has a number of peers, and one of the peer client settings on the ROUTER has the error of 0.0.0.0/0 set in Allowed Addresses, then this type of problem occurs.
This sucks! I'm learning the hard way. I'll create all the peers again one by one.
 
CGGXANNX
Long time Member
Posts: 544
Joined: Thu Dec 21, 2023 6:45 pm

Re: WireGuard with CloudFlare DNS  [SOLVED]

Fri Mar 21, 2025 8:05 pm

I didn't bother to read your full config or the whole thread, but using /28 in your allowed-address entries of the peers is simply wrong, and is exactly the reason why only one device can connect at the same time. Please in all the peer entries under /interface wireguard peers change /28 in the allowed-address field to /32.
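To make the /28-versus-/32 point concrete, here is an added checker (my own example, not the poster's config and not MikroTik code) that parses peer entries in RouterOS export format and flags the three peer mistakes raised in this thread: a prefix wider than /32 on a responder peer, an allowed address outside the interface subnet, and 0.0.0.0/0 on a server-side peer. The two export snippets inside it are constructed to mirror the shapes seen above, with keys redacted.

```python
"""Check RouterOS WireGuard peer allowed-address entries for the mistakes
discussed in this thread: a prefix wider than /32 on a responder peer (the
peers' ranges then overlap and only the last handshake wins), an address
outside the interface subnet, and 0.0.0.0/0 on a server-side peer.
Added example, not the poster's config and not MikroTik code."""
import ipaddress
import re
import shlex
from collections import defaultdict

# Constructed export mirroring the broken shapes in the thread (keys redacted).
BROKEN_EXPORT = """\
/interface wireguard
add listen-port=12313 mtu=1420 name=wireguard1
/ip address
add address=192.168.5.1/28 interface=wireguard1 network=192.168.5.0
/interface wireguard peers
add allowed-address=192.168.5.2/28 comment=Auster interface=wireguard1 name=\\
wg0 public-key="GwR7=" responder=yes
add allowed-address=192.168.0.3/28 comment=FLUSHRO2 interface=wireguard1 \\
name=wg1 public-key="bDIm=" responder=yes
add allowed-address=0.0.0.0/0 comment=CatchAll interface=wireguard1 name=wg2 \\
public-key="XXXX=" responder=yes
add allowed-address=192.168.5.4/32 comment=Good interface=wireguard1 name=wg3 \\
public-key="YYYY=" responder=yes
"""

# Constructed export in the corrected form: one /32 host route per peer.
FIXED_EXPORT = """\
/interface wireguard
add listen-port=12313 mtu=1420 name=wireguard1
/ip address
add address=192.168.5.1/28 interface=wireguard1 network=192.168.5.0
/interface wireguard peers
add allowed-address=192.168.5.2/32 interface=wireguard1 name=wg0 responder=yes
add allowed-address=192.168.5.3/32 interface=wireguard1 name=wg1 responder=yes
"""


def parse_export(text):
    """Return {section: [entry dict, ...]} for the 'add' lines of an export."""
    joined = re.sub(r"\\\n\s*", "", text)  # fold backslash continuations
    sections, current = defaultdict(list), None
    for line in (l.strip() for l in joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
        elif current and line.startswith("add "):
            entry = {}
            for tok in shlex.split(line[4:]):  # shlex strips the quotes
                key, sep, val = tok.partition("=")
                if sep:
                    entry[key] = val
            sections[current].append(entry)
    return sections


def interface_subnets(sections):
    """Map each WireGuard interface to the subnets assigned to it in /ip address."""
    wg_names = {e.get("name") for e in sections.get("/interface wireguard", [])}
    subnets = defaultdict(list)
    for e in sections.get("/ip address", []):
        if e.get("interface") in wg_names and "address" in e:
            subnets[e["interface"]].append(ipaddress.ip_interface(e["address"]).network)
    return subnets


def check_peers(text):
    """Return sorted (peer-name, issue) tuples; an empty list means all clear."""
    sections = parse_export(text)
    subnets = interface_subnets(sections)
    issues, seen = set(), defaultdict(list)  # seen: iface -> [(name, network)]
    for peer in sections.get("/interface wireguard peers", []):
        name, iface = peer.get("name", "?"), peer.get("interface", "?")
        server_side = peer.get("responder") == "yes"  # router is the responder
        for allowed in filter(None, peer.get("allowed-address", "").split(",")):
            intf = ipaddress.ip_interface(allowed)
            net = intf.network
            if net.prefixlen == 0:
                if server_side:  # 0.0.0.0/0 belongs on the client side only
                    issues.add((name, "catch-all-allowed-address"))
                continue
            if server_side and net.prefixlen != net.max_prefixlen:
                issues.add((name, "prefix-not-host"))
            if subnets.get(iface) and not any(intf.ip in s for s in subnets[iface]):
                issues.add((name, "outside-interface-subnet"))
            for other, other_net in seen[iface]:
                if net.overlaps(other_net):  # two peers claiming the same source
                    issues.add((name, f"overlaps-{other}"))
            seen[iface].append((name, net))
    return sorted(issues)


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, check_peers(export) or "OK")
```

Run it against your own `/export` output to see which peers share a range; the overlap finding is what produces the "last device wins" behaviour described in the thread.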
 
CGGXANNX
Long time Member
Posts: 544
Joined: Thu Dec 21, 2023 6:45 pm

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 8:11 pm

I can't believe it. Same problem again!!! Can't connect from outside. Nothing has changed! I'm going to open a support issue. Wireguard implementation is far from being solid.

EDIT
I moved from this peer config:

add allowed-address=192.168.0.3/28 comment=FLUSHRO2 interface=wireguard1 name=wg1 public-key="bDIm=" responder=yes

to this one:

add allowed-address=192.168.5.0/28 client-address=192.168.5.3/28 client-dns=192.168.10.1 client-endpoint=myendpoint.com client-listen-port=12313 comment=FLUSHRO2 \
interface=wireguard1 name=wg1 public-key="bDIm=" responder=yes


and now the peer is connecting again.

NO! This specific entry should be:

add allowed-address=192.168.5.3/32 client-address=192.168.5.3/32...

Please note that client-address and client-whatever are irrelevant for the functionality of the wireguard peer setup, they are optional and are only there as helpers for the QR export and .conf file export.

(I've still not read 95% of the thread)
 
anav
Forum Guru
Posts: 23460
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard with CloudFlare DNS

Fri Mar 21, 2025 10:30 pm

Nice!!
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Tue Mar 25, 2025 5:05 pm

After testing with different configurations, I've come to the following conclusions:

The "Detect Internet" setting does not affect external WireGuard connections as long as they are properly configured. However, I noticed something unexpected with this setup: I'm able to access Home Assistant from the LAN using its external domain name. That was unexpected.
/interface detect-internet
set detect-interface-list=INTERNET
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add comment=defconf interface=ether1-isp list=WAN
add comment=INTERNET interface=ether1-isp list=INTERNET

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d mdns-repeat-ifaces=bridge-lan servers=1.1.1.1,8.8.8.8

/ip firewall filter
add action=accept chain=input comment="Allow WireGuard port" dst-port=12313 protocol=udp
add action=accept chain=input comment="Allow WireGuard Clients to access LAN" dst-address=192.168.10.0/25 src-address=192.168.5.0/29
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="Force traffic to IoT-Lan to appear from gateway" dst-address=192.168.20.0/27 log-prefix=nat-iot src-address=192.168.10.0/25 to-addresses=192.168.20.1
At the time I was testing WireGuard connections without success, I also had some NAT rules in place that were causing issues. I had to modify those rules in order to successfully establish WireGuard connections. The goal was to intercept all client DNS requests and redirect them to the router’s DNS server, even if the clients were using external resolvers.
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS Requests to Router IP" disabled=no dst-port=53 log-prefix=redirect protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Redirect DNS Requests to Router IP" disabled=no dst-port=53 log-prefix=redirect protocol=tcp to-ports=53
The proper way to set up a WireGuard connection was shared by @CGGXANNX in a previous post. There’s also an official MikroTik video about WireGuard, which I watched some time ago, but didn’t fully understand at the time:
https://www.youtube.com/watch?v=vn9ky7p5ESM
/interface wireguard peers
add allowed-address=192.168.5.2/32 client-address=192.168.5.2/32 comment="Peer 1" interface=wg name=wg0 public-key="bDIm="
add allowed-address=192.168.5.3/32 client-address=192.168.5.3/32 comment="Peer 2" interface=wg name=wg1 public-key="NpgN="
Last week, I set up AdGuard Home in an LXC container with the IP address 192.168.10.126, and configured the router’s DNS server to point to that IP. The DNS provided via DHCP on the LAN is still 192.168.10.1 (the router’s IP), so I had to adjust the router’s DNS server settings accordingly.
Additionally, I had to update the DNS-related NAT rules to ensure compatibility with WireGuard.

Current NAT Rules
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS UDP to router" disabled=no dst-port=53 in-interface=bridge-lan protocol=udp src-address-list=!dns-resolvers to-ports=53
add action=redirect chain=dstnat comment="Redirect DNS TCP to router" disabled=no dst-port=53 in-interface=bridge-lan protocol=tcp src-address-list=!dns-resolvers to-ports=53

/ip firewall address-list
add address=192.168.10.1 list=dns-resolvers
add address=192.168.10.126 list=dns-resolvers

Everything seems to be working fine now. However, I’m not entirely sure if my NAT rules are set up correctly. Now I can't access Home Assistant from within the LAN using its external domain name unless I define a DNS rewrite in AdGuard Home.

Thanks!
 
CGGXANNX
Long time Member
Posts: 544
Joined: Thu Dec 21, 2023 6:45 pm

Re: WireGuard with CloudFlare DNS

Tue Mar 25, 2025 6:45 pm

Regarding accessing Home Assistant using domain name: The optimal way is what you are actually doing, by having the local DNS resolver rewriting the DNS record to the local LAN IP address (instead of the public IP address). That's best for performance, because the devices in the same LAN subnet and HA can communicate directly with each other (on Layer 2) without requiring the router to do routing and/or NAT. As a bonus, HA also gets the correct source IP addresses of the client devices connecting to it (instead of the router's address).

If you don't want all that, and still want to only have the domain resolved to the external IP address, and want the LAN device to use the public IP address and DSTNAT to reach Home Assistant, you'll need to implement Hairpin-NAT: https://help.mikrotik.com/docs/spaces/R ... HairpinNAT

* First if your DSTNAT port forwarding rule uses something like in-interface-list=WAN or in-interface=ether1-isp as matching condition, you'll need to replace that condition with either dst-address=<public_ip> (if you have a fixed static public IP address) or dst-address-list=WAN_IP (if address is dynamic, you'll need to write some script and call it from the DHCP client entry and have the script update the address list WAN_IP with the newly acquired IP address).

* Then you'll need a srcnat masquerade rule (as described in the linked documentation above), assuming that HA is hosted at 192.168.10.125 on the same bridge-lan

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.10.125 out-interface=bridge-lan src-address=192.168.10.0/25

Edit: I've just seen that you currently have HA on the weird slice 192.168.20.0/27 of bridge-lan. Assuming that you'll later properly configure VLANs and move HA to an iot-vlan interface with 192.168.20.0/24 as subnet, then the hairpin nat becomes:

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.20.2 out-interface=iot-vlan src-address=192.168.20.0/24

You only need to masquerade the traffic originating from within the same subnet as the dstnat destination.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Tue Mar 25, 2025 7:16 pm

Thank you @CGGXANNX very much for your detailed response.

I'm glad to know that setting up a DNS rewrite is actually the correct approach and not just a workaround.
I'll definitely take note of your explanation. You never know when something like this might come in handy again.

Regarding the subnet where Home Assistant is located, you're right: I’m planning to create a VLAN for IoT, another for the WiFi Guest network, and possibly one more for my son’s PC and his gadgets.

Do you have any thoughts or recommendations about NAT rules to prevent DHCP clients (or even static IP devices) from using external DNS resolvers, basically forcing them to use the router’s DNS?
The goal would be to block that kind of outbound traffic, but without breaking functionality for WireGuard connections.
 
CGGXANNX
Long time Member
Posts: 544
Joined: Thu Dec 21, 2023 6:45 pm

Re: WireGuard with CloudFlare DNS

Tue Mar 25, 2025 8:18 pm

Your redirect rules for intercepting DNS53 are ok. However nowadays many devices and applications (modern web browsers, for instance) support DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ), which means if you really want to force your kids' devices to use the designated DNS resolver, you'll need to somehow block all the other 3 protocols.

To block DoT and DoQ, for now the easiest solution is to block all outgoing connections to destination port 853, TCP (for DoT) and UDP (for DoQ), because there is only a minimal chance that those ports are used for something else.

To block DoH, you can refer to the discussion in this thread from last week viewtopic.php?t=215670. My suggestion is to use the list of known public DoH hosts and add the addresses to an address list and drop with dst-address-list (but you'll have to update the list periodically). Also pay attention to the special handling with ICMP as other posters from that thread have stated.
 
HoracioDos
newbie
Topic Author
Posts: 37
Joined: Mon Jan 06, 2025 1:05 pm

Re: WireGuard with CloudFlare DNS

Tue Mar 25, 2025 8:48 pm

You're absolutely right that any device can find its way through DNS over TLS (DoT), DNS over HTTPS (DoH), and DNS over QUIC (DoQ). I'm trying to reduce the exposure surface as much as possible.

I'll carefully read through the thread you suggested. Thank you very much!

Another approach I’m considering is using AdGuard Home, which I already have installed, and creating a blacklist based on the DNS resolvers published here: https://public-dns.info.
There are downloads available in CSV and plaintext formats. I would just need to convert them into a compatible format and import them. A Python script could handle that. Of course, I’ll need to exclude the IP addresses of the resolvers I plan to use.

Right now, I'm using (and haven’t defined any fallbacks):
https://dns.quad9.net/dns-query
https://dns11.quad9.net/dns-query

I’ve created three scripts to monitor AdGuard’s functionality using Netwatch, and to have an emergency contingency plan in place.
Thanks again!
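Added example (not posted by anyone in this thread): a small Python script that ties together CGGXANNX's advice (drop outbound port 853 for DoT/DoQ, put known public resolver addresses in an address list and drop with dst-address-list) and HoracioDos' idea of converting the public-dns.info download with a Python script. It reads a resolver CSV, skips malformed rows and duplicates, removes the resolvers the LAN is allowed to use, and emits RouterOS commands for an address list plus the matching drop rules. Assumptions: the CSV has an `ip_address` header column (the sample CSV below is constructed, not the real public-dns.info file), the address list is called `public-dns-resolvers`, the LAN interface is `bridge-lan`, and the allowed set is the router, the AdGuard Home container and the two Quad9 upstreams named above.

```python
"""Generate RouterOS address-list entries and drop rules that force LAN
clients onto the designated DNS resolvers.

Added example, not from the forum thread or from MikroTik. Assumes the
public-dns.info CSV export has an 'ip_address' header column; the list
name, interface name and allowed resolvers below are assumptions too.
"""
import csv
import io
import ipaddress

# Constructed sample in the shape of a public-dns.info CSV export
# (the real file has many more rows and columns).
SAMPLE_CSV = """ip_address,name,country_code,reliability
8.8.8.8,dns.google,US,1.00
8.8.4.4,dns.google,US,1.00
1.1.1.1,one.one.one.one,US,1.00
9.9.9.9,dns.quad9.net,CH,1.00
149.112.112.11,dns11.quad9.net,CH,1.00
not-an-ip,broken,XX,0.10
8.8.8.8,dns.google,US,0.99
2001:4860:4860::8888,dns.google,US,1.00
"""

# Resolvers that may be reached directly from the LAN: the router, the
# AdGuard Home container, and the Quad9 upstreams AdGuard Home forwards to
# (assumed; adjust to your own upstreams).
ALLOWED_RESOLVERS = {"192.168.10.1", "192.168.10.126", "9.9.9.9", "149.112.112.11"}


def load_resolver_ips(csv_text, allowed):
    """Return sorted, de-duplicated IPv4 resolver addresses from the CSV,
    excluding the allowed set. Rows that do not parse as an IP address are
    skipped, as are IPv6 entries (this example only builds an IPv4 list)."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("ip_address") or "").strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed row, ignore it rather than emit a bad command
        if ip.version != 4 or str(ip) in allowed:
            continue
        seen.add(ip)
    return [str(ip) for ip in sorted(seen)]


def address_list_commands(ips, list_name="public-dns-resolvers"):
    """RouterOS commands that populate the address list."""
    return ["/ip firewall address-list"] + [
        f'add address={ip} list={list_name} comment="public resolver"' for ip in ips
    ]


def filter_commands(list_name="public-dns-resolvers", lan="bridge-lan"):
    """Drop rules for DoT (853/tcp), DoQ (853/udp) and the address list.
    Matching on the LAN input interface leaves traffic arriving over the
    WireGuard interface alone, which is what the thread asked for."""
    return [
        "/ip firewall filter",
        f'add action=drop chain=forward comment="block DoT" in-interface={lan} protocol=tcp dst-port=853',
        f'add action=drop chain=forward comment="block DoQ" in-interface={lan} protocol=udp dst-port=853',
        f'add action=drop chain=forward comment="block known public resolvers" in-interface={lan} dst-address-list={list_name}',
    ]


if __name__ == "__main__":
    ips = load_resolver_ips(SAMPLE_CSV, ALLOWED_RESOLVERS)
    for line in address_list_commands(ips) + filter_commands():
        print(line)
```

Point the script at the downloaded CSV instead of SAMPLE_CSV and paste the output into the terminal, or run it again whenever you refresh the list (as CGGXANNX notes, the list has to be updated periodically). RouterOS evaluates filter rules top to bottom, so check where these drops land relative to your existing forward-chain rules; in particular, the address-list drop must not sit above the redirect/accept path you rely on for the allowed resolvers.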