Hi, we have difficulties getting WindScribe WireGuard services correctly configured on the Mikrotik server.

Windscribe did a great service creating a manual for configuring the WindScribe WireGuard service for Mikrotik, but we are not able to get it to work.

We hope someone can have a look at the configuration and comments we supplied in the hope you can provide the last tweaks to make it work for us so we can share with the WindScribe community.

Please have a look at the correspondence below (screenshots). It is the configuration tutorial as was provided for by WindScribe and our response back to them in blue with screenshots for additional information that can assist. They told us after this response that they could not help further as this looked to them to be a specific Mikrotik configuration challenge which they did not have enough knowledge of.

Hope someone can point us to the solution. Thanks so much in advance!

Best to provide your config for review
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys),.\

Steps
1. Take the private key given to you and when you make an interface on the MT router, use that private key to generate a public key ( that way windscribe already knows the public key you have )
2. You can use any listening port on the construction of the interface. The peer address for the server windscribe must include the endtpoint port provided.
3. when you enter in allowed IPs on the router just use 0.0.0.0/0
4. When you put in address on router it should be
add address=100.123.105/24 interface=wg-winscribe network=100.123.105.0

5. The sourcenat rule is required and seems fine. However you also have before this rule a hairpin masquerade rule for the same subnet.
I am not sure if order matters in sourcnat rules but I would be tempted to put the masquerade rule for wg-windscribe BEFORE the hairpin nat rule. ( I am never quite sure if order matters in source nat rules )

6. It is unknown or clear what subnet(s) or user(s) require access to wireguard but it would seem only one user? 192.168.50.68 ??
If so, then you need a table, and a route and a routing rule,

7. Its not clear if you need a firewall rule depending upon the config.

Please post config for better answers.

Thanks so much for getting back to me!

If not mistaken and if I understand you correctly for your point 1. This I have done in step 3

2. Ok, so using 65142 would be considered fine for now.

3. I doubled checked and its also on 0.0.0.0/0

4. I believe you mend address 100.123.202.105/24 and network 100.123.202.0? I changed it to this. 5. I have changed the order as suggested.

6. Correct, using the Rules I will select the computer that is allowed to use this connection. In this case 192.168.50.68. I did already have these rules configured.

7. Please see config attached.

have a nice weekend!

You have hidden way to much information, just the WAN public information and the only thing that would relevent is the username and password on pppoe.

1. Improve Interface list entries, but I dont see a trusted or management vlan?? Ahh you are mixing apples and oranges. Once you go vlans so will change BRIDGE LAN to a vlan and call it home vlan.
In vlan filtering its practice to not have the bridge do any dhcp, much less confusing and less error prone.

/interface list
add name=WAN
add name=LAN
add name=TRUSTED

/interface list members
add interface=pppoe-out (???) list=WAN
add interface=1.2 list=LAN
add interface=1.3 list=LAN
add interface=1.4 list=LAN
add interface=1.5 list=LAN
add interface=1.1 list=LAN
add interface=1.1 list=TRUSTED

/ip neighbours discovery
set discover-interface-list=TRUSTED
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED

add comment=admin-home interface=bridge1 name=bridge1.1 vlan-id=11
/ip dhcp-server
add add-arp=yes address-pool=192.168.50.0/24 interface=bridge1.1 lease-time=8h \
name=192.168.50.0/24
/ip address
add address=192.168.50.1/24 interface=bridge1.1 network=192.168.50.0

NOTES:
a. you seem to have two or three WANS, please explain
b. you are missing a DHCP server for vlan 1.2 ??
c. you seem to have two separate wireguard interfaces, one being for the router (its the server assuming for admin to access router and LAN)?
and the other is for windscribe and to clarify only for one user??

Other observations
SET INTERNET DETECT TO NONE, its known to cause issues.

See this article for /interface bridge ports and vlans........... viewtopic.php?t=143620

To configure for vlans,
What i recommend is create an offbridge port for local emergency access.
So remove etherX from /interface bridge port settings.

Modify the following entry
/ethernet
set [ find default-name=etherX ] name=OffBridgeX

Give it an Ip address
/ip address
add address=192.168.77.1/30 interface=OffBridgeX network=192.168.77.0

Add it to the Interface List Members
/interface list
add name=TRUSTED

/interface list member
add interface=bridge1.1 list=LAN
add interface=OffBridgdeX list=LAN
add interface=bridge1.1 list=TRUSTED
add interface=OffBridgdeX list=TRUSTED

Now you should be able to plug your laptop into ether24, change the IPV4 settings on the laptop to 192.168.77.2, then using winbox enter the router with username and password.
Do all the initial config here as well!
Note the netmask of 30 on the address only allows two addresses to work on the router, .1 and .2.

+++++++++++++++++++++++++++++++
Ran out of time will look at rest of config later.

I had a few more minutes and the rest of the config is a bloated mess. You have strived for complex when simplicity is the key to success.
Simple is often more secure as well and your attempts to allow direct access to the router via public addresses is a big security error.
Access to the router should only be done when behind the router either from a trusted subnet or after coming in on a vlan.

Firewall rule should focus on allowed traffic, not blocking traffic, and simply drop all else at the end of each chain.

Thanks so much for taking the time to go through the config!

It would be easier for me to talk and explain the complexity you see would you be available for paid assistance? So I can show you the setup and explain what everything is? Of course without obligations and expectations. Any help you can provide me is appreciated as my experience is not as advanced as you have it.

Have a nice weekend,

Hi Anav, are you available for service?

Where are you located? I can help but dont take payments..........
contact me at discord (removed no messages sent)

I didnt see any messages on discord.........