I just went through this problem recently and found a few places where Wireguard clients could get blocked from the WWW or Winbox access. I do like the encouragement here to understand WHY - and for me, I had been relying on following
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router so went back there to figure out the "
why"... These suggestions are only helpful if you (like me) followed the 'Securing your Router' suggestions' but maybe did not fully understand them at the time
1) You can stop the www & winbox services from being accessible by IP Address range - I had limited winbox to my local 192.68.0.x range and therefore Router WWW and Winbox sessions could not connect:
https://wiki.mikrotik.com/wiki/Manual:S ... S_services
"...each /ip service entity might be secured by allowed IP address..."
i.e. IP -> Services -> Service Name (winbox/www) -> Available From ( x.x.x.x/yy)
Solution: Add the wireguard IP Range to the 'Available From' (
or remove all entries and have a lot less security...)
2) If you followed 'Securing Your Router' you may have created a list 'Allowed_to_Router' and disallowed any IP range outside your local network from talking to your router at all:
https://wiki.mikrotik.com/wiki/Manual:S ... o_a_router
"...create address-list for IP addresses, that are allowed to access your router"
i.e. IP -> Firewall -> Accept Input -> Address List 'Allowed_to_Router'
Since I had followed this advice, the IP range of my Wireguard clients was not in my 'Allowed_to_Router' list, and they were therefore blocked by this rule.
Solution: IP -> Firewall -> Address List -> Allowed_to_Router (Add Wireguard range) - this would be exactly the problem solved by @Sob's 'accept input from WG Interface' firewall rule - but solved in a prettier way by adding the Wireguard IP Range to the 'Allowed_to_Router' list, instead of prohibiting access with one rule, and reinstating access with another...
3) Finally, you could have stopped your Admin user logging in from the Wireguard Address range:
https://wiki.mikrotik.com/wiki/Manual:S ... IP_address
"...it is possible to restrict username access for the specific IP address..."
System -> Users -> {your admin user} --> Allowed Address --> x.x.x.x/yy
Maybe this will help someone finding this post in future!