You still have not articulated what it is exactly you are trying to accomplish.
This is me just guessing.
A. You want to be able to remotely configure via winbox, the remote site Router.
B. You want the remote site router to use the internet provided by the main Router.
C. Let's review TWO facts about wireguard I had to re-learn today.
-IP addresses are not interfaces
-Wireguard Interface acts like an ethernet interface
Both of these come into play for how we set up our firewall rules and Routes on the router.
Let's look at WG for this.
MAIN SITE
name=wireguard1
listening port - 13321
(public key generated for use in remote routers peer settings)
MAIN peer settings
name: wireguard1
endpoint address who cares, same with end point port
Public key from the remote site router.
allowed addresses= 172.16.0.2/30, 10.0.1.0/24 (incoming users from the remote site's LAN IPs: two IPs and a subnet respectively)
Note1: So what I do is look at the local LAN of the Main Site and I notice that there is a local subnet of 192.168.50.0/24, and since none of the addresses above match anything on the local router I can conclude those are bona fide addresses that exist on the other end of the tunnel that will be coming to the MAIN router, and thus these source addresses will be allowed to exit the tunnel into the MAIN router. In other words, traffic will be only flowing one way.
However we know you want to be able to access and control the remote router the other way. Thus I suggest you take your admin IP from your PC and add it to the allowed addresses.
Such as 192.168.50.23. In this case you want to allow this IP to enter the Tunnel and head towards the Remote Site.
Note2: The other thing to note is that you're allowing an entire subnet to reach the main router, probably for internet access and as you state also for local Main subnet access.
Therefore it makes sense to set up a WIREGUARD interface address:
/ip address
add address=10.0.1.0/24 comment="WIREGUARD TUNNEL" interface=wireguard1 network=10.0.1.0
DON'T WORRY about the two IPs also coming across the tunnel from the remote site of 172.16.0.2/30; they will be allowed in through the interface but have to be handled separately via the commensurate rules.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
MAIN ROUTER settings............. let's deal with the rest of the Main router whilst there.
1. Clearly the listening port has to be set up on the input chain.
Wireguard Incoming Subnet:
2. The fact that we have an address for most of the incoming wireguard traffic means that we should have no need for any IP routes for the associated IP address as the router will handle those dynamically. If we have more peers, we have to handle those, what are basically return routes (from either queries to the internet or queries to the local subnets) back through the tunnel.
3. Firewall Rules have to be reviewed to see what must be done.
However much to my dismay you have never provided the ???
So I am going to have to guess.
I am going to assume two things off the bat. You have read this article and have similar rule structure -
viewtopic.php?t=180838
/ip firewall filter
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward
AND
/interface list
add name=WAN
add name=LAN
etc..
/interface list member
add interface=bridge list=LAN
add interface=wireguard1 list=LAN
etc.
So we have a forward chain where we DROP all the traffic period and just above that allow the traffic we want to have such as LAN to WAN traffic.
In addition, by adding the wireguard interface to the LAN interface list this will ALLOW all wireguard traffic (all peers) to the internet, based on the above forward chain rules.
Now if you also want the remote SUBNET to be able to access the local subnet of the Main router you will need to add the forward chain rule.
add chain=forward action=accept src-address=10.0.1.0/24 dst-address=192.168.50.0/24
if you wanted to only have the TWO IPs connect to the subnet it would be
add chain=forward action=accept src-address=172.16.1.0/30 dst-address=192.168.50.0/24
finally if you wanted both...
add chain=forward action=accept in-interface=wireguard1 dst-address=192.168.50.0/24
As stated, because we have identified an address for the wireguard interface, we don't need any routes for the 10.0.1.0/24 users.
However we do need it for the group of two......
/ip route add dst-address=172.16.1.0/30 gateway=wireguard1 routing-table=main
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Lots to chew on there for sure................. So we have satisfied the remote router to main router traffic flow.
Let's look at the REMOTE Router Settings
Wireguard Interface
not much here needed except the public key generated that goes into the Peer settings of the Main router.
Peer Settings: Here we are setting what DESTINATION addresses are allowed to exit the router.
Thus we can put 0.0.0.0/0 (as that describes both the internet, which is desired, as well as the subnet 192.168.50.0/24 at the other end).
If for example it was only to be to a subnet, that was going to be accessed by client users, then 192.168.50.0/24 would be the only entry.
(remember what is actually allowed at the MAIN site is controlled by allowed entries at the Main wireguard interface and of course after that by firewall rules).
But let's remember that there is incoming traffic to the Remote Router as well (admin to config the remote router), and thus we have to tell the router what IP address is allowed to exit the tunnel at the remote site, and thus we need to add 192.168.50.23/32
Since the remote client router initiates the connection we also should set its PEER keepalive at, let's say, 40 seconds........
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Now, what about ROUTER settings at the Remote Site.
(1) Well, let's deal with the incoming traffic from the Admin on the MAIN router.
Admin needs access ONLY to the ROUTER itself. aka input chain
Looking at a standard configuration there are two options.
ADD the wg interface to an allowed interface list that already has access to the ROUTER (could be LAN, could be Management etc........)
OR
Simply make an individual rule, before the last drop rule.
/ip firewall filter
add chain=input action=accept in-interface=wireguard1 src-address=192.168.50.23
(you could probably do without the source address, but it's clear and unambiguous when reading it)
(2) NO NEED for any address for the WG interface on this router!!
(3) Last step is to add a route so that return traffic from the admin queries to the router goes back out the interface.
/ip route add dst-address=192.168.50.23 gateway=wireguard1 routing-table=main
++++++++++++++++++++
Now we have to ensure that the outgoing traffic from users on the Remote Router, is handled appropriately and that is for both the two users and the entire subnet. We want to ensure they use the tunnel and not the Remote router routing!! Thus we have to FORCE that traffic through the tunnel and not out the remote site wan ....
Create two tables
/routing table add name=subnetForce fib
/routing table add name=TWOuserForce fib
Two IP routes
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=subnetForce
/ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-table=TWOuserForce
Two Route rules to match
/routing rule add src-address=10.0.1.0/24 action=lookup-only-in-table table=subnetForce
/routing rule add src-address=172.16.1.0/30 action=lookup-only-in-table table=TWOuserForce
DONE.........
Now all traffic for both the subnet and two users will go out the tunnel.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
hope this helps!!
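As an added example (not from the original post or any MikroTik code), a small Python simulation of WireGuard's allowed-address behaviour for the address plan above: a decrypted packet from a peer is accepted only if its source lies in that peer's allowed-addresses, and a packet already routed into the wireguard interface is encrypted only to the peer whose allowed-address contains its destination. The host addresses 10.0.1.20, 10.0.1.1, 172.16.0.2, 192.168.60.5 and 8.8.8.8 are assumed sample values; the admin PC 192.168.50.23 is the one the post uses.

```python
from ipaddress import ip_address, ip_network

# Address plan from the post (peer name -> allowed-address list).
MAIN_PEERS = {"remote-site": ["172.16.0.2/30", "10.0.1.0/24", "192.168.50.23/32"]}
REMOTE_PEERS = {"main-site": ["0.0.0.0/0", "192.168.50.23/32"]}
# The post's narrower alternative: the remote side only reaches the main LAN.
REMOTE_PEERS_LAN_ONLY = {"main-site": ["192.168.50.23/32", "192.168.50.0/24"]}


def _nets(cidrs):
    # strict=False lets a host-style entry such as 172.16.0.2/30 be parsed.
    return [ip_network(c, strict=False) for c in cidrs]


def outbound_peer(peers, dst):
    """A packet that routing has already sent to the wireguard interface is
    encrypted to the peer whose allowed-address is the longest prefix containing
    dst; with no match WireGuard discards it (returns None)."""
    best = None
    for name, cidrs in peers.items():
        for net in _nets(cidrs):
            if ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def inbound_accepted(peers, peer, src):
    """A decrypted packet from `peer` is handed to the firewall only if its
    source address lies inside that peer's allowed-addresses."""
    return any(ip_address(src) in net for net in _nets(peers[peer]))


def check_plan():
    """Evaluate the flows the post walks through; True means the tunnel passes it."""
    return {
        "remote-lan->main": inbound_accepted(MAIN_PEERS, "remote-site", "10.0.1.20"),
        "two-ips->main": inbound_accepted(MAIN_PEERS, "remote-site", "172.16.0.2"),
        "unlisted-src->main": inbound_accepted(MAIN_PEERS, "remote-site", "192.168.60.5"),
        "admin->remote-router": outbound_peer(MAIN_PEERS, "10.0.1.1") == "remote-site",
        "remote-lan->internet": outbound_peer(REMOTE_PEERS, "8.8.8.8") == "main-site",
        "remote-lan->internet(lan-only)": outbound_peer(REMOTE_PEERS_LAN_ONLY, "8.8.8.8") == "main-site",
        "admin-reply->main": outbound_peer(REMOTE_PEERS_LAN_ONLY, "192.168.50.23") == "main-site",
        "admin->remote-input": inbound_accepted(REMOTE_PEERS, "main-site", "192.168.50.23"),
    }


if __name__ == "__main__":
    for flow, ok in check_plan().items():
        print(f"{flow:32} {'pass' if ok else 'DROP'}")
```

The "unlisted-src" and "lan-only" rows show the drops that happen inside WireGuard itself, before any firewall or route rule is consulted.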