That's the config of the peers I'm using.
As I said, OVPN works fine with incoming connections on eth1 and eth2, but WireGuard works only on eth1, because the reply packets get a new connection state and lose the eth2 connection mark.
The VPN range is 10.8.1.0/24 and the LAN is 192.168.10.0/24.
The VPN is intended only for LAN-related traffic, not all internet traffic, so the client is configured accordingly.
The client uses ddns.net for both addresses, as in myoffice1.ddns.net and myoffice2.ddns.net. Both are used in OVPN too.
# dec/28/2022 08:51:05 by RouterOS 7.6
# software id =
#
# model = RB750Gr3
# serial number =
# Physical ports: ether1 and ether2 are renamed as the two uplinks, ether3 and
# ether4 are disabled, and ether5 is the LAN port.
# proxy-arp on ether5-lan: presumably so that OVPN clients, which get addresses
# from vpn-pool inside 192.168.10.0/24, are reachable from LAN hosts - confirm.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-claro
set [ find default-name=ether2 ] name=ether2-zetanet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] arp=proxy-arp name=ether5-lan
# Static OVPN server interface binding; the user field is empty in this export.
/interface ovpn-server
add name=ovpn-in1 user=""
# WireGuard interface listening on UDP 14232. No private key appears in this
# export; keep it out of anything posted publicly.
/interface wireguard
add listen-port=14232 mtu=1420 name=wireguard1
# Interface lists referenced by the firewall and mangle rules.
/interface list
add name=wan
add name=lan
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Address pool for PPP (OVPN) clients; it sits inside the LAN subnet
# 192.168.10.0/24, so these clients appear as LAN addresses.
/ip pool
add name=vpn-pool ranges=192.168.10.61-192.168.10.69
/port
set 0 name=serial0
# PPP profile used by the OVPN secrets: router side 192.168.10.2, client side
# taken from vpn-pool.
/ppp profile
add local-address=192.168.10.2 name=vpn-profile remote-address=vpn-pool
# Simple-queue tree per uplink: a parent queue capped at the link rate, a
# priority-1 child for packets marked voip-packet, and a PCQ child with no
# packet-mark match (presumably for the remaining traffic).
/queue simple
# Uplink 1 (ether1-claro): 600M parent, 30M guaranteed / 100M max for VoIP.
add dst=ether1-claro max-limit=600M/600M name=eth1 queue=default/default \
target=""
add limit-at=30M/30M max-limit=100M/100M name=eth1-voip packet-marks=\
voip-packet parent=eth1 priority=1/1 queue=default/default target=""
add max-limit=300M/300M name=eth1-general parent=eth1 queue=\
pcq-upload-default/pcq-download-default target=""
# Uplink 2 (ether2-zetanet): 100M parent, 30M guaranteed / 50M max for VoIP.
add dst=ether2-zetanet max-limit=100M/100M name=eth2 queue=default/default \
target=""
add limit-at=30M/30M max-limit=50M/50M name=eth2-voip packet-marks=\
voip-packet parent=eth2 priority=1/1 queue=default/default target=""
add max-limit=80M/80M name=eth2-geral parent=eth2 queue=\
pcq-upload-default/pcq-download-default target=""
# NOTE(review): the BGP template and the OSPF instance are both disabled=no,
# yet no BGP connection or OSPF interface-template appears in this export and
# the only OSPF area is disabled. These look like leftover defaults - confirm,
# and disable whatever is not in use.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Extra routing tables selected by the mangle mark-routing rules.
/routing table
add fib name=voip
add fib name=to-eth1
add fib name=to-eth2
add fib name=tv
# IPv6 is disabled; the firewall in this export contains IPv4 rules only.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# List membership drives the firewall: both uplinks are "wan", and the LAN port
# and wireguard1 are "lan".
# NOTE(review): because wireguard1 is in list=lan, WireGuard peers are matched
# by every in-interface-list=lan rule and skipped by every rule scoped to
# in-interface-list=wan. Use a separate list (placeholder name: vpn) if VPN
# peers should be filtered differently from LAN hosts.
/interface list member
add interface=ether1-claro list=wan
add interface=ether2-zetanet list=wan
add interface=ether5-lan list=lan
add interface=wireguard1 list=lan
# OVPN server on UDP 14231 with SHA-256 auth, AES-256 cipher and mandatory
# client certificates, using the certificate named "server".
/interface ovpn-server server
set auth=sha256 certificate=server cipher=aes256 enabled=yes port=14231 \
protocol=udp require-client-certificate=yes
# Single WireGuard peer. allowed-address is a /32, so only 10.8.1.100 is
# accepted as a source address from this peer. The public key is redacted.
/interface wireguard peers
add allowed-address=10.8.1.100/32 comment=max interface=wireguard1 \
public-key="..."
# Router addresses: LAN, the two uplink transfer networks, and the WireGuard
# tunnel network 10.8.1.0/24.
/ip address
add address=192.168.10.2/24 interface=ether5-lan network=192.168.10.0
add address=10.1.1.92/24 interface=ether1-claro network=10.1.1.0
add address=10.1.2.2/24 interface=ether2-zetanet network=10.1.2.0
add address=10.8.1.1/24 interface=wireguard1 network=10.8.1.0
# allow-remote-requests=yes makes the router answer DNS queries. Queries from
# the wan list are stopped only by the final input drop rule in the filter
# table; lan-list interfaces (including wireguard1) can query it.
/ip dns
set allow-remote-requests=yes servers=192.168.10.1,8.8.8.8,8.8.4.4
# Destination list matched by the voip connection-mark rule (entry redacted).
/ip firewall address-list
add address=...com.br list=voip
/ip firewall filter
# --- input chain (traffic addressed to the router); rule order matters ---
# Accept packets that belong to established or related connections.
add action=accept chain=input comment=\
"aceita conexoes estabelecidas e relacionadas" connection-state=\
established,related
# Drop packets that connection tracking classifies as invalid.
add action=drop chain=input comment="descarta conexoes invalidas" \
connection-state=invalid
# Accept OpenVPN on UDP 14231. There is no in-interface match, so the rule
# applies on every interface.
add action=accept chain=input comment="aceita openvpn" dst-port=14231 \
protocol=udp
# Accept WireGuard on UDP 14232, likewise on every interface.
add action=accept chain=input comment="aceita wireguard vpn" dst-port=14232 \
protocol=udp
# Port-scan detection (psd) for TCP arriving on the wan list: matching sources
# are logged and added to address-list "port-scan" for one week.
# NOTE(review): the raw prerouting rule in this export drops everything from
# that list, so a false positive also locks that address out of both VPN ports
# for the full week. Consider a shorter timeout or an allow-list of known peers.
add action=add-src-to-address-list address-list=port-scan \
address-list-timeout=1w chain=input comment="deteccao de port scan" \
in-interface-list=wan log=yes log-prefix=port-scan protocol=tcp psd=\
21,3s,3,1
# Drop everything else that arrives on the wan list.
# NOTE(review): no rule in this chain drops input from non-wan interfaces, and
# wireguard1 is a member of list=lan, so VPN peers reach the router itself
# limited only by the /ip service address restrictions - confirm this is
# intended.
add action=drop chain=input comment="descarte geral dos links" \
in-interface-list=wan
# --- forward chain (traffic routed through the router) ---
# Drop invalid packets.
add action=drop chain=forward comment="descarta conexoes invalidas" \
connection-state=invalid
# Drop new connections from the wan list that were not dst-nat'ed.
# NOTE(review): no forward rule limits what wireguard1 or OVPN clients may
# reach on the LAN. AllowedIPs on the client is a client-side setting, not an
# access control on the router; add explicit forward rules if VPN users should
# reach only specific hosts or ports.
add action=drop chain=forward comment=\
"descarta conexoes vindas da internet que nao tenham base no nat" \
connection-nat-state=!dstnat connection-state=new in-interface-list=wan
/ip firewall mangle
# VoIP: mark new connections to the "voip" address list, ...
add action=mark-connection chain=prerouting comment="voip connection-mark" \
connection-state=new dst-address-list=voip new-connection-mark=\
voip-connection passthrough=yes
# ... route them through table "voip" when they enter from a lan-list interface
# (wireguard1 is in that list too), ...
add action=mark-routing chain=prerouting comment="voip routing-mark" \
connection-mark=voip-connection in-interface-list=lan new-routing-mark=\
voip passthrough=yes
# ... and tag forwarded packets for the voip simple queues. passthrough=no
# ends mangle processing in this chain for matching packets.
add action=mark-packet chain=forward comment="voip packet-mark (qos)" \
connection-mark=voip-connection new-packet-mark=voip-packet passthrough=\
no
# TeamViewer (port 5938, TCP and UDP) is routed through table "tv".
# NOTE(review): there is no in-interface match, so any packet with this
# destination port that passes prerouting is marked - confirm this is intended.
add action=mark-routing chain=prerouting comment=\
"teamviewer tcp routing-mark" dst-port=5938 new-routing-mark=tv \
passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment=\
"teamviewer udp routing-mark" dst-port=5938 new-routing-mark=tv \
passthrough=no protocol=udp
# RDP (TCP 3389) entering on ether5-lan is routed through table "to-eth2".
# Per the rule's own comment, this forces outgoing terminal-server sessions
# onto the link that has the fixed IP.
# NOTE(review): there is no dst-address match, so this also catches TCP/3389
# from the LAN to non-Internet destinations such as the VPN range - verify.
add action=mark-routing chain=prerouting comment=\
"forca conexoes TS externas na eth2 onde temos IP fixo" dst-port=3389 \
in-interface=ether5-lan new-routing-mark=to-eth2 packet-mark=no-mark \
passthrough=no protocol=tcp tcp-flags=""
# Reply pinning for router-terminated traffic: new connections arriving on
# ether1-claro get the connection mark eth1-conn in the input chain ...
add action=mark-connection chain=input comment=\
"marca conexoes entrando pela porta 1" connection-state=new in-interface=\
ether1-claro new-connection-mark=eth1-conn passthrough=yes
# ... and router-originated packets of those connections are sent through
# table to-eth1.
add action=mark-routing chain=output comment=\
"marca pacotes saindo que entraram pela porta 1" connection-mark=\
eth1-conn new-routing-mark=to-eth1 passthrough=no
# Same pair for ether2-zetanet. These rules depend on the reply being matched
# to the connection that was marked in the input chain. The post reports that
# this holds for OVPN but that WireGuard replies show up as new connections
# without the eth2-conn mark.
add action=mark-connection chain=input comment=\
"marca conexoes entrando pela porta 2" connection-state=new in-interface=\
ether2-zetanet new-connection-mark=eth2-conn passthrough=yes
add action=mark-routing chain=output comment=\
"marca pacotes saindo que entraram pela porta 2" connection-mark=\
eth2-conn new-routing-mark=to-eth2 passthrough=no
# Source NAT: masquerade everything that leaves through a wan-list interface.
# No dst-nat rule appears in this export.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan
# Sources on the "port-scan" list (filled by the psd rule in the filter table)
# are dropped in raw prerouting, for all protocols and ports.
/ip firewall raw
add action=drop chain=prerouting comment="bloqueio de port scan detectado" \
src-address-list=port-scan
# Connection-tracking helpers: irc and rtsp are enabled, sip is disabled.
# NOTE(review): if IRC and RTSP are not used on this network, consider
# disabling those helpers too, to reduce payload parsing on the edge router.
/ip firewall service-port
set irc disabled=no
set sip disabled=yes
set rtsp disabled=no
# Routes whose comment contains "ether1-netwatch" or "ether2-netwatch" are
# enabled and disabled by the /tool netwatch scripts in this export.
/ip route
# Main table: default route via ether1's gateway (distance 1), with ether2's
# gateway as backup (distance 2).
add comment="rota geral (ether1-netwatch)" disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add comment="rota geral (ether2-netwatch)" disabled=no distance=2 \
dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
# Table voip: primary default route via ether2's gateway.
add comment="rota principal para voip (ether2-netwatch)" disabled=no \
distance=1 dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src=0.0.0.0 \
routing-table=voip scope=30 suppress-hw-offload=no target-scope=10
# Tables to-eth1 and to-eth2: one default route each, used to send replies out
# of the link on which the connection arrived. These comments carry no
# netwatch tag, so the netwatch scripts do not toggle these routes.
add comment="garante rota de saida no mesmo link de entrada" disabled=no \
dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=to-eth1
add comment="garante rota de saida no mesmo link de entrada" disabled=no \
dst-address=0.0.0.0/0 gateway=10.1.2.1 routing-table=to-eth2
# Table tv (TeamViewer): primary default route via ether2's gateway.
add comment="rota principal para TeamViewer (ether2-netwatch)" disabled=no \
distance=1 dst-address=0.0.0.0/0 gateway=10.1.2.1 pref-src=0.0.0.0 \
routing-table=tv scope=30 suppress-hw-offload=no target-scope=10
# Host routes that pin each netwatch probe target to its own uplink.
# Their comments do not contain the "etherN-netwatch" tag (the text is
# "eth2 com netwatch" / "eth1 com netwatch"), so they stay enabled while a
# link is marked down.
add comment="rota fixa para teste de eth2 com netwatch" disabled=no distance=\
1 dst-address=192.203.230.10/32 gateway=10.1.2.1 pref-src=0.0.0.0 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add comment="rota fixa para teste de eth1 com netwatch" disabled=no distance=\
1 dst-address=192.5.5.241/32 gateway=10.1.1.1 pref-src=0.0.0.0 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Backup routes (distance 2) via ether1's gateway for tables tv and voip.
add comment="rota alternativa para TeamViewer (ether1-netwatch)" disabled=no \
distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 pref-src=0.0.0.0 \
routing-table=tv scope=30 suppress-hw-offload=no target-scope=10
add comment="rota alternativa para voip (ether1-netwatch)" disabled=no \
distance=2 dst-address=0.0.0.0/0 gateway=10.1.1.1 pref-src=0.0.0.0 \
routing-table=voip scope=30 suppress-hw-offload=no target-scope=10
# Management services: telnet, ftp, ssh, api and api-ssl are disabled. www and
# winbox stay enabled but accept clients only from 192.168.10.0/24.
# OVPN clients receive addresses from vpn-pool inside that range, so they can
# reach www and winbox. WireGuard peers use 10.8.1.0/24 and fall outside it.
# NOTE(review): www is the plain-HTTP management page; prefer www-ssl or
# winbox if web management is needed.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.10.0/24
set api-ssl disabled=yes
# OVPN user accounts, all on vpn-profile. No password field is shown in this
# export.
/ppp secret
add name=max profile=vpn-profile service=ovpn
add name=ivo profile=vpn-profile service=ovpn
add name=cassiano profile=vpn-profile service=ovpn
add name=anelise profile=vpn-profile service=ovpn
add name=paulo profile=vpn-profile service=ovpn
add name=lorenzo profile=vpn-profile service=ovpn
/system clock
set time-zone-name=America/Sao_Paulo
/system identity
set name=lan-router
# NOTE(review): the update channel is "testing". For an edge router that
# terminates VPNs, confirm this is deliberate; the stable channel is the usual
# choice for production.
/system package update
set channel=testing
# Outgoing mail settings used by the netwatch scripts (server, sender and user
# are redacted); SMTP port 587.
/tool e-mail
set address=... from="..." \
port=587 user=...
/tool netwatch
# Link monitor for ether1-claro: probes 192.5.5.241 every 30s (type=simple).
# When the host goes down, the script disables every route whose comment
# matches "ether1-netwatch", logs an error, waits 2000ms and sends an e-mail.
# When it comes back up, the script re-enables those routes and sends an e-mail.
add comment="monitora o link ether1-claro" disabled=no down-script="/ip route \
disable [find comment~\"ether1-netwatch\"]\r\
\n/log error \"Link Claro Down\"\r\
\n/delay 2000ms\r\
\n/tool e-mail send to=\"...\" subject=\"Link Claro Down\"" \
host=192.5.5.241 http-codes="" interval=30s test-script="" type=simple \
up-script="/ip route enable [find comment~\"ether1-netwatch\"]\r\
\n/tool e-mail send to=\"...\" subject=\"Link Claro Up\""
# Link monitor for ether2-zetanet: same logic with probe host 192.203.230.10
# and the "ether2-netwatch" comment tag.
add comment="monitora o link ether2-zetanet" disabled=no down-script="/ip rout\
e disable [find comment~\"ether2-netwatch\"]\r\
\n/log error \"Link Zetanet Down\"\r\
\n/delay 2000ms\r\
\n/tool e-mail send to=\"...\" subject=\"Link Zetanet Down\"" \
host=192.203.230.10 http-codes="" interval=30s test-script="" type=simple \
up-script="/ip route enable [find comment~\"ether2-netwatch\"]\r\
\n/tool e-mail send to=\"...\" subject=\"Link Zetanet Up\""
# Packet sniffer filter left on port 14232, the WireGuard listen-port;
# presumably from debugging the issue described in the post.
/tool sniffer
set filter-port=14232
The client is a Windows 10 machine running the current version of WireGuard.
# WireGuard tunnel definition on the client.
[Interface]
# Client private key (redacted in the post). It should exist only on this
# client and never be shared.
PrivateKey = ...
# Tunnel address. It matches the /32 allowed-address of the peer entry on the
# router.
Address = 10.8.1.100/24
[Peer]
# Router's public key (redacted).
PublicKey = ...
# Split tunnel: only the VPN subnet and the office LAN are routed through the
# tunnel; all other traffic uses the client's normal Internet path.
AllowedIPs = 10.8.1.0/24, 192.168.10.0/24
# Router endpoint on UDP 14232 (host redacted).
# NOTE(review): a [Peer] takes a single Endpoint, so only one of the two
# ddns names can be configured at a time - confirm which uplink it resolves to
# when testing each link.
Endpoint = ...:14232