You have half a diagram.
A CHR does not typically have any clients, so:
a. What is going to or coming from WG1?
b. What is going to or coming in from WG2?
What are the relationships?
Are you saying WG1 and WG2 are both WG servers for initial handshake?
What is their relationship?
Still not clear at all...
You didn't provide the CHR config?
# 2023-11-07 19:54:23 by RouterOS 7.11.2
# software id =
#
# Interface layer of the posted export: one bridge, two ethernet ports, two
# WireGuard interfaces and the interface lists the NAT rules match on.
# NOTE(review): no /interface bridge port section appears in this export, so
# nothing is shown attached to bridge1 even though ether2 is labelled LAN.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN disable-running-check=no
set [ find default-name=ether2 ] comment=LAN disable-running-check=no
# Two WireGuard interfaces, each with its own UDP listen-port (13331, 13231).
# NOTE(review): no input-chain filter is visible in this export, so confirm
# whether these ports need to be reachable from the WAN side at all; both
# peers below have an endpoint configured, so this router can initiate.
/interface wireguard
add listen-port=13331 mtu=1420 name=wireguard2fr
add listen-port=13231 mtu=1420 name=wireguard5-lax
# Interface lists; WAN and VPN are matched by the masquerade rules under
# /ip firewall nat.
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP pool and server for the 192.168.0.0/24 LAN on bridge1.
/ip pool
add name=dhcp ranges=192.168.0.2-192.168.0.253
/ip dhcp-server
add address-pool=dhcp interface=bridge1 name=dhcp1
# The router itself accepts IPv6 router advertisements.
# NOTE(review): confirm which segment RAs are expected from; no /ipv6 firewall
# filter rules appear in this export to limit where they are accepted.
/ipv6 settings
set accept-router-advertisements=yes
# Both tunnels share the VPN list, so any rule written against VPN applies to
# wireguard2fr and wireguard5-lax alike.
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=wireguard2fr list=VPN
add interface=wireguard5-lax list=VPN
# One peer per tunnel. Each entry sets endpoint-address/endpoint-port and a
# 25 s keepalive, i.e. this router dials out to the remote end.
# allowed-address=::/0,0.0.0.0/0 means WireGuard accepts any IPv4/IPv6 source
# address from the peer and will send any destination to it; the tunnel does
# no address filtering of its own, so limiting what the far end may reach is
# left entirely to firewall filter rules.
# Public keys and endpoint addresses were masked by the poster.
/interface wireguard peers
add allowed-address=::/0,0.0.0.0/0 endpoint-address=103.144.*.* \
endpoint-port=51828 interface=wireguard2fr persistent-keepalive=25s \
public-key="***"
add allowed-address=::/0,0.0.0.0/0 endpoint-address=38.175.*.* \
endpoint-port=58 interface=wireguard5-lax persistent-keepalive=25s \
public-key="***"
# IPv4 addressing. bridge1 carries two subnets (192.168.0.0/24 and
# 172.17.0.0/24); only the first has a DHCP pool and network entry in this
# export. wireguard2fr is numbered from a non-RFC1918 prefix, wireguard5-lax
# from 192.168.90.0/24.
/ip address
add address=192.168.0.1/24 interface=bridge1 network=192.168.0.0
add address=23.129.*.*/24 interface=wireguard2fr network=23.129.32.0
add address=192.168.90.2/24 interface=wireguard5-lax network=192.168.90.0
add address=172.17.0.1/24 interface=bridge1 network=172.17.0.0
# WAN address is obtained by DHCP on ether1; all other client options are at
# their defaults (the export omits default values).
/ip dhcp-client
add interface=ether1
# NOTE(review): the first entry (0.0.0.0/24 with dns-server and gateway
# 0.0.0.0) looks like an unfilled placeholder - confirm it is not needed and
# remove it. The second entry is the one that matches the LAN pool.
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
netmask=24
# NOTE(review): this export contains mangle and nat rules but no
# /ip firewall filter section. If the export is complete, nothing restricts
# input to the router or forwarding to the LAN from ether1 or from either
# tunnel peer - confirm, and add input/forward filtering before relying on
# this setup.
# MSS clamping rule is present but disabled.
/ip firewall mangle
add action=change-mss chain=postrouting disabled=yes new-mss=clamp-to-pmtu \
passthrough=yes protocol=tcp tcp-flags=syn
# IPv4 source NAT: traffic leaving via any WAN-list or VPN-list interface is
# masqueraded behind that interface's address. This applies to IPv4 only.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=VPN
# IPv4 routing: the default route in the main table points into
# wireguard5-lax, so all IPv4 traffic without a more specific route uses that
# tunnel. The two /32 routes send single hosts out of ether1 via 172.16.1.1
# instead of through the tunnel.
# NOTE(review): 38.175.*.* matches the masked prefix of the wireguard5-lax
# endpoint, presumably to keep the tunnel's own packets off the tunnel.
# 23.134.*.* matches neither peer endpoint shown (103.144.*.*, 38.175.*.*),
# and no host route exists for the wireguard2fr endpoint, so its handshake
# would follow the default route into wireguard5-lax - confirm this is
# intended.
# NOTE(review): the 172.16.1.1 gateway is static while ether1 is a DHCP
# client; confirm the upstream gateway cannot change.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard5-lax \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=23.134.*.*/32 gateway=\
172.16.1.1%ether1 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
add disabled=no dst-address=38.175.*.*/32 gateway=172.16.1.1%ether1 \
routing-table=main suppress-hw-offload=no
# IPv6 default route also points into wireguard5-lax.
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=wireguard5-lax \
routing-table=main scope=30 target-scope=10
# IPv6 addressing. bridge1 carries three addresses from masked global
# (2602:/2a06:) prefixes; three entries set advertise=no, the 2a06: entry
# leaves advertise at its default.
# NOTE(review): veth3 is referenced here but no veth interface is defined in
# this export - confirm the interface exists.
# NOTE(review): no /ipv6 firewall filter rules appear in this export and the
# NAT rules are IPv4-only, so if these prefixes are routed to this router the
# LAN hosts are directly addressable from the far side of the tunnel -
# confirm and add IPv6 input/forward filtering.
/ipv6 address
add address=2602:***::1 advertise=no interface=bridge1
add address=2602:***::4a45 advertise=no interface=veth3
add address=2602:***:102::1 advertise=no interface=bridge1
add address=2a06:***::1 interface=bridge1
# Address list pool1 is defined, but no rule in this export references it.
/ipv6 firewall address-list
add address=2602:***::/64 list=pool1
# Neighbor discovery on bridge1: advertises the router's 2602: address as DNS
# server and sets the other-configuration flag.
/ipv6 nd
set [ find default=yes ] dns=2602:***::1 interface=bridge1 \
other-configuration=yes