Hi. I have a wireguard tunnel set up on my hap ac3. I have two peers configured in the router with addresses 10.1.0.2/24 and 10.1.0.3/24 for a phone and a windows 10 client.
the router itself has an 10.1.0.1/24 address. the firewall rules can be seen in the picture below (rules 1 & 2 are for zerotier).
I also have added wireguard to the LAN interface list to be able to access my router through the vpn tunnel(i think that's why the LAN list is for).
My problem is that i can't have simultaneous connections to my home network using phone and pc. When I connect with either one and try to establish the tunnel on the other one, the second one does not work.
-i want to be able to access my whole LAN and have the peers communicate with each other via the tunnel. What changes do I have to make? thanks in advance
I can post my config if it helps.

EDIT: wow.. i just found out why vpn connections /drop/fail/partially work when i establish them from my home network.. I use a hybrid router (adsl + LTE ) and I read online that more users experience vpn issues with hybrid routers.. turning off the bonding tunnel and using raw dsl provides slower speed but stable connection without ups and downs

firewall client config

Post the complete export of the configuration of the router except sensitive information - see my automatic signature below.

Added.
Note that i changed the peers' prefix from /24 to /32
Not sure if it's important.

The items on the allowed-address list of the /interface wireguard peers row should be subnet addresses (prefixes), so 10.1.0.2/32 is fine, 10.1.0.2/24 was not, and I am not sure why RouterOS doesn't complain about the latter. If it silently "rounded down" the 10.1.0.2/24 to the proper subnet address 10.1.0.0/24, it would explain why only one peer could work at a time, as Wireguard uses this list to choose the proper peer under the same interface and the first one with allowed-address=10.1.0.0/24 shadows the second one with the same allowed-address.

But from what you wrote it seems doing it right (/24 -> /32) hasn't helped, so a stupid question - do you use a distinct private/public key pair for the Windows PC and for the phone?

@sindy
Your last remark should be covered since Mikrotik WG implementation does not allow reuse of private/public key pairs for peers.
You will get an error if you try to do that.
Some consider it a bug, I consider it common sense and logic.

@pitfermi:
If the allowed address contains the IP address of the WG itf, it should be distinct, as indicated. Otherwise WG does not know where to go to.
So /24 will effectively give you problems but using /32 it should work.
Did you try after that change ?
Separate peers should be made with their own private/public key pairs on server side, if you want to call it that, and as a consequence a unique config for each client.

Reusing keys for peers on same WG interface would be problematic, because key is what identifies peer, and peers don't have to use static endpoints, so you wouldn't be able to tell one from another. But reusing keys on different WG interfaces could work just fine.

But reusing keys on different WG interfaces could work just fine.

That would result in a different pair, so no problem indeed.

NO same public/private keys are used. Any other suggestions?

Have you changed the prefix lengths from /24 to /32 at both the "clients" and at the Mikrotik?

Yes. I think restarting the router and/or the devices' networks and/or closing wireguard applications did the trick. Now I can connect with both my devices to the MT and also ping each other without problem. However, if I disconnect one device(i tested with my phone only) while both pc and phone are connected, the other device's connection drops as well.. both my devices are on the same
LAN. Furthermore, switching APs inside my place from main router to an AP/extender(same subnet, acting as switch) and restarting wireguard on my phone does not let me tunnel anymore..
I think this has to do with the endpoint (MT router) not being informed about the connection drop? Is there a thing like "keepalive/" option that i can tune, so that the endpoint can check the connx to the other peers more often?

Have you changed the prefix lengths from /24 to /32 at both the "clients" and at the Mikrotik?

You can activate keepalive, however the Wireguard protocol should deal silently with an IP address change of one peer at a time even on the fly and dynamically change the socket address of the peer. So a new connection of a client from another address should simply replace the previous one without need that it first timed out or something. The keepalive is there to keep the pinholes in firewalls open, not to monitor the state of the connection and eventually tear it down.

Yea thats what I thought.
But something is wrong(or a bug) since the connection of the client drops as soon as I change AP

You can activate keepalive, however the Wireguard protocol should deal silently with an IP address change of one peer at a time even on the fly and dynamically change the socket address of the peer. So a new connection of a client from another address should simply replace the previous one without need that it first timed out or something. The keepalive is there to keep the pinholes in firewalls open, not to monitor the state of the connection and eventually tear it down.

Wireguard is great with moving clients, as soon as it gets first packet from new address:port, it immediatelly switches peer's endpoint to it. I tried tunnel from dual-WAN router to remote server, kept the ping running inside it and made each outgoing packet use random WAN:
And guess what, ping had 0% packet loss. Try to do that with different kind of VPN

So it should work for you too. Check if client sends anything to router, using either packet sniffer or logging rule like:

EDIT: wow.. i just found out why vpn connections /drop/fail/partially work when i establish them from my home network.. I use a hybrid router (adsl + LTE ) and I read online that more users experience vpn issues with hybrid routers.. turning off the bonding tunnel and using raw dsl provides slower speed (1200kB/s, yea, dsl sucks in greece) but stable connection without ups and downs.

so a little update. i ran a speedtest through the wireguard tunnel using my mobile phone.. phone-->WG<--Tik--->speedtest and i get almost full upload speed @42mbps(out of 50). see screenshot below.
downloading a file from my NAS behind the Tik, through the WG tunnel only happens @ 24mbps and not close to 42mbps.. that's half of what the actual WG tunnel can deliver. why??? is this normal?

In case anyone is interested. see how I solved my problem in this post. viewtopic.php?p=902212#p902212
thanks to all for your help either way.

hi all. i still have speed issues. only a couple kB/s to my NAS.
oepning a port to the router and doing file transfers via port forwarding without tunnel is fine, i get full bandwidth.

does my firewall look ok?

@pitfermi
You could create a block list for 15 to 21 [name it buggers] and then create a Firewall Filter rule in RAW that drops those ip addresses ... that will provide some more efficiency.

When using Wireguard is the throughput erratic behavior happen all the time or during specific time of day/night?

Do you use any mangle rules?

(1) First question,
Can a WG tunnel be an interface list member of LAN? if so, nice! ( This should be okay, its just I have a nagging feeling that a wg interface is not allowed somewhere in some rule hmmmmm???)

(2) Second question, is there any reason to put zerotier or wireguard
BEFORE the established related rule, or any reason to put it after ??

(3) The input list chain of IPs that you wish to block, what is their purpose and why out of order ??
Since in the order of rules you already dropped all WAN incoming, are you assuming these IPs are coming from the LAN side ???......

To recap!
(1) A speed test from iphone to the internet through the MT Server router is fast!

(2) A download of a file from the NASS ( on a subnet of the MT Server Router) throughh the same tunnel is slow ???

(3) I fail to see any IP routes,
assuming you have made through the PPPOE client setup etc...... and thus not visible on the config, but you need another to return traffic,
not sure how you are reaching the internet or more accurately not sure how return traffic is reaching you iphone without it ???

ON MT SERVER ROUTER
add dst-address=ipaddress of iphone gwy=wireguard interface table=main

speedtest through the vpn tunnel is fine.
downloading a file from the NAS through the vpn is slow. it can be fast, but it is random and most of the time couple kB/s
i dont have any mangle rules.
the IP route is added to the table automatically when the connection is established. i have seen this live in the MT ip route table when i connect. manually adding it doesnt help.

Oh right you use an IP address for the WG tunnel so its (the IP route from internet return traffic on server router, OR , subnet return traffic from server router) created automagically.
Makes no sense to me why it would be slower, in fact it should be faster in the sense that LAN traffic should be at 1 gig speed ??

@anav
1. Yes you can add the WG interface to the LAN list but it has no effect on whether the the tunnel is established … the control mechanism is the allowed IP’s
2. WG firewall rule can be placed either above or bellow … I prefer below because I like a logical order flow.

NAS performance [throughput] depends on how busy the NAS is with its active apps … also DOCIS is erratic enough especially based on how many are sharing that pipe …. IPerf installed on the NAS as server will provide realistic metrics especially when the client is remote.

another update. I went to a local store that has fiber >60mbps, connected to wifi with my phone and used the WG tunnel to my NAS. the connection was stable and achieved almost max bandwidth. the most important was that the download rate was stable at all times.

on another thought, i should have mentioned how i have been testing so far:
since the internet away from home(home=mikrotik+NAS) is crap and doesnt let me tunnel with the dsl+LTE hybrid connection, I have my android phone(poco f3) usb tethering enabled and share mobile internet to my windows machine (no data cap). the wifi hotspot from my phone is disabled. only usb tethering enabled. With this setup, my PC achieves >100mbps speeds download and 2-3mbps uplink. This is the only way i can establish a link to my home, where MT and NAS are located.
When I use LTE on the phone and download files from NAS via the tunnel, the connection can be fast (sometimes achieving full bandwidth), or it can deliver only a couple kB/s to my phone . But even when it is fast, it drops abruptly, then goes back up and is not consistent. it varies heavily, even when service(signal) is good.
Now when i turn off the tunnel on the phone and connect it to my pc via usb and use internet tethering, the same thing happens to the download rate. but the speedtests deliver exquisite results, thats
what bothers me. i know that mobile internet can be inconsistend, just not sure how sensitive data transfer via a tunnel can become in that case. IF this is normal behavior for using wireguard with mobile data, then it seems my MT and NAS operate properly(since i did the test using fiber internet with stable connection). i hope i provided some more valuable info and sorry for not illustrating my topology from the start.

p,s is there a way to only let my windows machine use the internet of my phone, acting like a transparent bridge? that way LTE will be allocated only for the pc, maybe?