So this is the latest config. I can ping the wg interfaces from both sides, but that's all; nothing else works.
Here is the OpenWrt side (father's house):
# WireGuard interface on the OpenWrt router; listens on UDP 51820 and holds
# 192.168.9.1/24 plus an IPv6 ULA address as its tunnel addresses.
# private_key is blank as posted (redacted). The real private key must never
# be pasted into a public post; anyone holding it can impersonate this endpoint.
# NOTE(review): no firewall zone or WAN accept rule for this interface appears
# in the post, so whether tunnel traffic may be forwarded to the LAN cannot be
# told from here - check /etc/config/firewall.
config interface 'vpn'
option proto 'wireguard'
option private_key ''
option listen_port '51820'
list addresses '192.168.9.1/24'
list addresses 'fdf1:e8a1:8d3f:9::1/64'
# Peers of the 'vpn' interface. allowed_ips is both the list of source
# addresses accepted from a peer and the list of destinations sent to it;
# route_allowed_ips '1' additionally installs a kernel route per entry.
# public_key values are blank as posted.

# Phone: single address, no prefix length given (treated as a /32 host entry).
config wireguard_vpn
option public_key ''
option description 'Phone'
option route_allowed_ips '1'
list allowed_ips '192.168.9.20'
# MikroTik (home router): this side dials out to it on UDP 13231 and sends a
# keepalive every 25 s. endpoint_host is a placeholder as posted.
# 192.168.9.2 is already contained in 192.168.9.0/24, so the first entry is
# redundant next to the third. 192.168.88.0/24 is the LAN behind the MikroTik.
config wireguard_vpn
option public_key ''
option description 'mikrotik'
option route_allowed_ips '1'
option persistent_keepalive '25'
option endpoint_port '13231'
option endpoint_host 'home public IP'
list allowed_ips '192.168.9.2'
list allowed_ips '192.168.88.0/24'
list allowed_ips '192.168.9.0/24'
# NOTE(review): '192.168.9.21/24' has host bits set and, as a /24, describes the
# same 192.168.9.0/24 prefix already given to the mikrotik peer above. WireGuard
# binds a given prefix to one peer only, so the two entries conflict; a single
# host entry (192.168.9.21/32) is presumably what was intended - confirm.
# Keeping each peer to the narrowest prefix it needs also limits which source
# addresses that peer is allowed to use.
config wireguard_vpn
option route_allowed_ips '1'
option public_key ''
option description 'Macbook'
list allowed_ips '192.168.9.21/24'
# Static route bound to the 'vpn' interface.
# NOTE(review): the values do not match what these options expect: 'gateway'
# takes a single next-hop address and 'netmask' a dotted mask such as
# 255.255.255.0, but both are given as CIDR networks here, and 'target' is the
# router's own tunnel address. The /24 address on the interface already yields
# a connected route for 192.168.9.0/24, and route_allowed_ips on the peers
# installs the remote-LAN routes, so this section looks unnecessary - confirm.
config route
option target '192.168.9.1/24'
option gateway '192.168.1.0/24'
option netmask '192.168.9.0/24'
option interface 'vpn'
And here is my MikroTik config (home router):
# jan/02/2022 14:43:04 by RouterOS 7.1.5
# software id = 2Y0D-P7Z5
#
# model = RB750Gr3
# serial number =
# Base interfaces: the LAN bridge, the ether1 port, and the WireGuard interface.
# MAC addresses are masked in the post.
/interface bridge
add admin-mac=XXXXXXXXX auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=XXXXXXXXX
# WireGuard listens on UDP 13231 with MTU 1420. No private-key appears on the
# line below (not exported, or removed before posting).
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
# Interface lists that the firewall rules match on (in-interface-list=WAN/LAN).
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Default IPsec proposal is disabled. NOTE(review): it names 3des, a legacy
# cipher; if this proposal is ever re-enabled, switch it to an AES variant first.
/ip ipsec proposal
set [ find default=yes ] disabled=yes enc-algorithms=3des
# Address pools: LAN DHCP leases and a three-address pool for PPP/VPN clients.
/ip pool
add name=dhcp ranges=192.168.88.30-192.168.88.80
add name=vpn-pool ranges=192.168.8.10-192.168.8.12
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
# PPP profile used by the OpenVPN server and the PPP secret in this export:
# clients get an address from vpn-pool and 192.168.8.250 as DNS/local address.
/ppp profile
add dns-server=192.168.8.250 local-address=192.168.8.250 name=vpn-profile \
remote-address=vpn-pool use-encryption=yes
# NOTE(review): routing table with an empty name - possibly blanked before
# posting; confirm it is intended.
/routing table
add fib name=""
# Policy list of the 'full' user group (every permission, including telnet,
# ftp, api and sensitive).
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp,rest-api"
# ether2-ether5 are bridged together as the LAN.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
# NOTE(review): neighbor discovery is set to run on every interface, which
# includes ether1 (listed as WAN in this export). Limiting it to the LAN list
# avoids announcing the router's identity and version towards the WAN.
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): detect-internet on all interfaces is not needed for WireGuard;
# consider whether it should be enabled at all - confirm.
/interface detect-internet
set detect-interface-list=all
# L2TP server settings. No enabled= value is shown on this line, so whether the
# server is running cannot be told from here. NOTE(review): MS-CHAPv1/v2 are
# weak authentication methods; if L2TP is in use it should only be reachable
# inside IPsec, and mschap1 should be dropped.
/interface l2tp-server server
set authentication=mschap1,mschap2
# List membership: bridge is LAN, ether1 is WAN. wireguard1 is in neither list,
# which matters for every firewall rule that matches on these lists.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# OpenVPN server settings: client certificates are required; auth is SHA-1.
# No enabled= value is shown here either. NOTE(review): prefer a stronger auth
# digest if the RouterOS version offers one - confirm.
/interface ovpn-server server
set auth=sha1 certificate=server-certificate cipher=aes128,aes192,aes256 \
default-profile=vpn-profile require-client-certificate=yes
# Peers of wireguard1. allowed-address is the set of source addresses accepted
# from a peer and the set of destinations encrypted to it. public-key values
# are blank as posted.
# Phone and MacBookAir are limited to one /32 each, which is the narrow form.
# The OpenWrt peer carries the tunnel subnet plus 192.168.1.0/24 (presumably the
# LAN behind the OpenWrt router); this side dials out to it on UDP 51820 with a
# 25 s keepalive. endpoint-address looks like a placeholder as posted.
# NOTE(review): allowed-address alone does not create a route on RouterOS; a
# matching /ip route entry towards wireguard1 is still required for
# 192.168.1.0/24 - confirm against the /ip route section.
/interface wireguard peers
add allowed-address=192.168.9.4/32 comment=Phone interface=wireguard1 \
public-key=""
add allowed-address=192.168.9.5/32 comment=MacBookAir interface=wireguard1 \
public-key=""
add allowed-address=192.168.9.0/24,192.168.1.0/24 comment="Openwrt VPN" \
endpoint-address=no-ip.com endpoint-port=51820 interface=wireguard1 \
persistent-keepalive=25s public-key=\
""
# Router addresses: 192.168.88.1/24 on the LAN, a static address on ether1
# (blanked as posted), and 192.168.9.2/24 on the tunnel. The tunnel address
# gives a connected route for 192.168.9.0/24 via wireguard1.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
add address=/24 interface=ether1 network=0
add address=192.168.9.2/24 interface=wireguard1 network=192.168.9.0
/ip cloud
set update-time=no
# DHCP client on ether1 is disabled; the WAN address is configured statically.
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# Static DHCP leases; MAC addresses and one client-id are blanked as posted.
/ip dhcp-server lease
add address=192.168.88.48 comment="NUC wifi" mac-address= \
server=defconf
add address=192.168.88.49 comment="NUC cable" mac-address= \
server=defconf
add address=192.168.88.43 comment="Raspberry pi 4" mac-address=\
server=defconf
add address=192.168.88.52 client-id=1: mac-address=\
server=defconf
# LAN clients are handed 192.168.88.49 as DNS server and the router as gateway.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.49 gateway=\
192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from clients.
# NOTE(review): which clients can reach it is decided only by the input chain
# of the firewall, so any accept rule that is too broad also exposes the
# resolver.
/ip dns
set allow-remote-requests=yes servers=192.168.88.49
/ip dns static
add address=192.168.88.1 disabled=yes name=router.lan
add address=192.168.88.49 name="Home DNS"
# Packet filter. chain=input is traffic addressed to the router itself,
# chain=forward is traffic routed through it. Rules are evaluated top to bottom.
/ip firewall filter
# dst-port is blank as posted; the rule has no in-interface restriction.
add action=accept chain=input comment="Allow OpenVPN" dst-port= protocol=\
tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# WireGuard packets arriving from the WAN for this router's listen port.
add action=accept chain=input comment="Wireguard VPN" dst-port=13231 \
in-interface-list=WAN protocol=udp
# NOTE(review): the next two rules have no in-interface or ipsec-policy
# matcher, so ESP and UDP 500/1701/4500 are accepted from any interface, WAN
# included. port= matches the source OR the destination port, which is broader
# than dst-port=. If L2TP/IPsec is not in use these rules can be removed;
# otherwise use dst-port= and accept 1701 only with ipsec-policy=in,ipsec.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP to the router is accepted from every interface, which is consistent
# with ping across the tunnel working while nothing else does.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only new connections entering from the WAN list are dropped in the forward
# chain. wireguard1 is not in WAN, so none of the rules shown here drops
# forwarded traffic that enters from the tunnel.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Final input rule: everything not coming from the LAN list is dropped.
# wireguard1 is not a member of LAN in this export, so new connections from the
# tunnel to the router itself (anything other than ICMP and the ports accepted
# above) end here. NOTE(review): prefer a narrow accept rule placed above this
# one (in-interface=wireguard1 with the specific source addresses and ports
# needed) over adding wireguard1 to LAN, which would open every management
# service to the remote site.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# NAT rules.
/ip firewall nat
# Source NAT for traffic leaving through the WAN list; traffic leaving through
# wireguard1 is not matched by this rule.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Disabled. NOTE(review): this rule has no dst-port matcher, so if it were
# enabled as written it would redirect all UDP arriving on ether1 to
# 192.168.88.49:1122; add a dst-port before re-enabling.
add action=dst-nat chain=dstnat comment="OpenVPN Server NUC" disabled=yes \
in-interface=ether1 log=yes log-prefix=VPN protocol=udp to-addresses=\
192.168.88.49 to-ports=1122
# Port-forward of UDP 52994 from ether1 to 192.168.88.49 (commented as
# WireGuard), i.e. a second externally reachable endpoint besides the router's
# own listener on 13231.
add action=dst-nat chain=dstnat comment=Wireguard dst-port=52994 \
in-interface=ether1 protocol=udp to-addresses=192.168.88.49 to-ports=\
52994
# Both DNS redirect rules are disabled.
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=tcp \
src-port="" to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
to-ports=53
# All listed connection-tracking helpers are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# The default IPsec policy template (any to any) is disabled.
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Static routes. The gateway of the default route is blank as posted.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=
# Disabled: 192.168.1.0/24 (presumably the LAN behind the OpenWrt router)
# pointed at the local bridge rather than at the tunnel.
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=bridge \
pref-src=192.168.1.1 routing-table=main scope=10 suppress-hw-offload=no \
target-scope=10
# NOTE(review): a /32 route for the network address 192.168.9.0 via the LAN
# bridge. The 192.168.9.2/24 address on wireguard1 already provides the
# connected route for the tunnel subnet, so this entry looks unnecessary.
# No enabled route in this section sends 192.168.1.0/24 into wireguard1, so
# that traffic presumably follows the default route out of the WAN instead of
# the tunnel; a route with dst-address=192.168.1.0/24 gateway=wireguard1 is
# probably what is missing - confirm.
add check-gateway=ping disabled=no distance=1 dst-address=192.168.9.0/32 \
gateway=bridge pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
# Management services: telnet and ftp are disabled; the ssh port is blank as
# posted. NOTE(review): services that are not listed here keep their default
# state, which this export does not show. Disable the ones not in use and limit
# the rest to trusted source networks with address= - confirm.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=
# PPP account bound to vpn-profile. No password appears on this line (not
# exported, or removed before posting); the username is visible in the post.
/ppp secret
add name=sevim profile=vpn-profile
/system clock
set time-zone-name=Europe/
/system identity
set name=MikroTikRouter
# Time is taken from the LAN host 192.168.88.49.
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.49
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
# Layer-2 management access (MAC telnet and MAC WinBox) is limited to the LAN
# interface list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN