Mikrotik CHR - Azure - Wireguard : r/mikrotik

Mikrotik CHR - Azure - Wireguard

Hi there

I might have written something related/similar to this in the past, but with a different objective/different problems.

We currently dropped our Azure hosted Windows server (ONG sponsorship got reduced from 3k to 2,5k and then 2k, which barely covers the annual cost of the server and we didn't want to risk it).

Since public IPv4 is not an option and we need that, I thought about reviving the "Azure hosted CHR" plan, but in this case, to use it as an "IPv4 public ip router" that would then be connected to our 2 offices via wireguard.

We would use a few port redirections for the services we need FROM it, and then reach one office or the other via the wireguard tunnels.

We would also interconnect both offices using it (right now they are connected because one of them still has a public IPv4 address, but that will stop soon).

Finally, I would get remote access to both offices using wireguard to the cloud CHR router.

I have already installed CHR and it is running, I configured the WinBox port to be accessible (only from 1 IP that I manage).

The CHR starts with just 1 network interface, and said interface gets a 10.0.0.0/24 address from Azure (10.0.0.4 in my case).

I thought I could just add the wireguard interfaces and without any firewall rules get that running, but I am either missing something (wireguard does connect apparently with the Azure open port configuration, but I can't connect to WinBox using either the Azure public ip, the 10.0.0.4 ip or the wireguard peers interface).

Do I actually need to create an additional interface in the Azure VM config and use that as a "lan" interface, while keeping the original one with the 10.0.0.4 ip as the WAN interface? (It will always be behind a "double nat" from the Tik's perspective, because as far as I know I can't set the Azure VM to give the public IP directly to the VM interface.)

When I had the Windows server, I had configured Wireguard in Windows and it did work to allow us remote access to it.

Thx in advance
