Accesing local network shares behind router

Hi everyone. I’ve got the following problem with my wireguard setup. I have a GL-SF1200 connect to my modem using PPPoE with a public address. The wireguard ip is and internal ip is
The client pc is a win-11 desktop computer behind a nat router with the wg port forwarded, wg ip is and network ip
I’ve tried different setting based on the forum posts but the best I have achieved is with my current connection; The server and client seem to be connected, I can ping and (both the server) from the client but I can’t ping the computers connected to the router for example from the client or the client (, from the computers connected to the router. I also can’t connect to any of the shares in either network.
My server settings are:
config servers
option local_ip ‘’
option local_port ‘51820’
option local_ipv6 ‘fd00:db8:0:abc::1’
option private_key ‘
option public_key '

option access ‘ACCEPT’
option enable ‘1’

config peers ‘wg_peer_8174’
option name ‘
option client_key '

option private_key '
option client_ip ‘’

My client setting are:
PrivateKey = 2IB***=
ListenPort = 55916
Address =

PublicKey = ***
AllowedIPs =,
Endpoint = ***
PersistentKeepalive = 25

I appreciate your help.

When you start WireGuard server on the GL-SF1200, did you Turn On “Allow Access Local Network”?

I do not work for and I do not have formal association with GL.iNet

Hi. Thanks for the response.
Yes it is turned on and I have added the list subnet line to the wireguard_server file on the server.

Can you try changing:

AllowedIPs =

I’ve tried that. When I do that all internet traffic from the client computer gets routed through the server but still the problem with pinging and network share access remains unchanged.

Can you refer to Building a Site-2-Site network manually using two GL.iNet routers

In step 7 and 9 there is guide to add route in the server and client.

Update: The problem was caused windows firewall. Thread closed.

1 Like

Screenshot 2022-06-22 125749
hi thanks for th reply. Unfortunately no change

On the server (SF1200) you should do as step 7.

Step 9 is for the Wireguard client router.

Sorry for confusion

Thanks again for your efforts. The command “ip route add 192.168.*.0/24 dev wg0” returns an error message in command prompt as my wireguard client runs on win11; if I understand it correctly this is a command to set thte ip routting in linux, right? Also do you have a command to undo the ip routing in the server?

In the client machine (windows) you don’t need to do anything.

In the server side you can reboot and the command is gone.

So how should I setup the ip route in the client?

No need to do anything if you use a windows.

Only needed for routers.

So I rebooted and edited the wireguard_server file to the following:
config servers
option local_ip ‘’
option local_port ‘51820’
option local_ipv6 ‘fd00:db8:0:abc::1’
option private_key redacted
option public_key redacted
option access ‘ACCEPT’
option enable ‘1’

config peers ‘wg_peer_8174’
option name ‘redacted’
option client_key redacted
option private_key redacted
option client_ip ‘,’


The problem persists

Maybe it is helpful to understand what a route is.

You’ve got a client. The client got a IP 24 is the same as This means all connected devices with a IP between to are able to connect directly via TCP or UDP or ICMP (simplified).
In this network is a router, The two devices can talk to each other.

There is a route at the client, that say "everything you don’t know (aka not in, send to This is called a default route.
As the routers purpose is to route, the router knows his LAN IP ( and his external IP from your provider.

The GL.iNet devices are routers behind routers. This means:
The client got a address. The router is in the LAN and in this case 192.168.0.x/24 in the ‘LocalWAN’ (the old LAN). So the router knows to take everything send from the LAN and send it into the LocalWAN … So you can reach from your client over your GL.iNet and all devices in … But not the other way around.

IMPORTANT: On the whole path, the net must be unique. Even if it is only a transfer net.

Now you’re setting up a tunnel. The tunnel works nearly the same. There are two endpoints, the Client doesn’t need to know the other net, the router needs.

(Client - ( GL.iNet - [not allowed to be 0, like in the picture] Desktop
As the Desktop ( is a Desktop, I don’t think it is able to route within your right LAN.

So, how is your desired Route? IP by IP.

1 Like

Can you show output of command wg in SF1200?

Hmm from what I read if I understand you correctly:

You got a modem using the PPPoE connection correct? (I assume this because its often used as a isp connection type), this modem is the SF1200?

And your router (missing name here) is behind it using the wireguard client? And the server is on the SF1200?

I think you have to prototype a little here first without the wireguard because it might make things doable.

So the router has a NAT, and the modem has a NAT, with other words your router would be aware of your computer but on the part of the modem, the modem can only see the router as a client and not see the client list like inside the router.

Then there are two options:

You have to make the router static on the modem side, then portforward the input rules for this port and forward it to this router ip.

Then on the router you also portforward but then you forward it to your pc (this ip needs also static), and then of course have the wireguard share option enabled.

If im right but I’m not sure how the ddns works your network should be reachable.

Just my speculation, but wouldn’t it be easier to use a tagged vlan and make it so that the modem handles the dhcp, firewall and maybe even wireguard so you won’t have to deal with the double nat issue?, I had a situation with three nats but I needed a way to reach the clients over one cable, vlans could be very powerfull to traverse into a network topology it might be a good idea depending on your complexity of the network.

Screenshot 2022-06-22 205803

Hi LupusE.
I don’ want to have access from the client lan or to client lan just to the client computer.
So ideally I would like a route
(192.168.8.) - ( GL.iNet - ( Desktop
and reverse Desktop GL.Inet 192.168.8.

Dear xize11,
I don’t think that’s exactly the case. At the office I have a modem that connects to the internet. The wan port of the SF1200 connects to the lan port of the modem and I use the PPoE passthrough feature of the modem and connect the SF1200 with PPoE to the internet. The modem and the SF1200 have different (both public) IPs assigned. If I understand it correctly this means that there is only one NAT (of the SF1200) in play. When I check the netwok settings of the modem (which has a ip range of the SF1200 does not have an ip or appears on the port forwarding list section of the modem.
The client is at home behind a modem ( that has a public ip address and wg ports forwarded.
I hope this makes the setup more clear.
Unfortunately the internet provider does not allow different modes and the modem does not support wg and found the vlan setup quite complicated, thats why I decided to buy the SF1200 and use the PPPoE

Okay, uncommon, but not impossible. Make sure you don’t have to pay twice in the end.
Normal there is a PPPoE and the GL.iNet behind. And Portforwarding does the needed magic.

Please let’s focus on one direction at first.
… btw, why WG ports? It is only one …

I assume the VPN tunnel is up and running.
Your client behind the SF1200 is able to ping
[ ] (?it’s own address)
[ ] (the SF1200 LAN)
[ ] (the SF1200 wg0)
[ ] (the remote endpoint)
[ ] (the remote desktop)

Where does it stop? If it stops in the middle, it’s not a problem right now, maybe just a firewall is blocking ICMP, here.

Edit: My setup.
I have a wg client installed on my android 11 tablet. It is connected to a wg server at my home. Than I’ve got a Beryl with WAN at my home router and LAN at my lab-laptop.
The Beryl is connected to the wg server. I am able with my tablet, to ping the lab-laptop from everywhere through the tunnel.

But the wg server is fully capable of routing. It would be the same, if the Beryl was the server. In my case I’ve had to use ‘boringtun’ (from cloudflare), because my server is a virtual container. I don’t know if anything if this apply to your setup.