Allow Remote Access LAN - how does this work?

I am trying to understand how this “Allow Remote Access LAN” work.

Let’s say my LAN is 192.168.0.x. I start a WireGuard server on the router and I connect to it from a client so the client gets an IP of

Does this function mean that if I have a NAS on my LAN I will be able to access it somehow from the VPN client? I guess I will need some extra firewall settings for that? And what about the client side, how my windows client will know the route to from the VPN network?


When “Allow Remote Access LAN” is enabled, it opens the firewall on your server.

You need add or to AllowedIPs in WireGuard client configuration .

I believe that I am working on exactly the same problem. I have a local LAN,, and a GL-AR300M with Wireguard VPN server configured, and remotely accessing this from the internet using Wireguard Win-10 client on a laptop PC.

The tunnel activates and connects, and works fine to route from the remote laptop PC through the GL-AR300M server, and on out to the internet. However, I cannot access anything on my LAN, with the exception of the GL-AR300M server itself.

I have enabled the “Allow Remote Access LAN” function.

I have added to the AllowedIPs in the WireGuard client.

I have tried all kinds of permutations of the server/client IP’s. I’ve spent hours trying things, and nothing seems to work. What am I missing?

Please help!

Here’s a rough block diagram. What I want is to remotely access all of the devices on my home LAN, from my remote PC. I’d think this is the very most basic definition of a VPN.

All I can seem to do is tunnel from my laptop client to the VPN server and out to the internet. From my remote laptop, I cannot ping anything on my home LAN other than the GL-AR300M VPN server.

VPN Simplified Block Diagram|690x366

You have to insert to access your local subnet.

Insert it where?

One of the first things I did was put the LAN network “” into the client “Allowed IPs” configuration.
I’ve actually done, and undone, this at least 20 times. Never solves the problem.

Is there somewhere else it needs to go?


Here’s a screen capture. Please take a look and tell me if it’s still wrong?
I know the address of 192.168.1.X is not the same as 192.168.0.X. I was experimenting with trying a different subnet.

Client config Test7

First connect only the wan of your gl-inet router to your main router and disconnect lan from it then insert in alloweds ip of WG client config.
In WG server of gl-inet router enable “Allow Remote Access LAN”.

Ok Thanks for the help!

If I disconnect the LAN port, I’m thinking that I have no way to talk to the GL-AR300 router for configuration? But I’ll try it right now.

For the other:

  1. Inserting the allowed IP, or
  2. selecting “Allow Remote Access LAN” at the server

As I posted, and showed in the screenshots, I’ve done this over and over and over and over and over again, for days, all to no avail. So either I’m doing it wrong, or something else is wrong, or it just doesn’t work.

Do my screenshots look ok?

Thanks again.

I just tested it, and if I disconnect the LAN port on the GL-AR300 router, I can no longer reach the router’s management interface. Is there something else I need to do, in order to for it work both the LAN and WAN through the WAN port?

Anyway, I’m still stuck and it won’t work.

First, the LAN segment where your PC is located cannot be
Next, check the routing on your PC. With AllowedIPs configured and the wireguard client running, execute the following command.

route print

I don’t believe the LAN segment where my remote laptop PC is, is, but I believe it is

Look at the screen shots which I previously attached. Am I misunderstanding?

Here’s the results of the print route and tracert

NOTE: my network devices that I care about reaching are in the subnet. But I’d be incredibly super happy to be able to route to either or the subnets.

C:\Users\TOUGHBOOK 31 MK5>route print

Interface List
81…WireGuard Tunnel
20…20 c6 eb 8f 03 c9 …Intel(R) Ethernet Connection (3) I218-LM
77…00 ff f7 82 86 3a …TAP-Windows Adapter V9 for OpenVPN Connect
46…4c 34 88 4f 8c 07 …Microsoft Wi-Fi Direct Virtual Adapter
19…4e 34 88 4f 8c 06 …Microsoft Wi-Fi Direct Virtual Adapter #2
37…94 8d 84 58 52 5d …Generic Mobile Broadband Adapter #18
41…4c 34 88 4f 8c 06 …Intel(R) Dual Band Wireless-AC 7265
1…Software Loopback Interface 1

IPv4 Route Table

Active Routes:
Network Destination Netmask Gateway Interface Metric 311 On-link 0 On-link 256 On-link 311 On-link 311 On-link 311 On-link 331 On-link 331 On-link 331 On-link 0 On-link 256 On-link 331 On-link 311 On-link 331 On-link 311

Persistent Routes:

IPv6 Route Table

Active Routes:
If Metric Network Destination Gateway
37 311 ::/0 2600:1004:b101:4636:bc5a:e992:9416:c917
37 311 ::/0 fe80::bc5a:e992:9416:c917
1 331 ::1/128 On-link
37 311 2600:1004:b101:4636::/64 On-link
37 311 2600:1004:b101:4636:1d17:23de:4e8f:c0a8/128
37 311 2600:1004:b101:4636:2631:c168:aaa0:92ce/128
37 311 2600:1004:b101:4636:fc85:64fa:4cbb:4416/128
37 311 fe80::/64 On-link
37 311 fe80::1208:c511:a05c:2c3b/128
1 331 ff00::/8 On-link
37 311 ff00::/8 On-link

Persistent Routes:

C:\Users\TOUGHBOOK 31 MK5>tracert

Tracing route to over a maximum of 30 hops

1 101 ms 56 ms 59 ms
2 54 ms 65 ms 58 ms
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * ^C
C:\Users\TOUGHBOOK 31 MK5>
C:\Users\TOUGHBOOK 31 MK5>tracert

Tracing route to over a maximum of 30 hops

1 105 ms 56 ms 57 ms
2 reports: Destination host unreachable.

Trace complete.

I am referring to the LAN IP(The IP segment of the Ethernet or WLAN on your PC) and not the virtual IP on the wireguard.

I’m not seeing where my remote PC is on the 192.168.0.x/24 LAN segment?

I’m connecting through a cellular modem that is integral to the remote PC.

But, I’m not very familiar with this, so I may need help understanding where to look?

From here, the packet trying to access reaches with VPN. is it your device?

Yes, is the LAN router/gateway/firewall to the internet on my Home LAN, not on the remote laptop PC.

Referencing the diagram, it’s the “Router Switch” Blue box.
All of the 192.168.“0”.x addresses are now 192.168.“1”.x

So the IP of the NAS is now
So if you tracert or tracert on your PC, will it reach it?

No, the NAS is now

No, a tracert from the remote laptop PC will not reach, and it will not reach I cannot reach anything on the 192.168.1.x subnet, except for, which is the GL-AR300M VPN server.

C:\Users\TOUGHBOOK 31 MK5>tracert
Tracing route to over a maximum of 30 hops
1 100 ms 57 ms 58 ms
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * ^C

C:\Users\TOUGHBOOK 31 MK5>tracert
Tracing route to over a maximum of 30 hops
1 96 ms 57 ms 56 ms
2 * * * Request timed out.
3 * * * Request timed out.
4 * * ^C

C:\Users\TOUGHBOOK 31 MK5>tracert
Tracing route to over a maximum of 30 hops
1 51 ms 62 ms 56 ms
Trace complete.

C:\Users\TOUGHBOOK 31 MK5>

If is the virtual IP on your AR300M, then the router appears to have no problems.
Because your AllowedIPs already contain, the routing table is correct even if is not added. Traffic packets will also reach the gateway correctly.

Please check LuCI → Network → Firewall on the AR300M and make sure that wgserver → lan is accepted.

This is what I show for LuCi → Network → Firewall