Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X)

This post is to introduce the guide to config WireGuard LAN to LAN VPN (Site-2-Site) based on GL-iNet SDK 4.X fimrware.

Supported Models

Router Model Stable Beta
GL-MT3000 (Beryl AX) -
GL-AXT1800 (Slate AX) -
GL-A1300 (Slate Plus) -
GL-X3000 (Spitx AX) -
GL-AX1800 (Flint) -
GL-MT2500 (Brume 2) -
GL-AR300M (shadow) -
GL-MT300N-V2 (Mango) -
GL-E750 (Mudi) -
GL-SFT1200 (Opal) -
GL-MT1300 (Beryl) -
GL-X750 (Spitz) -
GL-XE300 (Puli) -
GL-X300B (Collie) -
GL-B1300 (Convexa-B) -
GL-AR750S (Slate) -
GL-S1300 (Convexa-S) -

Network Topology

  1. Login the web interface of AX1800, go to VPN > WireGuard Server and click on the Generate Configuration button. Then Click on the Start button to enable the WireGuard Server.

  2. Go to Profiles and add a New User.

  3. Click the Share icon to review and download the configuration file.

Address =

PrivateKey = 6CNNJMq8pFCq4uG15+woPhP+fReD4EQWse86hqSbf1A=
MTU = 1420

AllowedIPs =,::/0
Endpoint =
PersistentKeepalive = 25
PublicKey = DzlU6qbaKJqpbpP2GS5cUOFWiVmPS68wBHISi0UDzQ4=

Note: make sure the Endpoint is the same as the WAN IP address of this router, if not, you shall config port forward for this IP address. Here in this example, the WAN IP address of this router is, I can just use this IP address instead since the client and server are in the same internal subnet.

  1. Go to VPN > VPN Dashboard, click the Setting icon and enable the Allow Remote Access LAN option.

  2. Login the web interface of AXT1800, go to NETWORK > LAN and change the Router IP Address to

  3. Go to VPN > WireGuard Client and add new group and drag the downloaded config file to the box. Then click on Apply when it shows “Upload successful”.

  4. Go to VPN > VPN Dashboard, select the proxy mode to Auto Detect, and click on the Setting icon to enable Allow Remote Access LAN. Then enable the WireGuard client.

    Note: here the Client Virtual IP(IPv4) is for route rule setting on the VPN server router.

  5. Login the web interface of AX1800, go to VPN > VPN Dashboard and click the Routing icon to add a route rule.

  6. The target address shall be set as the subnet of the VPN client router. Here it is in this example. And the gateway is the client router virtual IP in the previous step. After that, back to VPN Dashboard and restart the WireGuard server, to take the route rule into effect.

  7. The two subnets can access each other.


Can you post a list at the top of this HOW-TO of what devices use SDK 4.x?

It is here.Includes those released and those being adapted.

I’m using a similar approach with GL firmware 3.x, just by setting the WG server on one end, generating a config file that I use to set another GL.iNET router as the WG client, it has worked great. Some minor issues like when the client loses power it doesn’t always connect back, but overall it’s a great way to expand the LAN across the pond.

Awesome, very clear and to the point.

Is it clear that this is split-tunnelling on both sides? That is, each subnet goes to other addresses outside of the tunnel?

And/or, perhaps add how to have all the client internet traffic route through the tunnel?

Yeah, you bring up some interesting questions. As this is ultimately all WG based would GL GUI’s VPN Policies be honored in such a set?up