Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X)

Cathy · July 17, 2023, 8:09am

This post is to introduce the guide to config WireGuard LAN to LAN VPN (Site-2-Site) based on GL-iNet SDK 4.X fimrware.

Supported Models

Router Model	Stable	Beta
GL-MT3000 (Beryl AX)	√	-
GL-AXT1800 (Slate AX)	√	-
GL-A1300 (Slate Plus)	√	-
GL-X3000 (Spitx AX)	√	-
GL-AX1800 (Flint)	√	-
GL-MT2500 (Brume 2)	√	-
GL-AR300M (shadow)	-	√
GL-MT300N-V2 (Mango)	-	√
GL-E750 (Mudi)	-	√
GL-SFT1200 (Opal)	-	√
GL-MT1300 (Beryl)	-	√
GL-X750 (Spitz)	-	√
GL-XE300 (Puli)	-	√
GL-X300B (Collie)	-	√
GL-B1300 (Convexa-B)	-	√
GL-AR750S (Slate)	-	√
GL-S1300 (Convexa-S)	-	√

Network Topology

Login the web interface of AX1800, go to VPN > WireGuard Server and click on the Generate Configuration button. Then Click on the Start button to enable the WireGuard Server.

image1470×795 150 KB

image1237×658 86.3 KB
Go to Profiles and add a New User.

image1215×654 100 KB
Click the Share icon to review and download the configuration file.

image1648×804 166 KB

[Interface]
Address = 10.0.0.2/24

PrivateKey = 6CNNJMq8pFCq4uG15+woPhP+fReD4EQWse86hqSbf1A=
DNS = 64.6.64.6
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = 42.200.xxx.xxx:51820
PersistentKeepalive = 25
PublicKey = DzlU6qbaKJqpbpP2GS5cUOFWiVmPS68wBHISi0UDzQ4=

Note: make sure the Endpoint is the same as the WAN IP address of this router, if not, you shall config port forward for this IP address. Here in this example, the WAN IP address of this router is 192.168.89.173, I can just use this IP address instead since the client and server are in the same internal subnet.

Go to VPN > VPN Dashboard, click the Setting icon and enable the Allow Remote Access LAN option.

image1290×819 136 KB

image1254×808 130 KB
Login the web interface of AXT1800, go to NETWORK > LAN and change the Router IP Address to 192.168.100.1

image1398×804 160 KB
Go to VPN > WireGuard Client and add new group and drag the downloaded config file to the box. Then click on Apply when it shows “Upload successful”.

image1417×804 171 KB
Go to VPN > VPN Dashboard, select the proxy mode to Auto Detect, and click on the Setting icon to enable Allow Remote Access LAN. Then enable the WireGuard client.

image1404×794 138 KB

image1398×791 144 KB

Note: here the Client Virtual IP(IPv4) 10.0.0.2 is for route rule setting on the VPN server router.
Login the web interface of AX1800, go to VPN > VPN Dashboard and click the Routing icon to add a route rule.

image1575×798 153 KB
The target address shall be set as the subnet of the VPN client router. Here it is 192.168.100.0/24 in this example. And the gateway is the client router virtual IP 10.0.0.2 in the previous step. After that, back to VPN Dashboard and restart the WireGuard server, to take the route rule into effect.

image1844×605 94.9 KB
The two subnets can access each other.

bring.fringe18 · July 17, 2023, 3:47pm

Can you post a list at the top of this HOW-TO of what devices use SDK 4.x?

yuxin.zou · July 18, 2023, 1:34am

It is here.Includes those released and those being adapted.

ChrisP · July 18, 2023, 4:20am

I’m using a similar approach with GL firmware 3.x, just by setting the WG server on one end, generating a config file that I use to set another GL.iNET router as the WG client, it has worked great. Some minor issues like when the client loses power it doesn’t always connect back, but overall it’s a great way to expand the LAN across the pond.

elorimer · July 18, 2023, 6:53am

Awesome, very clear and to the point.

Is it clear that this is split-tunnelling on both sides? That is, each subnet goes to other addresses outside of the tunnel?

And/or, perhaps add how to have all the client internet traffic route through the tunnel?

bring.fringe18 · July 18, 2023, 5:34pm

Yeah, you bring up some interesting questions. As this is ultimately all WG based would GL GUI’s VPN Policies be honored in such a set?up