Can't connect to server-side machines over VPN

We have a commercial control system that has a static IP address (192.168.1.100). When I configure our GL-AX1800 to use 192.168.1.x everything works fine locally and I’m able to connect to the control system using any device attached to the AX1800 via wired or wireless.

I’d like to be able to connect to the control system remotely using one of the VPN servers hosted by the router. I’ve tried both OpenVPN and WireGuard but can’t get it working. The experience on both VPN servers is the same so I won’t make a distinction from here on.

With the VPN server running I can connect to it using a VPN client on my phone. When I browse to the public IP address of the router I can see the router login screen. Similarly, when I enter 192.168.1.1 I can see the router login screen. I am not able to get to the control system at 192.168.1.100. I’ve tried as many combinations of IP address ranges, port forwarding, ‘use VPN for all devices’ as I can think of and still no joy.

There’s a PC local to the control system, connected to the same router. I need that to have access to the control system too, but I think if I can get the VPN access working I can just configure a VPN client on that PC and access the control system that way, right?

Here’s my network diagram:
Phone (connected to cellular signal or home network) —> AX1800 —> Control System (192.168.1.100)

Can anyone help?

thanks

Can you make sure to enable the Allowed Remote Access LAN option for OpenVPN and WireGuard?

I do not work for and I am not directly associated with GL.iNet

Thanks for getting back to me. I’m running the VPN server on the router, but I’m not using the VPN client (on the router) so it’s not configured at all. I have a VPN client on my phone, which I’m using to connect to the router. Do I need to configure the VPN client on the router in order to run the server?

Oops … I took the wrong screenshots.

The VPN Servers have the same options, only with different headings :face_with_hand_over_mouth::

Allow Access Local Network is enabled. I don’t have an option for IP Masquerading.

Can you try connecting to, pinging and tracert the PC local to the control system and any other PCs/devices connected to the LAN side of the GL-AX1800?

I connected multiple devices to the VPN server: 1. laptop (over home internet connection); 2. cellphone (over cellular connection); 3. iPad (over home internet connection).

I’m unable to ping any of these devices from any of the other devices.

If I SSH into the router from my laptop, I can ping and traceroute all three of these devices.

I’m unable to ping/traceroute the control system from any device.

Do I need to set up any port forwards or open router ports?

I’m tempted to factory reset the router and start again.

thanks again for your help with this.

It sounds like a firewall or routing issue. If you don’t mind, then go ahead with a factory reset and reconfiguration.

Also, is the router on the latest firmware release?

@DM2022
Can you please confirm this is your setup?

Should not need extra setup.

But, can you let me know what kind of protocol you use for your local server? It must be something related to the protocol.

@alzhao
Yes, that’s the setup. I also have the PC that’s on the same network as the control system/local server as shown below.

I access the control system using a web browser. It’s just regular HTTP (not HTTPS, hence the desire for the VPN for remote access :slight_smile: ).

thanks

Here’s my LAN IP info

Here’s my WireGuard Server config info

I don’t have any open ports on the firewall and no port forwards either.

In the WireGuard server config, did you manually set the IP address to 192.168.1.1?

You should try leaving it as the default IP address of 10.0.0.1, which is for inside the tunnel, and generate a new client config file:

I did manually set that IP address. I changed it back to 10.0.0.1 and generated a new client config file as instructed, then created a new tunnel in the WireGuard app on my iPad. I rebooted the router, then connected from my iPad. Unfortunately I still don’t have access to the control system server. My iPad has an IP address in the 10.0.0.x range, and when I check my internet-facing IP address from the iPad I’m seeing the public IP address of the router, so that seems to be working correctly, but the router-side peer access isn’t working yet.

By using the default settings, nothing else is needed I think. No idea why you cannot.

I rebooted everything tonight, but still no luck. Do I need any port forwarding?

Port forward not needed.

But you can try setting up a port forward on the router, then try accessing using the router’s IP, i.e. 192.168.1.1

Sorry, wasn’t able to spend any time on this yesterday.

What port forwarding should I set up?

I mean you can try a port forward on the router to the server you want to access.

For example, if you want to access 192.168.1.10 port 80, then you can port forward another port, 8080, to 192.168.1.10 port 80.

Then you can access using 192.168.1.1:8080

Port forwarding didn’t make any difference, so I did a factory reset on the router and started again. Still couldn’t access the control system server remotely. Checking the client list in the router I could see the control system server, which incidentally has a static IP address. I set up a static route in case the static IP address was the issue…still no joy.

I turned on real-time client traffic info and could see data being routed to the control system server but nothing coming back (literally zero bytes). This made me think that maybe the issue was that the control system server was unable to get a route back to the router. A quick check of the control system server network setup showed a gateway address that was incorrect. (I didn’t set up the control system originally, and it used to be directly wired to a control PC, so the gateway wasn’t relevant.) I set the control system server gateway IP address to the router’s IP and rebooted the control system…success!

Everything is working like it should. Massive thanks to @wcs2228 and @alzhao for getting involved, much appreciated.

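An added worked example (not from the thread, GL.iNet or the router firmware) that models the return-path failure this thread ended on: the router forwards the VPN client's request to 192.168.1.100 fine, but the control system's reply to the 10.0.0.x tunnel address only reaches the router if its default gateway points at 192.168.1.1. The topology values are the thread's; the stale gateway 192.168.1.2 and the masquerade option are assumptions used to show why a wrong gateway, or none, produces exactly the "bytes out, zero bytes back" symptom, and why NAT on the router would have masked it.

```python
import ipaddress

# Constructed topology mirroring the thread: the GL-AX1800 is 192.168.1.1 on the
# LAN and 10.0.0.1 inside the WireGuard tunnel, the control system is
# 192.168.1.100, and a VPN client gets 10.0.0.2 inside the tunnel.
# 192.168.1.2 is an assumed stale gateway standing in for the old direct-wired PC.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
TUNNEL_NET = ipaddress.ip_network("10.0.0.0/24")
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")
CONTROL_SYSTEM_IP = ipaddress.ip_address("192.168.1.100")
CLIENT_TUNNEL_IP = ipaddress.ip_address("10.0.0.2")

# The router has both networks on-link (gateway None = directly connected).
ROUTER_ROUTES = [(LAN_NET, None), (TUNNEL_NET, None)]


def next_hop(routes, dst):
    """Longest-prefix match. Returns the on-link neighbour the packet is handed to
    (dst itself for a connected network) or None when no route matches."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return best[1] if best[1] is not None else dst


def control_system_routes(gateway):
    """Routing table of the control system: its LAN plus an optional default gateway."""
    routes = [(LAN_NET, None)]
    if gateway is not None:
        routes.append((DEFAULT_ROUTE, ipaddress.ip_address(gateway)))
    return routes


def check_vpn_access(gateway, router_masquerades=False):
    """Return (request_delivered, reply_delivered) for an HTTP request from the VPN
    client to the control system. Without masquerade the request keeps 10.0.0.2 as
    its source, so the reply must be routed to the one LAN device that knows the
    tunnel: the router. With masquerade the reply goes to 192.168.1.1, on-link."""
    request_delivered = next_hop(ROUTER_ROUTES, CONTROL_SYSTEM_IP) == CONTROL_SYSTEM_IP
    reply_dst = ROUTER_LAN_IP if router_masquerades else CLIENT_TUNNEL_IP
    reply_hop = next_hop(control_system_routes(gateway), reply_dst)
    return request_delivered, reply_hop == ROUTER_LAN_IP


if __name__ == "__main__":
    for gw in (None, "192.168.1.2", "192.168.1.1"):
        print(f"gateway={gw}: request/reply delivered = {check_vpn_access(gw)}")
```

The same check applies to any host behind the router that was configured before the VPN existed: a missing or stale default gateway leaves the forward direction working and silently drops every reply.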