I am building site-to-site with my Slate 7 and a third-party home router (Router2), and I want a route like:
third-party router LAN (192.168.10.x) → [Router2] – wireguard → [gl inet router] → gl inet router WAN (10.x.x.x)
It means I need the gl-inet router to act like an “exit node in Tailscale”, but Tailscale is not supported by my Router2, so I can only use basic WireGuard. Also, only Router2 has a public IP, not the gl-inet router, so the gl-inet router can only use the WireGuard client mode.
Unfortunately, although we have an “Allow Remote Access the LAN Subnet” option which lets us access gl-inet’s LAN from Router2’s LAN, there is no option like “Allow Remote Access the [WAN] Subnet” to let me access gl-inet’s WAN from Router2’s LAN.
Luckily, after some study I made it work with a little hack (I have NO “IP Masquerading” for WireGuard on both routers; the config may differ in other conditions):
- enable LUCI (Advanced Settings)
- allow wgclient1 → WAN:
  In LuCI → Firewall → Zones → wgclient1, add the “WAN” zone to “Allow forward to destination zones:”
- config wan → wgclient route:
  In LuCI → Routing → IPv4 Rules, add a rule: set Destination=192.168.10.0/24 (Router2’s LAN subnet), Table=1001 (the table for wgclient1; find it with `ip rule show`, e.g. `6000: from all fwmark 0x1000/0xf000 lookup 1001`)
- In VPN → WireGuard Client, add “192.168.10.0/24” to wgclient1 allowed_ips (this will create a route in table 1001; the default 0.0.0.0/0 won’t work)
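As an added example (not part of the original post, and not GL.iNet’s own code): the two LuCI steps above expressed as OpenWrt UCI, together with the `ip rule show` lookup for the wgclient table, in POSIX sh. The zone name `wgclient1`, the `wan` zone name and the sample `ip rule` output are assumptions; the allowed_ips step is left to the VPN → WireGuard Client page because its config storage is not shown here.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the WireGuard client
# firewall zone is named "wgclient1", the upstream zone is "wan", and the
# client's policy-routing table is the one referenced by the fwmark rule.

# Constructed sample of `ip -4 rule show` output on the GL.iNet router.
SAMPLE_IP_RULES='0:      from all lookup local
6000:   from all fwmark 0x1000/0xf000 lookup 1001
32766:  from all lookup main
32767:  from all lookup default'

# Read `ip rule show` text on stdin and print the table number that the
# WireGuard-client fwmark rule (0x1000/0xf000) looks up.
wg_table_from_rules() {
    awk '/fwmark 0x1000\/0xf000/ {
        for (i = 1; i <= NF; i++) if ($i == "lookup") { print $(i + 1); exit }
    }'
}

# Print a `uci batch` script that
#  1. allows forwarding from the WireGuard zone to the wan zone
#     (LuCI: Firewall -> Zones -> <zone> -> "Allow forward to destination zones")
#  2. adds an IPv4 rule sending traffic for the remote LAN to the WG table
#     (LuCI: Routing -> IPv4 Rules, Destination=<remote-lan>, Table=<table>)
# Arguments: <zone> <remote-lan-cidr> <table>
gen_uci_batch() {
    zone=$1; remote=$2; table=$3
    cat <<EOF
add firewall forwarding
set firewall.@forwarding[-1].src='$zone'
set firewall.@forwarding[-1].dest='wan'
add network rule
set network.@rule[-1].dest='$remote'
set network.@rule[-1].lookup='$table'
commit firewall
commit network
EOF
}

# Stand-alone demo on the constructed sample. On the router you would run
#   ip -4 rule show | wg_table_from_rules
# and pipe the batch into `uci batch`, then reload firewall and network.
table=$(printf '%s\n' "$SAMPLE_IP_RULES" | wg_table_from_rules)
gen_uci_batch wgclient1 192.168.10.0/24 "$table"
```

The IPv4 rule is what makes replies to 192.168.10.x (which carry no fwmark) consult table 1001, where the route created by the allowed_ips entry points into the tunnel. The allowed_ips entry is also WireGuard’s cryptokey-routing filter: without 192.168.10.0/24 in it, the client silently drops inbound packets with that source, so both pieces are needed.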
This solved my needs. I recorded it here and hope it can help someone else; I also hope this can be added as an official feature.