Get crazy with Mango and VPN


I just get crazy with the setting of VPN within the Mango interface.
After the update from 3.x zu 4.x the box could not be connected. Sometimes I was able to connect it for maybe 10 Seconds. So I reset it.

The 1st problem:
I can not connect it via (as in the tutorial) if my router has (as the most router?). So I changed the IP to and then connected it via LAN port. By the way, I could NOT connect to it ( via WAN port as said in the tutorial, just via LAN.

so the setup is that way so far:
router -
mango V2 via LAN -

2nd problem:
I get no internet connection. So I understand, that the is no gateway setting (just in lucy). So I set in lucy gateway and still get no connection to the internet. Why?

3d problem:
if I connect to the router via WAN port (DHCP) it just doesn't work. I see some IP via arp -a, but can not connect to it, even ping doesn't work.

strange behavior for me:
if I connect beside the already connected LAN port also the second cable to the WAN port (so I have two cables connected). Then I get internet connection, but with some interrupted connections to the browser interface.

What I want?
Just get it running behind the router with wireguard server (port forwarding is already set) to get some clients connected to the internal network (to the SQL data on the server).

So whats the clue here?

Best regards

So I ubooted the mini router again.
Checked the WAN port in Lucy, it has DHCP.
Connected it via WAN port to my switch (and this to the router).
I get the IP from the router (speedport pro plus), I see it within the connected devices, but can not even ping it. Lucy shows working WAN port with some KB on RX/TX. WTF??

The very strange thing is, if I just connect the WAN, I can reach the Mango V2 via browser just for about 10 seconds and then the connection is dead. But is still shown as working in Lucy.

Can you explain how do you connect? This sound not ccorrect

meanwhile, I didn't change the settings of LAN. Just connected to the Mango V2 via LAN ( directly, made the basic settings, checked that WAN port has DHCP and connected it then via WAN port to my switch (its connected to the speedport router).

Speedport --> Switch --> WAN-Mango V2 with DHCP

this is the actual setting.

And I get the IP in speedport, but I can not connect to it (just some seconds on the fresh connection). In Lucy I see running and working WAN, but it seems to be dead for my connection.

Wha?.. It must be typo. There is invalid IP syntax…

The format should be:

You mentioned, and

Maybe draw a diagram using

It seems that you set the subnet wrongly.

It also seems that you want to access the router via WAN side. Definitely it will be blocked if not set up correctly.

is it the wrong way to connect it via WAN if I want to use the VPN server?

I mentioned these different IPs just because I was in the process.
After uboot you'll get the for the mango V2 to upload the firmware on it. After that you'll get for the mango V2 (everything on the LAN port). After that I changed the LAN to, so I can implement it within my network (for my router has This was the first try. After that I got no connection on LAN and on WAN, so I ubooted it again.

Then I changed nothing, just connected the mango V2 to the router via WAN.

So the actual setting is, as mentioned above:
Speedport --> Switch --> WAN-Mango V2 with DHCP

It can not be a routing problem.
Speedport gives the mango box an IP (, but I can not reach it, even not via ping.

No, that does not work.
In routing mode you can't integrate the device just because you change the IPs. It‘s an router, not a switch! This means WAN and LAN are separated.

Either you need to use another network mode (like extender) or you need to use drop-in gateway.

Please draw an overview of your network.

?? If I change the LAN to the IP range which my router has, set my router as gateway, so surely I can access the LAN port within my router (speedport) network. That's the way, I know and practice.
So I dont understand, what you mean. I can not access the mango V2 if it has (after uboot) within my network, my network has So if I should connect the mango V2 via LAN port I MUST change the IP. The layer 3 switch would route to the, but I have NO layer 3 switch. That is the point about the LAN.

But as somebody sometime in this forum said, I must use the WAN port to use the mango V2 as VPN server, not the LAN port. Is it right or not?

There is nothing to draw.
As I wrote three times, after I ubooted the mango V2 again, I didn't change anything. Just connected it via WAN to my switch.

And this is the actual setting:
Speedport ( --> Switch --> WAN-Mango V2 with DHCP

So, I suppose the only question is. Is it correct to connect the mango box to the WAN port if I want to use it as VPN server or not?

You cannot change Mango router’s IP to which conflict with your parent network. You should just let it be

The 2nd time you said you didn’t change it and it get in the WAN port. You cannot access it using this IP from your parent network. You should configure it at when connected to it directly.

Then connection and subnet are fine. The next step is to set up vpn.

ok, so I don't connect the mango V2 via LAN, correct? Because if I should connect it via LAN, I can not let it on and connect it to my network. It wouldn't work. It's no problem just to connect it directly to any laptop with DHCP and set the mango V2, but not to the whole network, because it has So as I understand, I dont need the LAN port for any purpose, but for the first setting after uboot. Is it Correct?

So, I connect it via WAN port which has DHCP (I can see it in lucy). So surely I get from my speedport router on WAN. Because I set the DHCP between and xxxx.150

As I understand, the setting is ok, WHEN it's right to connect to the WAN port (after configuration on an extra Laptop with DHCP via LAN).

So that should be fine, isn't it?
Speedport ( --> Switch --> WAN-Mango V2 with DHCP (

This is totally correct.

If you want to set up as vpn server, the next step

  1. Enable vpn server by accessing
  2. Set up port forward in your main router

If you want to set up the router at from your wan network, you need to open port 80 or 443 in the admin panel.


So I must connect with the extra cable to the LAN port with some extra laptop with DHCP, isn't it?

If I just want to connect to it directly via WAN port, I open the port 80 and 443 in the firewall settings, correct?

You have a Speedport. The Speedport got a WAN IP from your internet provider, lets call it a.b.c.d and provides a internal IP with the network
All devices in your LAN get one IP starting with the network part 192.168.167. and get a host part from 2 to 254. Depending on your DHCP configuration maybe from 100 to 200 or similar.
All devices can access in the Internet as client, because of NAT. The Router will translate all 192.168.178.x addresses and route the answer to the requesting device.

But no device from the Internet will reach any device behind your NAT router. The solution is port forwarding. You can tell your Speedport firewall 'all requests on WAN port 1234 should go to LAN IP:port' ...

Now you are setting up a mango, and do exact the same.
Even if it is in your LAN, it works in this way.

Your Mango WAN port goes to a Speedport LAN port. Instead of an Internet IP (a.b.c.d) you'll get a LAN IP ( From your LAN all devices will see only one device. All devices connected to (W)LAN wont be reachable. Until you'll say to the Mango 'Route to', It is NATed and needs a own ruleset. See, the IP is the Mangos IP, nit the clients. The Speedport LAN is not aware about the Mango LAN.

Per default the GL-iNet Devices are secure and won't expose Ports to the WAN (in general Internet, in your case Speedport LAN).

If you want to access the Mango Admin Panel from your LAN, go to 'Network - Firewall' and choose the tab 'Open Ports on Router'. Click on '+ Add' and add Port 80 (http) or 443 (https). Than your Mango admin panel will be accessible from the Speedport LAN. Don't do this in the Internet!!

But VPN is another page, because this is a service. Just got to 'VPN - WireGuard Server' and Generate a configuration. The default Port is 51820. To reach this port from the Internet, your Speedport needs a port forwarding to IP port 51820.
The Mango firewall should already make this port accessible, no need for configuration here.


  • The SpeedPort and the Mango do NAT. The WAN port has only one IP.
  • All devices can only see their own LAN and the Network behind WAN. -> A Laptop or Smartphone is able to access the PC or Laptop or Smartphone in the Speedport LAN, because it is behind the Mango WAN ... Therefore the Network can't be in the Speedport LAN and the Mango LAN, even in any other connected VPN LAN.
  • If you want to access the Mango from WAN (Spedport LAN), you need to open the ports.
  • If you want to access devices in the Mango LAN, you need port forwarding on the Mango.
  • Port forwarding is from the routers IP to a LAN IP
  • A port can only be used once. You cant access the Mango on Port 80 and port forward to another Webserver in the Mango LAN.

I hope this makes it a little more clear. If not, just ignore me.

You can connect via WiFi, not necessarily cable.

Yes after you open ports you can access at

thanks for the whole explanation. The most things there I know. The only thing, that was not clear for me, is the firewall of the mango V2. So I'll try to set it that way next days.

What if I want to configure the LAN manually, so I can access the mango V2 via LAN and have connected it to the speedport via WAN? I suppose I will need layer 3 switch, correct? Because I can not set the LAN f. e. to and the WAN to, for it's a separate network card, which needs another IP range, isn't it?

Lets Split up:

  • SpeedPort WAN (a.b.c.d)

  • SpeedPort LAN network (

  • SpeedPort LAN IP (

  • Mango WAN (

  • Mango LAN network (

  • Mango LAN IP (

Think from the Client over the Mango over the Speedport to the Internet. From the SpeedPort WAN to the Mango LAN are two steps in between, that are not part of the default routing.
The other way around need to be configured: Internet - SpeedPort WAN (forwarding rules to SpeedPort LAN) - Mango WAN (Port opening in WF or port forwarding to Mango LAN)

I don't see the need of any switch here, except you want to connect more than one device to one LAN port. You can't connect more than one port to WAN.

We are starting with Speedport LAN to Mango WAN. So the Mango gets a WAN IP via DHCP.
Be aware everything works as designed. You can connect anything to the Mango (LAN or WAN) and it will work in the Mango network.

Now you want to configure your Mango. This is at this time only possible from the Mango network. Attach any device to LAN or WLAN of the Mango.

  1. Configure the WAN IP you want for the Mango.
  2. Open the ports 80 and 443 (TCP) on the Mango for the router (do not use 'port forwarding'!)

From now on you can reach the Mango admin panel vie Mangos WAN and Speedports network.

If you try to connect Mango LAN to Speedport LAN, the routing will break. These are two different networks, doesn't matter witch layer you are on. A switch won't solve the lack of routing (unless you separate them via VLAN, but I think this will get too complex here, because you still need to configure the back flow).

that's the point, I mean. So it's not possible.
I want just the easier way to connect and configure, maintain the mango V2 (without the need of extra laptop with DHCP for connection. And the only way to do so, is to open ports for WAN. Not so good idea regarding security, but I think, it's more practical for maintain reasons.

Since your WAN-Port is only connected to your Speedport LAN Port, it's totally fine to open ports.

The open WAN Port on the mango is still in the Speedport WAN. No Internet access involved here.

This is how networking works. In general, nothing special OpenWRT or GL-iNet here.
If you want to access a service it needs to be bound to a port on an interface. From the client you need a route to the interface of the service providing server. Port forwarding is a kind of routing within NAT networks.
You can't connect two subnets with a switch. Which would be even more insecure than a port forwarding within a local network.