GL-AX1800 / FW 4.2.1 / WAN access to Router / LAN devices with VPN-client/server enabled


I would like to achive the following:

PC (ssh, port yyyyy) → WAN → GL-AX1800 (mapping port yyyyy to xxxxx, VPN-client enabled) → GL-AX1800 (ssh, port xxxxx)

Access the router GL-AX1800 on ssh (port xxxxx) via WAN-putty (port yyyyy) with enabled VPN-client (global policy).

Everything works well, wenn VPN-client is disabled.
The port-forwarding rule for yyyyy to xxxxx is setup.

As soon as I enable VPN-client the access doesn’t work anymore.

Any ideas what I can do??


Nobody a hint what I can do to make this configuration work?

In order to get accurate help from others please clarify your setup and what you are trying to achieve.

OK … obviously my description in the first post wasn’t accurate enough.

I will try again.

The setup:
I have a GL-AX1800 with FW 4.2.1 running directly behind my modem from my ISP, before all the other network devices in my network (mainly fritz boxes in a MESH-network and a lot of other end-devices).
VPN-client (NordVPN) is enabled
VPN-server (Wireguard) is enabled

The problem:
When I try to access the GL-AX1800 by SSH from a computer outside my network (WAN) with enabled VPN-client directly with the IP-address from my ISP-provider (not via VPN) I can’t reach the router via SSH.
If I disable the VPN-client everything works as it should.
VPN-client uses global policy (as there are other issues when using e.g. MAC-based policy).

So the question is why doesn’t access from WAN by SSH not work if VPN-client is enabled?
And what can be done to make this work?


I am not sure if I understand you correctly:

  • the machine that does the ssh is also using the vpn connection? Or is it from another network ? Where is connected to ?
  • can you show screenshot for a successful ssh connection including the IPs source and destination ?

Try this

How can you access your gl ssh without port forwarding? Since your gl router is behind the isp you need to forward the ssh connection to it .

The machine accessing the router is not using the VPN (e.g. a computer in the office)
There is a port forwarding rule from WAN->LAN in place:

I enabled the option “Allow Access WAN” but no difference with activated VPN-Client.

Screenshot from protocol for successful connection (with deactivated VPN-client:

When I activate VPN-client I don’t see anything in protocol but receive from the connection computer:

Now it is clear when you mentioned your office computer and port forwarding!

Can you please share a screenshot of your firewall at:

here is the screenshot:

btw … nothing changed here from the default settings …

Can you please disable the lan from Edit and then Save & Apply.

I can confirm that doing this on wgclient made no difference.
Port forwarding works fine (before this change) but settings ports on the router doesnt work.

it should be on openvpn rule not wgclient!

Yeah i know. Im not the OP.

got it :slight_smile:

Unfortuantely no change after unticking lan / save / save&apply

ok roll back and try to add a static route

When you connect using SSH (while the OPENVPN client is enabled) the the connection does get forwarded (by your ISP) to your GL modem. However when the modem try to talk to you back it goes through the VPN tunnel. There are many different ways to achieve a VPN bypass so that you SSH connections is entirely excluded form default VPN gateway.

There is another way to do it - but I did not test it!

ALWAYS disable/re-enable VPN connection after changes!

My routing screen looks somehow different:

What to set here?

Look above to my screenshot - it states your the IP for the directly connected ISP modem. So you flint and the ISP devices have IPs on the same network.

Make sure you choose the interface that is connected also to your ISP modem! In my screenshot I used the lan and your setup it could be different!

for example,

I got you … but what shall I set at “Route type”?

and how to set the ip … it asks like

The other way with vpn-client excluding ip didn’t work.