Glinet mango mtn300n x2 site to site setup with wireguard

Hey guys, just to preface, I’m no networking expert, just a guy trying to set up what I believe they call site-to-site using two MT300N-V2 Mango routers. I’ll post as much relevant info as I can.

I’m using one of the Mango routers connected to my home router — this Mango acts as my WireGuard VPN server. That WireGuard server has been running great for a while now — it handles multiple peers successfully (my iPhone, laptops, NAS devices, etc), and those peers are able to connect fine and behave like they’re on my home LAN. Really happy with that part.

My goal:

I’m now trying to add another MT300N-V2 Mango router as a WireGuard VPN client that sits off-site. This “Client Mango” would allow devices plugged into its LAN port to behave like they’re part of my home network as well (i.e. full site-to-site setup). I believe I’m close but still missing something fundamental.

Current status:

:white_check_mark: WireGuard server Mango is running vanilla OpenWRT 22.03.4 (using LuCI to configure everything).

:white_check_mark: WireGuard interface on server (wgserver) has:
• IP: 10.0.0.1/24
• Listen port: 51820
• MTU: 1420
• Route Allowed IPs: Enabled
• route_allowed_ips='1' manually added via UCI to interface config

:white_check_mark: Peers on server:
• All peers have AllowedIPs set properly.
• Client Mango peer is configured with AllowedIPs 10.0.0.2/32, 192.168.8.0/24 (192.168.8.0/24 being the Client Mango’s LAN subnet).

:white_check_mark: Firewall zones on server:
• wgserver has its own zone.
• Forwardings are set: wgserver => lan and lan => wgserver.
• Masquerading enabled where appropriate.
• Input/Output/Forward all set to ACCEPT on wgserver zone.
• WireGuard port allowed via firewall traffic rules.
• ICMP allowed from wgserver zone.

:white_check_mark: Client Mango (WireGuard client) is running OpenWRT (LuCI used to configure WireGuard client interface directly).

:white_check_mark: Client Mango interface (wgclient) config:
• Address: 10.0.0.2/24
• Peer endpoint set to WireGuard server public IP:51820
• AllowedIPs on client side set to 0.0.0.0/0 (full tunnel attempt)
• PersistentKeepAlive: 25

:white_check_mark: WireGuard handshakes are fully up between both sides.
• Client Mango consistently shows latest handshake activity.
• Server Mango shows steady handshake updates from Client Mango.

:white_check_mark: Client Mango routing table looks good and WireGuard routes appear present.

:white_check_mark: I can ping 10.0.0.1 successfully from my WireGuard-connected laptop.

The problem:
• I cannot ping 10.0.0.2 from the WireGuard server Mango.
• I cannot ping 10.0.0.2 from any LAN clients at home.
• Devices connected behind the Client Mango cannot be reached from my home LAN.
• Attempting to ping 10.0.0.2 from the server Mango itself (via SSH terminal) returns:
ping: sendto: Destination address required
• Likewise, pings from client Mango (SSH) back to server 10.0.0.1 usually time out or fail similarly.

Everything seems to route correctly up to the WireGuard interface level but the traffic doesn’t actually cross between peers.

Things we’ve tried:
• Enabling Route Allowed IPs checkbox for the peer on server Mango.
• Manually adding static routes via SSH (ex: ip route add 10.0.0.2/32 dev wgserver).
• Assigning/removing IP addresses from br-lan to avoid interface scope conflicts.
• Testing without NAT masquerade.
• Validated all firewall forwardings, traffic rules, masquerades, and input policies.
• Verified allowed IP ranges are correct on both sides.
• Fully cleared/cleaned up GL.iNet UI configs, performing all current setup exclusively inside LuCI.
• Added option route_allowed_ips '1' manually to the server WireGuard interface in /etc/config/network.

What I’m trying to figure out now:

At this point I feel like I’ve got all the obvious firewall/routing/WireGuard configs correct but may be bumping into some OpenWRT quirk around routing locally sourced traffic from the router itself to its WireGuard peers (or some missing PBR / kernel policy routing issue).

I’ve read that WireGuard on OpenWRT sometimes requires policy-based routing to allow traffic sourced from the router itself to reach WireGuard peer IPs — but I’m unsure if I’m running into that or something else entirely.

My desired end goal:
• Devices connected to Client Mango LAN should be fully reachable from my home LAN.
• Both routers should properly route traffic between LAN clients across the WireGuard tunnel.
• Ideally I’d like to avoid having to introduce overly complex PBR or multiple routing tables if possible.

Thanks so much for reading — I know this was long but wanted to give you full visibility into where I’m at so far. Any help or fresh eyes from the experts here would be greatly appreciated.

Open the VPN client: Allow Ping from WAN

I don’t seem to have that in my system options. I’m on firmware 4.3.25 and it says up to date.

Okay follow up, I got a little further.

Site-to-Site WireGuard Setup - Mango to Mango - Need sanity check on last

Hardware

  • GL.iNet Mango MT300N-V2 on both sides (server and client)
  • GL.iNet stock firmware v4.3.25 on both

Network Layout

| Location | Device | LAN Subnet | WireGuard Tunnel IP |
|---|---|---|---|
| Home Network | Main Router | 192.168.1.0/24 | N/A |
| Home Mango (Server) | WireGuard Server | 192.168.8.1 / 192.168.8.0/24 | 10.0.0.1 |
| Remote Mango (Client) | WireGuard Client | 192.168.9.1 / 192.168.9.0/24 | 10.0.0.4 |
| Other WG Peers | Laptop, iPhone, etc | 192.168.1.0/24 | 10.0.0.2 (laptop), 10.0.0.3 (phone) |

WireGuard Server Peers Configured As

MangoClient (Remote Mango Client Peer):

  • AllowedIPs:
    10.0.0.4/32, 192.168.9.0/24

Laptop Peer:

  • AllowedIPs:
    10.0.0.2/32, 192.168.1.0/24

iPhone Peer:

  • AllowedIPs:
    10.0.0.3/32, 192.168.1.0/24

Routing Config (on WireGuard Server Mango @ 192.168.8.1)

Static Route added (via LuCI):

  • Destination: 192.168.9.0/24
  • Gateway: 10.0.0.4
  • Interface: unspecified

Firewall Config (on WireGuard Server Mango)

  • Forwarding between LAN and wgserver is allowed.
  • Masquerading enabled where needed.

Current Status

  • :white_check_mark: WireGuard tunnels up and stable
  • :white_check_mark: Peers can ping server Mango WG IP (10.0.0.1)
  • :white_check_mark: Routing to 192.168.9.0/24 in place
  • :white_check_mark: Static routing correctly pointing into WireGuard
  • :cross_mark: Cannot reach 192.168.9.x devices behind client Mango from any peer or LAN
  • :cross_mark: Cannot ping 10.0.0.4 from peers
  • :white_check_mark: Pinging 10.0.0.1 works from all peers

Where I believe I'm stuck

  • Client Mango isn’t forwarding incoming WG traffic to its LAN
  • I likely need to allow forwarding from wgclient zone → lan zone on the Client Mango firewall

Summary

  • WireGuard config: :white_check_mark:
  • Routing: :white_check_mark:
  • Static routes: :white_check_mark:
  • Firewall forwarding on Client Mango: :cross_mark: likely missing link

I’m all ears and willing to try anything lol.

Thanks!
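Pulling the first post and this one together, here is an added example (my own, not the poster's actual configs) of the Client Mango's network and firewall sections plus the matching peer entry on the server Mango, including the wgclient → lan forwarding identified above as the likely missing link. It assumes the interface names wgclient/wgserver and the lan zone from the posts, and uses placeholder keys and endpoint.

```uci
# --- Client Mango: /etc/config/network (added example, placeholder keys) ---
config interface 'wgclient'
	option proto 'wireguard'
	option private_key 'CLIENT_PRIVATE_KEY_PLACEHOLDER'
	option mtu '1420'
	list addresses '10.0.0.4/24'

config wireguard_wgclient
	option description 'Home Mango (server)'
	option public_key 'SERVER_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'server.example.invalid'   # placeholder for the server public IP
	option endpoint_port '51820'
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	# Site-to-site split tunnel: only the tunnel range and the home subnets cross the
	# tunnel (instead of 0.0.0.0/0), so the remote site's own Internet traffic stays local.
	list allowed_ips '10.0.0.0/24'
	list allowed_ips '192.168.8.0/24'
	list allowed_ips '192.168.1.0/24'

# --- Client Mango: /etc/config/firewall ---
config zone
	option name 'wgclient'
	list network 'wgclient'
	option input 'ACCEPT'     # lets peers ping 10.0.0.4 (the router itself)
	option output 'ACCEPT'
	option forward 'REJECT'   # no hairpin between peers through this zone
	option masq '0'           # keep real source IPs; the server routes 192.168.9.0/24 via AllowedIPs

# The piece the second post identifies as missing: tunnel -> LAN and LAN -> tunnel.
config forwarding
	option src 'wgclient'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wgclient'

# --- Server Mango: peer entry in /etc/config/network ---
# With route_allowed_ips set, OpenWrt installs the 192.168.9.0/24 route on wgserver itself,
# so the separate LuCI static route with gateway 10.0.0.4 is not needed.
# List only what really lives behind this peer: AllowedIPs doubles as the server's
# routing table toward it, so a subnet listed under the wrong peer is routed there.
config wireguard_wgserver
	option description 'MangoClient'
	option public_key 'CLIENT_PUBLIC_KEY_PLACEHOLDER'
	option route_allowed_ips '1'
	list allowed_ips '10.0.0.4/32'
	list allowed_ips '192.168.9.0/24'
```

After editing, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` on each router, then confirm with `ip route` that 192.168.9.0/24 points at wgserver and `wg show` that the remote peer's allowed ips include it. Home devices on 192.168.1.0/24 that sit behind the main router rather than the server Mango also need the main router to route 10.0.0.0/24 and 192.168.9.0/24 to the server Mango's WAN address (or the server Mango must masquerade on its WAN side).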

Okay, got further and can now ping 10.0.0.4 (Mango router WireGuard peer) from other WireGuard peers, so that’s awesome.

However, I can’t reach anything behind that router’s own LAN.

Here’s what I’ve confirmed:
:white_check_mark: From a VPN-connected peer, I can ping the client Mango at 10.0.0.4.
:white_check_mark: From the server Mango, I can also ping the client Mango.
:cross_mark: But I cannot ping a Windows device on the client Mango’s LAN from either the server Mango or another VPN peer. Request times out.
:white_check_mark: I SSH’d into the client Mango, and from there I can ping the Windows device on its own LAN.

So it seems like the VPN is working to the client Mango itself, but traffic isn’t getting passed from the tunnel through to devices on its LAN.

Might be, likely, a problem with the Windows firewall rejecting IPs not on the local LAN.

I thought that. Disabled the firewall and got the same result. Would that have solved it if that was the issue?

I would have thought so, and then you could have tried the better solution of opening the firewall to that range of IPs. So I guess you have a different problem.