Hey guys, just to preface, I’m no networking expert, just a guy trying to setup what I believe they call site-to-site using two MT300N-V2 Mango routers. I’ll post as much relevant info as I can.
I’m using one of the Mango routers connected to my home router — this Mango acts as my WireGuard VPN server. That WireGuard server has been running great for a while now — it handles multiple peers successfully (my iPhone, laptops, NAS devices, etc), and those peers are able to connect fine and behave like they’re on my home LAN. Really happy with that part.
⸻
My goal:
I’m now trying to add another MT300N-V2 Mango router as a WireGuard VPN client that sits off-site. This “Client Mango” would allow devices plugged into its LAN port to behave like they’re part of my home network as well (i.e. full site-to-site setup). I believe I’m close but still missing something fundamental.
⸻
Current status:
WireGuard server Mango is running vanilla OpenWRT 22.03.4 (using LuCI to configure everything).
WireGuard interface on server (wgserver) has:
• IP: 10.0.0.1/24
• Listen port: 51820
• MTU: 1420
• Route Allowed IPs: Enabled
• route_allowed_ips=‘1’ manually added via UCI to interface config
Peers on server:
• All peers have AllowedIPs set properly.
• Client Mango peer is configured with AllowedIPs 10.0.0.2/32, 192.168.8.0/24 (192.168.8.0/24 being the Client Mango’s LAN subnet).
Firewall zones on server:
• wgserver has its own zone.
• Forwardings are set: wgserver => lan and lan => wgserver.
• Masquerading enabled where appropriate.
• Input/Output/Forward all set to ACCEPT on wgserver zone.
• WireGuard port allowed via firewall traffic rules.
• ICMP allowed from wgserver zone.
Client Mango (WireGuard client) is running OpenWRT (LuCI used to configure WireGuard client interface directly).
Client Mango interface (wgclient) config:
• Address: 10.0.0.2/24
• Peer endpoint set to WireGuard server public IP:51820
• AllowedIPs on client side set to 0.0.0.0/0 (full tunnel attempt)
• PersistentKeepAlive: 25
WireGuard handshakes are fully up between both sides.
• Client Mango consistently shows latest handshake activity.
• Server Mango shows steady handshake updates from Client Mango.
Client Mango routing table looks good and WireGuard routes appear present.
I can ping 10.0.0.1 successfully from my WireGuard-connected laptop.
⸻
The problem:
• I cannot ping 10.0.0.2 from the WireGuard server Mango.
• I cannot ping 10.0.0.2 from any LAN clients at home.
• Devices connected behind the Client Mango cannot be reached from my home LAN.
• Attempting to ping 10.0.0.2 from the server Mango itself (via SSH terminal) returns:
ping: sendto: Destination address required
• Likewise, pings from client Mango (SSH) back to server 10.0.0.1 usually time out or fail similarly.
Everything seems to route correctly up to the WireGuard interface level but the traffic doesn’t actually cross between peers.
⸻
Things we’ve tried:
• Enabling Route Allowed IPs checkbox for the peer on server Mango.
• Manually adding static routes via SSH (ex: ip route add 10.0.0.2/32 dev wgserver).
• Assigning/removing IP addresses from br-lan to avoid interface scope conflicts.
• Testing without NAT masquerade.
• Validated all firewall forwardings, traffic rules, masquerades, and input policies.
• Verified allowed IP ranges are correct on both sides.
• Fully cleared/cleaned up GL.iNet UI configs, performing all current setup exclusively inside LuCI.
• Added option route_allowed_ips '1' manually to the server WireGuard interface in /etc/config/network.
⸻
What I’m trying to figure out now:
At this point I feel like I’ve got all the obvious firewall/routing/WireGuard configs correct but may be bumping into some OpenWRT quirk around routing locally sourced traffic from the router itself to its WireGuard peers (or some missing PBR / kernel policy routing issue).
I’ve read that WireGuard on OpenWRT sometimes requires policy-based routing to allow traffic sourced from the router itself to reach WireGuard peer IPs — but I’m unsure if I’m running into that or something else entirely.
⸻
My desired end goal:
• Devices connected to Client Mango LAN should be fully reachable from my home LAN.
• Both routers should properly route traffic between LAN clients across the WireGuard tunnel.
• Ideally I’d like to avoid having to introduce overly complex PBR or multiple routing tables if possible.
⸻
Thanks so much for reading — I know this was long but wanted to give you full visibility into where I’m at so far. Any help or fresh eyes from the experts here would be greatly appreciated
Cannot reach 192.168.9.x devices behind client Mango from any peer or LAN