Help with 2 Flint 2 Routers

I have 2 Flint 2 Routers one is primary and the other is secondary. Primary Router 1. Connected to my ISP and is running a wireguard VPN for all devices. Secondary Router 2 is connected to the LAN on the primary with a reserved IP. I am trying to setup router 2 with the wireguard server and route traffic from router 2 to the primary and out the VPN. I have tried following the guides but I'm stuck. When I create a wireguard device it fails to connect. I have done several things but nothing has really solved the issue. Any assistance would be appreciated. I have a decent bit of knowledge on network and routing but still new to the whole process.

This would be an example conf for the client/downstream device. Don't forget the GL firmware defaults to 192.168.8.0/24. In my peer-to-peer setup that's the upstream/primary device. Downstream is 192.168.18.0/24. The WG tunnel is 10.0.8.0/24 terminating @ the 'server' @ 10.0.8.1/32.

```ini
[Interface]
PrivateKey = [ redacted ]
Address = 10.0.8.2/32
# ListenPort = 12345
DNS = 192.168.18.1
MTU = 1400

[Peer]
PublicKey = [ redacted ]
PresharedKey = [ redacted ]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.168.8.1:51820
PersistentKeepAlive = 25
```
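Because the most common reason a downstream WG peer "fails to connect" is a conf whose pieces disagree with the topology (tunnel address outside the tunnel subnet, endpoint not reachable on the upstream LAN, AllowedIPs that never send traffic into the tunnel), here is an added sanity checker for a client conf like the one above. It is example code, not from the original post or from GL.iNet; the tunnel subnet 10.0.8.0/24, the upstream LAN 192.168.8.0/24 and the placeholder key values are taken from or assumed to match the setup described above.

```python
import ipaddress

# Constructed sample conf, modelled on the client conf posted above.
# Key material is a placeholder, not real keys.
SAMPLE_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.0.8.2/32
# ListenPort = 12345
DNS = 192.168.18.1
MTU = 1400

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PSK=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.168.8.1:51820
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse a wg-quick style conf into a list of (section, {key: value}).

    Keys are lower-cased so the checks below are spelling-insensitive;
    '#' comments and blank lines are skipped. Values are split on the
    first '=' only, because base64 keys legitimately end in '='.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip().lower(), {})
            sections.append(current)
            continue
        if current is None:
            raise ValueError(f"key outside any section: {line}")
        key, _, value = line.partition("=")
        current[1][key.strip().lower()] = value.strip()
    return sections


def check_client_conf(text, tunnel_net="10.0.8.0/24", upstream_lan="192.168.8.0/24"):
    """Return a list of findings; an empty list means the conf is consistent
    with a full-tunnel peer whose endpoint lives on the upstream LAN."""
    findings = []
    sections = parse_wg_conf(text)
    interfaces = [s for name, s in sections if name == "interface"]
    peers = [s for name, s in sections if name == "peer"]
    if len(interfaces) != 1:
        findings.append("expected exactly one [Interface] section")
        return findings
    iface = interfaces[0]
    if "privatekey" not in iface:
        findings.append("[Interface] is missing PrivateKey")
    tunnel = ipaddress.ip_network(tunnel_net)
    for addr in iface.get("address", "").split(","):
        addr = addr.strip()
        if not addr:
            findings.append("[Interface] is missing Address")
            continue
        if ipaddress.ip_interface(addr).ip not in tunnel:
            findings.append(f"Address {addr} is not inside tunnel {tunnel_net}")
    if not peers:
        findings.append("no [Peer] section")
    lan = ipaddress.ip_network(upstream_lan)
    for peer in peers:
        if "publickey" not in peer:
            findings.append("[Peer] is missing PublicKey")
        allowed = [a.strip() for a in peer.get("allowedips", "").split(",") if a.strip()]
        if "0.0.0.0/0" not in allowed:
            findings.append("AllowedIPs lacks 0.0.0.0/0: IPv4 traffic will not enter the tunnel")
        host, sep, port = peer.get("endpoint", "").rpartition(":")
        if not sep or not port.isdigit():
            findings.append(f"Endpoint {peer.get('endpoint', '')!r} is not host:port")
        else:
            try:
                # A DDNS hostname is also valid; only literal IPs are checked here.
                if ipaddress.ip_address(host.strip("[]")) not in lan:
                    findings.append(f"Endpoint {host} is not on the upstream LAN {upstream_lan}")
            except ValueError:
                pass
        if "persistentkeepalive" not in peer:
            findings.append("PersistentKeepalive missing: a peer behind NAT may stop receiving")
    return findings


if __name__ == "__main__":
    for finding in check_client_conf(SAMPLE_CONF) or ["conf looks consistent"]:
        print(finding)
```

Run it against your own downstream conf by replacing `SAMPLE_CONF`; every finding is a mismatch with the peer-to-peer layout described in this thread, not a WireGuard error as such.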

This is helpful, thank you. In terms of setup on the routers, I have my primary one as the default configuration and the secondary is default but changed the 8 to 10. I guess where I need additional help is on the router setup. Do I use DDNS on the primary router or secondary? Do I have to exclude the secondary router from the VPN tunnel on the primary so it has direct access to the ISP address? Do I port forward on the primary router so the secondary can get directly to the internet?

Enable DDNS on the router acting as the VPN server.

In your case, the VPN server and the main router are the same device, thus eliminating the need for port forwarding.

Port forwarding on the main router is only required when the VPN server is on the LAN side.

Internet ←→ Main router (With Public IP) ←-LAN/Wi-Fi –> VPN server / GL router as VPN server.


Additionally, could you share your use case with us?

If both routers are operating within your home network, it appears a WireGuard VPN may not be necessary.

That would be the Endpoint within the Peer section of a client’s conf. It would depend. If you’re looking to encrypt all inter-LAN traffic to the upstream/primary router that would be 192.168.8.1:51820. It’s up to you to do that but I would understand if you do given even Wi-Fi’s WPA3 isn’t an assurance for security (see Dragonblood; a downgrade attack).

That can be automatically handled by the upstream gateway when its ‘VPN Cascading’ is enabled &/or you define the approp. VPN policy (commonly known as policy based routing).

No, WG ‘clients’ can just send traffic as if it was any other UDP packet. Once it hits the endpoint, said endpoint is responsible for forwarding/routing to the WAN.

All this said: technically WG is a peer-to-peer VPN. ‘Client/server’ or ‘master/slave’ is just holdover terminology to make it more approachable. It’s the routing tables that make the difference. You should be aware of that when referring to other WG-based documentation.

Feel free to draw a topology. That always helps regardless of the complexity:

Thank you for the reply. I ended up changing my configuration to be potentially less complex. I made my primary router my edge and configured the server and client there; the primary is where everything is running. The secondary is now where all of my devices connect to and flow through to the primary.

I really appreciate the detailed response. This is very helpful if I need to switch from my current configuration to the initial one I was attempting.

Just be aware you still have an unneeded level of complexity as described: a double NAT from the secondary/‘inner’ router. A cheap unmanaged switch would be a better arrangement if the port counts aren’t approp. VLANs would be the preferred way to isolate traffic (eg: IoT or Guest from LAN, etc.).

Your secondary Flint v2 would be a good platform to test VLANs on before putting them into production on the main/primary.

Thank you that is a good point. I will have to look at that next especially if I start to see issues.

Don’t worry about it too much. If you don’t run any servers/daemons downstream you’re not going to have much trouble. Here’s a related thread on how a double NAT causes more headache than they’re worth when you do… in this case, integrating an existing Wi-Fi mesh network that’s more of an appliance approach than a well manageable system. Grab some coffee:

Thank you again for all of your helpful insight. I'm not looking to get back into my network as I'm not hosting anything other than the server for wireguard. I really appreciate all of the knowledge and understanding.

You mean you aren’t yet. :wink:

Have a good day.
