Help with VPN Routing / Allowed IPs / Multi Site - Flint2

Hi All,

I need some help with VPN routing and Allowed IPs on a WireGuard setup.

  • Site A (Office):

    • Synology NAS with Active Directory Server running.

    • Multiple PCs joined to the AD domain.

    • Virgin Hub in modem only mode, connected to a GL.iNet Flint 2 MT6000.

    • The Flint at Site A is running as the WireGuard server.

  • Site B (Remote Office):

    • Another GL.iNet Flint 2 MT6000, also connected to a Virgin Hub in modem only mode.

    • The Flint at Site B acts as the WireGuard client, connecting back to Site A.

    • PCs at Site B log on to the AD domain, pull Group Policies, and access file shares from the NAS at Site A.

The Problem:
When Site A goes offline (e.g. maintenance or external internet outage), Site B also loses internet access. This means:

  • Remote monitoring and management at Site B are not possible.

  • The WireGuard tunnel still tries to route traffic through Site A, which causes the outage.

What I’ve Tried:

  1. Policy-based routing:

    • Goal was to route only AD/GPUpdate/file share traffic via the VPN, while everything else (e.g. internet browsing) used the local WAN at Site B.

    • However, when I set this up, domain PCs at Site B could no longer run GPUpdate successfully.

  2. WireGuard Allowed IPs:

    • I adjusted the WireGuard profile so that only Site A subnets are routed through the tunnel, and all other traffic uses the local WAN.

    • When testing this with a single client PC, it works fine – the PC can reach Site A resources and still use local internet.

    • But when I apply the same logic to the site-to-site connection, I can access the Site A network but cannot browse the internet via a browser at Site B.

    • I suspect this is a DNS resolution issue, but I haven’t been able to resolve it.

Network ranges:

  • Site A: 192.168.2.0/24

  • Site B: 192.168.3.0/24

Summary:
I want Site B to:

  • Continue using its local internet connection for everything other than NAS shares / GPUpdate

Has anyone dealt with a similar setup, or can anyone suggest how to configure routing/DNS so that Site B doesn't lose internet when Site A is down, and uses its local internet for everything other than Group Policy updates and file share access?

WireGuard profile below

Thanks in advance,

Site A - 192.168.2.0/24

Site B - 192.168.3.0/24

[Interface]
Address = REDACTED
PrivateKey = REDACTED
DNS = 192.168.2.10,10.10.20.1,fd00:db8:0:abc::1,64.6.64.6
DNS = conquered.local
MTU = 1420

[Peer]
AllowedIPs = 192.168.2.0/24,192.168.3.0/24
Endpoint = REDACTED.glddns.com:51820
PersistentKeepalive = 25
PublicKey = REDACTED

Can anyone help before I raise a support ticket?
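The poster suspects DNS. As an added check that is not part of this thread or of GL.iNet's firmware, the Python script below parses a wg-quick profile like the one above and reports which resolvers are reachable only through the tunnel (and so fail whenever the Site A peer is unreachable), plus any AllowedIPs prefix that overlaps Site B's own 192.168.3.0/24. The sample profile is constructed from the posted DNS and AllowedIPs lines.

```python
import ipaddress

# Constructed sample: the DNS and AllowedIPs lines from the poster's Site B
# profile (keys, Address and Endpoint omitted).
SAMPLE_CONF = """\
[Interface]
DNS = 192.168.2.10,10.10.20.1,fd00:db8:0:abc::1,64.6.64.6
DNS = conquered.local
[Peer]
AllowedIPs = 192.168.2.0/24,192.168.3.0/24
"""

def parse_wg(text):
    """Return {section: {key: [values]}}, keeping repeated keys (the two DNS lines)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).extend(
            v.strip() for v in value.split(",") if v.strip())
    return sections

def allowed_networks(conf):
    return [ipaddress.ip_network(a) for a in conf["Peer"].get("AllowedIPs", [])]

def classify_dns(conf):
    """'tunnel': resolver inside AllowedIPs, unreachable once the peer is down;
    'local-wan': routed normally; 'search-domain': non-IP value (wg-quick treats it so)."""
    allowed = allowed_networks(conf)
    result = {}
    for entry in conf["Interface"].get("DNS", []):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            result[entry] = "search-domain"
            continue
        result[entry] = "tunnel" if any(addr in n for n in allowed) else "local-wan"
    return result

def overlaps_local_lan(conf, local_lan):
    """AllowedIPs prefixes that cover the client's own LAN (a tunnel route would compete with the connected route)."""
    lan = ipaddress.ip_network(local_lan)
    return [str(n) for n in allowed_networks(conf)
            if n.version == lan.version and n.overlaps(lan)]
```

With the posted profile, only 192.168.2.10 (the Site A AD resolver) is classified as tunnel-only; the public and IPv6 entries fall outside AllowedIPs and conquered.local is a search domain.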

Based on your description, the issue stems from an overly broad AllowedIPs setting in your WireGuard client configuration at Site B. By including both 192.168.2.0/24 and 192.168.3.0/24, you're essentially routing all traffic, including internet-bound traffic, through the tunnel. To fix this, you must change the AllowedIPs on the Site B client to only include the Site A subnet (192.168.2.0/24) and implement policy-based routing on the Site B router to direct only the specific traffic (e.g., SMB/AD/DNS) to the tunnel, while all other traffic uses the local WAN.

If you upgrade to v4.8 firmware for Flint2, it seems easier to implement your needs.
For example, more flexible policies based on IP/Domain can be set in v4.8.x.

Thank you so much for getting back to me and helping.

Does the attached look correct?

Thank you - I will update to this version and see how it goes.