Permanently connecting/link two GliNet router + mobile client


is it possible to make a outer Glinet router connect permantly into a Glinet home router, and then also connect a mobile phone into home router, and then the mobile phone can access the other outer Glinet router and devices in its subnet? Whats the best way to do that, WireGuard? How would I do this configuration? Configer a Wireguard server on the home router, then keep the outer router act as Wireguard client connecting into home router, and also have the phone mobile device be a Wireguard client connecting into home? Would the routing work automatically between all devices?

I would use ZeroTier since it’s easy and works good out of the box.

What you are asking is possible :+1:

But it depends highly what you describe as:

  1. is this second router located in your lan segment?

  2. is this second router on a completely different location? I.e different home or overseas?

For 1, what you kinda want is some type of dumbap configuration just a router with no firewall zones or maybe configurated in such way that wan access all the input and this router is just accessible like a local client in your lan network, on the main router you can setup a static ip to have the downstream router have a fixed ip.

^ optional: if you want to gain some sort if persistence when upgrading without keeping the configuration you often have a one point of failure this can be solved by creating a script in /etc/uci-defaults/ where the script deletes the wan firewall zone or set everything on accept in the firmware update process, but you always have to place back the script as the router loses it file after, also in /etc/sysupgrade.conf you can define files/folders to preserve when making backups.

For 2, its kinda the same but for this you may want to consider a vpn and if you want to appear like its two houses connected as one you tunnel GRE over the vpn :slight_smile:, though GRE is not really needed only if things like multicast are important to you, vpn can be enough sufficient but only for layer3, tailscale and zerotier also work similar or the same.

Then the only thing you have to do is adding in the lan bridge the vpn device, or if you want more security you create vlan for specific devices to be exposed to vpn clients and not all devices. :grin:

It kinda looks like this:

The left router is far away on a different place, connected via 4G/LTE to the internet. There are also a few IP cameras connected to it I want to remote control from anywhere via my phone or home router.

The problem is, the LTE router has all ports blocked from outside, you cant open ports for it because it is behind a NAT from the 4G ISP down allowing ports.

So I thought maybe it could be possible, the left router always opens a client side line to my home router where I can open a port, wireguard for example, and then both are permanently linked and tan talk to each other, also between all clients like the IP cameras, then also connect via Wireguard from a mobile phone via 4G to home router, and then also can talk to each IP cameras, no?

Or is there a better solution. Dont know what ZeroTier is. I dont see any ZeroTier configuration in the glinet web gui.

There is says the Opal doesnt support that why? The left outer router is a GL-SFT1200 (Opal) with a USB 4g stick, and home router is GL-AX1800 (Flint). But the Flint is permanently opening a OpenVPN client connection to route VPN at home for clients.

I do not recommend zerotier for security reasons. It is better to configure your dsl router as wireguard server then establish a tunnel from your 4g router.

How would you configure a Wireguard solution for this use case, so that both routers and their networks are routed between each other, also that I can then see all clients/ip adresses on the 4g router network side, when I connect from phone to home router via wireguard. is this possible with the GLInet web interface?

I don’t have two modems to test. But it is feasible.

Let’s start by establishing the connection between the modems. Then you can configure the routing.

Quick Google shows :

I would use IPsec site to site but it is little complicated. OpenVPN is an option as well.

why not use wireguard? why not use the web interface solution to configure the wireguard connection? wouldnt that work that it reconnects if the connection is lost automatically?

Some cctv or camera does not reqest open port. Just live… For example:
My cctv box connected to Flint 2 and there nothing firewall for cctv. My phone outside network and using XMeye app (outdoor side) . Another cameras YI iot app (indoor side).

@slesar that just works if you use a cloud based IP camera which cost money for a subscription. the video signal is then broadcast from the lan/router into the web/cloud and then you can access it obviously from anymore. that service though does cost money for most if not all ip cameras which I dont want to pay. and because my 4g router is closed for opening outside ports, I also cant tunnel into the router via SSH for example. ERGO do I need a solution where the 4g router connects from itself into a VPN for example home router, and then also connect from mobile into home router, and access both LAN via VPN solution.

I am not paying any subscription for all cameras. It is P2P system, of course yes cloud but not stored in cloud. Stored on my hdd or microsd.

Home router wireguard server to remote router wireguard client should work.
That’s how I use my Flint and Beryl AX when traveling. Behind the hotels router, I’m still able to connect to my home router. I’m able to login to my NAS share (server side) through WG at the client side. Not sure if that works in reverse.

ZeroTier is 256 bit encrypted - what’s the point here?

ZeroTier doesnt seem to be supported by Opal router: ZeroTier - GL.iNet Router Docs 4

GL web interface can be used for simple setup. But, for advanced settings, tweaks and troubleshooting LuCi or CLI will be necessary.

I think wireguard or tailscale might be still the best option, for a few reasons let me explain:

  • it uses udp, the cool thing about udp is that it is stealth from port scanners, wireguard is designed in such way that it does not respond if a auth has been failed, or a port scan is being used, tcp however will reply with a icmp reply or auth failed which you see on openvpn type of vpn this makes you alot more exposed a workaround is to look into port knocking but you can wonder how viable that is.

  • also wireguard has a smaller code footprint meaning its code is better managed which could lead to less chance it has vulnerabilities, on the other side its still new and new software can also come with vulnerabilities so far its secure :+1:

I guess you need to check some youtube tutorials how to configure a site to site vpn, or check gl documentation Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X)

For luci:


Holy crap, guys; are you trying to kill OP with info overload? :wink:

I’m ignorant of ZeroTier… what cipher are they using? They’re not all equal. Regardless WireGuard’s ChaCha20-Poly1305 is going to be faster than, say, OpenVPN’s AES-256 no matter the device.


No, routing would not be automatically set up for this but it’s suprising easy to get online. Be sure to set up a Preshared Key as a extra layer of security. Here’s the HOW-TO:


what did you mean with set an extra preshared key? wireguard just uses privat and open keys I dont see any option to set an extra preshared key in the web gui, the guide you linked also doesnt say anything about that.

just curious, the guide just says you need to add a special routing rule on the wireguard server, so if is the wireguard client ip with the router it needs to be added on the server. why do you dont need the opposite to set up on the client?


Ok I found the preshared key option it was for each client, not server setting. does setting a preshared key reduce the bandwidth because it adds another layer of encryption? I read into it and it is just for preventing quantum computer breaking the encryption or something, so I guess I dont need it?

I have followed the above guide and linked the two routers. I can reach each other subnet both and from each other. But I cant reach when I connect with the phone to the wireguard server. Anyone here know what to do to make this also work? @bring.fringe18 @SpitzAX3000 @admon @xize11 @RBzee

router_outdoor (,, wg client1) router_home (,, wg server)

when I now connect through a phone ( wg client2) to router_home, I can reach from the phone, but I cant reach

Hmm just a thought for did you also allow wan from the vpn dashboard under global options for client?:thinking: