Permanently connecting/linking two GL.iNet routers + mobile client

@slesar that just works if you use a cloud-based IP camera, which costs money for a subscription. The video signal is then broadcast from the LAN/router into the web/cloud, and then you can obviously access it from anywhere. That service, though, does cost money for most if not all IP cameras, which I don't want to pay. And because my 4G router is closed for opening outside ports, I also can't tunnel into the router via SSH, for example. ERGO I need a solution where the 4G router connects from itself into a VPN, for example the home router, and then I also connect from mobile into the home router, and access both LANs via the VPN solution.

I am not paying any subscription for all cameras. It is a P2P system, of course yes cloud, but not stored in the cloud. Stored on my HDD or microSD.

Home router WireGuard server to remote router WireGuard client should work.
That's how I use my Flint and Beryl AX when traveling. Behind the hotel's router, I'm still able to connect to my home router. I'm able to log in to my NAS share (server side) through WG at the client side. Not sure if that works in reverse.

ZeroTier is 256-bit encrypted - what's the point here?

ZeroTier doesn't seem to be supported by the Opal router: ZeroTier - GL.iNet Router Docs

The GL web interface can be used for a simple setup. But for advanced settings, tweaks and troubleshooting, LuCI or the CLI will be necessary.

I think WireGuard or Tailscale might still be the best option, for a few reasons; let me explain:

  • It uses UDP. The cool thing about UDP is that it is stealthy to port scanners. WireGuard is designed in such a way that it does not respond if an auth has failed or a port scan is being used. TCP, however, will reply with an ICMP reply or "auth failed", which you see on OpenVPN-type VPNs; this makes you a lot more exposed. A workaround is to look into port knocking, but you can wonder how viable that is.

  • Also, WireGuard has a smaller code footprint, meaning its code is better managed, which could lead to less chance of it having vulnerabilities. On the other side, it's still new, and new software can also come with vulnerabilities; so far it's secure :+1:

I guess you need to check some YouTube tutorials on how to configure a site-to-site VPN, or check the GL documentation: Building a Site-2-Site network manually using two GL.iNet routers (SDK 4.X)

For LuCI:


Holy crap, guys; are you trying to kill OP with info overload? :wink:

I'm ignorant of ZeroTier… what cipher are they using? They're not all equal. Regardless, WireGuard's ChaCha20-Poly1305 is going to be faster than, say, OpenVPN's AES-256 no matter the device.

@mkdr

No, routing would not be automatically set up for this, but it's surprisingly easy to get online. Be sure to set up a Preshared Key as an extra layer of security. Here's the HOW-TO:


What did you mean with "set an extra preshared key"? WireGuard just uses private and public keys; I don't see any option to set an extra preshared key in the web GUI, and the guide you linked also doesn't say anything about that.

Just curious: the guide just says you need to add a special routing rule on the WireGuard server, so if 10.0.0.4 is the WireGuard client IP with the router 192.168.100.0/24, it needs to be added on the server. Why don't you need to set up the opposite on the client?

edit:

OK, I found the preshared key option; it was per client, not a server setting. Does setting a preshared key reduce the bandwidth because it adds another layer of encryption? I read into it and it is just for preventing quantum computers breaking the encryption or something, so I guess I don't need it?

I have followed the above guide and linked the two routers. I can reach each other's subnet, both 192.168.8.0 and 192.168.100.0, from each other. But I can't reach 192.168.100.0 when I connect with the phone to the WireGuard server. Anyone here know what to do to make this also work? @bring.fringe18 @SpitzAX3000 @admon @xize11 @RBzee

router_outdoor (192.168.100.1, 10.0.0.2, wg client1)
router_home (192.168.8.1, 10.0.0.1, wg server)

When I now connect through a phone (10.0.0.3, wg client2) to router_home, I can reach 192.168.8.1 from the phone, but I can't reach 192.168.100.1.

Hmm, just a thought: for 192.168.100.1, did you also allow WAN from the VPN dashboard under global options for client? :thinking:

@xize11 I have tried to enable that option (didn't even know it existed) on the left/outdoor_router (wg_client1); it was disabled so far:

But enabling this option does not solve the issue I have. Not sure if this option is also for this use case, reading the description.

The allowed_ips for all clients is 0.0.0.0/0, is that correct?

I can also use 10.0.0.1 btw, reaching the wg_router web interface from the phone, but using 10.0.0.2 also doesn't work.

Also, shouldn't masquerading be disabled on both client and wg server?

Wouldn't that mean the entire internet traffic is also routed through the wg tunnel? I obviously don't want that. Clients behind outdoor_router should normally use WAN.

I also noticed this in the guide:

Is that correct with "link" as scope? The guide didn't actually say that in words; I just saw the word link on the screenshots, so I also used it. Ignore the .4 btw in that screenshot.

Host
A route has host scope when it leads to a destination address on the local host.
Link
A route has link scope when it leads to a destination address on the local network.
Universe
A route has universe scope when it leads to addresses more than one hop away.

Does it maybe have to be one of the others? Or maybe the metric needs to not be 0?

I get an "err_connection_refused" in Chrome btw on the phone when trying to reach 192.168.100.1, so I guess it is some sort of firewall issue.

Yes, 0.0.0.0/0 often means all network traffic.

This depends highly on your configuration; in your case I say no, because the wgclient replaces the WAN connection. To demonstrate what I mean: if you tracert to Google you see the gateway is never the WAN one. Basically, from what I'm told, masquerading is only needed for your outgoing zone; for wgserver, well, maybe, but often wgserver goes to WAN, and WAN should be the masquerading one.

^ though it's never wrong to test enabling it on both.

I may be mistaken, but I believe your target network is your local LAN host network; the gateway should be 10.0.0.1. Also make sure it's 10.0.0.1 and not 10.8.0.1 :slight_smile: I believe that's how the configuration generates it now.

How do I change it all so that WireGuard is just used to reach the local subnets? I don't want to route the entire traffic through it. I also tested it right now with the phone: when I connect with wg, all traffic now gets my home IP address, which is totally NOT what I want. I just want to use the normal WAN (4G in this case) of any wg client device/router, and just use the wg link as a link between the LANs. The guide is totally misleading in this case, and as I see it is also bad, because it is double routing, creating double traffic between the routers, if you use masquerade. I just want to use the wg link to reach 192.168.8.0 and 192.168.100.0, with no internet traffic going through it, and also to reach them from the phone.

No, the wg IP addresses are 10.0.0.x, not 10.8.0.x.

The link is working, like I said… I can reach each router's subnet from the other router. But I can't reach 192.168.8.1 from the phone… nothing I tried so far worked.

Maybe someone else can assist here :+1:; it's beyond my scope of knowledge, also because there's a phone VPN app involved as well, and routing is for me still something I never understand :yum:


I found this: Accessing a subnet that is behind a WireGuard client using a site-to-site setup · GitHub, which seems to be what I want to do, but I don't know what the difference to the above is, or how you can configure it with the GL.iNet GUI to make it work.

I have been trying for over 10h now and am close to giving up… would really appreciate someone helping to get this to work. It can't be that hard, when the tunnel is working already and I can reach both subnets from the routers themselves, but not from the phone.

Update: Restarted both devices, and now when I type in 192.168.100.1 on my phone with wg connected, I land on my home_router's WAN-side router IP 192.168.0.1… I totally have no idea how this is even possible.

It's a bit out of scope to try to analyze your whole network, since you were the one who built it. :wink:
Check if all routes are set and working; check if all firewall rules are set and working. Check on the client side that no firewall will stop traffic coming from another subnet, etc. etc.

If everything fails, go with an easier solution. Tailscale or ZeroTier should work just fine.

What routes and firewall rules!? There are none (custom). I am using the GL.iNet web interface and I have followed the above guide, THAT'S IT. And it is not working.

And I would really appreciate any help at this point to get it working, because I am going insane here right now, trying to get it to work for 14h with zero sleep. I am going to bed now, though, really frustrated.

Tailscale or ZeroTier is not supported on the router.

Here is the current configuration:

Server (LAN 192.168.8.1, WAN 192.168.0.2, wg server 10.0.0.1):

config servers 'main_server'
    option address_v4 '10.0.0.1/24'
    option port '51820'
    option fwmark '0x80000'
    option ipv6_enable '0'
    option access 'ACCEPT'
    option masq '1'

config peers 'peer_7528'
    option peer_id '7528'
    option dns '64.6.64.6'
    option mtu '1420'
    option persistent_keepalive '25'
    option client_ip '10.0.0.2/24'
    option deprecated '0'
    option name 'phone'
    option presharedkey_enable '1'
    option allowed_ips '10.0.0.2/32'

config peers 'peer_220'
    option name 'router_outdoor'
    option peer_id '220'
    option dns '64.6.64.6'
    option mtu '1420'
    option persistent_keepalive '25'
    option client_ip '10.0.0.4/24'
    option deprecated '0'
    option presharedkey_enable '1'
    option allowed_ips '10.0.0.4/32, 192.168.100.0/24'

config route_rules 'rule_5599'
    option route_flag '4'
    option dest '192.168.100.0'
    option mask '24'
    option gateway '10.0.0.4'
    option scope 'link'


outdoor_router (LAN 192.168.100.1, WAN x.x.x.x, wg client 10.0.0.4):

[Interface]
Address = 10.0.0.4/24
DNS = 64.6.64.6
MTU = 1420

[Peer]
AllowedIPs = 192.168.8.0/24, 10.0.0.0/24
Endpoint = …:51820
PersistentKeepalive = 25


phone (x.x.x.x 4G, wg client 10.0.0.2):

[Interface]
Address = 10.0.0.2/24
DNS = 64.6.64.6
MTU = 1420

[Peer]
AllowedIPs = 192.168.100.0/24, 192.168.8.0/24, 10.0.0.0/24
Endpoint = …:51820
PersistentKeepalive = 25


I have tried everything so far, also 0.0.0.0/0 allowed IPs on the clients, yet I don't want that; I just want to have the LAN traffic go through the wg link, not internet traffic. Each client should use its own WAN for internet.

With one try, not sure what I did, I had the weird case that when I typed 192.168.100.1 on the phone, I got access to 192.168.0.1, which is the router behind home_router. Totally no idea how that is possible.

I also disabled masquerading btw on wg client and server, and it still works.
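The question earlier in the thread (why the guide adds a routing rule only on the server, not on the client) and the configuration just posted both come down to how WireGuard's AllowedIPs are checked in each direction. The following is an added example in Python (standard library only), not code from the thread or from GL.iNet: the AllowedIPs values are copied from the posted configs, the WITHOUT_WG_SUBNET variant is constructed for contrast, and the statement about installed routes describes wg-quick, whose behaviour the GL.iNet client UI is assumed to match.

```python
"""Trace packets through WireGuard's cryptokey routing (AllowedIPs) for the
three-node setup posted above (router_home = wg server, router_outdoor and the
phone = wg clients). Added example; not code from the thread or from GL.iNet.

Per interface WireGuard applies two checks:
  * outbound: the destination is matched (longest prefix) against every
    peer's AllowedIPs; the winning peer gets the packet, no match -> not sent
  * inbound:  a decrypted packet is accepted only if its source lies inside
    the sending peer's AllowedIPs; otherwise it is dropped silently
Kernel routes and the firewall are separate layers and are not modelled here.
"""
from ipaddress import ip_address, ip_network

# AllowedIPs exactly as posted; keys and endpoints omitted as irrelevant here.
NODES = {
    "router_home": {                      # wg server, 10.0.0.1
        "phone": ["10.0.0.2/32"],
        "router_outdoor": ["10.0.0.4/32", "192.168.100.0/24"],
    },
    "router_outdoor": {                   # wg client, 10.0.0.4
        "router_home": ["192.168.8.0/24", "10.0.0.0/24"],
    },
    "phone": {                            # wg client, 10.0.0.2
        "router_home": ["192.168.100.0/24", "192.168.8.0/24", "10.0.0.0/24"],
    },
}

# Constructed variant for contrast: the outdoor router's peer entry without the
# wg subnet itself, so packets sourced from 10.0.0.x fail its inbound check.
WITHOUT_WG_SUBNET = {**NODES, "router_outdoor": {"router_home": ["192.168.8.0/24"]}}


def peer_for_dst(node, dst, nodes=NODES):
    """Peer selected by longest-prefix match on AllowedIPs, or None."""
    best, best_len = None, -1
    for peer, allowed in nodes[node].items():
        for cidr in allowed:
            net = ip_network(cidr)
            if ip_address(dst) in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def accepts_src(node, peer, src, nodes=NODES):
    """Inbound check: is src within what 'node' allows from 'peer'?"""
    return any(ip_address(src) in ip_network(c) for c in nodes[node][peer])


def wg_quick_routes(node, nodes=NODES):
    """Routes wg-quick installs on a client: every AllowedIPs prefix of every peer.
    The GL.iNet server UI does not do this for peer prefixes, which is why the
    guide has you add the 192.168.100.0/24 route on the server by hand."""
    return sorted({c for allowed in nodes[node].values() for c in allowed})


def trace(path, src, dst, nodes=NODES):
    """Walk a packet src->dst along 'path' (ordered node names).
    Returns (delivered, hop log)."""
    log = []
    for sender, receiver in zip(path, path[1:]):
        peer = peer_for_dst(sender, dst, nodes)
        if peer != receiver:
            log.append(f"{sender}: no AllowedIPs entry sends {dst} to {receiver} (match: {peer})")
            return False, log
        if not accepts_src(receiver, sender, src, nodes):
            log.append(f"{receiver}: dropped, src {src} not in AllowedIPs of peer {sender}")
            return False, log
        log.append(f"{sender} -> {receiver}: ok")
    return True, log


if __name__ == "__main__":
    fwd = ["phone", "router_home", "router_outdoor"]
    for nodes, label in ((NODES, "as posted"), (WITHOUT_WG_SUBNET, "outdoor without 10.0.0.0/24")):
        print(label, trace(fwd, "10.0.0.2", "192.168.100.1", nodes))
        print(label, trace(fwd[::-1], "192.168.100.1", "10.0.0.2", nodes))
```

With the AllowedIPs as posted, both the phone's request to 192.168.100.1 and the reply pass every cryptokey check, so this layer is not what stops the phone; the drop has to be in router_home's route table or its firewall. The contrast variant shows the asymmetric inbound check: a client whose peer entry only lists the remote LAN silently drops anything sourced from another wg address.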

After a lot of trial and error I found out by myself what's causing the issue and how to make it work. On router_home I looked into /etc/config/firewall, looking at all the rules, and saw this:

config zone 'wgserver'
    option name 'wgserver'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'wgserver'
    option input 'ACCEPT'
    option client_to_client '0'
    option enabled '1'
    option masq '0'
    option masq6 '0'

config forwarding 'wgserver2wan'
    option src 'wgserver'
    option dest 'wan'
    option enabled '1'

config forwarding 'lan2wgserver'
    option src 'lan'
    option dest 'wgserver'
    option enabled '1'

config forwarding 'wgserver2lan'
    option src 'wgserver'
    option dest 'lan'
    option enabled '1'

I noticed that the wgserver zone section lacked:
    option forward 'ACCEPT'

After adding the line and reloading the firewall, everything works. Just wow… over 2 days of trying everything because of one line.

Can anyone explain why it is missing by default, and also why it is not working even with the two forwarding rules wgserver2lan and lan2wgserver on accept?

So what's the right way to fix this now? Not sure if a global option forward 'ACCEPT' for wgserver should be enabled or not, or if this is a security risk.

Is this a bug in the GL.iNet firmware? Why is the option missing? Shouldn't it be there, and also on accept with the toggle of:

Also, I just noticed the option in the OpenWrt firewall config for wgserver called

option client_to_client '0'

Anyone know what that does? It seems to be disabled, and as far as I see there is no option in the GL.iNet interface which handles that setting.

I don't see an option there either with that name.
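The zone semantics behind the one-line fix found above, and behind the question of why the wgserver2lan and lan2wgserver forwardings were not enough: in OpenWrt's firewall a `config forwarding` section only covers traffic going from one zone into a different zone. The phone and router_outdoor are both peers on the same wg interface, so a packet from 10.0.0.2 to 192.168.100.1 enters and leaves the wgserver zone, and that intra-zone case is decided by the zone's own `option forward`, whose OpenWrt default is REJECT. The following is an added example in Python (standard library only), not code from the poster, OpenWrt or GL.iNet. The firewall text is constructed from the sections posted (the lan and wan zones are assumed minimal), the subnet-to-interface mapping in IFACE_SUBNETS is an assumption because /etc/config/network is not on the page, and the rule name wg_to_outdoor_lan is hypothetical.

```python
"""Forwarding verdicts of an OpenWrt/GL.iNet firewall for the wgserver zone.
Added example for the thread above; not code from the poster, OpenWrt or GL.iNet.
  * different zones: an enabled 'config forwarding' src->dest is required
  * same zone in and out: the zone's own 'option forward' policy, default REJECT
  * a 'config rule' with src/dest (+dest_ip) is matched before the zone policy
"""
import re
from ipaddress import ip_address, ip_network

# ASSUMPTION: prefixes behind each logical interface on router_home
# (/etc/config/network is not on the page); 192.168.100.0/24 sits behind the
# wg interface because of the route rule the guide adds.
IFACE_SUBNETS = {"lan": ["192.168.8.0/24"], "wgserver": ["10.0.0.0/24", "192.168.100.0/24"]}

def firewall(extra=""):
    """Constructed /etc/config/firewall excerpt from the sections posted; the
    wgserver zone comes last so an appended option line attaches to it."""
    return f"""
config zone 'lan'
    option name 'lan'
    option network 'lan'

config zone 'wan'
    option name 'wan'
    option network 'wan'
    option masq '1'

config forwarding 'wgserver2wan'
    option src 'wgserver'
    option dest 'wan'

config forwarding 'lan2wgserver'
    option src 'lan'
    option dest 'wgserver'

config forwarding 'wgserver2lan'
    option src 'wgserver'
    option dest 'lan'

config zone 'wgserver'
    option name 'wgserver'
    option network 'wgserver'
    option masq '0'
{extra}"""

def parse_uci(text):
    """Minimal UCI parser: list of (type, name, {option: value})."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+'([^']*)')?", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"\s*option\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def zone_of(sections, ip):
    """Zone whose interface carries ip; anything unknown counts as wan."""
    for typ, _, o in sections:
        if typ == "zone" and any(ip_address(ip) in ip_network(c)
                                 for c in IFACE_SUBNETS.get(o.get("network"), [])):
            return o["name"]
    return "wan"

def verdict(sections, src_zone, dst_zone, dst_ip):
    enabled = lambda o: o.get("enabled", "1") != "0"
    # 1. explicit rules are evaluated before any zone default
    for typ, _, o in sections:
        if typ == "rule" and enabled(o) and (o.get("src"), o.get("dest")) == (src_zone, dst_zone):
            if "dest_ip" not in o or ip_address(dst_ip) in ip_network(o["dest_ip"]):
                return o.get("target", "DROP")
    # 2. intra-zone: the zone's own forward policy (no forwarding section applies)
    if src_zone == dst_zone:
        zone = next(o for t, _, o in sections if t == "zone" and o["name"] == src_zone)
        return zone.get("forward", "REJECT")
    # 3. inter-zone: an enabled forwarding section is required
    for typ, _, o in sections:
        if typ == "forwarding" and enabled(o) and (o["src"], o["dest"]) == (src_zone, dst_zone):
            return "ACCEPT"
    return "REJECT"

def check(config_text, src_ip, dst_ip):
    """Verdict on router_home for a forwarded packet src_ip -> dst_ip."""
    s = parse_uci(config_text)
    return verdict(s, zone_of(s, src_ip), zone_of(s, dst_ip), dst_ip)

AS_POSTED = firewall()                              # what the poster found
FIXED = firewall("    option forward 'ACCEPT'\n")   # the one-line fix
# Least-privilege alternative: open only the outdoor LAN, not every other peer.
NARROW = firewall("""
config rule 'wg_to_outdoor_lan'
    option src 'wgserver'
    option dest 'wgserver'
    option dest_ip '192.168.100.0/24'
    option target 'ACCEPT'
""")
```

`check(AS_POSTED, "10.0.0.2", "192.168.8.1")` is ACCEPT through wgserver2lan, while `check(AS_POSTED, "10.0.0.2", "192.168.100.1")` is REJECT because no forwarding section matches wgserver→wgserver and the zone has no forward policy. Setting `option forward 'ACCEPT'` also lets every wg peer reach every other peer (10.0.0.2 → 10.0.0.4 becomes ACCEPT); the NARROW rule admits only the outdoor LAN and keeps the rest of the intra-zone traffic rejected, which is the tighter answer to the "is this a security risk" question.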