Permanently connecting/linking two GL.iNet routers + mobile client

@xize11 I have tried to enable that option; I didn't even know it existed. On the left/outdoor_router (wg_client1) it was disabled so far:

But enabling this option does not solve the issue I have. Reading the description, I am not sure this option is even meant for this use case.

The allowed_ips for all clients is 0.0.0.0/0, is that correct?

I can also use 10.0.0.1, btw, to reach the wg_router web interface from the phone, but using 10.0.0.2 also doesn't work.

Also, shouldn't masquerading be disabled on both client and wg server?

Wouldn't that mean the entire internet traffic is also routed through the wg tunnel? I obviously don't want that. Clients behind outdoor_router should normally use WAN.

I also noticed this in the guide:

Is that correct with "link" as scope? The guide didn't actually say that in words; I just saw the word link on the screenshots, so I also used it. Ignore the .4 btw in that screenshot.

Host
A route has host scope when it leads to a destination address on the local host.
Link
A route has link scope when it leads to a destination address on the local network.
Universe
A route has universe scope when it leads to addresses more than one hop away.

Does it maybe have to be one of the others? Or maybe the metric needs to not be 0?

I get an "err_connection_refused" in Chrome, btw, on the phone when trying to reach 192.168.100.1, so I guess it is some sort of firewall issue.

Yes, 0.0.0.0/0 often means all network traffic.

This depends highly on your configuration; in your case I say no, because the wgclient replaces the WAN connection. To demonstrate what I mean: if you tracert to Google you see the gateway is never the WAN one. Basically, from what I'm told, masquerading is only needed on your outgoing zone; for wgserver, well, maybe, but often wgserver goes to WAN, and WAN should be the masquerading one.

^ Though it's never wrong to test enabling it on both.

I may be mistaken, but I believe your target network is your local LAN host network; the gateway should be 10.0.0.1. Also make sure it's 10.0.0.1 and not 10.8.0.1 :slight_smile: I believe that's how the configuration generates it now.

How do I change it all so that WireGuard is just used to reach the local subnets? I don't want to route the entire traffic through it. I also tested it right now with the phone: when I connect with wg, all traffic now gets my home IP address, and that is totally NOT what I want. I just want to use the normal WAN/4G of any wg client device/router, and just use the wg link as a link between the LANs. The guide is totally misleading in this case, and as I see it is also bad, because it is double routing, creating double traffic between the routers, if you use masquerade. I just want to use the wg link to reach 192.168.8.0 and 192.168.100.0, with no internet traffic going through it, and also to reach them from the phone.

No, the wg IP addresses are 10.0.0.x, not 10.8.0.x.

The link is working like I said… from each router I can reach the other router. But I can't reach 192.168.8.1 from the phone… nothing I tried so far worked.

Maybe someone else can assist here :+1:, it's beyond my scope of knowledge, also because there's a phone VPN app involved as well, and routing is for me still something I never understand :yum:


I found this Accessing a subnet that is behind a WireGuard client using a site-to-site setup · GitHub which seems to be what I want to do, but I don't know what the difference to the above is or how you can configure it with the GL.iNet GUI to make it work.

I have been trying for over 10h now and am close to giving up… I would really appreciate someone helping to get this to work. It can't be that hard, when the tunnel is already working and I can reach both subnets from the routers themselves, but not from the phone.

Update: Restarted both devices, and now when I type in 192.168.100.1 on my phone with wg connected, I land on my home_router's WAN router IP 192.168.0.1… I totally have no idea how this is even possible.

It's a bit out of scope to try to analyze your whole network - since you were the one who built it. :wink:
Check if all routes are set and working; check if all firewall rules are set and working. Check on the client side that no firewall will stop traffic coming from another subnet, etc. etc.

If everything fails, go with an easier solution. TailScale or ZeroTier should work just fine.

What routes and firewall rules!? There are none (custom). I am using the GL.iNet web interface and I have followed the above guide, THAT'S IT. And it is not working.

And I would really appreciate any help at this point to get it working, because I am going insane here right now, trying to get it to work for 14h with zero sleep. I am going to bed now though, really frustrated.

TailScale or ZeroTier are not supported on the router.

Here is the current configuration:

Server (LAN 192.168.8.1, WAN 192.168.0.2, wg server 10.0.0.1):

config servers 'main_server'
    option address_v4 '10.0.0.1/24'
    option port '51820'
    option fwmark '0x80000'
    option ipv6_enable '0'
    option access 'ACCEPT'
    option masq '1'

config peers 'peer_7528'
    option peer_id '7528'
    option dns '64.6.64.6'
    option mtu '1420'
    option persistent_keepalive '25'
    option client_ip '10.0.0.2/24'
    option deprecated '0'
    option name 'phone'
    option presharedkey_enable '1'
    option allowed_ips '10.0.0.2/32'

config peers 'peer_220'
    option name 'router_outdoor'
    option peer_id '220'
    option dns '64.6.64.6'
    option mtu '1420'
    option persistent_keepalive '25'
    option client_ip '10.0.0.4/24'
    option deprecated '0'
    option presharedkey_enable '1'
    option allowed_ips '10.0.0.4/32, 192.168.100.0/24'

config route_rules 'rule_5599'
    option route_flag '4'
    option dest '192.168.100.0'
    option mask '24'
    option gateway '10.0.0.4'
    option scope 'link'


outdoor_router (LAN 192.168.100.1, WAN x.x.x.x, wg client 10.0.0.4):

[Interface]
Address = 10.0.0.4/24
DNS = 64.6.64.6
MTU = 1420

[Peer]
AllowedIPs = 192.168.8.0/24, 10.0.0.0/24
Endpoint = …:51820
PersistentKeepalive = 25


Phone (4G x.x.x.x, wg client 10.0.0.2):

[Interface]
Address = 10.0.0.2/24
DNS = 64.6.64.6
MTU = 1420

[Peer]
AllowedIPs = 192.168.100.0/24, 192.168.8.0/24, 10.0.0.0/24
Endpoint = …:51820
PersistentKeepalive = 25


I had tried everything so far, also 0.0.0.0/0 as allowed IPs on the clients, yet I don't want that. I just want the LAN traffic to go through the wg link, not internet traffic; each client should use its own WAN for internet.

With one try, not sure what I did, I had the weird case that when I typed 192.168.100.1 on the phone, I got access to 192.168.0.1, which is the router behind home_router. I have totally no idea how that is possible.

I also disabled masquerading, btw, on wg client and server, and it still works.

After a lot of trial and error I found out by myself what's causing the issue and how to make it work. On the router_home I looked into /etc/config/firewall at all the rules and saw this:
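As an added example (not code from the thread or from GL.iNet), the Python below transcribes the posted AllowedIPs into WireGuard's cryptokey routing table and checks which peer the server would pick for a destination, whether a client config is a full tunnel (0.0.0.0/0), and whether a client's AllowedIPs covers the remote LANs. The peer names and subnets are taken from the configs above; everything else is constructed.

```python
# Added example (not from the thread or GL.iNet): models WireGuard cryptokey
# routing for the AllowedIPs posted above. Subnets are transcribed from the post.
import ipaddress

# Server side: each peer's allowed_ips from the UCI config (constructed inline).
SERVER_PEERS = {
    "phone": ["10.0.0.2/32"],
    "router_outdoor": ["10.0.0.4/32", "192.168.100.0/24"],
}

# Client side: AllowedIPs from the two posted [Peer] sections.
CLIENT_ALLOWED = {
    "phone": ["192.168.100.0/24", "192.168.8.0/24", "10.0.0.0/24"],
    "router_outdoor": ["192.168.8.0/24", "10.0.0.0/24"],
}


def select_peer(peers, dst):
    """Longest-prefix match of dst against every peer's AllowedIPs.

    This is what a wg interface does for an outgoing packet: the matching
    peer gets it, a packet matching no peer is dropped, and an incoming packet
    whose source is outside the sending peer's AllowedIPs is dropped too.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for name, nets in peers.items():
        for net in map(ipaddress.ip_network, nets):
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None


def is_full_tunnel(allowed):
    """True when AllowedIPs contains 0.0.0.0/0 (or ::/0), i.e. all of the
    client's Internet traffic would be sent through the tunnel."""
    return any(ipaddress.ip_network(n).prefixlen == 0 for n in allowed)


def missing_routes(allowed, wanted):
    """Remote subnets a client cannot reach over wg because nothing in its
    AllowedIPs covers them (wg-quick and the mobile app derive the kernel
    routes from AllowedIPs, so an uncovered subnet goes out the WAN instead)."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    return [w for w in wanted
            if not any(ipaddress.ip_network(w).subnet_of(n) for n in nets)]
```

With the posted configs, a packet from the phone to 192.168.100.1 is handed to the router_outdoor peer on the server, and neither client is a full tunnel, so the remaining problem is on the forwarding side, not in the WireGuard layer.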

config zone 'wgserver'
    option name 'wgserver'
    option output 'ACCEPT'
    option mtu_fix '1'
    option network 'wgserver'
    option input 'ACCEPT'
    option client_to_client '0'
    option enabled '1'
    option masq '0'
    option masq6 '0'

config forwarding 'wgserver2wan'
    option src 'wgserver'
    option dest 'wan'
    option enabled '1'

config forwarding 'lan2wgserver'
    option src 'lan'
    option dest 'wgserver'
    option enabled '1'

config forwarding 'wgserver2lan'
    option src 'wgserver'
    option dest 'lan'
    option enabled '1'

I noticed that the wgserver zone rule lacked:
option forward 'ACCEPT'

After adding the line and reloading the firewall, everything worked. Just wow… over 2 days of trying everything because of one line.

Can anyone explain why it is missing by default, and also why it is not working even with the two forward rules wgserver2lan and lan2wgserver on accept?

So what's the right way to fix this now? Not sure if a global option forward 'ACCEPT' for wgserver should be enabled or not, or if this is a security risk.

Is this a bug in the GL.iNet firmware? Why is the rule missing? Shouldn't it be there, and also on accept, with the toggle of:

Also, I just noticed the option in the OpenWrt firewall config for wgserver called

option client_to_client '0'

Does anyone know what that does? It seems to be disabled, and as far as I see there is no option in the GL.iNet interface that handles that option.

I don't see an option there with that name either.
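As an added example (not code from the thread, OpenWrt or GL.iNet), this Python parses the firewall sections posted above and decides whether the zone setup forwards a given flow; it shows why wgserver2lan and lan2wgserver were not enough: the phone and router_outdoor are both in the wgserver zone, so phone → 192.168.100.0/24 is wgserver → wgserver traffic and is governed by the zone's own forward policy, which OpenWrt defaults to REJECT when the option is absent. The inline config is a constructed copy of the posted sections; the parser and helper names are this example's own.

```python
# Added example (not from the thread or OpenWrt/GL.iNet): evaluates OpenWrt zone
# forwarding for the firewall sections posted above (constructed inline copy).
import re

FIREWALL_CONF = """config zone 'wgserver'
    option name 'wgserver'
    option input 'ACCEPT'

config forwarding 'wgserver2lan'
    option src 'wgserver'
    option dest 'lan'
    option enabled '1'

config forwarding 'lan2wgserver'
    option src 'lan'
    option dest 'wgserver'
    option enabled '1'
"""

def parse_uci(text):
    """Minimal UCI reader: one dict per 'config' section, '_type' holds the type."""
    sections, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\w+)", line)
        if m:
            cur = {"_type": m.group(1)}
            sections.append(cur)
            continue
        m = re.match(r"\s*option\s+(\w+)\s+'([^']*)'", line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    return sections

def forward_allowed(sections, src, dst):
    """Zone-to-zone flows need an enabled 'forwarding' section. Flows between two
    peers/interfaces of the SAME zone (phone -> router_outdoor here) use the
    zone's own 'forward' policy instead, which OpenWrt defaults to REJECT."""
    if src == dst:
        zone = next((s for s in sections
                     if s["_type"] == "zone" and s.get("name") == src), None)
        return zone is not None and zone.get("forward", "REJECT") == "ACCEPT"
    return any(s["_type"] == "forwarding" and s.get("src") == src
               and s.get("dest") == dst and s.get("enabled", "1") != "0"
               for s in sections)

def with_zone_forward(text, zone, policy="ACCEPT"):
    """The thread's fix: insert option forward '<policy>' into the named zone.
    ACCEPT lets every wg peer reach every other peer's routed networks."""
    head = f"config zone '{zone}'\n"
    return text.replace(head, head + f"    option forward '{policy}'\n", 1)
```

On the router itself the same change is `uci set firewall.wgserver.forward='ACCEPT'` followed by `uci commit firewall` and `/etc/init.d/firewall reload`; if only specific peers should talk to each other, a narrower `config rule` with src/dest wgserver and the two subnets is tighter than opening the whole zone.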