Setting up GL.iNet <-> opnsense tunnel, starting GL.iNet WireGuard client crashes internet connection

I’m a DBA and not a network guy so please bear with me here.

I had a mostly working tunnel between my opnsense home router and my other location with a GLiNet MT6000 router. I could open the remote GUI from each side and ping the 192.168.x.x addresses, but from the opnsense side I could not ping the 10.50.1.1 GLiNet side, so I tried to fix it.

In the GLiNet firewall zones I noticed the wgserver and wgclient1 were "empty", not assigned to an interface; when I went to edit in LuCI it said unsupported protocol type and I could not edit there. A quick search said to restart the WG server and client in the main GUI, so I tried that. I noticed there was a port entry for 51820 on the client when the server wouldn't start after I restarted the client, and I read there shouldn't be an entry, so I stopped the client, started the server, removed the port entry and tried to start the client.

That's when all went to heck: I lost my Splashtop connection to the GLiNet site, the client wouldn't start and my tunnel quit working in both directions. Fortunately I have a laptop set up with the WG client and was able to connect to the GLiNet site with the .conf file I created earlier, because the WG server was running. Now no matter what I do I can't start the client on the GLiNet side: it hangs, kills my connection for a while and partially knocks out the internet on that side for a while, then comes back up. I can ping Google etc. from an SSH session into it, but anyone watching TV loses streaming and I can't see cameras etc. on that side.

I set the subnet on the GLiNet side to 192.168.10.x and 192.168.8.x on the opnsense side.

This is a summary of my setup - I hope someone here can point out where I'm messing up:

opnsense settings, peer:
name: GLINET_PUBLIC_KEY
public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
allowed IPs: 192.168.10.0/24, 10.50.1.1/32
instances: GLInet-site

(opnsense) GLInet instance:
name: GLInet-site
instance: 0
public key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
private key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
listen port: 51820
tunnel address: 10.50.2.6/32
peers: GLINET_PUBLIC_KEY

here are the GLInet WireGuard settings:

client:

[Interface]
Address = 10.50.1.1/32
PrivateKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MTU = 1280

[Peer]
AllowedIPs = 10.50.2.6/32, 192.168.8.0/24
Endpoint = xxx.xxx.xxx.xxx:51820
PersistentKeepalive = 25
PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I tried using the same 10.50.x.x on each side because someone said on GliNet overlapping tunnels may cause an issue, but that didn't work either.

It makes me nervous experimenting too much, because if I break my connection to the GLiNet location permanently I have a couple of hours' drive to get there. I thought I was hooped when I first broke it, but thankfully I could still connect with the laptop / WireGuard client.

Thanks in advance!

Hi

If you want to access the subnet of a GL.iNet router (acting as a WireGuard VPN client) from the WireGuard VPN server, you can refer to this guide:

In general:

  1. Configure a route on the WireGuard VPN server to the subnet of the GL.iNet router.
  2. On the GL.iNet router acting as the WireGuard VPN client, enable “Allow Remote Access the LAN Subnet.”

That’s all that’s required.

Thanks for the reply - I eventually figured it out, and I did have that part correct. The issue was that I had some remnants of when it was on the original 192.168.1.x subnet still lingering: some stale routes, and a line in LuCI > System > Startup > Local Startup that shouldn't have been there. Removing that and rebooting the router cleaned it up.

  1. When you are fooling with WireGuard site-to-site like this, I find it helpful to also be running an OpenVPN server on each side, exactly to provide a backup connection to recover control. I know exactly the despair/gratitude cycle. My painful experience is that it is really easy to misconfigure WG so that the interface refuses to come up.
  2. An MTU of 1280 is high.
  3. I thought a WG tunnel had to have a common subnet, so it is interesting to me that you have a tunnel between two different single IP subnets. I'm not sure you can expand this to three peers, like if you are connecting a laptop to one of the two ends of the tunnel.
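A config cross-check for the site-to-site settings posted above and for the three-peer question in the last comment, as an added example (Python written for this thread, not GL.iNet or OPNsense code): it parses both ends' wg-quick text, verifies that each side's AllowedIPs contain the other side's tunnel address and LAN subnet, and flags overlapping AllowedIPs between peers on one interface, which is what silently breaks routing when a laptop is added as a third peer with a prefix that already belongs to the site-to-site peer. The sample configs mirror the addresses in the thread; the keys, the endpoint 203.0.113.10 and the laptop peer are constructed placeholders, and the OPNsense instance is rendered as equivalent wg-quick text.

```python
"""Cross-check two ends of a WireGuard site-to-site tunnel for the config
mistakes that stop traffic. Example code for this thread, not vendor code;
sample configs are constructed with placeholder keys and endpoint."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Conf = Dict[str, str]


def parse_wg_conf(text: str) -> Tuple[Conf, List[Conf]]:
    """Parse wg-quick syntax into (interface, [peers]); keys are lower-cased.
    Hand-written because configparser rejects the repeated [Peer] sections."""
    interface: Conf = {}
    peers: List[Conf] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)      # base64 keys end in '=' too
            current[key.strip().lower()] = value.strip()
    return interface, peers


def cidrs(value: str) -> list:
    """'10.50.2.6/32, 192.168.8.0/24' -> [IPv4Network, IPv4Network]."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]


def covers(nets: list, prefix: str) -> bool:
    """True if prefix (a host or a subnet) lies inside one of nets."""
    target = ipaddress.ip_network(prefix.strip(), strict=False)
    return any(target.subnet_of(n) for n in nets if n.version == target.version)


@dataclass
class Site:
    name: str
    conf: str      # wg-quick text for this end
    pubkey: str    # this end's own public key (wg-quick files do not store it)
    lan: str       # LAN subnet behind this end that should ride the tunnel


def check_pair(a: Site, b: Site) -> List[str]:
    """Problems that would stop A and B reaching each other's LANs. Each side
    must list the other's tunnel address and LAN in AllowedIPs: WireGuard drops
    inbound packets whose source is outside the peer's AllowedIPs, and wg-quick
    only installs routes for prefixes that appear there."""
    problems: List[str] = []
    for me, other in ((a, b), (b, a)):
        _, peers = parse_wg_conf(me.conf)
        other_iface, _ = parse_wg_conf(other.conf)
        peer = next((p for p in peers if p.get("publickey") == other.pubkey), None)
        if peer is None:
            problems.append(f"{me.name}: no [Peer] carrying {other.name}'s PublicKey")
            continue
        allowed = cidrs(peer.get("allowedips", ""))
        for addr in other_iface.get("address", "").split(","):
            if addr.strip() and not covers(allowed, addr):
                problems.append(f"{me.name}: AllowedIPs lack {other.name}'s tunnel address {addr.strip()}")
        if not covers(allowed, other.lan):
            problems.append(f"{me.name}: AllowedIPs lack {other.name}'s LAN {other.lan}")
    return problems


def overlapping_allowed_ips(conf: str) -> List[Tuple[str, str, str, str]]:
    """Peer pairs on one interface whose AllowedIPs overlap. Cryptokey routing
    maps each prefix to exactly one peer, so an overlap means one peer quietly
    loses traffic; returns (pubkey1, pubkey2, prefix1, prefix2) tuples."""
    _, peers = parse_wg_conf(conf)
    clashes = []
    for i, p in enumerate(peers):
        for q in peers[i + 1:]:
            for n in cidrs(p.get("allowedips", "")):
                for m in cidrs(q.get("allowedips", "")):
                    if n.version == m.version and n.overlaps(m):
                        clashes.append((p.get("publickey", ""), q.get("publickey", ""), str(n), str(m)))
    return clashes


# Constructed samples mirroring the thread's addresses; keys and endpoint are placeholders.
OPNSENSE_CONF = """
[Interface]
Address = 10.50.2.6/32
PrivateKey = OPNSENSE_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 51820

[Peer]
PublicKey = GLINET_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 192.168.10.0/24, 10.50.1.1/32
"""
GLINET_CONF = """
[Interface]
Address = 10.50.1.1/32
PrivateKey = GLINET_PRIVATE_KEY_PLACEHOLDER=
MTU = 1280

[Peer]
PublicKey = OPNSENSE_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.50.2.6/32, 192.168.8.0/24
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""
OPNSENSE = Site("opnsense", OPNSENSE_CONF, "OPNSENSE_PUBLIC_KEY_PLACEHOLDER=", "192.168.8.0/24")
GLINET = Site("glinet", GLINET_CONF, "GLINET_PUBLIC_KEY_PLACEHOLDER=", "192.168.10.0/24")
# Hypothetical third peer (laptop) whose /24 swallows the GL.iNet tunnel address.
OPNSENSE_WITH_LAPTOP = OPNSENSE_CONF + """
[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 10.50.1.0/24
"""

if __name__ == "__main__":
    print("pair problems:", check_pair(OPNSENSE, GLINET) or "none")
    print("overlaps with laptop peer:", overlapping_allowed_ips(OPNSENSE_WITH_LAPTOP))
```

Run it against the real files (for a GL.iNet router, the client's wg-quick text; for OPNsense, the instance and peer settings transcribed the same way) and fix anything `check_pair` reports before touching firewall zones or startup scripts; an empty list from both checks means the AllowedIPs are consistent and the fault lies elsewhere, such as the stale routes the original poster found.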