Site-to-Site + PC Client / Masquerading

I am using two GL.iNet Mango routers with WireGuard.

  • For the site-to-site connection Site B acts as the WireGuard server
  • In parallel, a PC connects as a WireGuard client to Site B

Both WireGuard tunnels are up (handshake OK)

Current behavior:
From the PC via WireGuard, I can access devices in Site B’s LAN
Via the site-to-site tunnel, devices in Site A’s LAN cannot access devices in Site B’s LAN

I read that:
Masquerading (NAT) is usually required for PC clients
Masquerading must be disabled for a proper site-to-site setup

Questions:
Is this assumption correct and what is the best-practice approach to support both requirements?

Thanks in advance.

Hi

Please refer to the following tutorial to configure a WireGuard client device to access a WireGuard server's LAN device.

This depends on whether the device can correctly handle subnet routing and whether firewall/permission management is required based on actual LAN addresses.
Typically, Masquerading (NAT) can simplify configuration or resolve routing-related issues, but it changes the source address from the actual accessing LAN device to the WireGuard IP, which complicates firewall/permission management.
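As an added illustration (not from this thread or from GL.iNet's documentation) of how the two requirements can coexist on the Site B server: the site-to-site peer carries the whole remote LAN in its AllowedIPs and is forwarded with real source addresses, while only the PC client's single tunnel address is masqueraded. Tunnel 10.0.0.0/24, LAN A 192.168.1.0/24, LAN B 192.168.2.0/24, the interface name br-lan, the endpoint and the keys are assumptions, and the syntax is plain wg-quick rather than the GL.iNet GUI.

```ini
# --- Site B (WireGuard server), wg0.conf --- constructed example
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <SITE_B_PRIVATE_KEY>
# Masquerade ONLY the roaming PC client (10.0.0.3). LAN A traffic keeps its
# real 192.168.1.x source so LAN B firewalls can still match on it.
# br-lan is an assumed name for the interface facing LAN B.
PostUp   = iptables -t nat -A POSTROUTING -s 10.0.0.3/32 -o br-lan -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.3/32 -o br-lan -j MASQUERADE

[Peer]
# Site A router: its tunnel address plus the entire LAN A subnet behind it
PublicKey = <SITE_A_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24

[Peer]
# PC client: only its own tunnel address, no network behind it
PublicKey = <PC_PUBLIC_KEY>
AllowedIPs = 10.0.0.3/32

# --- Site A (WireGuard client), wg0.conf --- constructed example
[Interface]
Address = 10.0.0.2/24
PrivateKey = <SITE_A_PRIVATE_KEY>
# Deliberately no MASQUERADE here: LAN A hosts reach LAN B with their own addresses

[Peer]
PublicKey = <SITE_B_PUBLIC_KEY>
Endpoint = siteb.example.invalid:51820
# Cryptokey routing: the tunnel range and LAN B are sent through this peer
AllowedIPs = 10.0.0.0/24, 192.168.2.0/24
PersistentKeepalive = 25
```

With masquerading off for the site-to-site peer, each site's main router still needs a static route for the remote LAN pointing at its own Mango, and the Mango's firewall must permit forwarding between wg0 and the LAN-side zone in both directions.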

Thank you for your response, but it does not address my actual problem. I may not have described the setup precisely enough.

  • I have two locations (Site A and Site B), each with its own router and its own LAN.
  • The LAN interfaces of the GL.iNet devices are not used.
  • The GL.iNet routers are intended only to interconnect the two existing LANs via WireGuard, not to act as LAN gateways or client access points.

Current status:

  • The WireGuard tunnel between Site A (client) and Site B (server) is established.
  • If I connect a device directly to the GL.iNet LAN at Site A (for testing purposes only), I can access the remote LAN at Site B.
  • Static routes between LAN A and LAN B are already configured on the respective site routers.
  • However, devices in LAN A still cannot access devices in LAN B.

In short:
The GL.iNet devices are meant to function purely as VPN transit routers between two existing networks, enabling LAN-to-LAN connectivity.

My question is:
How should this be configured correctly?

Could you draw a topology diagram that includes the following information so we can better understand your requirements?

  • Device Roles: Identify each device (e.g., Main Router, Mango, LAN Client, WireGuard Server/Client).
  • IP Addresses: Labeled subnets for WAN, LAN, and WireGuard interfaces.
  • Port Connections: Specify which devices are connected via WAN vs. LAN ports.
  • Static Routing: Indicate where static routes are configured and the specific destination and gateway for each.

This appears to be a use case for the Drop-in Gateway.

Please try configuring it according to the following tutorial: