Site-to-Site WireGuard Setup: NVR Cannot Reach IP Cameras Behind Restricted Building Network

Subject: Site-to-Site WireGuard Setup: NVR Cannot Reach IP Cameras Behind Restricted Building Network (No Port Forwarding)

Body:
Hi everyone,

I am trying to set up a WireGuard Site-to-Site VPN between two GL-SFT1200 (Opal) routers to connect a home NVR system with IP cameras located in a separate building parking lot. However, I cannot get the NVR to discover or access the cameras.

Here is my current network setup:

Site A: Home Network (NVR Location)

  • Internet: Standard home ISP router. I have full administrative access to this router and can do port forwarding.

  • GL.iNet Router: Opal Router A is connected to the home ISP router.

  • Devices: The NVR is connected directly to Opal Router A.

  • VPN Role: Configured as the WireGuard Server (Port forwarded on the main ISP router).

Site B: Building Parking Lot (IP Cameras Location)

  • Internet: Building shared network. I do not have access to the main router and cannot perform port forwarding.

  • GL.iNet Router: Opal Router B is connected to the building's network.

  • Devices: Two IP cameras are connected directly to Opal Router B.

  • VPN Role: Configured as the WireGuard Client, initiating the connection back to Site A.

The Problem:
The WireGuard tunnel seems to establish successfully (Client connects to Server), but the NVR at Site A cannot "pull" the video streams or ping the IP cameras located at Site B.

I assume it is a routing or firewall issue between the two subnets, or perhaps an issue with how Site-to-Site / AllowedIPs is configured on the Opal firmware.

  1. What are the correct LAN subnet and IP settings I should use for both Opals to avoid conflicts?

  2. What specific firewall rules or "Allowed IPs" settings do I need to configure on both sides so the Server side (Site A) can actively initiate connections to devices on the Client side (Site B)?

Thank you in advance for your help!

I am in a similar situation, but between a GL-XE3000 on firmware 4.0 running over 5G and a pfSense.

On the GL side the LAN devices can reach (ping, ssh, curl, etc.) the remote pfSense side, but the pfSense LAN side can only ping the GL LAN devices, while ssh, curl, etc. all fail. I have the WG-to-LAN and LAN-to-WG zone forwarding set to accept; no masquerade is needed since it would be a site-to-site tunnel.

On the pfSense side I have the gateway and route configured, and it seems to work since pings reach the GL devices.

I have tried to add port forwarding to the GL LAN IP and GL WG IP as well but even that won’t work.

There seems to be some big issue with the GL side’s WireGuard implementation or setup, as this pfSense has an equivalent setup with a remote pfSense as well, and that works in the same WG configuration.

Would really appreciate a guide or some semi-official help to Site-to-Site setups on GL devices as it seems to be a problem for most people.

Thank you in advance as well!

You will need to add a static route on the server side if you want to access the VPN client from the server.

Maybe try with this guide: Building a Site-2-Site network manually using two GL.iNet routers(SDK 4.X)

I am trying to build a manual WireGuard Site-to-Site connection between two GL.iNet routers following this guide:

Topology:

Home (Server)

  • Router: 192.168.2.1
  • LAN: 192.168.2.0/24
  • NVR: 192.168.2.129

Parking Lot (Client)

  • Router: 192.168.8.1
  • LAN: 192.168.8.0/24
  • Cameras:
    • 192.168.8.118
    • 192.168.8.174

WireGuard:

  • Server: 10.0.0.1
  • Client Router: 10.0.0.2
  • Windows VPN Client: 10.0.0.4

What works:

  • WireGuard tunnel is connected and has a valid handshake.
  • I can reach the NVR at 192.168.2.129 through the VPN.
  • Traceroute to 192.168.2.129 works:
    10.0.0.1 -> 192.168.2.129
  • From the parking lot router I can ping both cameras.
  • From the parking lot router:
    wget 192.168.8.118
    returns HTTP 401
  • Camera 192.168.8.174 is configured with:
    IP: 192.168.8.174
    Gateway: 192.168.8.1
    DNS: 192.168.8.1
  • Firewall forwarding rules between LAN and WGCLIENT exist and are enabled.
  • Route Rule configured according to the guide:
    192.168.8.0/24 -> 10.0.0.2
  • Server routing table contains:
    192.168.8.0/24 via 10.0.0.2

What does NOT work:

  • From my Windows PC connected through WireGuard (10.0.0.4), I cannot access:
    192.168.8.118
    192.168.8.174
  • ping fails
  • curl http://192.168.8.118 fails
  • browser access fails

Additional information:

  • GoodCloud Site-to-Site previously worked with the exact same hardware and network layout.
  • When using GoodCloud Site-to-Site, the NVR successfully saw all cameras.
  • The issue only exists with the manual WireGuard Site-to-Site setup.

Current client AllowedIPs:

10.0.0.1/32
10.0.0.2/32
10.0.0.4/32
192.168.2.0/24
192.168.8.0/24

Has anyone seen a case where:

  • The tunnel is up
  • 192.168.2.x is reachable
  • The remote router can access devices on 192.168.8.x
  • But VPN clients cannot access devices on 192.168.8.x?

Any ideas on what could still be missing?

Please go to the router acting as the server and enable Client-to-Client under Admin Panel → VPN → WireGuard Server → Options.

This will allow communication between VPN clients.
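To make the AllowedIPs side of this concrete, here is an added example (mine, not code from the thread or from GL.iNet's firmware): a small POSIX shell model of WireGuard's cryptokey routing, run over constructed configs for Opal A, Opal B and the Windows client that use the addresses given in the thread. Keys, the endpoint name home.example.net and the function names are placeholders. It answers the two questions in the opening post, which AllowedIPs each side needs so the server can reach 192.168.8.0/24, and it reproduces the later symptom: a road-warrior peer at 10.0.0.4 gets nothing back from the cameras when the server's Opal B peer does not claim that prefix.

```sh
#!/bin/sh
# Added example, not from the thread or GL.iNet firmware: a model of WireGuard's
# cryptokey routing, to check "which peer gets a packet for this address?" before
# a config goes on a router. Keys and home.example.net are placeholders; the
# addresses are the thread's (10.0.0.0/24 tunnel, 192.168.2.0/24, 192.168.8.0/24).

# ip2int 192.168.8.118 -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP NET/BITS -> exit 0 when IP lies inside NET/BITS
cidr_match() {
  local ip="$1" net="${2%/*}" bits="${2#*/}" mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# wg_route CONFIG DST -> PublicKey of the peer whose AllowedIPs holds the longest
# prefix covering DST, or DROP. WireGuard refuses an outbound packet that no peer
# claims (ping on Linux reports "Required key not available"); the same table is
# the inbound filter, so a packet from a peer needs its source inside that list.
wg_route() {
  local dst="$2"
  printf '%s\n' "$1" | {
    peer=""; best=DROP; bestbits=-1
    while IFS= read -r line; do
      line=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # drop comments and blanks
      case $line in
        "[Interface]"|"[Peer]") peer="" ;;   # assumes PublicKey precedes AllowedIPs
        PublicKey=*) peer=${line#*=} ;;
        AllowedIPs=*)
          for cidr in $(printf '%s' "${line#*=}" | tr ',' ' '); do
            case $cidr in */*) ;; *) cidr="$cidr/32" ;; esac
            if [ -n "$peer" ] && cidr_match "$dst" "$cidr" && [ "${cidr#*/}" -gt "$bestbits" ]; then
              best=$peer; bestbits=${cidr#*/}
            fi
          done ;;
      esac
    done
    echo "$best"
  }
}

# Opal A, the server at home. Its Opal B peer must claim 192.168.8.0/24: the
# kernel route "192.168.8.0/24 via 10.0.0.2" only gets a packet as far as wg0.
SERVER='
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = OPAL_A_PRIVATE_KEY
[Peer]
# Opal B at the parking lot, plus the camera LAN behind it
PublicKey = OPAL_B_PUBKEY
AllowedIPs = 10.0.0.2/32, 192.168.8.0/24
[Peer]
# Windows road-warrior client
PublicKey = WINDOWS_PUBKEY
AllowedIPs = 10.0.0.4/32
'

# Same server, Opal B peer limited to its tunnel address: the thread's symptom
# (handshake fine, 192.168.2.x reachable, 192.168.8.x unreachable).
SERVER_BROKEN='
[Peer]
PublicKey = OPAL_B_PUBKEY
AllowedIPs = 10.0.0.2/32
'

# Opal B, the client at the parking lot ([Interface] omitted). It must accept the
# whole tunnel subnet, so 10.0.0.4 can reach the cameras, and send the home LAN
# into the tunnel; its own LAN 192.168.8.0/24 does not belong in this list.
OPAL_B='
[Peer]
PublicKey = OPAL_A_PUBKEY
Endpoint = home.example.net:51820
PersistentKeepalive = 25
AllowedIPs = 10.0.0.0/24, 192.168.2.0/24
'

# Windows client ([Interface] omitted): tunnel subnet and both LANs go to the server.
WINDOWS='
[Peer]
PublicKey = OPAL_A_PUBKEY
AllowedIPs = 10.0.0.0/24, 192.168.2.0/24, 192.168.8.0/24
'

# Follow a packet from the Windows client to camera 192.168.8.118, then its reply.
trace_camera() {
  echo "windows -> $(wg_route "$WINDOWS" 192.168.8.118)"
  echo "server  -> $(wg_route "$1" 192.168.8.118)"
  echo "opal b  -> $(wg_route "$OPAL_B" 10.0.0.4)  (camera reply towards 10.0.0.4)"
}

echo "== server peer with the camera LAN =="; trace_camera "$SERVER"
echo "== server peer without it =="; trace_camera "$SERVER_BROKEN"
```

The model covers cryptokey routing only. On Opal A a packet from 10.0.0.4 to a camera enters and leaves on the same WireGuard interface, so besides the WG-to-LAN forwarding the original poster already has, the firewall must allow forwarding between VPN peers, which is what the Client-to-Client option in the last reply turns on; and the static route 192.168.8.0/24 via 10.0.0.2 from the earlier reply is still needed to get the packet to the tunnel interface in the first place.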