Two Flints vpn suggestion

Hey everyone, so I was thinking about linking two Flints on separate locations and would welcome suggestions on the approach. Setup is like this

Flint 1:

  • public IP address on the WAN port
  • LAN
  • Wireguard connected to VPN1 with killswitch active and all clients go through it

Flint 2:

  • no public IP address from ISP (CGN) although same ISP as Flint 1
  • LAN
  • Wireguard connected to VPN2 with killswitch active and all clients go through it

Now goal is for all LAN clients behind Flint 2 to access devices on LAN behind Flint 1.
LAN clients behind Flint 1 won’t be accessing anything behind Flint 2 (although it’s not a flaw if they do have access)



should work like you thought about it.
Flint1 should be the WG server here in that case and Flint2 has to connect to it.

For better understanding (not only for us but for you as well), it’s helpful to use to draw a quick network plan.


I’d also change your terminology, OP; There’s a Flint version 2 now.

So it’s my understanding there’s CG-NAT in play for Flint 02? Given your goal is only to have Client Device → Flint 02 → VPN ↔ [WAN/Public Internet} ↔ VPN → Flint 01 → Client Devices, your use case is a variation of a Site-to-Site/WireGuard configuration… even though you won’t be able to connect into Flint 02’s LAN/devices connect to it.

Substitute Flint 02, which is behind CG-NAT in your case, for the WG Client router in the following HOW-TO:

(If that doesn’t work due to something w/ CG-NAT, there’s Tailscale to fall back on but that presents a whole new set of hurdles as GL support for it is still marked ‘beta’.)

1 Like

thanks for suggestions guys and for that nice website
I have created a diagram below. Now, I did see that thread previously, but I need (in this case FLINT02) to be able to run two wireguard client instances, one for internet access for clients behind it and other for connecting to FLINT01. Seems like there is no option for that? Or am I missing something…

You can’t run two WG Client instances on the current stable builds of GL firmware OOTB ATM. If you’re OK w/ running general Public Internet connectivity (that is, unencrypted/non-VPN on the general 'net/Clearnet), take a look @ the GL GUI’s VPN’s Proxy Modes:

Let us know if that’ll suffice.

1 Like

thanks, I guess I’ll wait for future version which will enable that functionality

You’d better add your request to the request thread then.

1 Like