Using two GL-MV1000s to create a WireGuard VPN over a WiFi bridge

I am about to deploy two old Ruckus point-to-point WiFi links. They will be using WPA2/AES, but I know someone could sit there and eventually crack the WiFi password. My plan is to connect the Ruckus units to one GL-MV1000 each and have those create an always-on WireGuard VPN over the WiFi link.

There are three subnets involved
Site A - Secure Side Subnet - 192.168.1.x (255.255.255.0 subnet mask)
Site B - Secure Side Subnet - 192.168.6.x (255.255.255.0 subnet mask)
WiFi Insecure Subnet - 10.226.0.x (255.255.255.248 subnet mask)

Site A - Insecure Side
10.226.0.41 is the MV1000 at Site A
10.226.0.42 is the Ruckus AP at Site A

Site B - Insecure Side
10.226.0.43 is the Ruckus AP at Site B
10.226.0.44 is the MV1000 at Site B

Site A - Secure Side
This network is 192.168.1.x / Subnet Mask is 255.255.255.0
Its default gateway is 192.168.1.254
It also has DHCP for IPv4 and IPv6

Site B - Secure Side
This network is 192.168.6.x / Subnet Mask is 255.255.255.0
Its default gateway needs to be the Site B GL-MV1000’s secure side interface

i.e.

192.168.1.x ← MV1000-A → 10.226.0.x ← MV1000-B → 192.168.6.x
secure side site _______\ ← wireguard → / ________ secure side site B

I can see how to set up DHCP for any interface, so configuring the GL-MV1000 at Site B to provide DHCP services to its secure side LAN seems easy.

My questions are:

Q1. What’s the best practice way of getting this VPN bridge created?

Q2. If I don’t want the Site A GL-MV1000 to route traffic to the 10.226.0.x network, how do I do that? And if it’s running the WireGuard server on its 10.226.0.x interface, how does WireGuard route the VPN traffic? Will it give out Site A secure side IPs to Site B’s secure side (confused) OR will it just use the VPN as a default route from 192.168.6.x to 192.168.1.x (hoping that)?

Q3. Which interfaces would you use? i.e. WAN ports for insecure site, LAN ports for secure site?

Q4. Is it advisable to reboot these little guys (GL-MV1000s) once every 24 hours automatically to ensure any resource leaks (memory or otherwise) are cleared down? I could schedule a reboot with crontab, I’m sure, but is that a good idea? What I don’t want is site 2 ringing me up complaining :)

Any pointers and suggestions would be great.
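
The topology described in the post, written out as a routed (not bridged) site-to-site WireGuard pair. This is an added example, not part of the original post and not GL.iNet's own configuration: it uses standard wg-quick syntax, and the tunnel addresses (172.16.0.0/30), UDP port 51820 and key placeholders are assumptions.

```ini
# Constructed example. The 10.226.0.x and 192.168.x.x values come from the post;
# tunnel addresses, port and key placeholders are assumed for illustration.

# ---- MV1000-A (Site A), wg0.conf ----
[Interface]
PrivateKey = <SITE_A_PRIVATE_KEY>
Address    = 172.16.0.1/30          # assumed tunnel address
ListenPort = 51820                  # assumed port, reachable on the 10.226.0.x side

[Peer]
# MV1000-B
PublicKey  = <SITE_B_PUBLIC_KEY>
Endpoint   = 10.226.0.44:51820
# AllowedIPs is both the outbound route list and the inbound source filter.
# Only Site B's tunnel address and LAN are listed; the WiFi transit subnet
# 10.226.0.40/29 is left out, so it is never carried inside the tunnel.
AllowedIPs = 172.16.0.2/32, 192.168.6.0/24
PersistentKeepalive = 25            # keeps the always-on link established

# ---- MV1000-B (Site B), wg0.conf ----
[Interface]
PrivateKey = <SITE_B_PRIVATE_KEY>
Address    = 172.16.0.2/30          # assumed tunnel address
ListenPort = 51820

[Peer]
# MV1000-A
PublicKey  = <SITE_A_PUBLIC_KEY>
Endpoint   = 10.226.0.41:51820
# Site B keeps its own 192.168.6.0/24 addressing (WireGuard hands out no
# addresses); traffic for Site A's LAN is routed into the tunnel.
AllowedIPs = 172.16.0.1/32, 192.168.1.0/24
PersistentKeepalive = 25
```

Because the post places Site A's default gateway at 192.168.1.254 rather than on MV1000-A, Site A hosts only reach 192.168.6.0/24 if that gateway carries a static route for it pointing at MV1000-A's secure side address.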