Using two GL-MV1000's to create a Wireguard VPN over a WiFi bridge

I am about to deploy two old Rukus point-to-point WiFi links. They will be using WPA2/AES but I know someone could sit there and eventually crack the WiFi password. My plan is to connect the Rukus’s to one GL-MV1000 each and have those create an always on Wireguard VPN over the WiFi link.

There are three subnets involved
Site A - Secure Side Subnet - 192.168.1.x ( subnet mask)
Site B - Secure Side Subnet - 192.168.6.x ( subnet mask)
WiFi Insecure Subnet - 10.226.0.x ( subnet mask)

Site A - Insecure Side is the MV1000 at Site A is the Ruku’s AP at Site A

Site B - Insecure Side is the Ruku’s AP at Site B is the MV1000 at Site B

Site A - Secure Side
This network is 192.168.1.x / Subnet Mask is
It’s default gateway is
It also has DHCP for IPv4 and IPv6

Site B - Secure Side
This network is 192.168.6.x / Subnet Mask is
It’s default gateway needs to be the Site B GT-MV1000’s secure side interface


192.168.1.x ← MV1000-A → 10.226.0.x ← MV1000-B → 192.168.6.x
secure side site _______\ ← wireguard → / ________ secure side site B

I can see how to set-up DHCP for any interface so configuring the GL-MV1000 at site B to provide DHCP services to it’s secure side LAN seems easy.

My questions are;

Q1. What’s the best practice way of getting this VPN bridge created?

Q2. If I don’t want the Site A GT-MV1000 to route traffic to the 10.226.0.x network how do I do that, and, if it’s running the WireGuard server on it’s 10.226.0.x interface how does Wireguard route the VPN traffic? Will it give out Site A secure side IPs to Site B’s secure side (confused) OR will it just use the VPN as a default route from 192.168.6.x to 192.168.1.x (hoping that)?

Q3. Which interfaces would you use? i.e. WAN ports for insecure site, LAN ports for secure site?

Q4. Is it advisable to re-boot these little guys (GT-MV1000’s) once every 24 hours automatically to ensure any resource leaks (memory or otherwise) are cleared down. I could schedule a reboot with crontab I’m sure but is that a good idea? What I don’t want is site 2 ringing me up complaining :slight_smile:

Any pointers and suggestions would be great.