VPN Connection to two separated networks


First of all, I’m not a network expert. I’m just kind of lost, trying to find a solution.

I played a bit with the VPN (IPSec) on a FRITZ!Box 4060 and was able to connect to my local network from anywhere in the world. Worked great, but I did not like the way I had to set-up the connections (mainly on older machines) so I wanted to switch to WireGuard. At the same time, I was getting a bit annoyed when watching IPTV in a hotel room (I’m using a Beryl to set-up a local network in the hotel to bypass the captive portal and hook-up a Chromecast, Laptop, etc.). So the idea came to add an additional router (Brume2) and create a VPN tunnel between the Beryl (as VPN client) and the Brume2 (as VPN Server). So in theory, depending on what VPN I use, I create either a tunnel to the Brume2 (for IPTV) or to the 4060 (my local network). And yes, I can solve this with only 1 VPN, but I have a Mikrotik RouterBOARD hEX lying around in order to add some more network segregation. So I will run into the 2x VPN issue anyhow.

So at the moment I have a cascaded set-up that looks like this:

[Ziggo Modem] <—> [Brume2 / GL-MT2500] <—> [FRITZ!Box 4060] <—> [Some more stuff]

On both the MT2500 and the 4060 I’m running WireGuard. Connecting with the Brume2 is no problem at all and works great. But I’m stuck regarding the connection with the 4060 and my “Some more stuff” network. I tried to add port forwarding and translation (changed the port in the WireGuard App) and in the Brume2 changed it back to the original while forwarding. I expected that to work, but it does not. I’m still missing some ports that have to be forwarded or something else. I have played with networks before, but the VPN part is rather new to me.

Anyone able to tell me what I’m missing and point me in the right direction?

Cheers, Henk

So that I’m understanding correctly:

  • Beryl is the WG Client
  • Brume 2 is a WG Server
  • FRITZ!Box 4060 is a different WG Server

The Beryl WG Client connection will be manually toggled in the GL GUI → VPN → WG Client when you want to use either/or, correct?

I haven’t used any FRITZ!Box equipment so this could well be hearsay but IIRC their implementation is an adulterated version of WG. It doesn’t/didn’t play nice with ‘pure’ WG, which is what the Beryl uses.

Ah! Found it:

There’s a related link to a potential solution that might work, too.

Re: Brume 2 ↔ FRITZ!Box 4060

I think you’re looking for a S2S between those two WG peers/endpoints. See the following HOW-TO based on using two GL devices. The steps should be similar, sans GUIs, in your case:


The Beryl is the WG Client I’m using in the Hotel.
Both the Brume2 (WG Server #1) and the 4060 (WG Server #2) are at my home in a cascaded set-up.

The Beryl toggle (press the switch on its side) determines if the WG Client will be enabled or not. In effect that will switch between using the Hotel connection directly, or going via the WG Server #1 at Home. This allows me to first activate the Hotel portal (WG Client disabled) and after the activation, tunnel to WG Server #1.

For my other devices I’m using the WG App. So by disabling the WG Client in the Beryl, I can use the App to create a tunnel. In this case I would like to be able to select a tunnel to WG Server #1 or to WG Server #2.

A tunnel to WG Server #1 avoids Google to end up in languages I do not speak, have my phone Cast all the stuff like if I’m at home.
A tunnel to WG Server #2 allows me to use my network as if I’m at home. Monitor all my devices at home and I sometimes write some SW (getting bored in the evenings) that I would like to upload to my devices without having to open several ports on my router and add a sh.t load of protection to my devices. I’m using so many different protocols on these devices, from SSH, (S)HTTP, (S)FTP to dedicated protocols and ports. Being able to have a tunnel would solve most if not all of them.

The connection to WG Server #1 is no issue. I forwarded the WG Server #2 listening port from the Brume2 to the 4060, but that seems to be not enough. I’m missing something and I have no clue what. As the WG Server #1 and the WG Server #2 listen to different ports, I thought that should fix it, but it does not. What am I missing?

Cheers, Henk
P.S. Next week in the Hotel again, and no way to test my SW. :frowning:

You can SSH in over WG. That’s how I manage my remote endpoints.

So this reads to me that you’re looking for the Beryl’s switch to toggle to WG-Server-00 or WG-Server-01 (be it Brume 2 or Fritzbox). Theoretically it’s scriptable. I’ve done similar toggle scripts for other models.

Post your confs. This forum supports Markdown. Use three backticks (```) to


Redact sensitive info of course.

Perhaps it’s better to diagram the current setup; it seems unclear. I don’t understand why you just don’t make the fastest device the WG Server for your entire subnet & put that out on the DMZ. S2S can then handle Client/Server tunnelling.
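
An added example, not part of any post in this thread: one way to redact a WireGuard conf before pasting it into a forum, masking the private and preshared keys and the endpoint host while keeping the port and AllowedIPs that a port-forwarding diagnosis needs. The sample conf, its keys, host name, port and subnets are constructed for illustration.

```python
import re

# Values that must never be shared: masked completely.
SECRET_KEYS = {"privatekey", "presharedkey"}
# "Key = value" lines; section headers and comments do not match.
LINE = re.compile(r"^(\s*)([A-Za-z]+)(\s*=\s*)(.*?)\s*$")

def redact_endpoint(value):
    """Hide the host part of Endpoint but keep the UDP port."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        return "<redacted-host>"
    return f"<redacted-host>:{port}"

def redact_conf(text):
    """Return the conf with keys and the endpoint host masked."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            out.append(line)          # [Interface], [Peer], comments, blanks
            continue
        indent, key, eq, value = m.groups()
        k = key.lower()
        if k in SECRET_KEYS:
            value = "<redacted>"
        elif k == "publickey":
            # Not secret, but a stable identifier; a short prefix still lets
            # readers match a peer entry against the other side's conf.
            value = value[:4] + "...<redacted>"
        elif k == "endpoint":
            value = redact_endpoint(value)
        out.append(f"{indent}{key}{eq}{value}")
    return "\n".join(out)

# Constructed sample conf (not taken from the thread).
SAMPLE = """\
[Interface]
PrivateKey = CONSTRUCTED0private0key0000000000000000000=
Address = 10.0.1.2/24

[Peer]
PublicKey = Pub1CONSTRUCTED0public0key00000000000000000=
PresharedKey = CONSTRUCTED0preshared0key00000000000000000=
AllowedIPs = 192.168.10.0/24
Endpoint = vpn.example.net:51821
"""

if __name__ == "__main__":
    print(redact_conf(SAMPLE))
```
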