VPN wireguard on GL-MT300N-V2 client

Hi everybody, I need help with routing on the GL-MT300N-V2.
I have a Mango (IP 192.168.8.1) with a Wi-Fi IP cam; this router is connected to a Tp-link (LTE) (IP 192.168.0.1) through its WAN port. The LTE provider uses CGNAT, so it is not reachable from the Internet. I have a remote VPS where I have installed a WireGuard server on Docker. I use the Mango to connect to the server over VPN; it works and my cam is reachable from the Internet.
On my VPS with the WireGuard server I have routed port 8008 to my Mango on port 80, and this works perfectly:
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 8008 -j DNAT --to-destination 192.168.8.1:80

I did the same thing to reach my Tp-link:
PostUp = iptables -t nat -A PREROUTING -p tcp --dport 8010 -j DNAT --to-destination 192.168.0.1:80

But the Mango blocks the connection to my Tp-link.

I'll show my peer configuration:

[Peer]
PublicKey = xxxxxxxx
PresharedKey = xxxxxxxxx
AllowedIPs = 192.168.0.0/24
AllowedIPs = 10.252.1.1/32
AllowedIPs = 192.168.8.0/24
PersistentKeepalive = 15

Is the destination 192.168.0.0/24 unreachable because it is behind double NAT?
What can I do to bypass this?
I think wgclient needs to route to WAN, but I do not know how....

What is your firmware version on MT300N-V2?

An unrelated question: which VPS are you using? How much is it?

Seems to be a firewall issue: data arriving at 192.168.8.1 belongs to the firewall INPUT, but data arriving at 192.168.0.1 belongs to forwarding. Please make sure you allow wireguard->WAN forwarding on the Mango router.


GL-MT300N-V2 Firmware: 4.3.11

VPS Contabo 5,50 euro a month
4 vCPU Cores
6 GB RAM
400 GB SSD

That is what I supposed, but I do not know how to redirect wgclient to WAN.
I tried to port forward on the Mango, from wgclient port 80 to WAN 192.168.0.1 port 80, but it doesn't work.
Can you explain it to me?
Thank you

Please try the firewall rule below. This rule is not precise and therefore not safe; we are just trying to troubleshoot the problem.

iptables -I FORWARD -j ACCEPT
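
The troubleshooting rule above accepts every forwarded packet in every direction. As an added example (not part of the thread and not GL.iNet's own configuration), this shell helper prints a narrower replacement that forwards only TCP from the WireGuard client interface to one host and port behind the WAN. `wgclient` is the interface name used in the thread; the WAN interface name `eth0.2` and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: print scoped FORWARD rules to replace "iptables -I FORWARD -j ACCEPT".
# Assumption: the WAN interface is eth0.2 (confirm with "ip addr" on the router).

# Accept only a single dotted-quad host address (no CIDR ranges).
is_ipv4_host() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept only TCP port numbers 1-65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept only plain interface names, so nothing else can reach the command line.
is_ifname() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

# Print (do not run) the rules: tunnel -> one host:port on the WAN side, the
# matching replies, and finally removal of the blanket troubleshooting rule.
scoped_forward_rules() {
    wg_if=$1; wan_if=$2; dst=$3; port=$4
    { is_ifname "$wg_if" && is_ifname "$wan_if"; } || { echo "bad interface name" >&2; return 2; }
    is_ipv4_host "$dst" || { echo "destination must be one IPv4 host: $dst" >&2; return 2; }
    is_port "$port" || { echo "bad port: $port" >&2; return 2; }
    echo "iptables -I FORWARD -i $wg_if -o $wan_if -p tcp -d $dst --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -I FORWARD -i $wan_if -o $wg_if -p tcp -s $dst --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    echo "iptables -D FORWARD -j ACCEPT"
}

# Stand-alone use: sh scoped_forward.sh wgclient eth0.2 192.168.0.1 80
if [ "$#" -eq 4 ]; then
    scoped_forward_rules "$@"
fi
```

Review the printed commands before running them on the Mango. The two scoped rules are inserted before the blanket rule is deleted, so the forwarded port stays reachable while the change is made.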

Thank you for the answer, but it does not work.
I ran this on my Mango:

iptables -I FORWARD -j ACCEPT

I tried with netcat:

nc -v ipVpsServer 8009 works (Connection to xxx.xxx.xxx.xxx 8009 port [tcp/*] succeeded!)
nc -v ipVpsServer 8010 no answer

Hi, any idea about the problem?
Any suggestions are welcome :smiley:

With 2 static routes it works, but not very well....

And now this is the login page of my Tp-Link

I do not know what is wrong....

Could you show your peer configuration on the Mango?

This is the config on Mango (client wireguard)
[Interface]
Address = 10.252.1.1/32
PrivateKey = xxxxxxxxxxxxxxxxxxxx
DNS = 8.8.8.8,8.8.4.4
MTU = 1450

[Peer]
PublicKey = xxxxxxxxxxxxxx
PresharedKey = xxxxxxxxxxxxx
AllowedIPs = 0.0.0.0/0
Endpoint = ipServer:51820
PersistentKeepalive = 15


Let me confirm the topology as follows. You want to access the tp-link router directly through VPS, right?

I did almost the same thing as you, but it was very smooth and I had easy access to my parent router.
wg server configuration on the VPS: (image)
wg client configuration on the router: (image)
The only thing I did was set the following firewall rules on the router

iptables -I FORWARD -j ACCEPT

You are right.
I can reach the router, but I see an imperfect page, like the image attached.
Analyzing the page, I see the paths of the "link" are ../CSS etc...
So I think the page does not load correctly.


It looks like you've succeeded, but the page you're trying to visit isn't fully loaded because it relies on sites like www.w3.org. You can try tracing the path to www.w3.org

You are right. I know the problem and I do not think there is a solution.
Thank you for your time.



I think the problem may be here: you only do port forwarding for the 192.168.0.1 address. If your web page needs to reference other intranet addresses or other ports, it will not work.

Thank you.
I do not know how to find the other intranet addresses or other ports that need to work....
Best of luck