I purchased 2 GL-MT300N-V2 routers to create a VPN with WireGuard. I followed this guide: Building a Site-2-Site network manually using two GL.iNet routers (SDK 4.X), and the connection works correctly if I connect to the LAN port of the GL-MT300N-V2 (client side): I can navigate with the server-side IP and access the server-side network resources (192.168.0.2, etc.). However, I cannot navigate to or access the 192.168.0.0/24 subnet if the devices are connected directly to the main router. I have made several attempts, but with no success.
I attach a network diagram.
Using the WAN port on both VPN endpoints puts the main network clients outside of each VPN endpoint’s firewall.
I’ve done a similar setup using an AR750S Slate and a MT2500 Brume 2 as my VPN endpoints, but I used OpenVPN which should be the same network configuration.
In my case, I used the LAN port and not the WAN port on my VPN endpoints, since I wasn't using the LAN networks anyway, and it appears from your diagram that you are not using the LAN network side of the two VPN endpoints either. So you might try disabling the Network LAN DHCP Server on both VPN endpoint devices, setting their LAN IP address to 192.168.x.254 & 192.168.x.254 on each end, and then connecting the LAN port instead of the WAN port to their main router networks. Then perhaps the clients on the two main networks will be able to connect to each other over the VPN, since the VPN endpoints' firewalls aren't in the way.
I will tell you what you need to configure so you can reach any computer from any other within your network.
Main routers:
- You have to make your WireGuard "server" accessible from Internet
- In router 192.168.0.1 you'll have to open and redirect the WireGuard server port to 192.168.0.254
- The main routers need to know how to reach any network not directly attached.
- You will have to add some routes manually:
- In router 192.168.0.1 you'll have to add route: 192.168.1.0/24 GW:192.168.0.254
- In router 192.168.1.1 you'll have to add route: 192.168.0.0/24 GW:192.168.1.254
GL-MT300N-V2 (or any other WireGuard server):
- Connect LAN port to your main router LAN network
- Disable DHCP server, because you have a DHCP server on your main router.
- Disable or disconnect any WAN, WiFi client, cellphone tethering... that acts as WAN connection and adds a default route (the goal is to remove any default gateway route).
- You will have to add a default gateway route pointing to your main router:
- In router 192.168.0.254 you'll have to add route: 0.0.0.0/0 GW:192.168.0.1
- In router 192.168.1.254 you'll have to add route: 0.0.0.0/0 GW:192.168.1.1
WireGuard configuration
- It's very important to understand that what you put in the peer's "Allowed IPs" configuration is transformed into routing rules.
- You need to put in "Allowed IPs" not only the IP of the other endpoint but all the networks accessible through the tunnel:
- In the 192.168.0.254 WireGuard "server" configuration you'll have to put in the peer's "Allowed IPs": 10.0.0.2/32, 192.168.1.0/24 (that's because through the tunnel you can reach the host 10.0.0.2 and the full 192.168.1.0/24 network)
- In the 192.168.1.254 WireGuard "client" configuration you'll have to put in the peer's "Allowed IPs": 10.0.0.0/24, 192.168.0.0/24 (that's because through the tunnel you can reach all the WireGuard peers in 10.0.0.0/24 and the full 192.168.0.0/24 network)
- It's not the case here, but if you want a WireGuard "client" to route all traffic through the VPN tunnel, you have to put "Allowed IPs": 0.0.0.0/0 in the client's peer configuration, so it is transformed into the default gateway rule for the client.
WireGuard Server 192.168.0.254 configuration example
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = GH7HVfpCc+36LXUFkGX38Ud3rfUC3YQP+oqTSWqg2UQ=
# PublicKey = ACVoP67IWqoOyCi0F7lmWiVNbmYcVMYiBqUB8cnGhGY=
# Server = wireguard.fqdn
[Peer]
PublicKey = fMl5wKucz5asA3RGMse+9HROAhNJOtk+OHLocfwsHRc=
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
WireGuard Client 192.168.1.254 configuration example
[Interface]
Address = 10.0.0.2/24
PrivateKey = OHLUXH43WBXzNHveaamFZBOxpwSGlUfngQk5qbLi/2Y=
#PublicKey = fMl5wKucz5asA3RGMse+9HROAhNJOtk+OHLocfwsHRc=
[Peer]
PublicKey = ACVoP67IWqoOyCi0F7lmWiVNbmYcVMYiBqUB8cnGhGY=
AllowedIPs = 10.0.0.0/24, 192.168.0.0/24
Endpoint = wireguard.fqdn:51820
PersistentKeepalive = 25
More info:
All the clients behind NAT, if there is no port redirection, have to use "PersistentKeepalive = 25" in order to let the UDP packets in through the NAT firewall. When a UDP packet goes out through a firewall, the firewall keeps the port open for a few seconds waiting for a response, letting in the packets that match the source/destination IP and port of the packet that went out. Continuously sending a UDP packet to the server before that window expires effectively creates a port redirect to the client.
In WireGuard, if you have more than one "client", each "client" must have a unique private/public key pair, because the WireGuard "server" identifies the "client" by the key used to encrypt the tunnel, not by the source IP of the encrypted packets. The clients can change their public IP whenever they want and there is no interruption, because WireGuard uses UDP and associates the private VPN IP (10.0.0.X) with the encryption key.
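The answer above rests on one rule: every AllowedIPs entry becomes a route into the tunnel, and each prefix may belong to only one peer. The following Python script is an added example, not part of this thread or of GL.iNet's firmware: it parses wg-quick style configs, derives the routes each endpoint would install, and checks that each site's LAN is reachable from the other side and that no two peers on the server claim the same prefix. The configs are constructed copies of the ones posted above with the keys replaced by placeholders; the second server config with a clashing peer and the full-tunnel client config are constructed to show the failure cases.

```python
import ipaddress

# Constructed sample configs modelled on the ones in the thread.
# Keys are placeholders, not real WireGuard keys.
SERVER_CONF = """
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <server-private-key-placeholder>

[Peer]
# site B endpoint (192.168.1.254)
PublicKey = <client-public-key-placeholder>
AllowedIPs = 10.0.0.2/32, 192.168.1.0/24
"""

CLIENT_CONF = """
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client-private-key-placeholder>

[Peer]
PublicKey = <server-public-key-placeholder>
AllowedIPs = 10.0.0.0/24, 192.168.0.0/24
Endpoint = wireguard.fqdn:51820
PersistentKeepalive = 25
"""

# Constructed mistake: a second peer that repeats site B's LAN prefix.
SERVER_CONF_CLASH = SERVER_CONF + """
[Peer]
PublicKey = <second-client-public-key-placeholder>
AllowedIPs = 10.0.0.3/32, 192.168.1.0/24
"""

# Constructed road-warrior variant: 0.0.0.0/0 turns the peer into the default route.
FULL_TUNNEL_CONF = CLIENT_CONF.replace(
    "AllowedIPs = 10.0.0.0/24, 192.168.0.0/24", "AllowedIPs = 0.0.0.0/0")


def parse_wg(text):
    """Split a wg-quick style config into (interface, [peers]).

    Hand-written because configparser rejects the repeated [Peer]
    sections that a multi-peer server config contains.
    """
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.lower() == "[interface]":
            current = interface
        elif line.lower() == "[peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # base64 keys end in '=', so split once
            current[key.strip().lower()] = value.strip()
    return interface, peers


def tunnel_routes(conf_text):
    """Networks the kernel routes into the wg interface: every AllowedIPs
    entry of every peer, tagged with the peer's index."""
    routes = []
    for idx, peer in enumerate(parse_wg(conf_text)[1]):
        for cidr in peer.get("allowedips", "").split(","):
            if cidr.strip():
                routes.append((idx, ipaddress.ip_network(cidr.strip(), strict=False)))
    return routes


def goes_into_tunnel(conf_text, host):
    """Would a packet to `host` be sent through the tunnel on this endpoint?"""
    addr = ipaddress.ip_address(host)
    return any(addr in net for _, net in tunnel_routes(conf_text))


def lan_covered(conf_text, lan):
    """Is the whole remote LAN prefix inside some peer's AllowedIPs?"""
    lan = ipaddress.ip_network(lan)
    return any(lan.subnet_of(net) for _, net in tunnel_routes(conf_text))


def allowed_ip_clashes(conf_text):
    """Prefixes overlapping between two different peers of one endpoint.
    Cryptokey routing maps each allowed IP to exactly one peer, so an
    overlap silently takes the prefix away from the earlier peer."""
    routes = tunnel_routes(conf_text)
    return [(a, b, str(a_net), str(b_net))
            for i, (a, a_net) in enumerate(routes)
            for b, b_net in routes[i + 1:]
            if a != b and a_net.overlaps(b_net)]


def check_site_to_site(server_conf, client_conf, server_lan, client_lan):
    """Return a list of problems; empty means both LANs are routed to the
    other side and no server peers collide."""
    problems = []
    if not lan_covered(server_conf, client_lan):
        problems.append(f"server AllowedIPs does not cover client LAN {client_lan}")
    if not lan_covered(client_conf, server_lan):
        problems.append(f"client AllowedIPs does not cover server LAN {server_lan}")
    for a, b, a_net, b_net in allowed_ip_clashes(server_conf):
        problems.append(f"server peers {a} and {b} overlap: {a_net} vs {b_net}")
    return problems


if __name__ == "__main__":
    print(check_site_to_site(SERVER_CONF, CLIENT_CONF, "192.168.0.0/24", "192.168.1.0/24"))
    print(check_site_to_site(SERVER_CONF_CLASH, CLIENT_CONF, "192.168.0.0/24", "192.168.1.0/24"))
```

The checker only reasons about the WireGuard side; the static routes on the two main routers (192.168.1.0/24 via 192.168.0.254 and 192.168.0.0/24 via 192.168.1.254) and the missing default gateway on the endpoints still have to be verified on the devices themselves.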
Thank you so much for everything. I will try the configuration in the next few days