WireGuard client and server

I setup my new Flint 2 and was playing around with the Wireguard client/server options.

I connected the router as a client to my external VPN provider so that all outgoing traffic for connected clients goes through the VPN.

Now if I setup the router as a server as well I can have the devices on the local network connect to it on VPN.

In addition, there’s also the option to enable cascading VPN, which according to the docs will connect the client and server VPN with one another.

Now my questions:

  • What is the benefit and use case of establishing the cascading connection?
  • Does this mean that when I have a device connect to my external provider vpn that I could potentially connect to my router as it’s on the vpn network? Or would I have to connect to the router server from external (not my provider) directly to gain access to resources in the local network?
  • How does tailscale differ from setting up my router as a server and connect devices with VPN to it?


  • You can get proper security for all your Wi-Fi connected hosts/client devices, for one[1]. Just be sure to set up a Preshared Key for ea. WG Client conf.
  • Your internal WG network can be (read: not without addn’l work) treated as a wholly separate network contained/isolated from the rest (a highly encrypted virtual local area network (VLAN) if you will).
  • IF your WG Service Provider supports incoming port forwarding you can reach your internal network hosts/clients near anywhere on the Public Internet/clearnet thru an encrypted tunnel (again, addn’l work required). There’s not many that do to my limited knowledge.

You can do the latter as it’s a common enough configuration (caveats apply) but see my above point in Q1 re: WG Service Provider incoming port forwarding. That’d be the preferred option if security is a priority.

Tailscale is an ‘overlay network’ that uses WG-based tech but is not ‘pure’ WG. It is, by default, an either/or setup: tailnet or WG. A ‘tailnet’ is independent of your WG Service Provider but can accomplish similar goals & overcome a restrictive ISP network which one may be using when the ISP in question uses CG-NAT. CG-NAT restricts one’s ability to have incoming connections from the Public Internet to your GL device (the Flint v2 in this case) WG Server’s port 51820… which also invalidates any WG Service Provider’s incoming port forwarding capabilities.

Again & unsurprisingly, setting up a tailnet on a GL device requires addn’l configuration to be done as it is not fully supported ATM (read: beta status but can work as expected[2]).

  1. https://www.zdnet.com/article/dragonblood-vulnerabilities-disclosed-in-wifi-wpa3-standard/

Thanks for the comprehensive explanation.

For this point, is there any documentation available how such VLAN setup could be accomplished?

Not in the current builds of stable. Technically the stock Guest net ( is a VLAN but there’s no addn’l VLAN capabilities in the GL GUI. You’re going to want to go ‘out of support/scope’ & fire up LuCI (GL GUI → System → Advanced Settings).

Make a backup beforehand so you can eventually unfvck it when things go sideways… & keep a log, topology diag. Save some sanity. Then consult the OpenWrt Wiki or Van Tech Corner’s tuts over on YouTube.

Right; sorry. I misread

as if you were just referring to general VLANs… not using WG. I’d diagram your desired topology before delving into details. Some WG client/LAN hosts don’t require full duplex communication/‘always on’ incoming port fowarding over WG (eg: a standard phone, tablet).

Custom routing can get out of hand real quick when just going in blind.

Thanks, I’ll have a look at LuCi and the tutorials.

Rough idea atm is to have a dedicated vlan for printer, tv, smart stuff. Have the phones, laptops go over VPN but still allow them to access the regular network ( to talk to the isolated VLan group. I saw there’s a handy toggle on the UI to get VPN stuff acess the underlying network.

1 Like

In that case, you could simply use the guest network and change the firewall rule so you are allowed to access from the regular network → guest network but not vice versa.