How to access WireGuard client LAN side from Server¶
This tutorial introduces the steps to access the LAN subnet of WireGuard client (such as IP camera, NAS, etc.) from your WireGuard server side.
Topology¶
As shown below, the GL-MT2500 is a WireGuard server and the GL-AXT1800 is a WireGuard client connected to it. You can access the devices on the GL-AXT1800's LAN side (such as IP camera or NAS) from the server side.
1. Add route rule on server¶
For firmware v4.7 and earlier
Log in to the web admin panel of your WireGuard server, then go to VPN -> VPN Dashboard -> VPN Server.
Click on the route icon on the right to enter the route rule.
Click Add Route Rule in the upper right corner, and input the subnet you want to access.
For example, the LAN subnet of the WireGuard client GL-AXT1800 is 192.168.8.0/24, so the Target Address is 192.168.8.0/24.
Gateway is the client IP that your WireGuard server generated for this WireGuard client. You can find it under the Profiles tab of WireGuard Server page. As shown below, the client IP for the WireGuard client GL-AXT1800 is 10.0.0.4.
So set the Gateway as 10.0.0.4, and the Scope as global, then click Apply.
For firmware v4.8 and higher
Log in to the web admin panel of your WireGuard server, then go to VPN -> WireGuard Server.
Click the Route Rules tab, and click Add Route Rule on the right side.
In the pop-up window, input the subnet you want to access.
For example, the LAN subnet of the WireGuard client GL-AXT1800 is 192.168.8.0/24, so the Target Address is 192.168.8.0/24.
Gateway is the client IP that your WireGuard server generated for this WireGuard client. You can find it under the Profiles tab on the same page. As shown below, the client IP for the WireGuard client GL-AXT1800 is 10.1.0.2.
So set the Gateway as 10.1.0.2, then click Apply.
2. Allow remote access to client LAN¶
For firmware v4.7 and earlier
Log in to the web admin panel of your WireGuard client, and go to VPN -> VPN Dashboard -> VPN Client.
Click on the gear icon on the right side of WireGuard.
In the pop-up window, enable Remote Access LAN, then click Apply.
For firmware v4.8 and higher
Log in to the web admin panel of your WireGuard client, and go to VPN -> VPN Dashboard.
On the top-left corner of your VPN tunnel, click the gear icon to enter the tunnel options.
In the pop-up window, enable Allow Remote Access the LAN Subnet, then click Apply.
3. Test connection¶
Test if you can access the LAN devices of your WireGuard client from the Server side.
You can test the connection via ping. For example, on a device connected to the WireGuard server (GL-MT2500), ping the IP address of a device within the LAN of your WireGuard client (GL-AXT1800), and check if it can ping successfully.