How to Port Forward for WireGuard VPN Use on GL.iNet Routers

Setting up a WireGuard VPN server on a GL.iNet router allows secure, full-tunnel remote access to your local network. If your GL.iNet router is connected to a primary router, such as an ISP router’s LAN port, you’ll need to configure port forwarding on the primary router to direct VPN traffic to your GL.iNet device. This blog article will guide you through the steps, clarify the settings, and explain key terms to make the process clearer.


Why Port Forwarding is Necessary

When your GL.iNet router is connected to a primary router, port forwarding on the primary router is required for external traffic to reach the WireGuard server. Enable port forwarding on the main router to ensure that the external network can connect to the VPN server, specifically by opening only the port for the VPN server (ex. 51820). Once a device on the external network establishes a VPN tunnel with the GL.iNet router, the local network under the main router can be accessed through the VPN. This means not only is the GL.iNet router’s LAN accessible, but the main router’s LAN is also accessible.

Main router port forwarding to VPN server (ex. GL.iNet Brume 2)

Step-by-Step Guide to Port Forwarding for WireGuard

Gateway IP address for main router

1. Log in to Your Primary Router’s Admin Panel (or download and log in to your ISP’s mobile app):

Access the admin interface by typing your primary router’s IP address into a web browser. Typically this is 192.168.1.1 or 10.0.0.1. A quick way to determine this IP is to look at the “Gateway” IP on the Internet page of your GL.iNet router while it is connected to your home network.

2. Navigate to the Port Forwarding Section:

This section may be labeled as “Port Forwarding,” “Virtual Server,” or “NAT Forwarding,” depending on the router brand.

3. Configure the Port Forwarding Rules:

  • External Port (Public Port): Set this to the port your WireGuard server is configured to use (default 51820).
  • Internal Port (Private Port): Also set this to 51820 to match the port on your GL.iNet router where WireGuard is listening.
  • Protocol: Choose UDP, as WireGuard operates over the UDP protocol.
  • Internal IP Address (Destination IP): This should be the LAN IP address of your GL.iNet router, which should look something like 192.168.x.x or 10.x.x.x, depending on your network. This is assigned by your primary router once you’ve plugged the GL.iNet router WAN port into your ISP router LAN port. You can find this IP address in your primary router’s device list or simply by checking the GL.iNet router interface on the Internet page.

4. Set Source Port (Optional):

If your router provides a “Source Port” option, set it to “Any” (or leave it blank) to avoid restricting connections based on their originating port. WireGuard clients might use a randomized source port, especially if they’re behind NAT, and restricting this port could block legitimate connections.

5. Save and Test the Configuration:

  • After entering all necessary information, save the settings and reboot your primary router if needed.
  • To test the setup, try connecting to the WireGuard server from an external network (such as a mobile hotspot) to confirm that port forwarding is functioning correctly. For instructions on setting up the WireGuard server and corresponding client profile, go here: https://docs.gl-inet.com/router/en/4/interface_guide/wireguard_server/

Key Terms and Their Meanings

  • External (Public) Port: This is the port on your primary router exposed to the internet. Incoming VPN requests will target this port.
  • Internal (Private) Port: This is the port on your GL.iNet router where WireGuard listens for connections.
  • Source Port: This refers to the port used by the client to initiate the connection. Setting it to “Any” is usually recommended to avoid blocking legitimate connections, as most clients use randomized ports.
  • Internal IP Address (Destination IP): The IP address of your GL.iNet router on your local network.

Additional Tips

  • Consider Security: Limit the port forwarding rule to the necessary protocol (UDP) to minimize exposure.
  • Using Dynamic DNS (DDNS): If your public IP is dynamic (changes periodically), then enable the GL.iNet router’s built-in DDNS service to keep your VPN accessible.

For more router-specific instructions, take a look at the GL.iNet documentation list here: https://docs.gl-inet.com/router/en/4/tutorials/how_to_set_up_port_forwarding/


A Brief Explanation on CGNAT

Many ISPs use CGNAT to manage limited IPv4 addresses, assigning a shared public IP to multiple customers. This prevents direct access to devices and makes port forwarding impossible. If you’re behind CGNAT, consider using VPN services like AstroWarp or Tailscale, which enable secure remote access without requiring port forwarding. Click the link to check if your GL.iNet router supports Tailscale or AstroWarp. For step-by-step VPN setup instructions, refer to this video playlist.
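The following sanity check for the forwarding rule from step 3 and for the CGNAT case above is an added example, not code from GL.iNet. The function names, the rule dictionary layout, and all addresses are assumptions constructed for illustration; you supply the primary router's WAN address (from its status page) and the public IP an external "what is my IP" service reports.

```python
import ipaddress

# Ranges that cannot be reached directly from the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
PRIVATE = [ipaddress.ip_network(n)             # RFC 1918 private ranges
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'cgnat', 'private' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in PRIVATE):
        return "private"
    return "public"


def check_forward(primary_wan, observed_public, primary_lan, rule):
    """Return a list of problems; an empty list means the rule can work."""
    problems = []
    kind = classify(primary_wan)
    if kind == "cgnat":
        problems.append("primary WAN is in 100.64.0.0/10: likely behind CGNAT")
    elif kind == "private":
        problems.append("primary WAN is private: another NAT sits upstream")
    elif primary_wan != observed_public:
        problems.append("primary WAN differs from observed public IP")
    if rule["protocol"].lower() != "udp":
        problems.append("protocol must be UDP")
    if rule["internal_port"] != rule["listen_port"]:
        problems.append("internal port does not match the WireGuard listen port")
    lan = ipaddress.ip_network(primary_lan)
    if ipaddress.ip_address(rule["internal_ip"]) not in lan:
        problems.append("internal IP is not on the primary router's LAN")
    return problems


# Constructed sample values (documentation and private ranges only).
GOOD_RULE = {"protocol": "UDP", "external_port": 51820, "internal_port": 51820,
             "listen_port": 51820, "internal_ip": "192.168.1.50"}

if __name__ == "__main__":
    print(check_forward("203.0.113.10", "203.0.113.10", "192.168.1.0/24", GOOD_RULE))
    print(check_forward("100.72.14.3", "203.0.113.10", "192.168.1.0/24", GOOD_RULE))
```

An empty list means the addressing allows the forward to work; the final confirmation is still a successful WireGuard connection from an external network, as in step 5.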

About GL.iNet

GL.iNet builds network hardware and software solutions that bring affordable and secure network connectivity to families and businesses all over the world. We work with a wide range of industries, solving everyday internet problems in offices, and providing complex networking solutions such as smart buildings and IoT networks. At GL.iNet, we believe all successful businesses build upon a strong and secure foundation, which is why our highest priority is perfecting network security and reliability for our partners.