Reaching an RUTX subnet remotely wireguarded through a second RUTX, from a subnet on a third RUTX!

Our offices are out in the sticks and I am having trouble getting two subnets to talk to each other (I am ok with really basic networking but I get stumped when things like this don’t work as I expected). As the 4th subnet that is connected via pfsense is working fine, I have proved that it is possible so just need to know where I am going wrong with the RUTX09 configuration.

AWS (wireguard used to bridge networks together as its the only point with a fixed IP.
Teltonika RUTX50 in main office (Wireguard
Teltonixa RUTX11 in remote office (Wireguard
Teltonika RUTX09 near main office port 3 set to and connected to main office LAN.
PFSense near main office port X set to and connected to main office LAN.

10.10.10.X can talk to 10.11.10.X.
10.20.10.X can talk to 10.11.10.X ( has a static route to
10.30.10.X will not talk to 10.11.10.X.

10.20.10.X can talk to 10.10.10.X.
10.30.10.X can talk to 10.10.10.X.

I have tried adding a static route for 10.11.10.X to gateway like pfsense has (I did this), on the RUTX09.
I noticed that pfsense has an entry in NAT that it has made automatically for
I don’t see any way of adding NAT to a subnet that isn’t associated to a LAN interface on the Teltonika units and suspect that is the problem.

I have gotten around it by also setting up wireguard on the RUTX09 but I would prefer it to work through the one link like 10.30.10.X does on pfsense.

Can anyone help me with this please?



There should be no need to use static routes (nor NAT either) everything should be done via the Allowed IPs lists:

  • on the RUTX11, set Allowed IPs to + + +
  • on the AWS server
  • for the RUTX11 peer set Allowed IPs to +
  • for the RUTX50 peer set Allowed IPs to + + +
  • on the RUTX50 set Allowed IPs to +
    No need to NAT anymore.

Oops of course you need static routes on the RUTX50 in order to reach the RUTX09 and the pFsense, but this is not a wireguard issue.
You can create them with:

ip -4 route add via metric 1
ip -4 route add via metric 1

or the equivalent menu in Network->Routing/Static IPv4 routes.

Hi Flebourse - thanks very much for your response!

I got the IP ranges wrong in my haste so I have changed them for my sanity:

I am concerned about trying this as I am pretty sure some of these settings locked me out of the routers before when I first tested wireguard on the Teltonika units… basically I found that I had to use the LAN from the opposite end of the connection in each case. So these are the settings that I currently have:

RUTX50: IP Addresses
RUTX50 Peer: Allowed IPs,

RUTX11: IP Addresses
RUTX11 Peer: Allowed IPs,*

*only added since I have temporarily connected RUTX09 via its own wireguard connection.

With the existing settings above I can connect from 10.10.10.X to 10.11.10.X, I can connect from 10.20.10.X to 10.11.10.X and I can connect from 10.11.10.X to 10.10.10.X (but not 10.20.10.X which is fine and preferred at the moment).

When I got locked out, came to the conclusion that allowing the IP of the local subnet was actually causing any connection to the router to be routed across wireguard and so I could no longer log into the web UI!

You have suggested that I set allowed IPs in a non-peer menu as well, but the only other options I get in the menu before the peer menu is “IP Addresses”.

I would really appreciate it if you can clear up my confusion over which LAN range to put where, where the other lists of “Allowed IPs” are, and maybe explain how the subnet works in the context of a wireguard link please?

(note understood about the static routes, I was confused last night when you said that they where not needed as I couldn’t understand how those two networks would ever route to RUTX50, so at least I understand that bit!)

Thanks for your time, this is really helpful.


In Allowed IPs you declare the hosts/net you want to reach via the wg tunnel, for example on the RUTX11 that would be all the wg network itself ( plus the all the lans on the RUTX50’s side ( + + How the RUTX50 will route packets for is not a concern at the RUTX11’s side.

The same applies at the RUTX50’s side, both the wg network and the RUTX11’s lan have to be reachable so Allowed IPs would be +

On the AWS side, you have to be very careful you have two peers so for each peer you need to specify the lans (10.x.10.0/24) plus the wg host (not lan) that would be (not /24) and

As the wg network is most of the time a management network only I prefer to have it in a separate address space I use a 172.[16…31].x.y for this purpose the configuration is much easier to read and maintain.

Thankyou very much.

That all makes sense. I will play with it a bit more when I can put some more time to it - I cant see any reason why it shouldn’t work with this guidance!

Thanks again,


This topic was automatically closed after 15 days. New replies are no longer allowed.