4.x Wireguard REKEY-TIMEOUT troubleshooting

Hi All,

A lot of users have reported that in firmware 4.x WireGuard has REKEY-TIMEOUT loops. This thread is meant as a summary so that you can classify your issue in the correct category and go in the right direction.

I will list some cases that I have solutions for and some cases I am not sure about.

Please note, REKEY-TIMEOUT is a general message and it does not contain info about the reason. WireGuard has too little info in the log.

Scenario 1: Wireguard does not connect at all

  • Most of the cases are in this scenario. If WireGuard does not connect at all, the general reason is that the server is not reachable or the config is not correct.
  • If this is your own server, you have to make sure you are doing the port forward correctly.
  • Some ISPs block UDP ports, so your port forward may not work. Some ISPs have an advanced firewall, so you need extra settings in order to make your port forward work normally.
  • Some users also report that copy and paste caused the problems, but I don’t have a clue why.
  • If this happens to you, please try WireGuard on your phone or Windows to make sure it works.
  • If you use Flint or Slate AX as a WireGuard server in firmware 4.0 or 4.1, when you activate the VPN client and server at the same time, you cannot connect to the VPN server from the Internet. This is called VPN cascading; please upgrade to 4.2.0.

Scenario 2: Wireguard connects but has intermittent breaks and cannot connect by itself

Some users reported such cases. I believe this happens but it is very difficult for me to replicate this issue.

  • Several users reported that this problem resolved by itself, so I could not track it further.
  • One user said it is related to his 5G network.
  • One nice user gave me some info that this may be related to 4G/5G networks, which have MTU limitations. He needs to adjust the WireGuard MTU to 1324 or lower to make it connect well. If this is your case, please adjust the MTU lower to see if it works better.

What to do when you meet this problem:

  • Make sure the WireGuard config is valid by using the exact same config on your phone or PC.
  • Make sure the WireGuard server side has the correct setup, e.g. port forward.
  • If you want to bring this issue up to me, please give me this info:
  1. What is the router model and firmware version?
  2. Are you using a 4G network? What is your ISP?
  3. Are you using IPv6?
  4. Are you using DDNS in the WireGuard config endpoint?
  5. Is this your own WireGuard server (a GL.iNet router, Netgear or Asus) or a commercial WireGuard service?
  6. Are you using VPN policy, AdGuard Home etc.?

If this is your own Wireguard server, the easiest way is to send one config to me to try out directly, if possible.


Case update:

One user's case shows that he is using Flint as a WireGuard server and cannot connect to it from the Internet. It is because he is using both the VPN client and server at the same time on Flint.

When you use the VPN server and client at the same time, it is called VPN cascading. Flint 4.0 and 4.1 do not support this. Please upgrade to firmware 4.2.

This needs to be pinned.

Other issues:

  1. Your WireGuard IP cannot be within the 192.168.8.X or 192.168.9.X range for default GL.iNet setups. Either change the WireGuard range, or change the LAN.
  2. If you’re running your own server, and you can connect to (ping) the Wireguard endpoint, and you’re using as your “Allowed IPs”, make sure the outbound port forwarding rules on your server are correct. See this guide for help.
  3. If you are testing and it works from your phone but not from your router, try connecting your router through your phone. Sometimes trying to access your public IP from your LAN behaves in strange ways.

Where can we find firmware V4.2? I’m unable to find it in the download center & on GitHub.

~Edit: nvm, found it😄

Update one case:

The ISP blocked incoming UDP traffic on the modem.

Even if you set up port forward, it does not work.

Case update: StarVPN DDNS bug: StarVPN provides WireGuard configs with the endpoint as DDNS. But the DDNS may resolve to some servers that do not work at all. Users should hardcode the DDNS as the correct IP or ask StarVPN to fix the bug. Slate AX (GL-AXT1800) Wireguard Issue (REKEY-TIMEOUT) - #34 by hectorricardo

I had a new case where the preshared key is dropped when uploading the config to the router. This may be caused by old firmware. 4.2 is working fine.
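Added example, not part of the original thread and not GL.iNet code: a pre-flight check of a WireGuard client config for the conditions collected above (address inside the default GL.iNet LAN ranges, MTU above 1324, a hostname/DDNS endpoint, a preshared key lost on upload). The function names, the sample configs and the fallback MTU of 1420 for an unset value are assumptions, and `applied` assumes you can copy the config back out of the router after uploading it.

```python
import ipaddress
# Default GL.iNet LAN ranges and the MTU figure mentioned in the thread.
GLINET_LANS = [ipaddress.ip_network(n) for n in ("192.168.8.0/24", "192.168.9.0/24")]
MTU_HINT = 1324

def parse_conf(text):
    """Parse a wg-quick style config into {section: {key: value}} (one peer)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            section[key.strip().lower()] = value.strip()
    return conf

def check(issued, applied=None):
    """Warn on the thread's conditions; `applied` = config as the router shows it."""
    conf, out = parse_conf(issued), []
    iface, peer = conf.get("interface", {}), conf.get("peer", {})
    for addr in filter(None, (a.strip() for a in iface.get("address", "").split(","))):
        net = ipaddress.ip_interface(addr).network
        if net.version == 4 and any(net.overlaps(lan) for lan in GLINET_LANS):
            out.append(f"address {addr} overlaps a default GL.iNet LAN range")
    if int(iface.get("mtu", 1420)) > MTU_HINT:  # assumption: unset MTU means 1420
        out.append(f"MTU above {MTU_HINT}: try lowering it on 4G/5G links")
    host = peer.get("endpoint", "").rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if host:
            out.append(f"endpoint {host} is a hostname: check what it resolves to")
    if applied is not None and "presharedkey" in peer \
            and "presharedkey" not in parse_conf(applied).get("peer", {}):
        out.append("PresharedKey missing from the applied config")
    return out

# Constructed sample configs (placeholder keys, reserved example hostname).
ISSUED = """[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 192.168.8.2/24
[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PRESHARED_KEY_PLACEHOLDER
Endpoint = vpn.example.net:51820
"""
APPLIED = ISSUED.replace("PresharedKey = PRESHARED_KEY_PLACEHOLDER\n", "")
print("\n".join(check(ISSUED, APPLIED)))
```

A clean result only rules out these config-side causes; an unreachable server or an ISP blocking UDP still produces the same REKEY-TIMEOUT message.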