Beryl AX (GL-MT3000) Wireguard client VPN doesn't work

Hi

Brand new Beryl AX.
I’ve gone to configure Wireguard as a client.
I’ve given it a known working config, and it doesn’t connect.
Error log contains

Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):    * Rule 'safe_mode_mark_save'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):    * Zone 'lan'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):    * Zone 'wan'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):    * Zone 'guest'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):    * Zone 'wgclient'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Set tcp_ecn to off
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Set tcp_syncookies to on
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Set tcp_window_scaling to on
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Running script '/etc/firewall.nat6'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Running script '/etc/firewall.swap_wan_in_conn_mark.sh'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Running script '/etc/firewall.vpn_server_policy.sh'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Running script '/var/etc/gls2s.include'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):    ! Skipping due to path error: No such file or directory
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001):  * Running script '/usr/bin/gl_block.sh'
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001): Failed to parse json data: unexpected character
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001): uci: Entry not found
Tue Apr 16 13:13:49 2024 daemon.notice netifd: wgclient (11001): cat: can't open '/tmp/run/wg_resolved_ip': No such file or directory
Tue Apr 16 13:13:49 2024 daemon.notice netifd: Interface 'wgclient' is now down
Tue Apr 16 13:13:49 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Tue Apr 16 13:13:49 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()

I can confirm the VPN server does have port 51820 open. I have other clients connected. I can also confirm that I have taken the config for this Beryl AX router and put it on another device and it connected. But when putting it on the Beryl, it won’t.

I haven’t set up anything as this is a brand new router. I have also tried manually entering the config rather than give it a config file. I have checked the forum for other issues, installed some opkg file they said to install:

root@GL-MT3000:~# opkg install iptables-mod-conntrack-extra

but still doesn’t work. I’d appreciate some assistance please.

Extra information:

This is not a commercial VPN like mullvad/nord/surfshark; this is a self-hosted wireguard VPN running on my own private server.

The VPN does work for other clients. I have two phones, and my laptop all connecting just fine.
I’ve also taken the config for my laptop, put it on the BerylAX and it does not work. It does work on the laptop.

This is definitely something wrong on the Beryl AX side. There are numerous similar issues reported on the forum. I am not blocking anything on my internet connection, other devices can reach just fine, it’s just the Beryl that cannot establish a connection to the wireguard server.

Firmware version is 4.5.16 “release 3”

Beryl AX here, also an Opal and a Mango.
Wireguard working on all three to my private wireguard vps server.

Same Firmware version on my Beryl AX, routing over a UK FTTP connection via an Openwrt router, but also tested with a ZTE MC888 and a ZTE MC7010.

What are you connecting over?

DSL at the moment. Yesterday to ensure it wasn’t anything weird with my network, I connected it directly to my 5G modem, in bridge mode with a real IP (no CGNAT) and the result was the same. I can literally take a working .conf file / keys from my phone, put it on the Beryl and it won’t connect. Just a yellow circle all the time, and the same logs as above.

sudo wg on the wireguard server shows it not even hitting the server. Yet other clients (like my phone) connect just fine.

Do you think you could possibly post your /etc/config/wireguard with the sensitive parts redacted?

cat /etc/config/wireguard

config proxy 'global'
        option global_proxy '1'

config providers 'AzireVPN'
        option auth_type '1'
        option procedure '0'
        option group_id '3782'

config providers 'Mullvad'
        option auth_type '2'
        option procedure '1'
        option group_id '6749'

config providers 'FromApp'
        option auth_type '1'
        option procedure '0'
        option group_id '9715'

config groups 'group_3782'
        option group_name 'AzireVPN'
        option group_type '1'
        option auth_type '1'
        option procedure '0'

config groups 'group_6749'
        option group_name 'Mullvad'
        option group_type '1'
        option auth_type '2'
        option procedure '1'

config groups 'group_9715'
        option group_name 'FromApp'
        option group_type '3'
        option auth_type '1'
        option procedure '0'

config groups 'group_4967'
        option group_name 'New Provider'
        option group_type '2'
        option auth_type '0'

config peers 'peer_2001'
        option group_id '4967'
        option name 'beryl'
        option address_v4 '10.226.86.15/24'
        option address_v6 ''
        option end_point 'x.x.x.x:51820'
        option private_key ''
        option public_key ''
        option presharedkey_enable '1'
        option preshared_key ''
        option allowed_ips '0.0.0.0/0, ::0/0'
        option dns '10.226.86.1'
        option persistent_keepalive '25'
        option local_access '0'
        option masq '1'


Mine doesn’t appear to be much different. Besides the order of some things but no pre-shared key (I’m not using one) and no IPv6.

config groups 'group_6525'
	option group_type '2'
	option auth_type '0'
	option group_name 'VPS_UK'

config peers 'peer_6760'
	option group_id '6525'
	option name 'VPS_UK'
	option persistent_keepalive '25'
	option address_v4 '10.20.30.6/24'
	option private_key '='
	option public_key '='
	option allowed_ips '0.0.0.0/0'
	option dns '1.1.1.1'
	option ipv6_enable '0'
	option presharedkey_enable '0'
	option local_access '0'
	option masq '1'
	option mtu '1420'
	option end_point '<my VPS IP>:51820'

Going to re-install my wireguard server and create some new keys.
I can’t explain why a working config on my phone won’t work on the router.

Well, this is embarrassing.

Seems that I have two clients using the same client IP.
I’ve now resolved it.
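
The cause found in the last post, two clients sharing one client IP, can be checked for on the server, where WireGuard ties each allowed IP to a single peer. The following is an added example, not code from the thread: it assumes a wg-quick style server config and reports peers whose AllowedIPs overlap; the sample config, its addresses and the key placeholders are constructed.

```python
import ipaddress
from itertools import combinations

# Constructed sample of a wg-quick style server config; keys are placeholders.
SAMPLE_SERVER_CONF = """\
[Interface]
Address = 10.226.86.1/24

[Peer]  # phone
PublicKey = <phone-public-key>
AllowedIPs = 10.226.86.14/32

[Peer]  # laptop
PublicKey = <laptop-public-key>
AllowedIPs = 10.226.86.15/32

[Peer]  # beryl, given the laptop's address by mistake
PublicKey = <beryl-public-key>
AllowedIPs = 10.226.86.15/32, fd00:86::15/128
"""

def parse_peers(conf_text):
    """Return [(public_key, [ip_network, ...])] for every [Peer] section."""
    peers, in_peer = [], False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("["):
            in_peer = line.lower() == "[peer]"
            if in_peer:
                peers.append([None, []])
        elif in_peer and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            if name.lower() == "publickey":
                peers[-1][0] = value
            elif name.lower() == "allowedips":
                peers[-1][1] += [ipaddress.ip_network(v.strip(), strict=False)
                                 for v in value.split(",") if v.strip()]
    return [(key, nets) for key, nets in peers]

def find_overlaps(peers):
    """Return (key_a, key_b, net_a, net_b) for each overlapping AllowedIPs pair."""
    return [(ka, kb, str(a), str(b))
            for (ka, na), (kb, nb) in combinations(peers, 2)
            for a in na for b in nb
            if a.version == b.version and a.overlaps(b)]

if __name__ == "__main__":
    for ka, kb, a, b in find_overlaps(parse_peers(SAMPLE_SERVER_CONF)):
        print(f"overlap: {a} ({ka}) <-> {b} ({kb})")
```

The check also catches partial overlaps, such as one peer holding a /24 that contains another peer's /32.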