Beryl MT3000 VPN to Brume MT2500 - not sure where I am going wrong

Hi everyone and anyone,

I have been trying to resolve this issue for days but it would appear that I am too much of a simpleton to follow the incredibly straightforward set-up guides available from gl.inet.
Please help.

I have Fibre To The Home, ONT is set to bridge mode, this feeds into the Brume (MT2500) WAN port (set up to connect using PPPoE) and the LAN port of the MT2500 feeds into a network switch and off to the many devices in the home.

MT2500 seems to be working great as a Home router, with ad-guard activated and various port forwarding.

I need to access the home network remotely and have previously relied upon a Raspberry Pi running OpenVPN; this has worked great and is still running great.

I now want to use the Beryl (MT3000) as a travel router that ensures that all devices connected to the MT3000 have their traffic directed through either OpenVPN or WireGuard (MT2500 acting as server), ensures that my IP address and DNS details while travelling show as my home location, and lets me access the home network devices when required.
I do not need access from the home location to the remote location, only to do an ET and phone home.

The problem seems to be with setting up OpenVPN and WireGuard.
I have attempted all the guides provided by gl.inet; they all appear to be so straightforward to follow and complete, yet the end result is not what I wanted, expected or feel emotionally able to try to resolve on my own any further.

I had the expectation that I could just follow the guides and be laughing all the way to the pub to reward myself with a beer for a job well done.
I do not know what I am missing.

Anyone willing to help me? I will buy you a beer…or however many you think you would need!

I have tried to include as much info below as I can….

I am using DDNS (glddns) as I do not have a fixed IP from my ISP.
AdGuard is turned on but doesn't make a difference to the success of the VPN if I turn it off.
DNS settings under 'Network' are set to Automatic. I have played with this in various ways; it doesn't make much difference to the success of the VPN.
Under 'Firewall' I have set up port forwarding to all required devices.

MT2500 (Brume) VPN Server set-up:
'Allow Remote Access LAN' and 'IP Masquerading' are turned on for both OpenVPN and WireGuard.
'Enable VPN Cascading' is turned off.
No 'Route Rules' are set up on either OpenVPN or WireGuard.

User setting file under WireGuard:
[Interface]
Address = 10.0.0.3/24
PrivateKey = xxxxxxxxxxxxx (redacted)
DNS = 64.6.64.6, 64.6.65.6
MTU = 1280

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxxxxxx.glddns.com:51820 (redacted)
PersistentKeepalive = 25
PublicKey = xxxxxxx (redacted)

I tried playing around with the MTU settings but this did not make any difference to success.

OpenVPN server settings are:
Device Mode - TUN
Protocol - UDP
Local Port - 1195
IPv4 Subnet - 10.8.0.0
IPv4 Netmask - 255.255.255.0
Authentication Mode - Username/ Password only
Enable LZO Compression - off
Enable TLS Authentication - off
Client to Client - off
Verbosity Level - 3

MT3000 (Beryl) VPN Client set-up:
'Allow Remote Access LAN' and 'IP Masquerading' are turned on for both OpenVPN and WireGuard.
'Enable VPN Cascading' is turned off.
'Allow Access WAN' is turned off and 'Services from GL.iNet Use VPN' is also off.

I am currently away from home in another country after running out of time to get this set up completely before leaving. I am grateful for having the Raspberry Pi VPN to help me access the home MT2500 to make any necessary changes.
The MT3000 is able to connect through WG and OpenVPN to the MT2500, but this is as far as it seems to be successful.

MT3000 log file for WireGuard after connecting to MT2500:
Sat Oct 7 14:02:41 2023 user.notice mwan3[9713]: Starting tracker on interface wgclient (wgclient)
Sat Oct 7 14:02:44 2023 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Sat Oct 7 14:03:39 2023 daemon.notice netifd: Network device ‘wgclient’ link is down
Sat Oct 7 14:03:39 2023 daemon.notice netifd: wgclient (13359): sh: 1: unknown operand
Sat Oct 7 14:03:39 2023 user.notice mwan3[13358]: Execute ifdown event on interface wgclient (unknown)
Sat Oct 7 14:03:40 2023 daemon.notice netifd: Interface ‘wgclient’ is now down
Sat Oct 7 14:03:40 2023 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Sat Oct 7 14:03:46 2023 daemon.notice netifd: ovpnclient (14319): Warning: Option ‘wgclient’.masq6 is unknown
Sat Oct 7 14:03:46 2023 daemon.notice netifd: ovpnclient (14319): Warning: Section ‘wgclient2lan’ refers to not existing zone ‘wgclient’
Sat Oct 7 14:04:00 2023 daemon.notice netifd: ovpnclient (16417): Warning: Option ‘wgclient’.masq6 is unknown
Sat Oct 7 14:04:00 2023 daemon.notice netifd: ovpnclient (16417): Warning: Section ‘wgclient2lan’ refers to not existing zone ‘wgclient’
Sat Oct 7 14:12:00 2023 user.notice wgclient-up: env value:SHLVL=2 GL_SERVICE_QUEUE=1 PWD=/
Sat Oct 7 15:21:01 2023 daemon.notice netifd: Interface ‘wgclient’ is setting up now
Sat Oct 7 15:21:01 2023 daemon.notice netifd: wgclient (30933): Error: inet6 prefix is expected rather than "".
Sat Oct 7 15:21:01 2023 daemon.notice netifd: Network device ‘wgclient’ link is up
Sat Oct 7 15:21:01 2023 daemon.notice netifd: Interface ‘wgclient’ is now up
Sat Oct 7 15:21:01 2023 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=2 J_V_keep=1 HOME=/ HOTPLUG_TYPE=wireguard T_J_V_interface=string J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_4775 group_4094 group_7061 group_8068 peer_2001 peer_2002 CONFIG_cfg030f15_ports=
Sat Oct 7 15:21:02 2023 user.notice mwan3[31192]: Execute ifup event on interface wgclient (wgclient)
Sat Oct 7 15:21:02 2023 user.notice mwan3[31192]: Starting tracker on interface wgclient (wgclient)
Sat Oct 7 15:21:04 2023 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)

MT3000 log file for OpenVPN after connecting to MT2500:
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Rule ‘wan_in_conn_mark’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Rule ‘lan_in_conn_mark_restore’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Rule ‘out_conn_mark_restore’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Zone ‘lan’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Zone ‘wan’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Zone ‘guest’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Zone ‘ovpnclient’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Set tcp_ecn to off
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Set tcp_syncookies to on
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Set tcp_window_scaling to on
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Running script ‘/etc/firewall.nat6’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Running script ‘/etc/firewall.swap_wan_in_conn_mark.sh’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Running script ‘/var/etc/gls2s.include’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): ! Skipping due to path error: No such file or directory
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Running script ‘/usr/bin/gl_block.sh’
Sat Oct 7 15:23:15 2023 daemon.notice netifd: ovpnclient (4957): * Running script ‘/etc/firewall.vpn_server_policy.sh’
Sat Oct 7 15:23:16 2023 user.notice mwan3[5053]: Execute ifup event on interface ovpnclient (ovpnclient)
Sat Oct 7 15:23:16 2023 user.notice mwan3[5053]: Starting tracker on interface ovpnclient (ovpnclient)
Sat Oct 7 15:23:18 2023 daemon.notice ovpnclient[4957]: Initialization Sequence Completed
Sat Oct 7 15:23:18 2023 user.notice firewall: Reloading firewall due to ifup of ovpnclient (ovpnclient)

I have tried playing with the 'Block Non-VPN Traffic' and/or the 'Global Proxy' / 'Auto Detect' settings with mixed success and failure; see the following:

WireGuard:
Block non-vpn traffic ON and global proxy ON
CAN NOT access remote devices
CAN NOT browse the internet

Block non-vpn traffic ON and auto detect ON
CAN NOT access remote devices
CAN NOT browse the internet

Block non-vpn traffic OFF and Global Proxy ON
CAN NOT access remote devices
CAN browse the internet
ipleak shows the ip address as remote (my home country) but the DNS does not show any results

Block non-vpn traffic OFF and auto detect ON
CAN NOT access remote devices
CAN browse the internet
ipleak shows the ip address as remote (my home country) but the DNS as local (my temporary country)

OpenVPN:
Block non-vpn traffic ON and global proxy ON
CAN NOT access remote devices
CAN browse the internet
ipleak shows the ip address as remote (my home country) but the DNS does not show any results

Block non-vpn traffic ON and auto detect ON
CAN NOT access remote devices
CAN NOT browse the internet

Block non-vpn traffic OFF and Global Proxy ON
CAN NOT access remote devices
CAN browse the internet
ipleak shows the ip address as remote (my home country) but the DNS does not have any results

Block non-vpn traffic OFF and auto detect ON
CAN NOT access remote devices
CAN browse the internet
ipleak shows the ip address and DNS as local (my temporary country)

I have set up the MT3000 with the config file for connecting through OpenVPN to the Raspberry Pi back-up, and the results for how this works are:

OpenVPN from MT3000 to Raspberry Pi
Block non-vpn traffic ON and global proxy ON
CAN access remote devices
CAN NOT browse the internet

Block non-vpn traffic ON and auto detect ON
CAN access remote devices
CAN NOT browse the internet

Block non-vpn traffic OFF and Global Proxy ON
CAN NOT access remote devices
CAN browse the internet
ipleak shows the ip address and DNS as remote (my home country)

Block non-vpn traffic OFF and auto detect ON
CAN access remote devices
CAN browse the internet
ipleak shows the ip address as local (my temporary country) and DNS as remote (my home country).

*** Additional info ***

MT3000 firmware is 4.4.5 release1
MT2500 firmware is 4.4.6 release1

How did you set up port forward? This should be done on your main router if you have one.

Hello alzhao,

Brume (MT2500) is set as my main router, the ISP provided ONT is set in Bridge mode so does not require any additional settings.

Does the MT2500 (VPN server) require any additional port forwarding settings to allow the VPN to work?
I have set up port forwarding to my required devices… but does WireGuard or OpenVPN require additional 'internal' port forwarding within the MT2500 in order to work?

Additional port forwarding is not required according to the gl.inet user guides.

After a remote check, we found the endpoint device (Raspberry Pi) has the same tunnel IP range as the MT2500 OpenVPN server, both 10.8.0.0.
So changing one IP should solve this issue.

Hansome,

Thanks for your assistance so far, and it looks like we lost connection there. I don't have your contact details to contact you directly…

I agree that we can now ping the following IP addresses using either WG or OpenVPN (through MT2500 and Raspberry Pi) with Global Proxy turned on and Block Non-VPN Traffic turned on:

192.168.0.99

192.168.0.8

192.168.0.15

Unfortunately, when connected to OpenVPN (MT2500 or Raspberry Pi) or WireGuard (through MT2500), I have internet browsing but still cannot access remote devices from their web interfaces or their network shares, which is the main reason I needed help.

Web interfaces:

192.168.0.99:1234

192.168.0.8:8080

192.168.0.15:82

I cannot connect to the home router/server 192.168.0.1 web interface either.

Can we arrange another assistance to look into this further?

Thanks

Thank you to handongming for looking into this for me!

For anyone else that may need to know the end result of this:

The issue appears to be that the home network router (MT2500) uses IP 192.168.0.1 and the remote travel router (MT3000) is on a network where the local router (not accessible by me) is also 192.168.0.1.

Once home, I will change the home network to a different IP subnet, eg. 192.168.6.1 (or other random subnet) and hope that I don’t ever need to connect to a router while travelling that also happens to use the same subnet.

Until I make the change on the home network, whenever I need to reconnect to either of the VPNs, I must manually add the IP route via SSH on the MT3000.

Hope the above helps anyone else that may be struggling like I did.
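Both root causes found in this thread are the same condition: two IPv4 blocks that overlap (the Raspberry Pi and the MT2500 both serving OpenVPN clients from 10.8.0.0, and the home LAN 192.168.0.0/24 colliding with the LAN the travel router is plugged into). The POSIX shell snippet below is an added example, not code from the thread, from GL.iNet or from OpenWrt; the function names (`ip4_to_int`, `cidr_network`, `cidr_overlap`, `remote_lan_reachable`) are my own, and the sample blocks at the bottom are constructed from the values quoted in the thread. It runs in the BusyBox `sh` found on GL.iNet routers as well as on a laptop, so it can be used as a pre-flight check before enabling the VPN client.

```shell
#!/bin/sh
# Added example (not the thread's, GL.iNet's or OpenWrt's code): detect
# overlapping IPv4 CIDR blocks, the condition behind both failures above.

# ip4_to_int 192.168.0.1 -> 3232235521 (dotted quad to 32-bit integer)
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# cidr_network 192.168.0.99/24 -> "3232235520 24" (network integer, prefix)
# A bare address without "/len" is treated as a /32 host.
cidr_network() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" = "$1" ] && plen=32
    if [ "$plen" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    fi
    echo $(( $(ip4_to_int "$addr") & mask )) "$plen"
}

# cidr_overlap A B -> exit 0 if the two blocks share any address, 1 if not.
# Two blocks overlap exactly when, masked to the shorter of the two prefixes,
# their network addresses are equal.
cidr_overlap() {
    set -- $(cidr_network "$1") $(cidr_network "$2")
    if [ "$2" -le "$4" ]; then p=$2; else p=$4; fi
    [ "$p" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
    [ $(( $1 & mask )) -eq $(( $3 & mask )) ]
}

# The travel-router situation: will a VPN route to the home LAN be ambiguous
# because the network the router is plugged into uses the same addresses?
# Prints a verdict and returns 1 on conflict so it can gate a VPN start script.
remote_lan_reachable() {
    home=$1; upstream=$2
    if cidr_overlap "$home" "$upstream"; then
        echo "CONFLICT: home LAN $home overlaps upstream LAN $upstream; routes to home hosts are ambiguous"
        return 1
    fi
    echo "OK: home LAN $home does not overlap upstream LAN $upstream"
}

# Constructed sample pairs taken from the values quoted in the thread.
for pair in \
    "10.8.0.0/24 10.8.0.0/24" \
    "192.168.0.0/24 192.168.0.0/24" \
    "192.168.6.0/24 192.168.0.0/24" \
    "10.0.0.0/24 192.168.0.0/24"
do
    set -- $pair
    if cidr_overlap "$1" "$2"; then echo "$1 overlaps $2"; else echo "$1 and $2 are distinct"; fi
done
remote_lan_reachable 192.168.0.0/24 192.168.0.0/24 || true
remote_lan_reachable 192.168.6.0/24 192.168.0.0/24
```

On the router, the upstream LAN to feed into `remote_lan_reachable` is the address the WAN side received from the hotel or office network (visible with `ip -4 addr show` on the WAN interface), and the home LAN is whatever the MT2500 hands out. Running the check before bringing the tunnel up turns the silent "can browse but cannot reach home devices" symptom into an explicit verdict; the fix, as the final post says, is to move the home LAN to a less common block rather than to keep adding routes by hand.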
