Mostly just a PSA, but will troubleshoot when I get more time.
So I have not had time to troubleshoot this issue, but I maintain a wireguard connection from my RV to my home. I generally backhaul all internet traffic from the X3000 to my home. This has worked well and I can maintain access to the hosts in the RV and the router itself from home.
I knew the risk and it wasn't a big deal, but I upgraded to 4.8 while saving the configuration. Router rebooted, all seemed well, the vpn did not auto connect like it normally does. So I log into the router (using tailscale to another host at my RV) and enable the wireguard connection. This is where things went sideways.
I could still access the devices over the wireguard VPN, but I could not access the router at all. Not via https, not via ssh. The only way I regained access to the router itself at that point was to remove the SIM card and reboot with no WAN so the VPN would not connect.
It will be a minute before I can get back out to the RV to troubleshoot, but I might wait until 4.8 is a stable release. There was no real reason to upgrade from a feature perspective and I am happy to stay on 4.7.4 for now. I will do some testing on my Flint3 before I put it into place to replace my current router once it is more stable as well.
Before I go down this path, does anyone have any explanations on why this might have happened? My first step will be to better understand which options on the VPN have changed to see if there are different ways to do things that need to be changed. I will also rebuild the config from scratch to see if it was just an upgrade / settings issue somewhere.
So where's the PSA? It seems more than premature. You haven't even posted examples of your WG confs never mind logs. Did you define the routes on the endpoint acting as the 'server'? You could be running afoul that v.4.8.0 had its VPN functions reworked now that PBR is a feature.
There's already enough wastes of bandwidth in this forum. Try something more than simple speculation & accusation.
Yeah, v4.8.0 on the Beryl AX is known to have bugs. What of it? How did you determine that applies to your scenario? If you haven't learned firmware versioning isn't sync'd across all devices by now I don't know what to tell you other than I'm glad you're well away from my subnets.
I've got to say here that the "4.8.0-op24" version of the firmware has been working remarkably well for my complicated VPN settings on the Flint 2 when no other previous firmware version could cope. I have a commercial wireguard VPN client on all the time, a Plex server excluded from using VPN and a wireguard server running on the router receiving connections from remote clients to my home LAN and its IP subnet while the VPN client tunnel is running at the same time. I have never had this working more smoothly before and will have to give a lot of credit to the developers on this occasion.
I haven't had time to get back out to the RV to identify the actual issue. I have an X3000 in my RV connecting to a Debian wireguard server at my home. I am not using a public vpn provider.
4.7.4 (0704release5) - I have a wireguard vpn connection from RV to my home that routes all traffic over the wireguard tunnel. I can access hosts in my RV directly, and RV hosts can access hosts at home. Everything works as expected. I can access the RV router via the RV subnet address from home or from hosts at the RV without issue. I can also access the wireguard VPN ip from home to the router.
I upgraded to the latest 4.8 beta (7/14/2025) while keeping the settings from 4.7.4. I can access the router from the RV hosts without issue initially. However, once I bring up the wireguard VPN on the router RV, I lose http, luci, and ssh access to the router. I can ping it but that is all from either side of the connection. I went out to the RV and the only way I could get access back to the router was to pull the sim card out and reboot it without WAN. I was then able to access the router and disable the VPN. Every time I connect the VPN I lose connection to the router, even from the local network.
When I get more time I will go back out and try to spend some time testing things, but an in place upgrade did not work for me. It is not a huge deal to wipe it and start over with it, but if I am going to do that, I will wait for a stable release.
Just a note - I am not using IP masquerading on my setup since both subnets are known to one another and routed properly. In my case, I could not even access the 192.168.255.1 address of the wireguard client router from the 192.168.255.0 network when connected. Thanks for checking this @bruce. I will start digging to see what is going on and repeat the test using the firmware you used (4.8.2 819 instead of the version I used before that was released). It is odd that I could ping the router and get a valid response with valid MAC, but could not establish a connection - seeming like it was routing local requests down the VPN instead of handling locally, but that is just a guess.
Hmm, I find this kinda unusual: 10.0.1.2/24. Doesn't it need to be 10.0.1.1/24?
If I do this on normal OpenWrt, luci is inaccessible when the client is on .2, although the vpn remains functional. I guess it is not a wrong config but not how I would do it; I know gl does that by default.
And maybe you want to use masquerading in order for port translation to work; without this, port forwarding between the wireguard server and lan is not possible.
Edit:
nvm, I think it is the masquerading problem. If /24 was working for you then it should. Normally I configure my vpns as site to site vpns, meaning the server has idd 10.0.0.1/24 but a client 10.0.0.2/32. If I started the server on 10.0.0.2/24 I would not be able to access it. I think this kinda reflects now on your client, does that make sense?
I have a separate subnet for the RV and home wireguard connection. I mimicked what my Flint2 had when I moved to my Debian server. I don't need masquerading. My Debian server is 10.0.1.1/24 and my RV router is 10.0.1.2/24.
ETA: my Debian wireguard server is behind another router and that router port forwards UDP 54125 to the Debian wireguard server port 51822. My Debian server has multiple wireguard interfaces on it.
The short story - it works perfectly on 4.7.4. I can even get to my RV from my phone when traveling. Upgraded to 4.8 and it all fell apart. Downgraded back to 4.7.4, restored the config, everything is working again. Something in the upgrade to 4.8 - either a config change or process change - causes this issue. I just don't know what it is yet.
@bruce - I am happy to dump a working 4.7.4 config if I can clean it out for you to use to test the full upgrade I performed and see if it breaks. That should eliminate most of the variables that might exist.