Cannot connect Slate router using Wireguard to Android phone

Hi All, I’ve been having no luck at all connecting to the Slate router using a WireGuard VPN connection.
I cannot get the simplest of connections working.

Android Phone>>Slate 750s router (connected via wi-fi to an iphone’s hotspot)

Firmware: (latest @ 3.007)
Wireguard app on the Android phone is v0.0.20181001.

I factory defaulted the Slate. So there should not be any other issues.
After connecting the Slate to my iPhone’s hotspot via wi-fi, I then followed the guide here (WireGuard Client - GL.iNet Docs) to set up a WireGuard server on the Slate, keeping all the defaults. Pretty simple stuff.

After adding a Client via the management tab, I clicked the Configurations icon, transferred the settings to the Android phone via the QR code and then enabled the WireGuard connection on the Android phone.

However, when I try and access any web pages on the Android phone I get nothing, zip!
When I ssh’d into the Slate and pinged the phone at 10.0.0.2, all I get back is “ping: sendto: Destination address required”.
I’ve checked the WireGuard settings on the Android phone to make sure the QR code transferred correctly.

Anyone got any ideas what is wrong?
Thanks

If the Slate is used as a WireGuard server, it has to have a public IP address. If your Slate accesses the Internet via WISP, it might have a private IP address, not a public IP address.

Hi, I have a laptop connected to the Slate through one of the LAN ports and can get internet access. So I assume I must have a public IP address.

Not necessarily; you said you’d: “transferred the settings to the Android phone via the QRCode”, but what IP address is the server’s (The Slate’s) peer address being used in the config file? If that address isn’t reachable from the Android device, you won’t be able to connect to it. IOW, try pinging the Slate from the Android device.

That doesn’t mean the Slate has a public IP address. You should attach the Slate to your ISP modem.

The laptop is attached via wifi just for configuring the Slate. I’ve now tried a different config. I’m now using a USB 3G dongle attached to the Slate. I get internet with the dongle attached fine. I then set up the WireGuard server / client.
This time the client is my iPhone; Wifi is turned off and I’m using cellular data. I can confirm it has internet access without the VPN. I then transfer the config over to the phone using the QR code and turn the VPN on. But again it does not appear to connect. I’ve checked the settings and the phone has the public IP and port of the Slate. The public/private keys are correct. If I ssh into the Slate I cannot ping the client on 10.0.0.2. There does not appear to be any initial handshake/connection. I cannot see anything wrong with the settings, or anything I might need to change. I presume the Slate opens up port 51820 and configures the firewall.

OpenVPN works fine. I just don’t want to use OpenVPN as it’s way too slow.

Below are my wireguard settings on the Slate
root@GL-AR750S:~# wg
interface: wg0
public key: jCQT…dQw=
private key: (hidden)
listening port: 51820

peer: +AY+A…EU=
allowed ips: 10.0.0.2/32
persistent keepalive: every 25 seconds

These are my client settings on the iPhone

The Endpoint is the same IP address as the one I get when I google What’s My IP.

I’ve also checked with the phone providers and they are not blocking any ports.

Thanks
Neal
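The `wg` output above has no “latest handshake” line under the peer, which is what “no initial handshake” looks like from the server side: the client has never reached the listening port. The script below is an added example (not from the thread, not GL.iNet firmware); it parses `wg show` text and lists peers that have never handshaked. The sample output is constructed to mirror the format above, with fake keys and a constructed second peer that has handshaked, so the script runs offline; on the router you would feed it `wg show` instead.

```shell
#!/bin/sh
# Added example: flag WireGuard peers that have never completed a handshake.
# A peer block without a "latest handshake:" line means the server has never
# received a valid initiation from that client.

# Constructed sample in the layout `wg show` prints; keys and addresses are fake.
SAMPLE_WG_OUTPUT='interface: wg0
  public key: jCQT...dQw=
  private key: (hidden)
  listening port: 51820

peer: +AY+A...EU=
  allowed ips: 10.0.0.2/32
  persistent keepalive: every 25 seconds

peer: ZZZZ...AAA=
  endpoint: 203.0.113.7:39877
  allowed ips: 10.0.0.3/32
  latest handshake: 12 seconds ago
  transfer: 1.21 KiB received, 2.40 KiB sent
  persistent keepalive: every 25 seconds'

# peers_without_handshake: reads `wg show` text on stdin and prints the public
# key of every peer whose block contains no "latest handshake:" line.
peers_without_handshake() {
    awk '
        function flush() { if (peer != "" && !seen) print peer; peer = ""; seen = 0 }
        /^peer: /           { flush(); peer = $2; seen = 0; next }
        /latest handshake:/ { seen = 1; next }
        END                 { flush() }
    '
}

# check_handshakes TEXT: returns 0 when every peer has handshaked, 1 otherwise,
# and prints the peers still waiting plus the port the client has to reach.
check_handshakes() {
    missing=$(printf '%s\n' "$1" | peers_without_handshake)
    if [ -n "$missing" ]; then
        port=$(printf '%s\n' "$1" | awk '/listening port:/ { print $3 }')
        printf 'No handshake yet from peer(s):\n%s\n' "$missing"
        printf 'Hint: nothing has reached UDP port %s on this host; check that the WAN address is public and the port is reachable.\n' "$port"
        return 1
    fi
    echo "All peers have completed a handshake."
    return 0
}

# Stand-alone demo on the constructed sample; on the router use:
#   check_handshakes "$(wg show)"
check_handshakes "$SAMPLE_WG_OUTPUT" || true
```

A peer with `persistent keepalive` but no handshake is the giveaway here: keepalives only start after the first handshake, so the server itself is not sending anything either.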

Is the IP address in the endpoint the same as the IP address you see on the admin web page? Could you take a screenshot of the INTERNET tab? It looks like this.

Should the IP Address shown be a public one?
The modem attached via the USB slot is a ZTE MF730 model. Even though the docs describe it as a modem, the Slate always tethers the device and it never shows up in the 3G/4G Modem section.

Many Thanks

It is a private IP address, not a public IP address. Therefore, the WireGuard client fails to connect to your Slate, which is acting as the server.

If it works in tethering mode, it should have its own UI on 192.168.0.1

You can set up port forward in the modem.

But most importantly, make sure your carrier allows you to run a server. This is generally not possible with carriers.

Ok, forgive my noob questions, trying to understand all this.

So these USB dongles aren’t pure modems. They’re modems + routers, and without forwarding, the packets on port 51820 won’t get through, is that correct? Unfortunately the dongle does not have a port forward config page and is not accepting ssh requests.

Can you get a pure USB mobile modem that will provide the Slate with just a public IP? If so, any recommendations?

Do I need the Slate to also have a public IP (rather than a private tethered one) if I use the Slate as a WireGuard client, and not as a server?

Thanks

Problem is, that’s up to the carrier, unfortunately. Almost every provider (in the US, at least, YMMV) will (CG)NAT all consumer-grade mobile connections (and some even CGNAT IPv6!). You’d have to see if your carrier will allow you to get a static IP for your account, but then you may venture into Enterprise-grade territory and I have no idea what pricing is for that.
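The two replies above come down to one check: is the address on the Slate’s INTERNET tab a public one, and is it the same address the outside world sees? The script below is an added example (not from the thread, not GL.iNet firmware) that classifies an IPv4 address into the RFC 1918 private ranges, the RFC 6598 carrier-grade NAT range (100.64.0.0/10) that mobile carriers typically hand out, loopback, link-local or public, and then explains whether a WireGuard server on the router can be reached. The sample addresses are constructed (192.168.0.100 stands in for a tethered dongle, 100.70.1.2 for a CGNAT carrier address, 203.0.113.45 for an external address); on the router you would pass the WAN address from `ifconfig`/the admin page and the address a “what is my IP” service reports.

```shell
#!/bin/sh
# Added example: classify a router's WAN address and decide whether an
# incoming WireGuard handshake can reach a server listening on it.

# ip_class ADDR: prints loopback, link-local, private, cgnat, public or invalid.
# Returns 1 for invalid input so callers can stop early.
ip_class() {
    addr=$1
    # Reject anything that is not digits and dots, or has empty octets.
    case $addr in
        *[!0-9.]*|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    set -- $(printf '%s\n' "$addr" | tr . ' ')
    [ $# -eq 4 ] || { echo invalid; return 1; }
    for o in "$@"; do
        [ "$o" -le 255 ] || { echo invalid; return 1; }
    done
    a=$1 b=$2
    if [ "$a" -eq 127 ]; then echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then echo link-local
    elif [ "$a" -eq 10 ]; then echo private                                  # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo private   # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo private             # 192.168.0.0/16
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo cgnat    # 100.64.0.0/10
    else echo public
    fi
}

# wg_server_reachability WAN_ADDR EXTERNAL_ADDR: returns 0 only when the WAN
# address is public and identical to the externally observed address, which is
# the precondition for a WireGuard server on the router to accept handshakes.
wg_server_reachability() {
    wan=$1 ext=$2
    cls=$(ip_class "$wan") || { echo "invalid WAN address: $wan"; return 2; }
    if [ "$cls" = public ] && [ "$wan" = "$ext" ]; then
        echo "reachable: WAN address $wan is public and matches the external address"
        return 0
    fi
    case $cls in
        private) echo "not reachable: WAN $wan is RFC 1918; the upstream router/dongle must forward UDP 51820 to this host" ;;
        cgnat)   echo "not reachable: WAN $wan is carrier-grade NAT (100.64.0.0/10); no port forward is possible on the carrier side" ;;
        public)  echo "not reachable: WAN $wan is public but differs from external $ext, so another NAT sits in between" ;;
        *)       echo "not reachable: WAN $wan is $cls" ;;
    esac
    return 1
}

# Stand-alone demo on constructed addresses. On the router, use the WAN
# address from the INTERNET tab and the address a what-is-my-IP service shows.
wg_server_reachability 192.168.0.100 203.0.113.45 || true   # tethered dongle
wg_server_reachability 100.70.1.2    203.0.113.45 || true   # carrier CGNAT
wg_server_reachability 203.0.113.45  203.0.113.45 || true   # real public WAN
```

This only answers the addressing question; a public WAN address can still be unreachable if the carrier or an upstream firewall drops inbound UDP, which is the “carrier allows you to run a server” point made earlier in the thread.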

Did I get that right: the WireGuard server is useless or not usable as an additional encryption layer for wireless (without a public IP with the necessary ports open on the WAN/ISP side)? Why? There have been issues with WPA* and I decided that I want to use the WireGuard server as an extra security measure from my mobile device to the GL device where the “wired network begins”, even when I use the GL device in WISP mode in a hotel, behind their network without ports forwarded (to the GL device). So yes, I also expected that after turning the WireGuard server on and configuring mobile devices connected to the same device over wireless with the QR code it would work out of the box - even if there is no internet connection on the WAN side at all…

Well no.

If you are connecting using the wireguard client from a phone in your local network to a remote wireguard server, hosted in a datacenter or using one of the wireguard providers, you can connect using your internet without having to open ports.

You only have to open ports and need a public ip if you want to connect FROM OUTSIDE to your home network with a wireguard server running on your network or router.

Also don’t think that the LAN port in a hotel room or another place is secure. I can sit in the room next to you, use some packet sniffing and ARP injection to capture your data since hotels usually have a switch to deliver the internet to the rooms. Protecting the wifi won’t help if you don’t secure out to the net too.

Like I said, I mean that even without having a remote WireGuard server (or its subscription) it should be possible to have a WireGuard tunnel as short as from the GL wireless clients to the GL itself and that’s all (only in scenarios when there is no public IP and open ports; it would be more useful than now, as described in the first post). New feature request maybe?

But about remote connection from a remote site into a device behind my home network without open and redirected ports: I have seen that, for example, one of the Dahua network cameras has such “P2P functionality”, so that you can connect your Android client to the camera even when the ports are closed. As I understood it, it worked somehow so that the camera itself initiated a connection to some kind of (manufacturer) middle service, and when the Android client requested a connection those two were somehow bound together, as if it were a response to the request made by the camera itself.

GL has some DDNS functionality and a server for that. It would be awesome if you could implement something similar: the GL router initiates an outgoing connection to it, and when a remote client wants to connect it will somehow be added to the connection already made from inside to the public network. You can imagine the number of clients all over the world whose ISP doesn’t offer open ports and a public IP at a fair price…

GL will make a service like that but it is not ready yet. :slight_smile:

Ok, any information on when I will be an even happier GL owner than I already am? :slight_smile:
Will it work with every model which already supports the WireGuard server?

No time frame at the moment that I have heard of, just seen Alfie mention it in another thread. He also said that it should work with all routers that can run v3 firmware. :slight_smile:

I’m having the same problem as the original post but I do have an external IP.

Slate router, Mango 3.026, connected to fiber modem via Ethernet.
GL UI reports the IP address as 42.xxx.yyy.zzz. Gateway is 42.xxx.yyy.254.

DDNS gl-ddns 3.0.21: installed and enabled: pnXYZ.glddns.com

DNSWireGuard Server 4.14.63/20181119 running and using default settings.
Client setup using default settings: 10.0.0.2/32; listen 8521; DNS 64.6.64.6,

WireGuard iPhone Client 0.0.20190609.
Add a Tunnel: Client settings transferred to iPhone using QR code; no edits.
Endpoint: 42.xxx.yyy.zzz:51820; 10.0.0.2/32; Listen 39877; DNS 64.6.64.6

  1. Client settings IP
     • WG Client not connected (cellular, WiFi off): data flows ok
     • WG Client connected (cellular, WiFi off): no data flows
  2. Edit Client settings to DDNS address pnXYZ.glddns.com:51820
     • activate WG Client: error— DNS resolution failure…
  3. Delete Client settings. Reinstall via QR:
     • WG Client not connected (cellular, WiFi off): data flows ok
     • WG Client connected (cellular, WiFi off): no data flows

Any advice?

Note: OpenVPN server and client work correctly using default settings.

Is this loopback Server address the issue?
[address circled; screenshot is of iOS client -> VPN Status -> info]