Did you try to delete the WG profile and create it from scratch?
Yes, I did remove it and re-import the .conf file I have. It’s puzzling that there is literally nothing about wireguard in the log when trying to run the client on this firmware.
Post output of wg show fr each endpoint.
Redact as required.
root@flint:~# wg show
interface: wgserver
public key:[redacted]=
private key: (hidden)
listening port: 51820
fwmark: 0x80000
peer: [redacted]=
preshared key: (hidden)
endpoint: 192.168.71.137:48285
allowed ips: 10.0.71.2/32, 192.168.118.0/24
latest handshake: 1 minute, 2 seconds ago
transfer: 1.16 MiB received, 13.10 MiB sent
persistent keepalive: every 25 seconds
There is literally no output. I am connected to WiFi in repeater mode, AdGuard is disabled. I re-imported the conf file once again and it’s stuck at “The client is starting, please wait…” while I’m running the command.
root@GL-MT3000:~# wg show
root@GL-MT3000:~#
-
cat /etc/config/wireguardfor all saved confs as Client -
cat /etc/config/wireguard_serverif running as Server
Here’s an example of a Client. MTU may be different (eg: 1420) & preshared keys are optional (but recommended where possible):
config peers 'peer_[redacted]'
option group_id '[redacted]'
option name 'myName'
option end_point '[redacted]:51820'
option private_key '[redacted]'
option public_key '[redacted]'
option presharedkey_enable '1'
option preshared_key '[redacted]'
option persistent_keepalive '25'
option ipv6_enable '0'
option mtu '1320'
option allowed_ips '0.0.0.0/0'
option local_access '1'
option default_metric '0'
option masq '1'
option address_v4 '10.0.0.2/24'
Here it is. I only need to use the VPN client.
config peers 'peer_[redacted]'
option group_id '[redacted]'
option name 'GL.iNet'
option address_v4 '10.8.0.2/24'
option address_v6 ''
option end_point '[redacted]:51820'
option private_key '[redacted]'
option public_key '[redacted]'
option presharedkey_enable '1'
option preshared_key '[redacted]'
option allowed_ips '0.0.0.0/0, ::/0'
option dns '1.1.1.1'
option persistent_keepalive '0'
option mtu '1468'
option local_access '0'
option masq '1'
It looks proper. I wonder if the hotel network is blocking port 51820.
Install nmap & port scan that UDP port of the hotel’s router:
opkg update; opkg install nmap
root@certa:~# nmap 192.168.2.1 -sU -p 51820
Starting Nmap 7.91 ( https://nmap.org ) at 2023-11-13 09:52 EST
Nmap scan report for 192.168.2.1
Host is up (0.0012s latency).
PORT STATE SERVICE
51820/udp open|filtered unknown
MAC Address: [redacted] (GL Technologies (Hong Kong) Limited)
Changing to port 443 or 80 would allow the Wireguard traffic. Especially if the hotel wifi is only allowing https and http traffic.
OP would have to get someone at that endpoint to make such a change, however. It’s a good thing the GL GUI isn’t terribly difficult to instruct someone over a voice call or email using screenshots.
I couldn’t install nmap on the temporary firmware and had to go the longer way with downloading to a USB stick and installing it from there. To make it clear: the setup I’m in right now has two routers I can choose from. Let’s call them TP-Link and Orange.
With 4.4.6 I could only connect to Orange and WG worked fine but TP-Link gave me the wrong IE_HT_CAP entries in the log and I couldn’t connect to it at all.
With the test firmware I can connect to both TP-Link and Orange but the wireguard client does not even start, judging by the complete absence of it in the log.
I performed the nmap scan and TP-Link has 51820 as closed while Orange has it as open|filtered. Wireguard works from neither router with this firmware.
In this scenario I have full control of TP-Link so I can try out whichever settings I want but this will definitely not be the case elsewhere so the solution has to be robust. @JinOhChoi What did you mean by changing to port 443 or 80? Changing Wireguard traffic to it or…?
On your Wireguard Server change the listening port from the default port 51820 and select either 443 or 80. This is a workaround (that may work) in case the hotel has blocked port 51820. Another issue maybe that wherever your endpoint is located. Make sure the Internet Service Provider doesn’t block inbound traffic for ports 443 (https) and 80 (http). Which could also be the case for non business internet connections.
I changed it on my Wireguard server to 443 (works when I connect from my phone which is in the same wifi network) but the MT3000 still won’t connect to it. As I wrote, the VPN client on the MT3000 is not even starting so the port makes no difference whatsoever. What else can we try?
I’m starting to thing there’s a regression in that particular firmware impacting WireGuard. I think GL needs to replicate & confirm your setup.
I’m bowing out of this thread but I’d be interested in reading the solution.
It looks precisely to be the case. WG used to work, connecting to some networks didn’t. Now they fixed the networks but crashed WG 
It seems a bug from Jerry’s firmware.
Need to try the snapshto firmware.
If it’s me you mean, then yes, I’ve also tried the 4.5.0 snapshot FW with the same effect as on 4.4.6 (being unable to connect to some networks).
Hi, any news so far on this issue? Is this on the roadmap for the next FW release?
In another post about captive portals you mentioned that you stopped using these travel routers and instead use a phone for multiuser WiFi. I thought you were running an app on the phone acting as the WiFi host, but here it sounds like a built-in feature of your old phone. Could you post somewhere exactly how you set up this multiuser hotspot on your phone?