Connect GL.iNet to Unifi Dream Machine (UDM) Pro via Wireguard

I'm trying to give a cheap GL.iNet to family in a different location to hook into their router to allow me to reverse VPN to their location to teleport my TV network traffic to their region. My video provider has started sniffing out known public VPN IP addresses. My family isn't super tech savvy, so having them set up port forwarding so that they are the server isn't really possible. I'm trying something similar to this community post (Site to Site VPN to UNIFI UDM Pro), but wanted to try to enable with Wireguard.

The first part of this setup is to have the GL.iNet router as a client connecting to the UDM WireGuard server. The server was set up and a config file generated (attached). I was able to use this config file with the official Mac client (found in the Apple App Store) to connect to the server.

However, when I try to connect with the GL.iNet device, I get the following error:

```
Sat Jan 4 12:37:47 2025 kern.info kernel: [ 1040.487412] wireguard: wireguard-hotplug IFNAME=wgclient ACTION=REKEY-TIMEOUT
```

I have tried SSH to both UDM (server) and GL.iNet (client) to directly configure the setup. My buddy claude.ai ran out of tokens trying to help me as well. Here is the respective config on both sides.

Config file (note: both sides have been torn down by now):

```ini
[Interface]
PrivateKey = cFNCca[redacted]mqQP2DI2RP/ZqIzB76MAuLsmY=
Address = 192.168.4.2/32
DNS = 192.168.4.1

[Peer]
PublicKey = 32n6dX[redacted]eem/6yIZyQgqClqqFAEiiTnemQ=
AllowedIPs = 192.168.4.1/32,192.168.4.2/32,0.0.0.0/0
Endpoint = [hidden].freeddns.org:9456
```

SERVER wg show:

```
root@Dream-Machine-Pro-Max:~# wg show all
interface: wgsrv1
  public key: 32n6dX[redacted]eem/6yIZyQgqClqqFAEiiTnemQ=
  private key: (hidden)
  listening port: 9456

peer: MjL2Nyv2[redacted]JQH8OgmQMrMve1rs9Ol7wiI=
  endpoint: 192.168.1.234:42702
  allowed ips: 0.0.0.0/0
  latest receive: 3 seconds ago
  transfer: 35.70 KiB received, 104.57 KiB sent
  forced handshake: every 10 seconds
```

CLIENT wg show:

```
root@GL-SFT1200:~# wg show
interface: wgclient
  public key: MjL2Nyv2[redacted]JQH8OgmQMrMve1rs9Ol7wiI=
  private key: (hidden)
  listening port: 45746

peer: 32n6dX[redacted]eem/6yIZyQgqClqqFAEiiTnemQ=
  endpoint: [my internet facing IP address]:9456
  allowed ips: 0.0.0.0/0
  transfer: 0 B received, 296 B sent
  persistent keepalive: every 25 seconds
```

Check our troubleshooting guide: How to troubleshoot WireGuard

Update on the progress. I updated my GL.iNet firmware to version 4.3.25 and the exact same config, without any change, started to work. I have my UDM Pro set up as the server and my GL set as the client, and the connection is no longer timing out. There must have been a bug in a past version.

I had this occur again, and it turned out the solution was to just reboot the GL.iNet device. I was also finally able to get the reverse routing set up between the two by doing the following:

On the GL.iNet ('client'):

MORE SETTINGS → Advanced (LuCI)
Network → Firewall → Zones → click Edit next to lan → under Covered networks tick wgclient → Save & Apply

Still in LuCI ▸ Firewall ▸ Zones → click Edit next to wan → tick Masquerading and MSS clamping → Save & Apply

SSH to the device:

```bash
ssh -o HostKeyAlgorithms=+ssh-rsa root@192.168.8.1
```

First, let's add the required rules manually with explicit chain positioning:

```bash
iptables -I FORWARD 1 -i wgclient -j ACCEPT
iptables -I FORWARD 2 -i wlan-sta0 -o wgclient -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD 3 -i wgclient -o wlan-sta0 -j ACCEPT
```

Add the NAT masquerade rule:

```bash
iptables -t nat -I POSTROUTING 1 -o wlan-sta0 -s 192.168.3.0/24 -j MASQUERADE
```

Now check the rules:

```bash
iptables -L FORWARD -v -n | head -15
iptables -t nat -L POSTROUTING -v -n | head -10
```

On the UDM (Seattle side):

1. Modified the WireGuard peer configuration to allow broader IP ranges:

```bash
# Exported config
wg showconf wgsrv1 > wg.conf
# Modified AllowedIPs in wg.conf from 192.168.3.2/32 to:
#   AllowedIPs = 192.168.3.0/24, 192.168.1.0/24, 0.0.0.0/0
# Applied new config
wg setconf wgsrv1 wg.conf
```

2. Added a routing table for TV traffic:

```bash
echo "100 tv_tunnel" >> /etc/iproute2/rt_tables
ip route add default via 192.168.3.2 dev wgsrv1 table tv_tunnel
```

3. Added policy-based routing for the TV:

```bash
ip rule add from 192.168.1.58 table tv_tunnel priority 100
```

4. Added NAT and forwarding rules for TV traffic:

```bash
iptables -t nat -A POSTROUTING -s 192.168.1.58 -o wgsrv1 -j SNAT --to-source 192.168.3.1
iptables -A FORWARD -s 192.168.1.58 -o wgsrv1 -j ACCEPT
iptables -A FORWARD -i wgsrv1 -d 192.168.1.58 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```