Flint 2 - Wireguard client stuck at "The client is starting, please wait…"

So, I’ve signed up to a VPN service (****shark) that supports Wireguard.

I have no problem directly connecting my Mac/Phone to any of its available VPN servers using Wireguard protocol, but I simply cannot get it to work on the Flint 2.

I followed the official instruction and created/downloaded the configuration file for GL iNet routers. Flint 2 was connected fine when I am in Hong Kong, but stopped working once Im in mainland China (the Phone/Mac VPN client still works though).

How can this be? Is there some additional rules that the router is running to block outgoing connection Wireguard connection if it detects it’s (WAN IP is) in mainland China? If so, will installing a clean firmeware help?

This is the log:

Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Rule ‘wan_in_conn_mark’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Rule ‘lan_in_conn_mark_restore’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Rule ‘out_conn_mark_restore’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘lan’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘wan’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘guest’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘wgclient’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Set tcp_ecn to off
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Set tcp_syncookies to on
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Set tcp_window_scaling to on
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/etc/firewall.nat6’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/etc/firewall.swap_wan_in_conn_mark.sh’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/var/etc/gls2s.include’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): ! Skipping due to path error: No such file or directory
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/usr/bin/gl_block.sh’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/etc/firewall.vpn_server_policy.sh’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): cat: can’t open ‘/tmp/run/wg_resolved_ip’: No such file or directory
Tue Mar 26 19:58:02 2024 daemon.notice netifd: Interface ‘wgclient’ is now down
Tue Mar 26 19:58:02 2024 daemon.notice netifd: Interface ‘wgclient’ is setting up now
Tue Mar 26 19:58:02 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()

Wireguard does not work in CN from this router.
By using your Mac / Phone it will use other protocols.

Thanks Admon for your quick reply but I cannot agree to this:

As you can see from my Mac’s VPN client, it is certainly using Wireguard.

What is in this script? :thinking:

Maybe you are happy and found a server that is working this time.
Mostly, WireGuard isn’t supported, and it does not make sense to invest much time into this, imho.

Perhaps @alzhao can say something about it?

The service provider I use have servers available for China connection in 7 countries, Wireguard works on all of them and on any of my devices, except Flint 2.

So my concern isn’t Wireguard, but possibly Flint 2 has built-in some blocking rules.

Precisely - I don’t think the problem is with China blocking Wireguard, it looks like Flint 2 runs some scripts to see if WAN is in an acceptable country first, then double check if WAN is in a blocked country before allowing Wireguard connection. I’ve emailed their official support to see if I can get an answer.

Never ever.

That would make no sense at all.
Just look into the script if you want to know what it does.

The CN fw version does not contain VPN GUI elements at all.

You are wrong. CN blocks most VPNs.

Wireguard is not fully blocked in China. But in most places Wireguard + commercial vpn is blocked.

Even it is not blocked when you started to use that, it will be blocked soon during your use.

1 Like

Thank you for the update, the question I have is why client-side Wireguard works while router-side (Flint 2) WG does not, at the same time, any suggestions?

I’m in fact using a computer with a WG VPN client behind Flint 2 at the moment…

1 Like

Because the App on the PC might utilize different protocols or techniques like ShadowSocks.

Did you change country code in your router? Maybe router detect in China then stop working any vpn.

That’s not how this works.

@alzhao might correct me, but in my opinion it works not based on any settings you can change. The china-version of the router has a “CN” flag inside the EEPROM - so it’s not changeable by users, at least not without knowing where to look. You can’t convert your CN device to an international one, nor the other way around. The CN version will not stop users from using VPN - but you need to utilize luci or shell then, because in the CN version the VPN stuff is simply hidden from the GL GUI.

The CN firewall is pretty powerful and a great piece of computer science. Even if I don’t like why it exists I have to admit that the technique behinds it, is simply awesome. For more information feel free to watch How the Great Firewall discovers hidden circumvention servers - media.ccc.de

Most likely using a modified protocol.

But you can also try different servers. Some servers might work.

1 Like

Thank you, that makes a lot of sense.

There are only 7 servers so will try them all

Guys - just an udpate - I managed to get this to work by contacting the VPN service providers support.

I won’t share any more details in case the post get picks up by google, but feel free to DM me if you have similar challenges.

I’ll also appreciate if the moderator can help me remove the first line of my original post.

So you won’t tell us what the fix is? :gl_emoji_confused:
O-okay. That’s not how forums work, mostly. :smile:

Kinda’ did - by contacting their support, just don’t want Google to pick up the VPN provider from this post and bump it up to the GFW’s priority list :frowning:.

Bottomline is , Flint 2 + Wireguard works (for now) in mainland China. No fancy / complex config / ssh, just need to pick the right provider and get their support to help you. Problem solved in 30 seconds by new config files (plus a minute or so to re-boot the router).

That’s not how the GFW works. They don’t need Google for that.
So I guess the VPN provider has some special servers which are not (yet) detected by the GFW. :smiley: Don’t worry, that’s pretty common.

its the people behind GFW that i’m worried about - they can sign up an account and play things out easily.

Anyway, now I can watch formula 1 on sky and motogp on tnt sports, which I have paid a fortune for, instead of trying to search pirate streams every weekend! NICE!

1 Like