Flint 2 - Wireguard client stuck at "The client is starting, please wait…"

yjc · March 26, 2024, 12:03pm

So, I’ve signed up to a VPN service (****shark) that supports Wireguard.

I have no problem directly connecting my Mac/Phone to any of its available VPN servers using Wireguard protocol, but I simply cannot get it to work on the Flint 2.

I followed the official instruction and created/downloaded the configuration file for GL iNet routers. Flint 2 was connected fine when I am in Hong Kong, but stopped working once Im in mainland China (the Phone/Mac VPN client still works though).

How can this be? Is there some additional rules that the router is running to block outgoing connection Wireguard connection if it detects it’s (WAN IP is) in mainland China? If so, will installing a clean firmeware help?

This is the log:

Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Rule ‘wan_in_conn_mark’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Rule ‘lan_in_conn_mark_restore’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Rule ‘out_conn_mark_restore’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘lan’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘wan’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘guest’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Zone ‘wgclient’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Set tcp_ecn to off
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Set tcp_syncookies to on
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Set tcp_window_scaling to on
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/etc/firewall.nat6’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/etc/firewall.swap_wan_in_conn_mark.sh’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/var/etc/gls2s.include’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): ! Skipping due to path error: No such file or directory
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/usr/bin/gl_block.sh’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): * Running script ‘/etc/firewall.vpn_server_policy.sh’
Tue Mar 26 19:58:01 2024 daemon.notice netifd: wgclient (18031): cat: can’t open ‘/tmp/run/wg_resolved_ip’: No such file or directory
Tue Mar 26 19:58:02 2024 daemon.notice netifd: Interface ‘wgclient’ is now down
Tue Mar 26 19:58:02 2024 daemon.notice netifd: Interface ‘wgclient’ is setting up now
Tue Mar 26 19:58:02 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()

admon · March 26, 2024, 12:14pm

Wireguard does not work in CN from this router.
By using your Mac / Phone it will use other protocols.

yjc · March 26, 2024, 1:19pm

Thanks Admon for your quick reply but I cannot agree to this:

As you can see from my Mac’s VPN client, it is certainly using Wireguard.

Renato · March 26, 2024, 1:34pm

What is in this script?

admon · March 26, 2024, 2:29pm

Maybe you are happy and found a server that is working this time.
Mostly, WireGuard isn’t supported, and it does not make sense to invest much time into this, imho.

Perhaps @alzhao can say something about it?

yjc · March 27, 2024, 4:38am

The service provider I use have servers available for China connection in 7 countries, Wireguard works on all of them and on any of my devices, except Flint 2.

So my concern isn’t Wireguard, but possibly Flint 2 has built-in some blocking rules.

yjc · March 27, 2024, 4:40am

Precisely - I don’t think the problem is with China blocking Wireguard, it looks like Flint 2 runs some scripts to see if WAN is in an acceptable country first, then double check if WAN is in a blocked country before allowing Wireguard connection. I’ve emailed their official support to see if I can get an answer.

admon · March 27, 2024, 6:28am

Never ever.

That would make no sense at all.
Just look into the script if you want to know what it does.

The CN fw version does not contain VPN GUI elements at all.

You are wrong. CN blocks most VPNs.

alzhao · March 27, 2024, 6:48am

Wireguard is not fully blocked in China. But in most places Wireguard + commercial vpn is blocked.

Even it is not blocked when you started to use that, it will be blocked soon during your use.

yjc · March 27, 2024, 7:01am

Thank you for the update, the question I have is why client-side Wireguard works while router-side (Flint 2) WG does not, at the same time, any suggestions?

I’m in fact using a computer with a WG VPN client behind Flint 2 at the moment…

admon · March 27, 2024, 7:13am

Because the App on the PC might utilize different protocols or techniques like ShadowSocks.

slesar · March 27, 2024, 7:20am

Did you change country code in your router? Maybe router detect in China then stop working any vpn.

admon · March 27, 2024, 7:29am

That’s not how this works.

@alzhao might correct me, but in my opinion it works not based on any settings you can change. The china-version of the router has a “CN” flag inside the EEPROM - so it’s not changeable by users, at least not without knowing where to look. You can’t convert your CN device to an international one, nor the other way around. The CN version will not stop users from using VPN - but you need to utilize luci or shell then, because in the CN version the VPN stuff is simply hidden from the GL GUI.

The CN firewall is pretty powerful and a great piece of computer science. Even if I don’t like why it exists I have to admit that the technique behinds it, is simply awesome. For more information feel free to watch How the Great Firewall discovers hidden circumvention servers - media.ccc.de

alzhao · March 27, 2024, 7:43am

Most likely using a modified protocol.

But you can also try different servers. Some servers might work.

yjc · March 27, 2024, 8:03am

Thank you, that makes a lot of sense.

There are only 7 servers so will try them all

yjc · March 31, 2024, 3:22pm

Guys - just an udpate - I managed to get this to work by contacting the VPN service providers support.

I won’t share any more details in case the post get picks up by google, but feel free to DM me if you have similar challenges.

I’ll also appreciate if the moderator can help me remove the first line of my original post.

admon · March 31, 2024, 3:24pm

So you won’t tell us what the fix is?
O-okay. That’s not how forums work, mostly.

yjc · March 31, 2024, 3:26pm

Kinda’ did - by contacting their support, just don’t want Google to pick up the VPN provider from this post and bump it up to the GFW’s priority list .

Bottomline is , Flint 2 + Wireguard works (for now) in mainland China. No fancy / complex config / ssh, just need to pick the right provider and get their support to help you. Problem solved in 30 seconds by new config files (plus a minute or so to re-boot the router).

admon · March 31, 2024, 3:27pm

That’s not how the GFW works. They don’t need Google for that.
So I guess the VPN provider has some special servers which are not (yet) detected by the GFW. Don’t worry, that’s pretty common.

yjc · March 31, 2024, 3:29pm

its the people behind GFW that i’m worried about - they can sign up an account and play things out easily.

Anyway, now I can watch formula 1 on sky and motogp on tnt sports, which I have paid a fortune for, instead of trying to search pirate streams every weekend! NICE!