Flint - AX1800 - Wireguard server endpoint question

I’m using firmware 4.1 release6 clean install.
First I enabled DDNS. Then I configured a Wireguard server and created a profile pointing to the DDNS as endpoint. Used the QR code to create the tunnel on the Android phone and all works as expected.

Then I configured a Wireguard client on the router and it works well (advertised speed) with the provider.

So, I have one Wireguard server and one client at this point. Now I cannot connect to the server anymore from my Android device.
I went ahead and created a second profile for the server and this time around the endpoint shows my Wireguard client IP (wgclient) instead of the ISP’s IP (eth0). Certainly this profile doesn’t connect from the Android device.

What am I missing here? If a Wireguard client is enabled on the router the server cannot be accessed anymore? Any suggestion?

I think it is the wg client that is causing your DDNS domain to point to the provider’s server. Do you have “Services from GL.iNet don’t Use VPN” enabled in the global options?

Yes, ‘Services from GL.iNet don’t Use VPN’ is the only option enabled in Global Options.

I have no doubt that the wg client is the issue here. If that’s not enabled the wg and DDNS server work just fine.

Does DDNS work when WireGuard client is enabled?
For example: Can the admin panel be accessed with the domain? Does it resolve to the correct IP when pinged?

You have both wireguard client and server running at the same time?

DDNS does not work when the WireGuard client is enabled. For example pinging the DDNS from a different network shows the correct IP address (the ISP). However, if I enable HTTPS access on the DDNS panel that does not work from a different network.
Also, when creating another WireGuard server access profile, the endpoint shows as the WireGuard client IP and certainly doesn’t work. If I use the DDNS as endpoint it also does not work.

Correct - that’s where the problem starts.
If only running the server, it can be properly accessed from any of the created profiles on both the endpoint as IP or DDNS.

Sent you a method. Pls help to check if it works.

Yes, the Android device now connects to the server with DDNS as endpoint. The client is active too. So that solved the issue.

I’ll do more testing and let you know if anything changes, but for now it works.

Thank you


I’ve done more testing with this solution. It only partially works; I’ll explain:

  • after adding the fwmark option to the file as suggested, I can access the server even if the Wireguard client is active.
  • however, adding a new profile (client) to the server with the Wireguard client active will still show the Wireguard client IP instead of the ISP’s IP
  • after importing the configuration to the smartphone and changing the endpoint to the ISP IP it works (and it did not before adding the fwmark option)
  • the same applies to the *.glddns.com DDNS - it will show the Wireguard client IP. A 3rd party DDNS configured through LuCI correctly shows the ISP IP and works well.

So, while this works with the mentioned adjustments it’s more like a workaround than a solution.

PS - all the above were tested on Flint with f/w 4.1 stable.

Thank you

Yes you are right.

We have been working on these concerns.