GL-AXT1800 (Slate AX): Wireguard client connect error (REKEY TIMEOUT)

I was able to triage mine. It looks like my other WireGuard clients just “work” from within the network and show connected. If I’m in the NAT’d space for my GL.iNet device it doesn’t work.

Looking at the logs of my server (untangle) side it appears that the iOS clients aren’t really connecting when in the NAT’d space but show it as such on the iOS device. I tethered my GL to my phone so I could come in from the external IP and life is good, it’s working.

I have just found the same issue on my AXT1800.

Connection to Wireguard at home (hosted on AX1800) or Mullvad does not show the issue.
I have created a Wireguard connection profile to Cloudflare WARP (Teams) and the issue appears.

Using the same connection profile and connecting from an Ubuntu PC, it just works fine.

Maybe a kernel-related issue?

Please note the Cloudflare WARP WireGuard config will expire. I don’t know how it works but mine expires the next day.

The “REKEY TIMEOUT” message does not differentiate the reasons. So it is kind of difficult to solve easily.

Oh it will expire? Good to know that. I have tried WARP+ last night and it works. I am trying out WARP+ (Teams) to see the difference.

By the way, I have flashed kernel 5.4 but the “REKEY” issue still exists.
https://dl.gl-inet.com/?model=axt1800&type=beta
Does the v4.1.0 release come with kernel 4.4, and is kernel 5.4 v4.0.3?
It seems to be a bit confusing.

The author said the key should work permanently:

Still 4.4.60

kernel 5.4 is only for testing purpose now. The release will be using 4.4.60

I suggest clarifying the OpenWRT / GL-WRT version and kernel version on that page.
It looks like the latest versions are:
v4.1.0 with kernel 4.4
v4.1.0 with kernel 5.4

But it is:
v4.1.0 with kernel 4.4
v4.0.3 with kernel 5.4

Only the beta you used, which we labeled kernel 5.4, is using 5.4.

All other betas and releases are using 4.4.60.

Hello,
Having the same trouble with the slateax wg client REKEY TIMEOUT; when it worked it was very fast to connect.
I noticed the wg server had a different client port listed on its show for the router’s config.
I changed this to match on the slateax and boom, perfect connection.

Hope this helps someone. I don’t remember specifying the client port originally, although
there was much trial and error getting things to work… If it happens again I will try just removing the listen port from the slateax config; this seems to be dynamic.

Cheers


Since this topic appears to be getting a lot of attention, I thought I should log back in and restate one of the possible solutions to this. There are others (see Dr-reload’s post above mine).

In my case, I found that copying & pasting the configuration was introducing an unknown and unidentified change to it. I never worked out what exactly it was. However, the solution was to download the configuration file from the wireguard device you’re connecting to (in my case that’s an Unraid server) and upload that file onto your Slate.

Others have reported success using the QR code scanner.

So in summary, uploading config files and QR scans good, copy & paste might be problematic.

Can you explain a little? I am not sure what you changed exactly.

Hi Alzhao,

I changed the ListenPort under [Interface]. I remember now I had trouble with the keys
through the UI, so I used the CLI on the router to create the keypair, then the command line on the server
to create the client info. I think I just specified the client IP / pubkey, not any port info.

So possibly the original handshake fills in this info on the router, then the server changes this port?? Not sure.
Still working great; just spun up another replica wg server on the east coast, only changed the IP in the client config on the router… I will be watching Survivor at 5pm west coast ;p

Cheers

Hello. May you check if “preshared key” is used (exists) in your configuration? If so, try removing it on both server and client config.

Hi y2kbug,

No pre-shared keys. 7 active lines in the router config; I specified 4 or 5.
Then on the server run one command to specify only the client (router) virtual IP and pubkey.
Then the server saves that configuration.

router config:

[Interface]
Address = 10.0.0.6/32
ListenPort = 29425
PrivateKey = router_priv_key
[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = server_ip:51820
PersistentKeepalive = 25
PublicKey = server_pub_key

CLI on server command:
wg set wg0 peer router_public_key allowed-ips 10.0.0.6

Thats it.
Still unclear on the listen port for the client, how/when that is updated; need to look at the wg docs.

Cheers
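Two of the fixes in this thread concern the client config file itself: a copy/paste that silently altered it (the post above that recommends uploading the file or scanning the QR code instead), and an Endpoint port that did not match what the server listens on. As an added example (editor's code, not GL.iNet's, WireGuard's or any poster's tool), the Python below checks a wg-quick style config before it is uploaded to the router: it flags CRLF endings and invisible Unicode characters that a paste can introduce, verifies that every key is a canonically encoded 32-byte value, and compares the Endpoint port against the server's ListenPort. The two sample configs, the keys (fixed bytes, not real credentials) and the 203.0.113.10 address are constructed for this example; the config layout mirrors the router config posted above.

```python
"""Check a wg-quick style client config before uploading it to a GL.iNet router.

Editor's example code, not GL.iNet's, WireGuard's or any poster's tool.  It
looks for the two config-side failures described in this thread: damage that a
copy/paste can introduce (CRLF endings, invisible Unicode, smart quotes) and an
Endpoint port that does not match the server's ListenPort.  The keys, address
and configs at the bottom are constructed.
"""
import base64
import re

# Characters that survive a paste into a text box but are invisible in it.
INVISIBLE = {
    "\ufeff": "byte-order mark",
    "\u200b": "zero-width space",
    "\u2060": "word joiner",
    "\u00a0": "non-breaking space",
}
# 32 bytes in base64 is 43 symbols plus one '='; the 43rd symbol carries only
# four data bits, so only the 16 symbols with zero low bits are valid there.
KEY_RE = re.compile(r"^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$")
ENDPOINT_RE = re.compile(r"^(\[[0-9a-fA-F:]+\]|[^:\s]+):(\d{1,5})$")


def is_wg_key(value: str) -> bool:
    """True if value is a canonically base64-encoded 32-byte WireGuard key."""
    if not KEY_RE.match(value):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False


def parse_config(text: str) -> dict:
    """INI-style parse into {section: {key: value}}; comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, val = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {line!r}")
        sections[current][key.strip()] = val.strip()
    return sections


def check_config(text: str, server_listen_port=None) -> list:
    """Return a list of problems; an empty list means the file looks clean."""
    problems = []
    if "\r\n" in text:
        problems.append("CRLF line endings (Windows paste); convert to LF")
    for ch, name in INVISIBLE.items():
        if ch in text:
            problems.append(f"{name} (U+{ord(ch):04X}) present; remove it")
    other = sorted({c for c in text if ord(c) > 127 and c not in INVISIBLE})
    if other:  # smart quotes and the like end up here
        problems.append("non-ASCII characters " + ", ".join(f"U+{ord(c):04X}" for c in other)
                        + "; a wg config must be plain ASCII")
    try:
        cfg = parse_config(text)
    except ValueError as exc:
        return problems + [str(exc)]
    iface, peer = cfg.get("Interface", {}), cfg.get("Peer", {})
    for sect, field in (("Interface", "PrivateKey"), ("Peer", "PublicKey"), ("Peer", "PresharedKey")):
        val = cfg.get(sect, {}).get(field)
        if val is None:
            if field != "PresharedKey":  # PresharedKey is optional
                problems.append(f"[{sect}] {field} missing")
        elif not is_wg_key(val):
            problems.append(f"[{sect}] {field} is not a valid key: {val!r}")
    port = iface.get("ListenPort")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"[Interface] ListenPort {port!r} is not a UDP port")
    m = ENDPOINT_RE.match(peer.get("Endpoint", ""))
    if not m or not 1 <= int(m.group(2)) <= 65535:
        problems.append("[Peer] Endpoint must be host:port with a valid UDP port")
    elif server_listen_port is not None and int(m.group(2)) != server_listen_port:
        problems.append(f"[Peer] Endpoint port {m.group(2)} != server ListenPort {server_listen_port}")
    if "PersistentKeepalive" not in peer:
        problems.append("[Peer] no PersistentKeepalive; set 25 if the client is behind NAT")
    return problems


# Constructed keys: fixed bytes so the example is reproducible, not real secrets.
ROUTER_PRIV = base64.b64encode(bytes(range(32))).decode()
SERVER_PUB = base64.b64encode(bytes(range(32, 64))).decode()

# Same layout as the router config posted in this thread, placeholders filled in;
# 203.0.113.10 is a documentation address.
CLEAN = f"""[Interface]
Address = 10.0.0.6/32
ListenPort = 29425
PrivateKey = {ROUTER_PRIV}

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
PublicKey = {SERVER_PUB}
"""

# The same text after a bad paste: CRLF endings, a zero-width space inside the
# server key, and a non-breaking space after "Endpoint =".
PASTED = (CLEAN.replace("\n", "\r\n")
          .replace(SERVER_PUB, SERVER_PUB[:10] + "\u200b" + SERVER_PUB[10:])
          .replace("Endpoint =", "Endpoint =\u00a0"))

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN), ("pasted", PASTED)):
        print(label, check_config(cfg, server_listen_port=51820) or ["looks clean"])
```

Run it against the exact bytes you intend to upload, not a re-typed copy. The zero-width space case is the kind of change that survives a paste, is invisible in a text box, and turns a valid key into garbage, which fits the observation above that uploading the file or scanning the QR code worked where pasting did not.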

The client listen port is just a UDP port number that is usable. For the router it needs a fixed port number, otherwise it has problems. For a PC there is no need.

Can you let me know what is the device on the wireguard server and wireguard client?

What is your device for wireguard server?
The ListenPort should be a port on the WireGuard client side and should have nothing to do with the server side.

Hi Al,

My VPN is Ubuntu 22 with the WireGuard server installed via
instructions from the man pages. The main config file has a
line to save the config. Then when I add a client I only specify
the client’s pubkey and the virtual client IP on the command line.

This happened again, so I need to log into the server and get the new port; deleting the client listen port on the router
did not work, it was repopulated with the wrong info.

I normally would not screw with this… and fix it on the router, but I want to play nice with your GUI, because I like the VPN on/off button.

Cheers

Hi Al,

Ok, I can specify the port on the server, but I like the word simple. So less is more… Any way we could turn this into
a feature request? Have a toggle for dynamic port.
As other client devices seem to be working fine without a static one.

WireGuard’s ideas are less client/server, more peer/peer.

Keep up the good work!

Cheers

How exactly do you think the gl-inet router is supposed to figure out what the “dynamic” server port is? Magic?

You’ve got to specify one endpoint IP/port. You can specify both, but you are required to specify at least one, and it’s got to be the one that is not initiating the connection. Set a fixed port on your Ubuntu server and be done with it.
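The port confusion in this thread is easier to untangle from the server side. The endpoint that wg show lists for a peer is the source address and port of the last authenticated packet the server received from that peer; when the client sits behind NAT that is the NAT's translated port, not the client's ListenPort, and it changes whenever the NAT mapping does. Only the side that initiates (the router) needs a fixed Endpoint host:port to send to, which is the server's ListenPort. As an added example (editor's code, not from any poster), the Python below parses `wg show wg0 dump` output on the server and reports, per peer, whether a handshake has ever completed, how old the latest one is against WireGuard's 180-second session limit, and which port the server last saw the peer on. The dump text, key placeholders, addresses and the `now` timestamp are constructed; the interface name wg0 follows the server command posted earlier.

```python
"""Summarise `wg show wg0 dump` from the WireGuard server: per peer, has a
handshake ever completed, how old is the latest one, and from which
address:port did the server last hear the peer.

Editor's example code, not any poster's tooling.  SAMPLE_DUMP, the key
placeholders and the addresses are constructed.  `now` is passed in so the
result is reproducible; in real use pass int(time.time()).
"""
from dataclasses import dataclass
from typing import Optional

# A session whose latest handshake is older than this is discarded by WireGuard
# (REJECT_AFTER_TIME); a new handshake must then succeed, and the initiating
# side retries it every REKEY_TIMEOUT (5 s) until the other side answers.
REJECT_AFTER_TIME = 180


@dataclass
class PeerStatus:
    public_key: str
    endpoint: str                 # "(none)" until an authenticated packet arrives
    allowed_ips: str
    handshake_age: Optional[int]  # seconds since latest handshake; None if never
    rx_bytes: int
    tx_bytes: int

    @property
    def seen_port(self) -> Optional[int]:
        """UDP source port of the peer's last packet as seen by the server.
        Behind NAT this is the NAT's port, not the peer's ListenPort."""
        if self.endpoint == "(none)":
            return None
        return int(self.endpoint.rsplit(":", 1)[1])

    @property
    def verdict(self) -> str:
        if self.handshake_age is None:
            return "never handshaken: check Endpoint host:port, keys, firewall"
        if self.handshake_age > REJECT_AFTER_TIME:
            return "stale: session expired, peer is not reaching the server now"
        return "ok"


def parse_dump(text: str, now: int):
    """Parse `wg show <iface> dump` (tab-separated).  Line 1: private-key,
    public-key, listen-port, fwmark.  Each following line: public-key,
    preshared-key, endpoint, allowed-ips, latest-handshake (epoch seconds,
    0 = never), transfer-rx, transfer-tx, persistent-keepalive."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    _priv, _pub, listen_port, _fwmark = lines[0].split("\t")
    peers = []
    for ln in lines[1:]:
        pub, _psk, endpoint, allowed, hs, rx, tx, _ka = ln.split("\t")
        age = None if int(hs) == 0 else now - int(hs)
        peers.append(PeerStatus(pub, endpoint, allowed, age, int(rx), int(tx)))
    return int(listen_port), peers


def report(text: str, now: int) -> dict:
    """Map each peer's public key to (verdict, port the server last saw it on)."""
    _port, peers = parse_dump(text, now)
    return {p.public_key: (p.verdict, p.seen_port) for p in peers}


NOW = 1_700_000_000  # constructed "current time"
# Constructed dump: the router peer is behind NAT (its ListenPort 29425 shows
# up as the NAT's port 41234), the phone never completed a handshake, and the
# laptop last handshook ten minutes ago.
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY", "SERVER_PUBLIC_KEY", "51820", "off"]),
    "\t".join(["ROUTER_PUBLIC_KEY", "(none)", "198.51.100.7:41234", "10.0.0.6/32",
               str(NOW - 40), "184320", "92160", "25"]),
    "\t".join(["PHONE_PUBLIC_KEY", "(none)", "(none)", "10.0.0.7/32",
               "0", "0", "0", "25"]),
    "\t".join(["LAPTOP_PUBLIC_KEY", "(none)", "192.0.2.9:29425", "10.0.0.8/32",
               str(NOW - 600), "4096", "2048", "off"]),
])

if __name__ == "__main__":
    listen_port, peers = parse_dump(SAMPLE_DUMP, NOW)
    print(f"server listens on udp/{listen_port}")
    for p in peers:
        print(f"{p.public_key:20} seen from port {p.seen_port}: {p.verdict}")
```

On a real server, `wg show wg0 dump | python3 this_script.py` style piping works once you read stdin instead of SAMPLE_DUMP. A peer that reports "never handshaken" while the router shows "connected" is the situation the first post describes: the client side is optimistic, the server side is the record that counts.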