GL-MT1300 (Beryl) VPN Setup Help Please :(

Here are the logs for when it turns to flashing blue. This “flush 1” thing seems to show up a lot, as well as “start sequence”.

Wed Aug 24 19:56:50 2022 kern.warn kernel: [ 1694.921155] 54, flush one!
Wed Aug 24 19:56:50 2022 kern.warn kernel: [ 1695.235584] 5b, flush one!
Wed Aug 24 19:57:22 2022 kern.warn kernel: [ 1726.777021] AP SETKEYS DONE - AKMMap=WPA2PSK, PairwiseCipher=AES, GroupCipher=AES, wcid=1 from E8:2A:44:A1:67:B1
Wed Aug 24 19:57:22 2022 kern.warn kernel: [ 1726.777021]
Wed Aug 24 19:57:22 2022 kern.warn kernel: [ 1726.791205] Rcv Wcid(1) AddBAReq
Wed Aug 24 19:57:22 2022 kern.warn kernel: [ 1726.794484] Start Seq = 00000000
Wed Aug 24 19:57:22 2022 daemon.info dnsmasq-dhcp[2818]: DHCPREQUEST(br-lan) 192.168.8.113 e8:2a:44:a1:67:b1
Wed Aug 24 19:57:22 2022 daemon.info dnsmasq-dhcp[2818]: DHCPACK(br-lan) 192.168.8.113 e8:2a:44:a1:67:b1 LAPTOP-F84GAUJU
Wed Aug 24 19:57:22 2022 user.notice mtk-wifi: new_station e8:2a:44:a1:67:b1 rax0
Wed Aug 24 19:57:22 2022 kern.warn kernel: [ 1726.828634] Rcv Wcid(1) AddBAReq
Wed Aug 24 19:57:22 2022 kern.warn kernel: [ 1726.831877] Start Seq = 00000002
Wed Aug 24 19:57:24 2022 kern.warn kernel: [ 1728.988814] 63, flush one!
Wed Aug 24 19:57:55 2022 kern.warn kernel: [ 1759.884353] Replay Counter Different in pairwise msg 2 of 4-way handshake!
Wed Aug 24 19:57:55 2022 kern.warn kernel: [ 1760.075536] AP SETKEYS DONE - AKMMap=WPA2PSK, PairwiseCipher=AES, GroupCipher=AES, wcid=1 from E8:2A:44:A1:67:B1
Wed Aug 24 19:57:55 2022 kern.warn kernel: [ 1760.075536]
Wed Aug 24 19:57:55 2022 kern.warn kernel: [ 1760.087426] Rcv Wcid(1) AddBAReq
Wed Aug 24 19:57:55 2022 kern.warn kernel: [ 1760.090734] Start Seq = 00000003
Wed Aug 24 19:57:55 2022 user.notice mtk-wifi: new_station e8:2a:44:a1:67:b1 rax0
Wed Aug 24 19:57:55 2022 kern.warn kernel: [ 1760.114596] Rcv Wcid(1) AddBAReq
Wed Aug 24 19:57:55 2022 kern.warn kernel: [ 1760.117889] Start Seq = 00000000

Some of the messages are referenced in this post:

Maybe worth trying the solution in the post to remove the saved repeater wifi SSIDs, now that you have WireGuard working with Ethernet cable only.

I removed the old Wi-Fi’s but it still does not work properly. It definitely only happens, though, when I have the VPN server running; it stays solid white when it’s turned off.

Got any other potential solutions?
Or is there another router I can replace the server beryl with that will work with the client beryl?

It would be worth a complete reset of the router and then reconfigure it from scratch.

Maybe other readers may have ideas also.

Yeah I’ve tried that too. I may just go with another router. Any recommendations?

As you said you connect Beryl to your main router via cable, so it must be something wrong with the cable.

The cable is connected to wan (eth0.2) I think.

Maybe you can just change a cable.

I tried changing the cable and it made no difference. I have the cable in the WAN port of the beryl.

Some additional thoughts, to try to eliminate possibilities:

  1. Check if you get the same behaviour with the same WireGuard config on a smartphone running one of the free WireGuard apps (to eliminate the Client Beryl).
  2. Switch the Ethernet WAN cable to a different port that is known to work on the Xfinity router and reboot the Xfinity (to eliminate the Xfinity).
  3. Switch the use of the two Beryl routers around, so the Client → Server and Server → Client (to eliminate the Server Beryl).

  1. It works on my phone, but what is weird is that as soon as I turn on the client router, the server one starts having problems. Even if I have the client VPN disabled as it turns on, it starts flashing blue.

  2. Switched ports and restarted router. No impact.

  3. The client one won’t even connect to the router via Ethernet, so maybe it has a problem.

I’m going to reset both to factory settings and see what happens.

Factory reset both (held down button for 10 seconds) and the original client Beryl still cannot even connect to my router via Ethernet. So send that one back I guess?

Update: I was on the phone with Amazon and they both started working properly.

VPN green and no disconnects. Not sure why it just decided to work all of a sudden.

I am a little hesitant to still rely on it though. Thoughts?

By the way, are both Beryl routers running the latest firmware?

Given the strange behaviours you have encountered, I would personally return for exchange at least the Client Beryl.

I don’t specifically own a Beryl, but I believe other Beryl owners are using/have used them successfully with WireGuard. I have other GL.iNet routers that work successfully also, although sometimes I have to reboot them.

If you replace them with different router models, then you have to start the setup and testing from scratch and there is no guarantee that other problems will not arise. It depends on how much time and effort you can spend before you need to have everything working.

Never mind, they started disconnecting again. Pretty disappointed tbh. I’ll be getting replacements for both of them tomorrow morning and will test those out.

What does your setup look like? I’ve got about a month to figure this out but I’d like to get it squared away way ahead of time.

My current main router behind the ISP cable modem/router is the Asus RT-AX88U running 3rd-party AsusWRT Merlin firmware. The Asus is super stable, has never crashed on me, and has integrated OpenVPN client/server. Previously, I also had the Asus RT-AC66U and RT-AC66U B1 models.

All 3 Asus routers do not have WireGuard, but OpenVPN is not a limitation for me because my ISP maximum upload speed is only 30Mbps. I only activate the OpenVPN server and port forwarding when I am away on travel, in order not to have open ports on the Internet more than necessary.

If I wanted to have WireGuard and/or had a much higher upload speed limit, I would consider the recently-released GL.iNet AXT1800 for WireGuard server.

Your AX88U should be getting built-in wireguard in the next few months. And if you are familiar with using third party scripts you can get wireguard up and running right now. I’m currently using WireGuard on my AC86U.

Update: Got 2 brand new Beryl routers. Set the server up and it is still dropping connectivity just on the smartphone test. Maybe it’s my ISP? Pretty frustrated at this point. Thoughts?

What are your thoughts?

Do you experience disconnects, without running WireGuard, when connected directly to the Xfinity router by itself and/or when connected to a Beryl that is connected to the Xfinity?

I think this might be all messed up and we should go back to basics. I think you’ve got addressing conflicts (that’s the Beryl flipping back and forth, flashing blue and erratic connections) and I don’t see enough detail to understand your network.

The Beryl can run a WG server that will accept connections it receives from what it thinks is its WAN connection. That might be the repeater WIFI, or it might be the ethernet cable connected to its WAN port. It builds a tunnel on its WAN side, and it gives IP addresses to devices that connect to it in a range, and routes traffic from those addresses to its own LAN network, either wireless or cable connected to its LAN jacks. That network by default will be 192.168.8.xx. The devices in that network range will not connect to devices on the WAN side of the Beryl. So a threshold question is, before you introduced the Beryl, were you operating a network on the WAN side of the Beryl through another router?

It sounds like the Verizon is not just a modem but a router, and it is handing out to the Beryl an address of 10.0.0.92, with a default gateway of 10.0.0.1, and maybe all your existing devices are in that range. If you want to be reaching devices in that network, then you need to make the Beryl the device controlling your network, not the Verizon.

Now from the screen shot, it looks like the wireguard server is thinking that it too is running a network of 10.0.0.xx, with its own address being 10.0.0.1. That conflicts with the Verizon scheme, and you get the pushing and shoving match between the Verizon and the Beryl that you observe. At least, that’s my working theory.

So first off, I would connect the Verizon LAN port by cable to the Beryl WAN port. Let the Beryl settle with a cable internet connection, not a wifi repeater. Then I would disconnect everything else from the Verizon and connect them instead to the Beryl LAN side. If you can, turn off any Verizon wireless while you are at it. All the devices will be on the 192.168.8.xx network. Now test to make sure you can reach the Beryl admin page, and that all the devices have the internet connections you want. (This looks like it will be double natted for the moment, but don’t mind that).

Second, I would see if you can flip the Verizon into bridge mode, so it feeds the public IP address to the Beryl. If you can, then you don’t need the port forwarding. If you can’t, then you need to do the port forwarding to the wireguard port, so traffic coming into the Verizon on that port is sent to the Beryl (the Verizon won’t know to forward everything to the Beryl otherwise).

Now set up the WG server. If the Verizon is in bridge mode, fine; if not, make sure that the WG server is not adding that Verizon 10.0.0.xx network into its configuration. Move it to something else.
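
The address conflict described in the post above, as an added example that is not part of the original thread: a short Python check that reports which of the router's networks overlap and picks a non-conflicting subnet for the WireGuard server. The /24 prefix lengths, the function names and the candidate list are assumptions; the addresses are the ones mentioned in the post.

```python
import ipaddress

def find_conflicts(networks):
    """Return sorted (name, name) pairs whose subnets overlap."""
    parsed = {n: ipaddress.ip_interface(c).network for n, c in networks.items()}
    names = sorted(parsed)
    return [(a, b)
            for i, a in enumerate(names)
            for b in names[i + 1:]
            if parsed[a].overlaps(parsed[b])]

def pick_free_subnet(networks, moving, candidates):
    """Return the first candidate CIDR that overlaps no network other
    than `moving` (the one being renumbered), or None if all collide."""
    used = [ipaddress.ip_interface(c).network
            for n, c in networks.items() if n != moving]
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if not any(net.overlaps(u) for u in used):
            return cand
    return None

# Addresses from the post; /24 masks are assumed, not stated in the thread.
NETWORKS = {
    "wan": "10.0.0.92/24",       # address the upstream router hands the Beryl
    "lan": "192.168.8.1/24",     # Beryl default LAN
    "wg_server": "10.0.0.1/24",  # WireGuard server address seen in the screenshot
}

# Constructed candidate list for the tunnel network (hypothetical choices).
CANDIDATES = ["10.0.0.0/24", "192.168.8.0/24", "10.8.0.0/24"]

if __name__ == "__main__":
    for a, b in find_conflicts(NETWORKS):
        print(f"conflict: {a} ({NETWORKS[a]}) overlaps {b} ({NETWORKS[b]})")
    print("suggested WireGuard subnet:",
          pick_free_subnet(NETWORKS, "wg_server", CANDIDATES))
```
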

I’m assuming you mean xfinity not Verizon?

And I put the router into bridge mode and it is doing better. Haven’t dropped connections yet. I did have trouble getting the client router to connect to my hotspot though, hard reset it and it worked.

Turning it to bridge mode disabled the regular wifi from the xfinity router and it’s now on the Beryl. So I think that is the same as what you described?

I’m still very wary about this though. It’s working fine now it seems but I wouldn’t be surprised if it stopped working again.