GL-MT1300 (Beryl) VPN Setup Help Please :(

Update: I was on the phone with Amazon and they both started working properly.

VPN green and no disconnects. Not sure why it just decided to work all of a sudden.

I am a little hesitant to still rely on it though. Thoughts?

By the way, are both Beryl routers running the latest firmware?

Given the strange behaviours you have encountered, I would personally return for exchange at least the Client Beryl.

I don’t specifically own a Beryl, but I believe other Beryl owners are/have used them successfully with WireGuard. I have other GL.iNet routers that work successfully also, although sometimes I have to reboot them.

If you replace them with different router models, then you have to start the setup and testing from scratch and there is no guarantee that other problems will not arise. It depends on how much time and effort you can spend before you need to have everything working.

Never mind, they started disconnecting again. Pretty disappointed tbh. I’ll be getting replacements for both of them tomorrow morning and will test those out.

What does your setup look like? I’ve got about a month to figure this out, but I’d like to get it squared away well ahead of time.

My current main router behind the ISP cable modem/router is the Asus RT-AX88U running 3rd-party AsusWRT Merlin firmware. The Asus is super stable, has never crashed on me, and has integrated OpenVPN client/server. Previously, I also had the Asus RT-AC66U and RT-AC66U B1 models.

None of the 3 Asus routers have WireGuard, but OpenVPN is not a limitation for me because my ISP maximum upload speed is only 30Mbps. I only activate the OpenVPN server and port forwarding when I am away on travel, in order not to have open ports on the Internet more than necessary.

If I wanted to have WireGuard and/or had a much higher upload speed limit, I would consider the recently-released GL.iNet AXT1800 for WireGuard server.

Your AX88U should be getting built-in wireguard in the next few months. And if you are familiar with using third party scripts you can get wireguard up and running right now. I’m currently using WireGuard on my AC86U.

Update: Got 2 brand new Beryl routers. Set the server up and it is still dropping connectivity just on the smartphone test. Maybe it’s my ISP? Pretty frustrated at this point. Thoughts?

What are your thoughts?

Do you experience disconnects, without running WireGuard, when connected directly to the Xfinity router by itself and/or when connected to a Beryl that is connected to the Xfinity?

I think this might be all messed up and we should go back to basics. I think you’ve got addressing conflicts (that’s the Beryl flipping back and forth, flashing blue and erratic connections) and I don’t see enough detail to understand your network.

The Beryl can run a WG server that will accept connections it receives from what it thinks is its WAN connection. That might be the repeater WIFI, or it might be the ethernet cable connected to its WAN port. It builds a tunnel on its WAN side, and it gives IP addresses to devices that connect to it in a range, and routes traffic from those addresses to its own LAN network, either wireless or cable connected to its LAN jacks. That network by default will be 192.168.8.xx. The devices in that network range will not connect to devices on the WAN side of the Beryl. So a threshold question is, before you introduced the Beryl, were you operating a network on the WAN side of the Beryl through another router?

It sounds like the Verizon is not just a modem but a router, and it is handing out to the Beryl an address of 10.0.0.92, with a default gateway of 10.0.0.1, and maybe all your existing devices are in that range. If you want to be reaching devices in that network, then you need to make the Beryl the device controlling your network, not the Verizon.

Now from the screen shot, it looks like the wireguard server is thinking that it too is running a network of 10.0.0.xx, with its own address being 10.0.0.1. That conflicts with the Verizon scheme, and you get the pushing and shoving match between the Verizon and the Beryl that you observe. At least, that’s my working theory.

So first off, I would connect the Verizon LAN port by cable to the Beryl WAN port. Let the Beryl settle with a cable internet connection, not a wifi repeater. Then I would disconnect everything else from the Verizon and connect them instead to the Beryl LAN side. If you can, turn off any Verizon wireless while you are at it. All the devices will be on the 192.168.8.xx network. Now test to make sure you can reach the Beryl admin page, and that all the devices have the internet connections you want. (This looks like it will be double natted for the moment, but don’t mind that).

Second, I would see if you can flip the Verizon into bridge mode, so it feeds the public IP address to the Beryl. If you can, then you don’t need the port forwarding. If you can’t, then you need to do the port forwarding to the wireguard port, so traffic coming into the Verizon on that port is sent to the Beryl (the Verizon won’t know to forward everything to the Beryl otherwise).

Now set up the WG server. If the Verizon is in bridge mode, fine; if not, make sure that the WG server is not adding that Verizon 10.0.0.xx network into its configuration. Move it to something else.
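The addressing conflict described in the last few posts can be checked mechanically. The following Python script is an added example, not something posted in the thread: it takes the networks a router believes it owns (the WAN range learned from the upstream gateway, its own LAN, and the WireGuard tunnel subnet) and reports any pairs that overlap. The sample values are constructed from the thread (10.0.0.92 with gateway 10.0.0.1, the Beryl’s 192.168.8.x LAN, a WireGuard server also on 10.0.0.1); the /24 masks and the replacement tunnel range 10.8.0.0/24 are assumptions.

```python
import ipaddress
from itertools import combinations


def find_overlaps(networks):
    """Return (name_a, name_b) pairs whose address ranges overlap.

    networks: dict mapping a role name to a CIDR string such as
    "10.0.0.92/24" (host bits are ignored). Two overlapping ranges mean
    two devices both think they own the same addresses, which is the
    "pushing and shoving" symptom described in the thread.
    """
    parsed = {name: ipaddress.ip_network(cidr, strict=False)
              for name, cidr in networks.items()}
    return [(a, b) for a, b in combinations(parsed, 2)
            if parsed[a].overlaps(parsed[b])]


# Constructed from the thread: the ISP gateway hands the Beryl 10.0.0.92
# with gateway 10.0.0.1 (a /24 is assumed), the Beryl LAN is
# 192.168.8.0/24, and the screenshot showed the WireGuard server also
# using 10.0.0.1 on a 10.0.0.x network.
CONFLICTING = {
    "wan (from upstream gateway)": "10.0.0.92/24",
    "beryl lan": "192.168.8.1/24",
    "wireguard server": "10.0.0.1/24",
}

# The fix suggested in the thread: move the WireGuard network somewhere
# else. 10.8.0.0/24 is an assumed choice, not one from the post.
FIXED = dict(CONFLICTING, **{"wireguard server": "10.8.0.1/24"})

if __name__ == "__main__":
    for label, nets in (("conflicting", CONFLICTING), ("fixed", FIXED)):
        print(label, find_overlaps(nets) or "no overlaps")
```

The same check applies on the travel side: the client Beryl’s WAN (whatever the phone hotspot or hotel Wi-Fi hands it) must not overlap the tunnel range or the home LAN either, or the routes the tunnel installs will fight with the local ones.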

I’m assuming you mean xfinity not Verizon?

And I put the router into bridge mode and it is doing better. Haven’t dropped connections yet. I did have trouble getting the client router to connect to my hotspot though, hard reset it and it worked.

Turning it to bridge mode disabled the regular wifi from the xfinity router and it’s now on the Beryl. So I think that is the same as what you described?

I’m still very wary about this though. It’s working fine now it seems, but I wouldn’t be surprised if it stopped working again.

Yes of course. I’m a dope. Flashback to earlier problems I’ve had.

I think of most of this as being like paper doll instructions: insert tab 1 into slot 1, then fold along dotted line AA and insert tab 2 into slot 2. So saying “the router” and “client router” and “my hotspot” are all things that make sense to you but are ambiguous to me. That’s why I went on at such length about my thoughts.

Yes. So is the Beryl getting a public IP address on its WAN? That’s good, and now you can activate the DDNS on the Beryl.

My apologies I can see how that could be confusing, here’s a break down:

My router = Xfinity gateway

Client router = Beryl router that will act as the VPN travel router

Server router = Beryl router that acts as the VPN WireGuard server connected to my xfinity gateway

My hot spot = 4G hotspot from my phone that I have the client router connect to in order to test if the VPN is working

I think it’s getting a public IP on the WAN? I’m not sure how to test this. The VPN thing is green and I can connect to the internet through it.

What does activating the ddns do? And would this be on the client beryl or server beryl?

That’s a lot clearer. thanks.

If the Xfinity gateway is in bridge mode, then the WAN address the Beryl has might be a public IP address, that is, not an address that starts with 10., 172., or 192.168. Then the WG client can reach the WG server without port forwarding. If it is not a public IP address, then it will go to the Xfinity gateway and you have to provide a route to the Beryl; the Xfinity gateway won’t know where to send it.

Most ISPs don’t hand out truly static IPs–yours might change when the lease is renewed. If you activate the ddns service on the Beryl server, it periodically tells GL-Inet what its IP is. Then your WG config can include the name of your Beryl server (which doesn’t change) instead of the IP address (which might). The WG client looks up the actual IP address and then connects to that address.
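As an added example (not code from the thread or from GL.iNet), here is the “is my WAN address public?” test from the previous reply written out in Python with the exact reserved ranges: the three RFC 1918 blocks (the 172. case is only 172.16.0.0/12), plus the carrier-grade NAT block 100.64.0.0/10, which many cable and mobile ISPs use and which neither bridge mode nor port forwarding can get around because the ISP’s own NAT sits in front of the gateway. The sample addresses are constructed; 10.0.0.92 is the one mentioned in the thread, the rest are reserved or documentation ranges rather than real hosts.

```python
import ipaddress

# Ranges an ISP gateway or hotspot may hand out that are NOT reachable
# from the Internet. A remote WireGuard client cannot connect directly to
# any of them; something in front must forward the port, or the address
# is useless as an Endpoint.
NON_PUBLIC = {
    "rfc1918 private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    # Carrier-grade NAT (RFC 6598). Port forwarding on your own gateway
    # cannot help: the ISP's NAT is upstream of it.
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
}


def classify_wan_ip(address):
    """Return the class of a router's WAN address.

    'public' means none of the reserved ranges above matched. Only in
    that case can a remote WireGuard peer reach the server without an
    upstream device forwarding the port.
    """
    ip = ipaddress.ip_address(address)
    for label, nets in NON_PUBLIC.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def server_reachable_directly(address):
    """True only when the WAN address is public, i.e. a WireGuard peer
    can use it (or a DDNS name resolving to it) as Endpoint without a
    port forward on a device in front of the server."""
    return classify_wan_ip(address) == "public"


if __name__ == "__main__":
    # Constructed samples: 10.0.0.92 comes from the thread; the others
    # are reserved/documentation-range values, not real hosts.
    for sample in ("10.0.0.92", "100.70.1.2", "172.20.5.1", "203.0.113.5"):
        print(sample, classify_wan_ip(sample), server_reachable_directly(sample))
```

The list deliberately covers only the blocks a home router is likely to be handed; it is not the full IANA special-purpose registry. If the WAN address classifies as “cgnat”, DDNS will faithfully publish an address nobody on the Internet can connect to, so check this before spending time on port forwarding.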

Good. Some people test from within their network, and that isn’t a fair test.

Putting the Xfinity gateway into bridge mode bypasses all the router functions that could be causing the disconnects. These may have always been there to some degree, but not noticed until you connected the Beryl/WireGuard. I believe a lot of people do successfully run their own router with VPN behind their ISP router without bridging it.

If your WireGuard setup stays stable for some days and you are satisfied with the Beryl becoming your main router, then it would seem the problem is solved :ok_hand:.

So it looks like this is a public IP, right, because it starts with 94?

And then where do I turn on the ddns? I don’t see an option for that anywhere.

Yes. This is a /22 subnet, so your Xfinity gateway is connected upstream to another router with DHCP handing out 1,024 possible IP addresses.

For ddns, follow the tutorial here: DDNS - GL.iNet Docs

Ok gotcha.

I went ahead and turned on DDNS. How do I set that up with the WireGuard VPN config now? You mentioned it having the name of the server instead of an IP address.

The WG config file is a text file. Export it from your server, and then open it for editing. If the server is defined as an ip, change it to your ddns address.

Sorry for the late reply. But where in the config does my DDNS address go? It’s something like xxxx.glddns.com

Putting under Peer endpoint doesn’t work

It should be endpoint
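The edit the last few posts describe (swap the IP in the [Peer] `Endpoint` line for the DDNS name, keep the port) is easy to get subtly wrong, most often by dropping the `:port` part. The following Python is an added example, not from the thread or from GL.iNet: a constructed exported client config, a function that rewrites only the host part of `Endpoint`, and a checker that says why a hand-edited `Endpoint` value will not parse. The keys are placeholders, `198.51.100.7` is a documentation address standing in for the home IP (the thread only says it “starts with 94”), and `myberyl.glddns.com` is an assumed name.

```python
import re

# Constructed sample of an exported WireGuard client config. Keys are
# placeholders; addresses are assumed and not taken from the thread.
SAMPLE_CLIENT_CONF = """\
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = <server-public-key>
PresharedKey = <preshared-key>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 198.51.100.7:51820
PersistentKeepalive = 25
"""

# Matches one "Endpoint = host:port" line. Host may be a DNS name, an IPv4
# address, or a bracketed IPv6 address.
ENDPOINT_RE = re.compile(
    r"^([ \t]*Endpoint[ \t]*=[ \t]*)(?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)[ \t]*$",
    re.MULTILINE,
)


def get_endpoint(conf):
    """Return (host, port) from the Endpoint line, or None if absent."""
    m = ENDPOINT_RE.search(conf)
    if not m:
        return None
    return m.group("host"), int(m.group("port"))


def set_endpoint_host(conf, hostname):
    """Replace the host part of Endpoint with a DDNS name, keeping the port.

    WireGuard resolves the name when the tunnel is brought up, so the
    client keeps working after the home IP changes. The port is left
    alone: the server still listens on it and any upstream port forward
    still points at it.
    """
    if not ENDPOINT_RE.search(conf):
        raise ValueError("config has no 'Endpoint = host:port' line")
    return ENDPOINT_RE.sub(
        lambda m: f"{m.group(1)}{hostname}:{m.group('port')}", conf)


def check_endpoint_value(value):
    """Return None if value is a usable 'host:port', else the reason.

    A DDNS name on its own, with no ':51820', is the usual way a hand
    edited Endpoint line fails to load.
    """
    m = re.fullmatch(r"(\[[^\]]+\]|[^:\s]+):(\d+)", value.strip())
    if not m:
        return "Endpoint must be host:port, e.g. name.glddns.com:51820"
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        return f"port {port} out of range"
    return None


if __name__ == "__main__":
    updated = set_endpoint_host(SAMPLE_CLIENT_CONF, "myberyl.glddns.com")
    print(updated)
    print(check_endpoint_value("myberyl.glddns.com"))
    print(check_endpoint_value("myberyl.glddns.com:51820"))
```

Only the `[Peer]` section on the client needs the name; the server’s own config does not reference its public address at all. Remember that the name is resolved once when the tunnel starts, so a client left running across an IP change on the home side needs the tunnel restarted (or a periodic re-resolve) before it will follow the new address.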