GL-MT3000 WireGuard won't connect

I’ve got a GL-MT3000 Beryl AX and want to set up a WireGuard connection to my home.
The router at home is Mikrotik RB3011 that’s also running the WireGuard server and listening on port 13231.
My Android phone has no problem with connecting.

Here’s the config of my Beryl:
```
[Interface]
Address = 172.16.1.3/32
ListenPort = 51820
PrivateKey = Private key :wink:
DNS = 172.16.1.1
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = MY_PUBLIC_IP:13231
PersistentKeepalive = 25
PublicKey = Public Key :wink:
```

Here’s the log:
```
Mon Jul 17 17:19:34 2023 daemon.notice netifd: Interface 'wgclient' is setting up now
Mon Jul 17 17:21:21 2023 user.notice wireguard-debug: USER=root ifname=wgclient ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/
Mon Jul 17 17:21:24 2023 daemon.notice netifd: wgclient (5489): cat: can't open '/tmp/run/wg_resolved_ip': No such file or directory
Mon Jul 17 17:21:24 2023 daemon.notice netifd: Interface 'wgclient' is now down
Mon Jul 17 17:21:24 2023 daemon.notice netifd: Interface 'wgclient' is setting up now
Mon Jul 17 17:21:24 2023 user.notice mwan3[5519]: Execute ifdown event on interface wgclient (unknown)
Mon Jul 17 17:21:25 2023 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
```

I don’t have any clue why it’s not working.
I’ve just updated to the latest firmware 4.2.3, but that didn’t help.

If you need more information, please let me know.
thx,

Roald

Can you SSH into your Beryl AX? There’s a few commands that provide extra info for WG that the GL GUI doesn’t provide (eg: `wg show`, `ip route`). Default IP is 192.168.8.1, passwd same as GL GUI, username `root`. See

If you can post a redacted version of your Android’s WG conf that’d be helpful too.


(FYI: This forum supports Markdown. If you use three ‘backticks’ before & after the output, it’ll be enclosed in a code block. Use single tick for one liners (as demonstrated)).


Dear Bring.Fringe18,

The problem is solved, thank you for your time.
Now you probably wanna know what the problem was :wink:

With the command ‘wg show’ I finally saw the public key on the ‘Interface: wgclient’.
In the GUI, you don’t see the public key, only the private one. I used the private key as public key on my Mikrotik RB3011 router, and we all know that doesn’t work.

I don’t know where to report a bug, but this must be an easy fix for them :grin:

Thanks again for your time.
Roald

While I’m glad you got WG online I really don’t think using your private key in a public fashion is advisable. The private key should be just that: private.

Here’s a ‘known good’ configuration of two directly connected GL devices of a Flint acting as a WG Server & a Certa as a WG Client. The [redacted] portions were done manually before posting, of course. If you were to compare that configuration, especially how the keys are portrayed, I think that would help lock down your setup securely:

You’re right, you don’t use a private key for public uses, but I couldn’t get it to work, so I thought they made a fault and mixed up public and private. Therefore I copied the private key to my WG server. The public and private key are not the same if you thought so.

For now it is impossible to set up a WG client manually in the GUI, because the public key isn’t visible.
Therefore you need to use an SSH client and the command ‘wg show’.
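
Added example, not part of any post in this thread and not code from any poster or vendor: the public key that `wg show` displays is derived from the interface's private key, so the value entered in the server's peer entry can be checked against it. The function names are hypothetical and the sample key is the public RFC 7748 test vector, not a real key.

```python
import base64

P = 2**255 - 19  # Curve25519 field prime

def x25519_base(scalar: bytes) -> bytes:
    """RFC 7748 X25519 with base point u=9. Not constant-time: for checks only."""
    k = int.from_bytes(scalar, "little")
    k = (k & ~7 & (2**255 - 1)) | 2**254           # clamp, as WireGuard does
    x1, x2, z2, x3, z3, swap = 9, 1, 0, 9, 1, 0
    for t in reversed(range(255)):                 # Montgomery ladder
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def wg_public_key(private_b64: str) -> str:
    """Public key for a base64 WireGuard private key (what `wg pubkey` prints)."""
    raw = base64.b64decode(private_b64.strip(), validate=True)
    if len(raw) != 32:
        raise ValueError("WireGuard keys are 32 bytes")
    return base64.b64encode(x25519_base(raw)).decode()

def check_peer_key(client_private_b64: str, server_peer_key_b64: str) -> str:
    """Classify the key entered for this client in the server's peer entry."""
    peer = server_peer_key_b64.strip()             # ignore stray whitespace
    if peer == client_private_b64.strip():
        return "private-key-pasted"                # the mistake in this thread
    if peer == wg_public_key(client_private_b64):
        return "ok"
    return "mismatch"

# Constructed sample: the public RFC 7748 test-vector scalar, not a real key.
SAMPLE_PRIVATE = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()

if __name__ == "__main__":
    for entered in (SAMPLE_PRIVATE, wg_public_key(SAMPLE_PRIVATE)):
        print(check_peer_key(SAMPLE_PRIVATE, entered))
```

Run it on a trusted machine only, since it takes the private key as input; on the router itself, `wg show` gives the public key directly.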

`cat /etc/config/wireguard` will give you all your WG Client confs in the OpenWrt conf syntax.

`opkg update && opkg install nano`

Well, everything is working now, and thank you for all the info.


Feel free to update the ‘Solution’ for others that stumble upon this thread. Have a good one.

I have the same problem and I don’t know what to do; the same client config on my WireGuard client on PC works, on the router it doesn’t.

```
Sun Sep 10 15:40:26 2023 user.notice wireguard-debug: USER=root ifname=wgclient ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Section @forwarding[0] is disabled, ignoring section
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Section @forwarding[1] is disabled, ignoring section
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Section gls2s option 'reload' is not supported by fw4
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Section gls2s specifies unreachable path '/var/etc/gls2s.include', ignoring section
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Section glblock option 'reload' is not supported by fw4
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Section vpn_server_policy option 'reload' is not supported by fw4
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Automatically including '/usr/share/nftables.d/chain-pre/mangle_output/01-process_mark.nft'
Sun Sep 10 15:40:31 2023 daemon.notice netifd: wgclient (7773): [!] Automatically including '/usr/share/nftables.d/chain-post/mangle_output/out_conn_mark_restore.nft'
Sun Sep 10 15:40:34 2023 daemon.notice netifd: wgclient (7773): DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   match-set GL_MAC_BLOCK src
Sun Sep 10 15:40:34 2023 daemon.notice netifd: wgclient (7773): Failed to parse json data: unexpected character
Sun Sep 10 15:40:34 2023 daemon.notice netifd: wgclient (7773): uci: Entry not found
Sun Sep 10 15:40:34 2023 daemon.notice netifd: wgclient (7773): cat: can't open '/tmp/run/wg_resolved_ip': No such file or directory
Sun Sep 10 15:40:34 2023 daemon.notice netifd: Interface 'wgclient' is now down
Sun Sep 10 15:40:34 2023 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Sep 10 15:40:36 2023 user.notice mwan3[7979]: Execute ifdown event on interface wgclient (unknown)
Sun Sep 10 15:40:40 2023 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
```

Check for typos/blank spaces that shouldn’t be present.
