GL-MT300N-V2 wireguard client does not work

Wireguard client on GL-MT300N-V2 (firmware 4.3.7) does not work.
I am hosting my own WireGuard server on a DigitalOcean droplet. The other GL routers my family possesses (GL-A1300 Slate Plus, 2 x Flint (GL-AX1800), Opal (GL-SFT1200)) work with that WireGuard server without any issues (I am aware that each client should have a separate configuration, and I have a separate one for each router).

I tried but it did not help:

  1. Install another firmware: 3.216 and 4.3.11
  2. Remove ListenPort, and lower MTU to 1300
  3. I checked the router configuration file on my phone wireguard app and it works there fine without any issues (I did not forget to turn it off after check).
  4. I have tried to do this on the router as well: iptables -I FORWARD -j ACCEPT

VPN log:

Sun Jun 30 12:20:04 2024 daemon.notice netifd: Interface 'wgclient' is now up
Sun Jun 30 12:20:10 2024 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=2 J_V_keep=1 HOME=/ HOTPLUG_TYPE=wireguard T_J_V_interface=string J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_9529 group_2496 group_5462 group_714 peer_2001 CONFIG_cfg030f15_ports=
Sun Jun 30 12:20:13 2024 user.notice mwan3[13481]: Execute ifup event on interface wgclient (wgclient)
Sun Jun 30 12:20:13 2024 user.notice mwan3[13481]: Starting tracker on interface wgclient (wgclient)
Sun Jun 30 12:20:19 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Sun Jun 30 12:20:59 2024 daemon.notice netifd: Interface 'wgclient' has lost the connection
Sun Jun 30 12:21:00 2024 user.notice mwan3[14877]: Execute ifdown event on interface wgclient (unknown)
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Section @forwarding[0] is disabled, ignoring section
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Section @forwarding[1] is disabled, ignoring section
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Section nat6 option 'reload' is not supported by fw4
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Section gls2s option 'reload' is not supported by fw4
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Section gls2s specifies unreachable path '/var/etc/gls2s.include', ignoring section
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Section glblock option 'reload' is not supported by fw4
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Section vpn_server_policy option 'reload' is not supported by fw4
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Automatically including '/usr/share/nftables.d/chain-pre/mangle_output/01-process_mark.nft'
Sun Jun 30 12:21:06 2024 daemon.notice netifd: wgclient (15141): [!] Automatically including '/usr/share/nftables.d/chain-post/mangle_output/out_conn_mark_restore.nft'
Sun Jun 30 12:21:07 2024 daemon.notice netifd: Interface 'wgclient' is now down
Sun Jun 30 12:21:07 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Sun Jun 30 12:21:08 2024 daemon.notice netifd: wgclient (15419): sh: 1: unknown operand
Sun Jun 30 12:21:11 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()

VPN conf:

[Interface]
Address = 10.0.0.4/32
PrivateKey = <client-private-key>
DNS = 8.8.8.8

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = <server-ip>:41194
PersistentKeepalive = 15
PublicKey = <server-pub-key>

Can you confirm that there is no network overlapping at all?

@admon it seems yes, I do not have any other network-related things set up.

@admon Sorry, I found the issue, the cellular ISP was blocking wireguard traffic. Do you have any out-of-the-box solution to obfuscate wireguard traffic?

WireGuard Traffic is mostly obfuscated already - guess they will detect it by port. Try to change the port.


Thank you, I use a quite random port, 41194. I mean real obfuscation like Cloak, udp2raw, Xray, Shadowsocks, if there is any guide on how to set up any of these on a GL.iNet router.

Not supported by the GL firmware, sorry.

And I guess the MT300N isn't powerful enough for that anyway.

Thank you. Not necessary on MT300N but on Flint for example.

Still not supported by the GL firmware. You will need to go plain OpenWrt then.
(Which will remove the GL GUI)


Your ISP or your country?

In my country the wireguard protocol is blocked for mobile data (they block wg handshake as I understand), all ISPs have to comply.
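
A check for the failure this thread ends up diagnosing (handshake packets blocked on the cellular link), as an added example that is not part of the original posts or of GL.iNet's firmware: it classifies peers from the tab-separated output of `wg show <interface> dump`. The sample dump, its key placeholders, the 203.0.113.10 endpoint, the timestamps and the 180-second staleness threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example. Peer lines of `wg show <iface> dump` are tab-separated:
# public-key, preshared-key, endpoint, allowed-ips,
# latest-handshake (epoch seconds, 0 = never), rx bytes, tx bytes, keepalive.

# classify_wg_dump NOW [STALE_SECS]
# Reads a dump on stdin, prints "<key-prefix> <endpoint> <verdict>" per peer.
classify_wg_dump() {
    awk -F '\t' -v now="$1" -v stale="${2:-180}" '
        NF == 4 { next }   # interface line: private-key, public-key, port, fwmark
        NF == 8 {
            hs = $5 + 0; rx = $6 + 0; tx = $7 + 0
            if (hs == 0 && tx > 0 && rx == 0)
                v = "NO_HANDSHAKE_TX_ONLY"   # initiations leave, nothing comes back
            else if (hs == 0)
                v = "NO_HANDSHAKE_IDLE"      # nothing has been sent yet
            else if (now - hs > stale)
                v = "HANDSHAKE_STALE"        # session was up, renewal is failing
            else
                v = "OK"
            printf "%s %s %s\n", substr($1, 1, 8), $3, v
        }'
}

# Constructed sample (placeholder keys, documentation-range endpoint address).
# Peer 1 mirrors the thread: 1480 bytes sent, 0 received, no handshake ever.
sample_dump() {
    printf 'PRIVKEY-PLACEHOLDER\tIFACEKEY-PLACEHOLDER\t51820\toff\n'
    printf 'PEERAAAA-PLACEHOLDER\t(none)\t203.0.113.10:41194\t0.0.0.0/0\t0\t0\t1480\t15\n'
    printf 'PEERBBBB-PLACEHOLDER\t(none)\t203.0.113.10:41194\t0.0.0.0/0\t1719749950\t9120\t8840\t15\n'
    printf 'PEERCCCC-PLACEHOLDER\t(none)\t203.0.113.10:41194\t0.0.0.0/0\t1719749000\t5000\t90000\t15\n'
}

# Constructed "now": 2024-06-30 12:20:00 UTC
sample_dump | classify_wg_dump 1719750000
```

On the router, `wg show wgclient dump | classify_wg_dump "$(date +%s)"` feeds it live data. A peer that stays at NO_HANDSHAKE_TX_ONLY on one uplink while the same configuration reports OK on another points at the network path rather than the configuration.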

Can we tell the country name?

Hope it is not China.


No offense, but I would rather not reveal it.

It would be a killer feature if you add support for such protocols as xray, cloak, wstunnel, and shadowsocks. I think many people need this nowadays.

What country does that?

Have you already tried UDP 443 or TCP 443?

Regards

WireGuard does not support TCP.

I know, but he can use WireGuard + a proxy to work with TCP 443, like haproxy, udp2raw or udptunnel.
But yes, the normal function of WireGuard is UDP. In my country I have to use UDP 443 with some ISPs because they block other ports.

Of course you can try, but it's not supported by the standard GL firmware out of the box.