How to troubleshoot WireGuard


Why WireGuard?

WireGuard is a modern VPN protocol that is at the cutting edge of technology. It is easy to configure and offers high security. WireGuard is integrated into the Linux kernel and is supported by many operating systems. It is faster and more secure than OpenVPN and IPsec.

Unlike OpenVPN, WireGuard offers better multi-thread support, meaning it is better suited for modern processors. On GL.iNet routers, it runs at higher speeds.

I can't find "VPN" in the web interface

If you can't find "VPN" in the web interface, you probably have a firmware version that does not support WireGuard. This is the case if you purchased a device for use exclusively in China. These devices can be recognized by the "CN" in the web interface after logging in.

There is no officially supported way to change the firmware to enable WireGuard. However, using WireGuard in LuCI is possible.

How should my network be configured?

For WireGuard to function, the IP addresses of devices on the network must be unique. This means the IP addresses of devices on the local network must not conflict with the IP addresses of the other network from which you are trying to connect. In other words, the network (default for GL.iNet routers is 192.168.8.x and 192.168.9.x) should not be used on both sides!

Therefore, you should ensure that only one side uses the default configuration! One of the routers must definitely be reconfigured.

This doesn't work


This works

Mobile Networks & StarLink

If you use WireGuard over a mobile network or StarLink, you are using CGNAT. This means you do not have a public IP address and therefore cannot receive incoming connections. You can only establish outgoing connections. The router behind the mobile network or StarLink router cannot be used as a server but can be used as a client.

An alternative is to use services like Tailscale or AstroRelay. These services allow devices behind CGNAT networks to communicate with each other. Tailscale is a free service based on WireGuard and offers simple configuration. Not every router supports Tailscale, but most GL.iNet routers can use Tailscale.

If you're unsure whether you're affected by CGNAT, you can test it here.

Port Forwarding

If your GL.iNet router is not directly connected to the internet but is operated behind another router, you need to forward the ports for WireGuard. The ports you need to forward are specified in the WireGuard configuration. By default, this is port 51820/udp.

Such a setup also works if the port forwarding is correctly configured:

Dynamic IP Addresses

Most internet connections have a dynamic IP address. This means the IP of your router changes from time to time. If you operate a server that should be accessible via WireGuard, you need to use a dynamic DNS address. These services allow you to access your router with the same name even if the IP address changes.

By default, GL.iNet routers support the service GL.iNet DDNS. This service is free and easy to configure. You can also use other DDNS services if you prefer. Remember to use the DDNS address in the WireGuard configuration to access your router!

Using a DDNS service does not automatically make your router accessible from the internet, so it does not pose a security risk.

Blocked Ports

Some internet providers (hello Spectrum 👋) block certain ports. If you have connection problems, it might be because your internet provider is blocking the port. In this case, you can try changing the port. It is recommended to try a port like 51825.

Remember to change the port in both the WireGuard configuration and the port forwarding settings if used.

Testing

Please keep in mind that you can't test connecting to the network you are currently part of. So testing requires at least a tethered connection on your travel router. Use the Wi-Fi hotspot on your phone for proper testing.

Since WireGuard uses UDP, it's not possible to test if the port is up and running. The only way to test properly is to connect using your WireGuard client!

WireGuard Configuration

The WireGuard configuration is simple and is thoroughly described in the GL.iNet help. You can find the relevant guide.

A sample configuration might look like this:

```ini
[Interface]
Address = 10.0.0.2/24
PrivateKey = OhE6JnWISeTq1upiASGxJcnNqWmcJcnNqWmc=
DNS = 64.6.64.6
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = xxxxxx.glddns.com:51820
PersistentKeepalive = 25
PublicKey = 3J6JnWISeTq1upiASGxJcnNqWmcsajjkw1213ms=
```

| Section | Key | Description |
|---|---|---|
| Interface | Address | The IP address of the router in the WireGuard network |
| Interface | PrivateKey | The private key of the router |
| Interface | DNS | The DNS server to be used |
| Interface | MTU | The maximum transmission unit |
| Peer | AllowedIPs | The IP addresses accessible through the tunnel |
| Peer | Endpoint | The IP address and port of the server |
| Peer | PersistentKeepalive | The time in seconds for sending a keepalive |
| Peer | PublicKey | The public key of the server |

Route all traffic through the tunnel

By default, all traffic is routed through the tunnel. This means all requests from your router are sent through the tunnel to the server. The server then forwards the requests to the internet. As a result, you appear on the internet with the IP address of the server—perfect for bypassing geoblocking or using a different IP address. This is enabled by the line AllowedIPs = 0.0.0.0/0,::/0.

If you only want to access your home network, e.g., to access your NAS, you can restrict the AllowedIPs line to your local network. In our graphical example above, this would be AllowedIPs = 192.168.8.0/24.

Adjust DNS server

In the configuration, you can also adjust the DNS server. By default, UltraDNS (64.6.64.6) is used, but you can use any other DNS server.

The MTU Issue

The MTU (Maximum Transmission Unit) is the maximum size of a data packet that can be sent over the network. The MTU is usually determined automatically, but sometimes problems can arise if the MTU is too large. In this case, you can adjust the MTU in the WireGuard configuration. By default, the MTU is set to 1420, which works in most cases. However, if you have connection problems, you can set the MTU to a lower value, such as 1400.

You can adjust this in the configuration file under [Interface].

UDP and its pitfalls

WireGuard uses the UDP protocol by default. This protocol has the advantage of being faster than TCP since it doesn't require acknowledgments. However, it is also more prone to packet loss. If you have issues with connection quality and adjusting the MTU doesn't help, you can try OpenVPN in TCP mode.
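
The checks this guide walks through (unique LAN subnets, CGNAT, port forwarding, AllowedIPs, MTU) combined into one pre-flight script. This is an added example, not part of the original post or GL.iNet's tooling; the function names, the constructed sample config and the conservative 80-byte overhead (IPv6 outer header) are assumptions of the example, and the WAN address is whatever the server-side router reports as its own.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WG_OVERHEAD = 80  # outer IPv6 header 40 + UDP 8 + WireGuard header and auth tag 32

# Constructed sample: keys are placeholders, other values follow the guide's example.
SAMPLE = """
[Interface]
Address = 10.0.0.2/24
PrivateKey = <client-private-key>
MTU = 1420
[Peer]
AllowedIPs = 192.168.8.0/24
Endpoint = xxxxxx.glddns.com:51820
PublicKey = <server-public-key>
"""

def parse_wg_config(text):
    """Parse wg-quick style text into {section: {key: value}}; assumes one [Peer]."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = cfg.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # split once: base64 keys end in "="
            section[key.strip()] = value.strip()
    return cfg

def preflight(cfg_text, client_lan, server_lan, server_wan_ip, link_mtu=1500):
    """Return findings for the conflicts described in the guide (empty list = none)."""
    cfg = parse_wg_config(cfg_text)
    client_net, server_net = ipaddress.ip_network(client_lan), ipaddress.ip_network(server_lan)
    wan, findings = ipaddress.ip_address(server_wan_ip), []
    if client_net.overlaps(server_net):
        findings.append(f"LAN conflict: {client_net} and {server_net} overlap")
    if wan in CGNAT:
        findings.append("server WAN address is CGNAT: it cannot accept incoming connections")
    elif any(wan in net for net in RFC1918):
        findings.append("server WAN address is private: forward the UDP port upstream")
    allowed = [ipaddress.ip_network(a.strip()) for a in cfg["Peer"]["AllowedIPs"].split(",")]
    if not any(n.version == server_net.version and server_net.subnet_of(n) for n in allowed):
        findings.append(f"AllowedIPs does not cover the server LAN {server_net}")
    mtu = int(cfg["Interface"].get("MTU", 1420))
    if mtu > link_mtu - WG_OVERHEAD:
        findings.append(f"MTU {mtu} is above {link_mtu - WG_OVERHEAD} for a {link_mtu}-byte link")
    return findings
```

Calling `preflight(SAMPLE, "192.168.8.0/24", "192.168.8.0/24", "100.72.13.5", 1492)` reports the LAN conflict, the CGNAT address and the MTU; the CGNAT check only recognises the RFC 6598 range, so a carrier using other address space is not detected.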


Thanks @admon! Appreciate the post.


Thanks @admon! Great contribution as always.


Thanks for the guide! Well done @admon 👍🏻

@admon as good as always! Thanks ☺️

Thanks @admon for the tutorial! If an ISP uses CGNAT, but also provides an IPv6 address, can a WireGuard server be configured to use native IPv6 instead of having to use Tailscale?

This will still be dependent on your ISP. Some ISPs don't allow incoming connections even on IPv6. If that is the case, it will not work to have the server behind CGNAT. You will just have to see if your ISP allows incoming connection requests.