Issue with WireGuard Connection on GL.iNet Device

I am encountering an issue where my GL.iNet device is unable to establish a WireGuard VPN connection to a WireGuard server hosted on my Speedport router. I am able to connect to the same server without issues using the WireGuard mobile app, but the GL.iNet device fails to establish the connection. Below are the details of the issue:

  • Device Model: GL-MT300N
  • Firmware Version: v4.7.4
  • WireGuard Server IP: The IP address of the WireGuard server hosted on my Speedport router

WireGuard Client Configuration:
* Interface: wgclient
* Endpoint: MYIP:53280
* Allowed IPs: 0.0.0.0/0
* Persistent Keepalive: 25 seconds

LOGS:

root@network:~# logread -f
Tue Jun 3 23:46:05 2025 daemon.notice netifd: Interface 'wgclient' is setting up now
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[4489]: exiting on receipt of SIGTERM
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10157]: Connected to system UBus
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: started, version 2.85 cache disabled
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: DNS service limited to local subnets
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: UBus support enabled: connected to system bus
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq-dhcp[10164]: DHCP, IP range 192.168.8.100 -- 192.168.8.249, lease time 12h
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: using only locally-known addresses for domain lan_chgd
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: using nameserver 1.0.0.1#53
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: using nameserver 1.1.1.1#53
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: read /etc/hosts - 4 addresses
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10164]: read /tmp/hosts.vpn/lan_hosts - 1 addresses
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq-dhcp[10164]: read /etc/ethers - 0 addresses
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: Connected to system UBus
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: started, version 2.85 cachesize 150
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: DNS service limited to local subnets
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: compile time options: IPv6 GNU-getopt no-DBus UBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth cryptohash DNSSEC no-ID loop-detect inotify dumpfile
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: UBus support enabled: connected to system bus
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq-dhcp[10443]: DHCP, IP range 192.168.8.100 -- 192.168.8.249, lease time 12h
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq-dhcp[10443]: IPv6 router advertisement enabled
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using only locally-known addresses for domain test
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using only locally-known addresses for domain onion
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using only locally-known addresses for domain localhost
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using only locally-known addresses for domain local
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using only locally-known addresses for domain invalid
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using only locally-known addresses for domain bind
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using nameserver 1.0.0.1#53
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using nameserver 1.1.1.1#53
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: using only locally-known addresses for domain lan
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: read /etc/hosts - 4 addresses
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq[10443]: read /tmp/hosts/dhcp.cfg01411c - 1 addresses
Tue Jun 3 23:46:05 2025 daemon.info dnsmasq-dhcp[10443]: read /etc/ethers - 0 addresses
Tue Jun 3 23:46:55 2025 daemon.info dnsmasq-dhcp[10443]: DHCPREQUEST(br-lan) 192.168.8.150 8c:53:e6:c8:5a:8b
Tue Jun 3 23:46:55 2025 daemon.info dnsmasq-dhcp[10443]: DHCPACK(br-lan) 192.168.8.150 8c:53:e6:c8:5a:8b LAPTOP
^Croot@network:~# sudo wg show
interface: wgclient
public key: KEY
private key: (hidden)
listening port: 35253
fwmark: 0x8000

peer: KEY
preshared key: (hidden)
endpoint: 84.190.204.221:53280
allowed ips: 0.0.0.0/0
transfer: 0 B received, 1.88 KiB sent
persistent keepalive: every 25 seconds
root@network:~#

Observation:

When I disable the firewall, I can connect to the VPN server!

Hello,

May I know which device's firewall it is, the GL router or the VPN server? If it is the GL router, what is the firewall rule?

BTW, as we did not find any issue in the log you attached in the thread, please PM me the syslog file for the issue.

When I disable the glinet router firewall: /etc/init.d/firewall stop

It seems like there is some misconfiguration in the firewall that even causes the error: iptables: Bad rule (does a matching rule exist in that chain?).

These errors are coming from the new firmware version v4.7.4.

Stop the firewall service first

/etc/init.d/firewall stop

Restore the default firewall config

cp /rom/etc/config/firewall /etc/config/firewall

Restart the firewall service

/etc/init.d/firewall start
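
The reset steps above overwrite /etc/config/firewall, which also discards any custom rules in it. As an added example (not code from the thread or from GL.iNet), this script performs the same reset but keeps a backup and lists named sections that the default config lacks; the backup directory /root/fw-backup, the --apply flag and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): reset the firewall config to the
# firmware default, but keep a copy of what was there before.

# backup_and_restore DEFAULT_CFG LIVE_CFG BACKUP_DIR
# Prints the backup path. Fails without touching LIVE_CFG if the default
# is missing or the backup cannot be written and verified.
backup_and_restore() {
    [ -f "$1" ] || { echo "no default config at $1" >&2; return 1; }
    [ -f "$2" ] || { echo "no live config at $2" >&2; return 1; }
    mkdir -p "$3" || return 1
    backup="$3/firewall.$(date +%Y%m%d-%H%M%S)"
    cp -p "$2" "$backup" || return 1
    cmp -s "$2" "$backup" || { echo "backup verification failed" >&2; return 1; }
    cp "$1" "$2" || return 1
    echo "$backup"
}

# lost_names DEFAULT_CFG OLD_CFG
# Heuristic: prints every "option name" value found in OLD_CFG but not in
# DEFAULT_CFG, i.e. named rules/zones/redirects the reset removed.
# Unnamed sections are not detected; compare the files by hand for those.
lost_names() {
    sed -n 's/^[[:space:]]*option name[[:space:]]*//p' "$2" |
    while IFS= read -r name; do
        sed -n 's/^[[:space:]]*option name[[:space:]]*//p' "$1" |
            grep -qxF -- "$name" || echo "$name"
    done
}

# Only acts when called with --apply (hypothetical flag chosen for this example).
if [ "${1:-}" = "--apply" ]; then
    /etc/init.d/firewall stop
    if b=$(backup_and_restore /rom/etc/config/firewall \
            /etc/config/firewall /root/fw-backup); then
        echo "previous config saved to $b"
        echo "named sections not present in the default:"
        lost_names /etc/config/firewall "$b"
    fi
    # Always bring the firewall back up, even if the restore failed.
    /etc/init.d/firewall start
fi
```

Anything the script lists should be reviewed and re-added deliberately, since one of the old entries may be what triggered the iptables errors in the first place.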

Hello,

Thank you for your feedback and the solution.

I would like to clarify the device model again: you mentioned the MT300N above, but this model does not have v4.7 firmware. May I know what the model is?

In the 2 syslogs you sent, we did not find the WireGuard VPN client issue; we only saw the

Please export the entire log from GL GUI > System > Log > Export Log.

Hello,

Please find below the required information.

  • Model: GL.iNet GL-MT3000
  • Architecture: ARMv8 Processor rev 4
  • OpenWrt Version: OpenWrt 21.02-SNAPSHOT r15812+912-46b6ee7ffc
  • Kernel Version: 5.4.211

Syslog has been sent via PM.