I am trying to set up a VPN server using the Flint and Slate AX routers. I also have a router from my ISP (AT&T) that I have to use. I’ve put the ISP’s router (BGW320-500) in IP Passthrough mode and turned off the Wi-Fi on the ISP’s router.
I set up a WireGuard server on my Flint and tried to port forward from the ISP’s router. I’m pretty sure the port forwarding hasn’t been successful. Should I have my Flint connected to my ISP’s router through Ethernet?
Also, I set up a WireGuard client on my Slate AX, but it doesn’t seem to be working. I copied the configuration over from the config I created on the Flint router.
I am feeling stuck and frustrated that I am currently unable to use my new routers. Please provide me with some assistance.
Try setting Bridged Mode on the AT&T router instead of IP Passthrough Mode. They are different: bridge mode puts the Flint router on the Internet directly with a public IP address, without requiring any port forwarding.
Connect the Flint router WAN port to the AT&T router LAN port using an Ethernet cable. Set up DDNS and create a new WireGuard server configuration file for the Slate AX client device.
I do not work for and am not directly associated with GL.iNet.
Has anybody figured this out!? I have the same setup and the same issue. I see the handshakes going between the client (my phone with the WireGuard app) and the server (my Flint router), but there is no access to the Internet. Seems like quite a few people have the same issue.
Hey @bring.fringe18 @LupusE, thank you for all the replies. Sorry, I was out of town. Just got back and ran all the commands; here are the results:
root@GL-AX1800: curl http://ipecho.net/plain; echo
107.201.230.59
root@GL-AX1800: ping -c2 1.1.1.1; ping -c2 cloudflare.com
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: seq=0 ttl=56 time=8.423 ms
64 bytes from 1.1.1.1: seq=1 ttl=56 time=8.097 ms
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 8.097/8.260/8.423 ms
PING cloudflare.com (104.16.132.229): 56 data bytes
64 bytes from 104.16.132.229: seq=0 ttl=56 time=8.103 ms
64 bytes from 104.16.132.229: seq=1 ttl=56 time=7.832 ms
--- cloudflare.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 7.832/7.967/8.103 ms
root@GL-AX1800: nmap 192.168.8.1 -sU -p 51820
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-18 09:22 MST
Nmap scan report for console.gl-inet.com (192.168.8.1)
Host is up.
PORT STATE SERVICE
51820/udp open|filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds
I also tried running nmap on the AT&T router that is used as a dummy router to do IP Passthrough from:
root@GL-AX1800: nmap 192.168.1.254 -sU -p 51820
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-18 09:25 MST
Nmap scan report for 192.168.1.254
Host is up (0.0013s latency).
PORT STATE SERVICE
51820/udp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
If 192.168.1.254 is your public IP (Internet/WAN side) of the ATT router/modem/whatever, then port 51820 is closed. See my aforementioned post for an example of how it looks when it’s open. You can confirm your public IP address via ipleak.net.
Can you log onto the ATT router/modem/whatever via some sort of GUI & look for a setting for ‘bridged mode’ or ‘DMZ’? The former will put the device more in line with a modem… which we want. DMZ should give options to mark a specific device on your network to be ‘outside’ of the ATT router/modem/whatever’s firewall. That’s the second best choice if there’s no bridging. The Flint will act as the firewall/router exposed directly to the Internet rather than being ‘behind’ (therefore blocked by!) the ATT router/modem/whatever.
(In case you can’t tell I rather dislike these all-in-one ‘combo units’ ISPs provide; they’re more trouble than they’re worth. Gimme a modem; just a modem, damnit!)
We have a CLIENT-SERVER setup. The client reaches out to the server and hopefully gets an answer.
The WireGuard client can be installed on a router or on a device (laptop/mobile/IoT thing/…). This is the device that needs to have access to the unsecured Internet. From the device with the WireGuard client, you try to reach the WireGuard server with nmap.
The WireGuard server can be in the same network (LAN), but I doubt the connection will be established… It is a tunnel through the Internet (WAN).
First you have a WireGuard server, and you need the IP of this device: root@SERVER: curl http://ipecho.net/plain; echo
Now you know the WAN IP the server is listening on.
Next you switch to the client and try to reach the VPN server as the VPN client would do it: root@CLIENT: nmap [IP from command before] -sU -p 51820
Now you should get a STATE: open. If not, you need to analyze why.
Check if the WireGuard SERVER is listening (netstat lists listening sockets; nmap has no -tulpen option): root@SERVER: netstat -tulpen | grep 51820
Check if the SERVER can reach the Internet: root@SERVER: ping -c2 cloudflare.com
Check if port forwarding on the transfer router is working.
Just look at google. I don’t know the AT&T modems/routers.
Check if the CLIENT can reach the Internet: root@CLIENT: ping -c2 cloudflare.com
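A small Python diagnostic (added example, not code from the thread or from GL.iNet) that applies the checks above to a client config and an nmap -sU result: it flags an Endpoint that is a LAN address (the scans in this thread targeted 192.168.x.x), compares it with the server's WAN IP, and reads nmap's STATE column; the config, IPs and nmap text are constructed samples.

```python
import ipaddress
import re

# Constructed sample client config (not from the thread): the Endpoint points at the
# server's LAN address, which a client outside that LAN can never reach.
CLIENT_CONF = """[Interface]
PrivateKey = <redacted>
Address = 10.0.0.2/24

[Peer]
PublicKey = <redacted>
Endpoint = 192.168.8.1:51820
AllowedIPs = 0.0.0.0/0
"""
# Constructed nmap -sU output in the same shape as the transcripts above.
NMAP_OUT = """PORT      STATE         SERVICE
51820/udp open|filtered unknown
"""
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_endpoint(conf):
    """Return (host, port) from the [Peer] Endpoint line of a WireGuard config."""
    m = re.search(r"^\s*Endpoint\s*=\s*([^:\s]+):(\d+)", conf, re.M)
    if not m:
        raise ValueError("no Endpoint line in config")
    return m.group(1), int(m.group(2))

def parse_nmap_udp_state(output, port):
    """Return the STATE column nmap printed for <port>/udp, or 'absent'."""
    m = re.search(rf"^{port}/udp\s+(\S+)", output, re.M)
    return m.group(1) if m else "absent"

def diagnose(conf, server_wan_ip, nmap_output):
    """Explain what the client's Endpoint plus an nmap -sU result say about reachability."""
    host, port = parse_endpoint(conf)
    if any(ipaddress.ip_address(host) in net for net in RFC1918):
        return f"endpoint {host} is a private address: only reachable inside that LAN, use {server_wan_ip}"
    if host != server_wan_ip:
        return f"endpoint {host} is not the server's WAN IP {server_wan_ip}"
    state = parse_nmap_udp_state(nmap_output, port)
    if state == "closed":
        return f"closed: ICMP port-unreachable came back, nothing forwards UDP {port} to the server"
    if state == "open|filtered":
        # WireGuard deliberately stays silent to packets that are not a valid handshake, so
        # nmap gets no reply; this state cannot distinguish 'forwarded' from 'dropped'.
        return f"open|filtered on UDP {port}: no reply, normal for WireGuard; confirm with 'wg show' handshake times"
    return f"unexpected nmap state {state!r} for UDP {port}"

if __name__ == "__main__":
    print(diagnose(CLIENT_CONF, "203.0.113.10", NMAP_OUT))
```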
Thanks everyone! I realized I had got myself the wrong setup. I didn’t actually need a second home router. Ended up buying a Raspberry Pi 4 and setting everything up in 20 minutes.
I don’t think that was the issue. There were three (!) IPs posted related to your WG endpoint ITT. Only one of them was the public-facing (WAN)/Internet one, and it wasn’t determined if it had the necessary UDP port open.
I’d reconsider setting it up again on the GL devices if the speed of the RPi4 doesn’t match close to their advertised WG specs.