Manual Wireguard client does not connect, works on other devices (PiVPN) — Beryl GL-MT1300

cataclysmic · February 20, 2021, 4:33pm

Got a new GL-MT1300 in order to serve as a Wireguard client hotspot on my PiVPN Wireguard server. Can’t get it to work.

Looking in the forums I see another issue specifically on the GL-MT1300. As well as other reports of issues on other routers when using PiVPN Wireguard servers (1, 2).

The server and the client configurations work great on mobile devices and desktop I have tested on. When I input manually, or via .conf file, or via QR code using the GL.iNet app, it does not work. It spins on “connecting” and then the button changes to “abort.”

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.6.0.8/24
DNS = 4.2.2.6, XXX.XXX.70.25

[Peer]
PublicKey = eORRje665wbNMXkUWYreV8II9Ockx9UJ2bFHpW$
PresharedKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Endpoint = XXXXX.mynetgear.XXX:15797
AllowedIPs = 0.0.0.0/0, ::0/0

I tried removing the IPv6 entry under allowed IPs in both the server variables and in the conf file, as I read GL.iNet does not play nice with IPv6. I tried removing the two DNS entries in the server config, leaving it at just one DNS entry.

alzhao · February 24, 2021, 11:19am

Can you add one ListenPort in [Interface]?

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Address = 10.6.0.8/24
DNS = 4.2.2.6, XXX.XXX.70.25
ListenPort = 25794

cataclysmic · February 27, 2021, 4:18pm

Thanks @alzhao

I reverted back to a PiVPN-configured OpenVPN server to see if I could get the Beryl to connect to any VPN server. During this process I realized I had mistakenly not forwarded the correct ports on the server side for the initial Wireguard setup mentioned above.

The OpenVPN server did work after realizing my port forwarding mistake.

I then tried to again to configure a Wireguard server with PiVPN and see if the Beryl would now connect with the port forwarding issue fixed.

In the GL.iNet web interface it now will show as connected, but shows only a few bytes of upload data. I cannot access the web through the router when it’s connected, nor can I connect to local IPs on the other side of the VPN. (I have tested the Wireguard config and server does work properly with an iOS device.)

To your suggestion above, @alzhao, the server appears to provide a ListenPort upon connection. I did try pre-filling it with the port you mentioned — it made no difference.

I also have removed the “, ::00/0” part of the AllowedIPs entry on the Beryl so as to avoid IPv6 issues.

Client .conf:
[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.6.0.8/24
DNS = 209.244.0.3, 209.244.0.4

[Peer]
PublicKey = ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ=
PresharedKey = YYYYYYYYYYYYYYYYYYYYYYYYYYYY=
Endpoint = XXXXXXXXX.mynetgear.com:51820
AllowedIPs = 0.0.0.0/0, ::0/0

Server prefs:
PLAT=Raspbian
OSCN=buster
USING_UFW=0
IPv4dev=eth0
dhcpReserv=1
IPv4addr=192.168.1.XX/24
IPv4gw=192.168.1.1
install_user=pi
install_home=/home/pi
VPN=wireguard
pivpnPORT=51820
pivpnDNS1=209.244.0.3
pivpnDNS2=209.244.0.4
pivpnHOST=XXXXXXXX.mynetgear.com
INPUT_CHAIN_EDITED=0
FORWARD_CHAIN_EDITED=0
pivpnPROTO=udp
pivpnDEV=wg0
pivpnNET=10.6.0.0
subnetClass=24
ALLOWED_IPS=“0.0.0.0/0, ::0/0”
UNATTUPG=1
INSTALLED_PACKAGES=(unattended-upgrades)

alzhao · February 28, 2021, 3:34am

Not sure if somewhere makes trouble about UDP.

Or just change server port and try.

cataclysmic · February 28, 2021, 1:47pm

Thanks for your help, I tried UDP port 15797 as well and had the same issue.

What do mean that the UDP may be causing the issue? What kind of workaround did you have in mind — TDP?

Can I run a traceroute or pull something from the router’s logs that would help you see why the router won’t pass internet over this connection?

Appears to be the same issue as this other thread, with the router showing as a connected client but no internet connection a minuscule amount of download data (link).

PiVPN is almost certainly the easiest way to set up a personal Wireguard server on any Linux machine, including a Raspberry Pi. I think it makes a lot of sense for GL.iNET to support it out of the box — or with minimal modifications that we can document here in the forums. As I mentioned in the first post, several others have had issues getting GL.iNET to play nice — this is definitely something that people are buying these routers for.

PiVPN Github (link).

Riho-shuu · March 3, 2021, 3:08am

Hi cataclysmic,

Do you mind sending me the configuration to let me have a try?

My email: marin.zhou@gl-inet.com

funfun · March 7, 2021, 2:47pm

I had a similar issue with my WG-client configuration. The problem was solved by setting “mtu = 1280” in both sides (server and client).

Hope this helps you too!

belnas · May 11, 2021, 2:07pm

same issue here:

Same wireguard configuration works on one device (iphone),
but fails to connect on Beryl. (shows orange dot, no internet)

so, it seems like an issue from GL.Inet side…

any advise?

here the configs:

:::: Server configuration shown below ::::
[Interface]
PrivateKey = xxx
Address = 10.6.0.1/24
MTU = 1280
ListenPort = 51820

begin user1

[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 10.6.0.2/32
PersistentKeepalive=25

end user1

begin user2

[Peer]
PublicKey = xxx
PresharedKey = xxx
AllowedIPs = 10.6.0.3/32
PersistentKeepalive=25

end user2

USER1.conf

[Interface]
PrivateKey = xxx
Address = 10.6.0.2/24
MTU = 1280
DNS = 10.6.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = xxxx.ddns.net:51820
AllowedIPs = 0.0.0.0/0, ::0/0

USER2.conf

[Interface]
PrivateKey = xxx
Address = 10.6.0.3/24
MTU = 1280
DNS = 10.6.0.1

[Peer]
PublicKey = xxx
PresharedKey = xxx
Endpoint = xxxx.ddns.net:51820
AllowedIPs = 0.0.0.0/0, ::0/0

funfun · May 11, 2021, 6:58pm

Can you double check your “server” ListenPort and your Endpoint’s?

The persistent keepalive setting should also go in the client configs and not in the server.

What do you see on the server side wjen you try to connect with the beryl?

Also, can you set a well known DNS (eg. 1.1.1.1) first to discard potential sources of problems?

belnas · May 12, 2021, 7:38am

thanks for the suggestions,

listenport and endpoints are the same 51820
same behaviour with 1.1.1.1 dns
the server (pivpn) doesn’t see any connection attempt

the strange thing is that the very same user1.cnf file works flawlesly when used in another device (wireguard iphone app).

don’t know what to try next

funfun · May 22, 2021, 2:17pm

Can you verify (e.g. with netcat or nmap) that you actually have connectivity to that UDP port from the Beryl itself?

It is very strange… I’ve used several different custom wireguard configs in the beryl without issues.

cataclysmic · October 20, 2021, 10:11am

Hi @Riho-shuu @alzhao, Do you know if this was the issue fixed in firmware V3.203?

" * Fixed the problem that when WireGuard’s Allowed IPs are not set with global proxy address, router will be unable to access the internet."

Or was that a different issue? Thank yoi

alzhao · October 20, 2021, 3:09pm

I have no idea of what is this.

exohunt · November 7, 2021, 2:41pm

Same problem with Wireguard client on 3.203

mattbridges · January 9, 2022, 10:16pm

Realise this is old but I was having the same issue (using pivpn as well) turns out I needed to copy the preshared key over as well (wasn’t picking it up with the qr code). Not sure if this will help.

chaserpeek · January 13, 2022, 9:22pm

I have same problem. Some people have solved this issue ? Thanks.

cataclysmic · April 3, 2022, 9:38pm

@mattbridges just to confirm are you hosting a Wireguard PiVPN server and accessing it from your travel router as a client? Or are you using OpenVPN? Thanks

mattbridges · April 5, 2022, 8:23am

Yes that’s it, hosting a pivpn server and accessing it from my travel router as a client.

ruse · October 7, 2022, 2:24am

I have the same issue. Anyone got this working?