[MT-3000] Beryl AX - Issue with Wireguard after Update

Hello,

I have been using my Beryl AX (MT-3000) for quite a while and have always been satisfied with it. However, i have now noticed that since the update to v4.7.0, there is a problem with Wireguard and my Fritz!Box 7530 AX (Wireguard Server). The connection can be established and i can also reach my internal network devices, but i can no longer access websites, etc.
I then deleted the connection completely and set it up again. When importing the config (generated by the Fritz!Box), my Beryl AX always shows me an error: incorrect parameter, but it does not indicate which parameter is incorrect.

I then did a complete downgrade to version v4.6.2 and was able to import the config without an error message. Wireguard also works as expected here. I don't know exactly when this error occurs, but for me version v4.6.2 is the last working one.

Here is my config that the Fritz!Box has created and i have changed a bit:

[Interface]
PrivateKey = EOLdsxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Address = 192.168.xxx.202/24
DNS = 192.168.xxx.1

[Peer]
PublicKey = bMzqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
PresharedKey = Isebxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
AllowedIPs = 192.168.xxx.0/24,0.0.0.0/0
Endpoint = xxxxxx.de:55xxx
PersistentKeepalive = 25

This config works with version v4.6.2 but not with v4.7.0.

Please check the current version.
Thank you very much!

Hi,

did you manually input/fill in the VPN configuration, or directly upload the VPN profile?

Please try directly uploading the VPN profile, since the 4.7.0 has aware issue, at some point, manually input/fill in the VPN Configuration may have parameter verification errors. It will be improved in the next version firmware.

I can confirm the bug with the parameter validation. I have tried both importing and manual input.

As already mentioned, there is also an issue with the connection itself. When i received my Beryl AX, it had firmware version v4.5.0 installed. I set everything up, including Wireguard, and it worked without any problems. During this time, i always made the updates that were available. On one of my last trips (a version prior to v4.7.0 was definitely installed), i noticed that the VPN connection to my home network was established and i could also reach my network devices, but i could not connect to the Internet.

When i got back home, i wanted to investigate the problem and first updated to version v4.7.0. When i then imported the config, however, i received the same error: Connection to the home network yes, to the Internet no. When i entered it manually, one parameter was always shown as invalid, but as i said, not which one. I looked to see on which trip the problem with Wireguard did not exist and downgraded to that version, which in my case was v4.6.2. On my trip last week everything worked as expected. So there is definitely not only a problem with the parameter validation, but also with the connection setup itself.

Is AllowedIPs and Address maybe the same network?
Since you censored your private IPs (which isn't necessary) I can't tell.

The networks are not the same :wink:

We are aware of the issue, it caused by the configuration file containing the PresharedKey field, and issue with parameter validation.

Please do not paste to import, directly upload the profile to import.

Next firmware version will improve this. Thank you.

1 Like

Is this also the reason for the problem with the connection establishment? Will this also be fixed in the new version?

No problem about establishing connection.

Maybe you need to check it:

Interesting, i can only tell you that after version v4.6.2 there is definitely the problem i described. I have not made any changes to the configuration.

A completely new connection behaves in the same way. After downgrading to v4.6.2 and importing the configuration file (i never simply added the values by copy & paste), the connection was established as expected and the home network and Internet was accessible.

Could you please share your VPN profile with me, I manage to check this profile in my router with v4.7.0. If you like to share, please PM me the profile file.

Or PM me the syslog which in the v4.7.0 VPN connects issue.

This has been my issue. If I remove the PresharedKey from both client config and from the related [peer] in the server config, the connection fully establishes, and I'm able to work with it.

However, if the PresharedKey is left on the server side config, Beryl connects but never establishes. It just hangs indefinitely.

Uploading the client config file (rather than typing it in via the UI or using the dialog) works for me.

1 Like

I have manually updated from version v4.6.2 step by step for testing.
I was able to clearly determine that the described behavior with the faulty connection already occurs from version v4.6.8. I have sent you the log files from v4.6.4 and v4.6.8 via PM.

That's good to know!
Since the Fritz!Box creates the configuration, i can't influence it.

Thanks.

There is no problem of the WGClient VPN connection from the 4.6.8 syslog, but the websites?

What the DNS address is, point to the VPN server (Fritz!Box)?

Yes, it´s the internal ip of the Fritz!Box (Wireguard Server).

I have also noticed that the problem with parameter validation probably already existed before v4.7.0. The Fritz!Box creates a file called wg_config.conf, if i import this, then the WG connection in Beryl AX is also named like this. With v4.6.4 i could rename the connection, with v4.6.8 not. It shows the same behavior as with v4.7.0, it´s not possible to save because a parameter is supposedly invalid.

Hello,

The MT3000 has v4.7.4 beta firmware and it available to update, and it already improve the parameter validation issue, please try this firmware and test it one more. If available, please do not 'keep settings' to upgrade.

The issue about parameter validation existed on v4.7.0 firmware, the early version has not this.

I have tested the beta v4.7.4 and can confirm that both problems (parameter validation and connection establishment) no longer exist!

But i have to disagree with you, in my tests i was able to prove that the problem with parameter validation already occurred in v4.6.8. This is because i always used the same WG configuration file for my tests. I cannot say whether it is the same problem as in v4.7.0. But in v4.6.4 the configuration file was accepted without error and in v4.6.8 the message regarding the faulty parameter appeared.

1 Like

Hello
I had this problem too after updating to 4.7.0 /invalid params...

But now wireguard works by making a profile on the router side.

I have windscribe vpn

  1. I deleted the phone profile (profiles in phone)
  2. I went to the web edition and made a new profile "windscribe" on the router side. (vpn/WireGuard Client/new group)
  3. Then i load the config file i created on my vpn providers windscribe web page.
  4. Get to the phone, changing to "profiles in router", find manual profile winsdcribe, enable and OK!
    Now the wireguard is running from the router profile.
    i have beryl ax 4.7.0
    I hope i helped.

Dont know which is beter, phone or router profile but it worked.
(if i make an update, the router-side profiles are deleted? or am i ok? )

That is good way to do on the v4.7.0, thanks for your share.

If you upgrade the firmware with "keep settings", the router configuration including the VPN profile will be saved.
You can try to upgrade the firmware version to beta v4.7.4, this issue is already improved.

https://dl.gl-inet.com/router/mt3000/beta

1 Like