My GL-MT6000 Flint 2 with WireGuard Server is connected but the client (mobile) cannot connect to it

I’m trying to set up a WireGuard client via the mobile app and connect to the server at home, a GL-MT6000 Flint 2.

Via the VPN Dashboard:
The WireGuard Server is enabled, with no clients.
The WireGuard Client (mobile) shows as active, but there is no internet.

How do I establish an internet connection on the mobile client and the server?

References:

Steps:

  1. Make sure the Internet Service Provider assigns you a public IP address:
     https://tool.gl-inet.com/ip - OK
     https://ip.gs/ - Supported

  2. Network Topology
     • Have a main router, then the GL.iNet router is under the main router
       Set up a port forwarding on the main router
     • Dynamic DNS
       Enable DDNS - Enabled
       HTTPS Remote Access - Enabled
       SSH Remote Access - Enabled

  3. Set up WireGuard Server

[Interface]
Address = 10.1.0.2/24
PrivateKey =
DNS = 8.8.8.8
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0, 192.168.< mainmodem >.0/24, 192.168.< GL-MT6000 >.0/24
Endpoint = :51820
PersistentKeepalive = 25
PublicKey =
PresharedKey =

WireGuard Server Options
Remote Access LAN - Enabled
IP Masquerading - Enabled
MTU - Blank
Client to Client - Disabled

  4. Check WireGuard Client App - iOS
     • OK, activated but still no Internet

Very strange config for the server. In the Interface section you must write "ListenPort = " and forward this UDP port on the main router. In the Peer section you don't need to set the endpoint port; it may be random. Then AllowedIPs 0.0.0.0/0 - you already include all other IPs.
Also, can you please post the config of the client without sensitive information?
WireGuard is a stateless technology; even if you see the server working, it doesn't mean anything.
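As an added illustration (not code from the thread or from GL.iNet), a small Python checker for the three points raised in this reply, run over a constructed config shaped like the one in the question; the `parse_wg`/`check_wg` names and the 192.168.x.0/24 values are my own, and it treats a config whose peers carry no Endpoint as the listening side that needs a fixed ListenPort.

```python
import ipaddress

# Constructed sample shaped like the posted config; 192.168.1.0/24 and
# 192.168.8.0/24 stand in for the "< mainmodem >" / "< GL-MT6000 >" placeholders.
CLIENT_SAMPLE = """[Interface]
Address = 10.1.0.2/24
PrivateKey =
DNS = 8.8.8.8
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0, 192.168.1.0/24, 192.168.8.0/24
Endpoint = :51820
PersistentKeepalive = 25
PublicKey =
PresharedKey =
"""

def parse_wg(text):
    """Parse a wg-quick style config into a list of (section, {key: value})."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def check_wg(text):
    """Report the points raised in the reply above as a list of findings."""
    findings = []
    sections = parse_wg(text)
    iface = next((kv for name, kv in sections if name == "Interface"), {})
    peers = [kv for name, kv in sections if name == "Peer"]
    # The side that gets dialed (no Endpoint on its peers) needs a fixed
    # ListenPort: that is the UDP port the main router must forward.
    if peers and not any(p.get("Endpoint") for p in peers) and not iface.get("ListenPort"):
        findings.append("Interface: ListenPort missing; set it and forward that UDP port")
    for i, peer in enumerate(peers, 1):
        endpoint = peer.get("Endpoint", "")
        if endpoint and not endpoint.rpartition(":")[0]:
            findings.append(f"Peer {i}: Endpoint has no host (DDNS name or public IP)")
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",") if n.strip()]
        defaults = {n.version for n in nets if n.prefixlen == 0}
        for n in nets:
            if n.prefixlen and n.version in defaults:
                findings.append(f"Peer {i}: AllowedIPs {n} is already covered by the default route")
    return findings
```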

The WireGuard client Listen Port is automatic. A random Listen port is generated after it is set to Active status. Are you suggesting I provide a static value?

UDP port forward on the main router.
I’ve configured the main router to have a UDP port forward to the internal host IP of my GL-MT6000, with 51820 as the internal port number.

In the Peer section you don't need to set the endpoint port; it may be random.

  • I’m using the dynamic DNS of the main public IP of the internet provider, linked in my main router.

Then AllowedIPs 0.0.0.0/0 - you already include all other IPs.

  • I found another forum topic recommending to specify it. Nevertheless, I tried both and it is still not working.

Could you recommend other steps to check and fix this issue?

Check your firewall. Mine is like this:

image

Thanks, I tried it but am still getting a “Handshake did not complete after 5 seconds” in my WireGuard client mobile app log.

Below is the list of configurations I’ve made in the GL-MT6000 modem:

/cgi-bin/luci/admin/network/firewall/zones

*Note: unlike yours, I do not have an option to add "Allow forward to destination zones: wgserver".

/cgi-bin/luci/admin/network/firewall/forwards

/cgi-bin/luci/admin/network/firewall/rules

I’ve also tried deleting and re-adding the WireGuard client profile, just to make certain that the keys in the configuration file are correct. Likewise, I restarted the WireGuard server multiple times.

Could you recommend other steps to check and fix this issue?

You don’t need to tweak the firewall manually.
Please run the following commands on the MT6000 to determine whether traffic reaches it.

opkg update
opkg install tcpdump
tcpdump -i eth1 -s0 -n port 51820