My GL-MT6000 Flint 2 with WireGuard Server is connected but the client (mobile) cannot connect to it

I’m trying to setup a wireguard client via mobile app and connect to the server at home using GL-MT6000 Flint 2.

Via VPN Dashboard:
The WireGuard Server is enabled, with No Clients
The WireGuard Client (mobile) shows is active but there is no internet.

How to establish an internet connection on client mobile and server ?

References:

Steps:

1. Make sure Internet Service Provider assigns you a public IP address:
   https://tool.gl-inet.com/ip - OK
   https://ip.gs/ - Supported

2. Network Topology

   • Have a main router, then the GL.iNet router is under the main router
     Setup a port forwarding on the main router

• Dynamic DNS
  Enable DDNS - Enabled
  HTTPS Remote Access - Enabled
  SSH Remote Access - Enabled

3. Setup WireGuard Server

[Interface]
Address = 10.1.0.2/24
PrivateKey =
DNS = 8.8.8.8
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0, 192.168.< mainmodem >.0/24, 192.168.< GL-MT6000 >.0/24
Endpoint = :51820
PersistentKeepalive = 25
PublicKey =
PresharedKey =

WireGuard Server Options
Remote Access LAN - Enabled
IP Masquerading - Enabled
MTU - Blank
Client to Client - Disabled

4. Check Wireguard Client App - IOS

• OK, Activated but still no Internet

Very strange config for server. In section Interface you must write "Listen port = " and this UDP port forward on main router. On Peer section you dont need take endpoint port, it may be randomly. Then AllowedIP 0.0.0.0/0 - you allready include all others IPs.
Also can you please post config of client without sensetive information.
WireGuard is a stateless technology, even if you see server work, it doesent mean anywhere.

The Wireguard client Listen Port is automatic. A random Listen port is generated after it is being set to Active Status. Are you suggesting to provide a static value ?

image721×435 49.9 KB

UDP port forward on main router.
I’ve configured the main router to have UDP port forward on the internal host ip of my GL-MT600 with 51820 as the internal port number.

image886×377 16.1 KB

On Peer section you dont need take endpoint port, it may be randomly.

• I’m using the dynamic dns of the main public ip of the internet provider linked in my main router.

Then AllowedIP 0.0.0.0/0 - you allready include all others IPs.

• I found in other forum topic recommending to specify it. Nevertheless , tried both still not working.

Could you be able to recommend other steps to check and fix is this issue?

Check your firewall. Mine is like this:

Thanks, i tried it but still am getting a “Handshake did not complete after 5 seconds” in my wireguard client mobile app log.

Below is the list of configurations I’ve made in the GL-MT6000 modem:

/cgi-bin/luci/admin/network/firewall/zones

image957×107 8.18 KB

*Note, unlike yours, I do not have an options to add: Allow forward to destination zones : wgserver

image629×671 42.8 KB

/cgi-bin/luci/admin/network/firewall/forwards

image952×83 6.76 KB

/cgi-bin/luci/admin/network/firewall/rules

image975×101 6.3 KB

I’ve also tried to delete and add back again the wireguard client profile just to make certain that the keys in the configuration file are correct. Likewise, restarted the wireguard server multiple times.

Could you be able to recommend other steps to check and fix this issue?

You don’t need to tweak firewall manually.
Please use the following command on MT6000 to determine if traffic reaches MT6000.

opkg update
opkg install tcpdump
tcpdump -i eth1 -s0 -n port 51820

GL.iNet GL-MT6000 v4.6.0-op24
Architecture
ARMv8 Processor rev 4
OpenWrt Version
OpenWrt 24.0 r26550+32-eea666d583
Kernel Version
6.6.32

Screenshot 2024-08-11 0816392524×1392 169 KB

Screenshot 2024-08-11 0817151496×1297 65.5 KB

anyone know what package missing here?

No package missing.

GL uses some special connector to modify wireguard config - that's why "protocol not supported" is shown.