I’ve been using my Opal router as a WireGuard server and accessing the internet through my home network connection while abroad just fine. I set up port forwarding on my ISP router, so no problems there.
Now I’m trying to set up a WG server abroad where I am and trying to run a WG client on my Opal router.
So both ends will be running WG server and client providing tunnel connection on each end.
I transferred the WG config so it’s connecting. It gives a timeout error in the logs.
I opened another port, 41495, on my ISP router, which sits in front of the Opal router. This is the port in the WG client config.
I also opened port forwarding on my away router, which is a Keenetic.
Any idea why it’s not working?
Or is there an easier way to achieve what I’m trying to do?
REKEY-TIMEOUT usually means WireGuard sent handshake packets but did not receive a valid reply. So this is almost always a routing/NAT/port/key mismatch, not an “authentication login” problem.
The biggest thing: do not think of the WireGuard client port as something you must forward. The port you forward is the server/listener’s UDP port.
For this setup, do this:
Pick only one side as the reachable “server”
Example: Away/Keenetic side runs WG server on UDP 41495.
Home/Opal runs WG client and connects to away-public-ip:41495.
On the away/Keenetic router:
Forward UDP 41495, not TCP.
Forward it to the actual WireGuard server device.
Confirm the Keenetic WAN IP is a real public IP, not CGNAT.
On the Opal WG client config:
Endpoint = away-public-ip-or-ddns:41495
PersistentKeepalive = 25
AllowedIPs should include only what you want routed through the away side.
Do not run two competing WG tunnels for the same routes
If both ends are “server and client” at the same time, you can create routing conflicts.
For site-to-site, one tunnel is enough. WireGuard is peer-to-peer; “server/client” is mostly UI language.
Check subnet conflicts
If both homes use 192.168.1.0/24, routing will break or behave strangely.
Change one side to something like 192.168.50.0/24.
Verify public reachability
On the Keenetic side, compare WAN IP with whatismyip.
If they differ, the away side is behind CGNAT. Port forwarding will not work.
In that case use Tailscale/ZeroTier, or a VPS WireGuard relay.
Most likely mistake in the pasted case: they opened port 41495 on the ISP router in front of the Opal because it appears in the WG client config. That is not useful if Opal is the client. The port must be forwarded on the side being used as the WireGuard Endpoint/server.
Easiest clean solution: make only one side the WG server, make the other side the WG client, enable PersistentKeepalive = 25, and avoid overlapping LAN subnets.
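The three checks above (is the away WAN address really public, do the two LANs overlap, and which peer has never completed a handshake) can be scripted. This is an added example, not code from the thread or from GL.iNet/Keenetic; the addresses and the handshake lines are constructed, and it assumes the `wg show <iface> latest-handshakes` output format (pubkey, tab, epoch seconds).

```bash
#!/usr/bin/env bash
# Constructed pre-flight checks for the one-server/one-client WireGuard layout.
# Pure arithmetic on addresses; no network access needed.

ip2int() {            # dotted quad -> 32-bit integer
    local IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {           # in_cidr ADDR NET/PREFIX -> exit 0 if ADDR lies inside NET/PREFIX
    local net=${2%/*} bits=${2#*/}
    local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Classify the router's WAN address: port forwarding only helps when it is "public".
wan_class() {
    if   in_cidr "$1" 100.64.0.0/10; then echo cgnat      # RFC 6598 shared address space
    elif in_cidr "$1" 10.0.0.0/8 || in_cidr "$1" 172.16.0.0/12 \
      || in_cidr "$1" 192.168.0.0/16; then echo private   # another NAT box in front
    else echo public
    fi
}

# CIDR blocks are either nested or disjoint, so two LAN prefixes overlap
# exactly when one network address falls inside the other block.
subnets_overlap() {
    if in_cidr "${1%/*}" "$2" || in_cidr "${2%/*}" "$1"; then echo yes; else echo no; fi
}

# Read `wg show <iface> latest-handshakes` lines (pubkey<TAB>epoch) on stdin and
# print the peers that have never completed a handshake (epoch 0), which is
# what a REKEY-TIMEOUT loop looks like from the listener's side.
peers_without_handshake() {
    awk -F'\t' '$2 == 0 { print $1 }'
}

# Constructed sample values, not taken from the thread's routers.
wan_class 100.72.3.9                             # cgnat
subnets_overlap 192.168.1.0/24 192.168.1.0/24    # yes
subnets_overlap 192.168.1.0/24 192.168.50.0/24   # no
printf 'AAAA=\t0\nBBBB=\t1700000000\n' | peers_without_handshake   # AAAA=
```

Run it on the Keenetic side with its real WAN address and with the output of `wg show` piped into `peers_without_handshake`; a `cgnat` or `private` result means forwarding UDP 41495 there cannot work.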
I understand WG is actually a tunnel and I was being wishful. I connected a wireless client to the Opal, but traffic didn’t route through the WG tunnel. Is there any way to make this happen?
Or can I add another peer to the WG connection on the Keenetic side?
I’m actually trying to bypass the Netflix household restriction for my Apple TV here, so Netflix will see it as coming from the other location.
This is what I have for the Keenetic WG server configuration - very limited.