I am not tech savvy at all and desperate for help! I have been trying to connect a Beryl to my home router (server) and then I want to connect a second Beryl as client, but I cannot even get past the first step! I have tried it with both OpenVPN and WireGuard but no luck. I have tried different values for the internal IP in the Firewall as well.
Firewall port forward: cc9 TCP/UDP wan 1 lan 184.108.40.206 1194 Enabled
WireGuard Server status: Allow Access Local Network
Ok - just to be a little more clear, you have two Beryl routers, one which you want to have at home acting as a VPN server, and the other you want acting as a client, is that correct? And you have Beryl 1 behind a router provided by your ISP, yes?
Ok - So for starters, in your port forwarding screenshot (from your home router), you’re going to want the port number to be 1194, not 1. If there’s a setting for TCP vs UDP, you’re going to want to select UDP.
You can delete the port forwarding in the Beryl - the GL.iNet people take care of that for you.
See if changing the port forward on your ISP router works first. It also may be helpful to connect the client device to a different network (phone tethering or something).
Oh my gosh it worked!! Thank you so much! I’ve been up all night trying to figure this out because clearly I’m an amateur!
It connected with OpenVPN, not WireGuard. But the connection is extremely slow, to the point where the Client Beryl won’t connect. Speed is hovering around 20 kB/s and this is the error message for the Client Beryl connection:
Network unreachable, restarting
SIGHUP[soft,network-unreachable] received, process restarting
I don’t think it’s working yet. The “network unreachable” tells me the client isn’t finding its way to the server Beryl. Let’s walk through the steps:
Your home connection from the internet (Shaw Cable in Canada?) goes through a modem to your Home Router. Those two things may be combined into one unit, and it would be helpful to know the brand/model to fine-tune this. Your home router needs to have a routable public IP address, which I’m hoping is the 220.127.116.11 address. More on that later. Let’s just call that the public IP address and come back and edit out the numbers later for security reasons.
Assuming that the public IP address is the Home Router WAN address, then on its LAN side it has a private IP address, which might be a 10.xx.xx.xx address or something else. If you plug the Beryl WAN port into one of the Home Router LAN ports, the Beryl will get a WAN port address in that private range of 10.xx.xxx.xx. Now, in the Home Router, we want to reserve that address for the Beryl, so it doesn’t change.
Now, on the Home Router, you want to forward a port (call it 1194 for the moment) in the Home Router, so something that rings that port on your Public IP will be forwarded to the same port on the Beryl WAN address. In this way, when you try to make a connection from out in the interwebs, the client Beryl will ring the Home Router, which forwards the request to the Beryl to answer.
The next step is to get the Beryl OpenVPN server working, and export the configuration file to the Beryl OpenVPN client device. If these 4 steps are in place, you may not make a successful connection but you should get a better error result.
Now, Shaw Cable may from time to time shift your public IP address, but probably not for weeks or months. You will want to set up a DDNS service to deal with that, but that’s down the road.
Also, you are using 10.0.0.1/24 as the internal subnet, which may conflict with the Beryl’s WireGuard and OpenVPN subnet. You need to change either your main router’s subnet, or change Beryl’s WireGuard and OpenVPN configuration.
I think the official documentation may skip over/mix up a few steps on the point the OP is having difficulty. I’ve never used my devices as a server behind a router so I’m not sure.
When the GL-iNet router behind another router exports the configuration file (without DDNS running), does it not export a file that has “remote [GL-iNet WAN Address] 1194”? That WAN address is likely to be a private IP. You would need to edit the configuration file to substitute the other router’s public IP address, at the least. Or can it identify the public IP address and stick it in instead?
The 3.x documentation on this point says to edit the config file to replace the DDNS address with the public IP address; the example then goes on to show the opposite, replacing the public IP address with the DDNS address. But it is really a question of editing the config file so that the remote statement points to a DDNS address or a static public IP, and not a private IP address.
If the GL-iNet router has the DDNS service running, I assume it tracks the public IP address of the front-facing router. Yes? So all that would be needed would be to reverse #2 in the documentation. An alternative would be to explore DDNS on the front-facing router or a reverse proxy.
Firmware 3.x on the GL-iNet router does export the configuration file with the Public IP address, not the private IP address. Firmware 4.x also exports the Public IP address, but allows you to choose to export the DDNS domain name.
It looks like the following statement is reversed, but, interestingly, the graphics are correct (attention: @alzhao):
2. Edit the configuration to replace DDNS url with your public IP address.
The OP is currently using the Public IP address 18.104.22.168 and, once VPN is at least working, should switch to using DDNS (no harm whether or not the 22.214.171.124 is dynamic or dedicated).
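Added example, not part of the thread and not GL.iNet's code: a Python check for the two configuration problems raised above, a `remote` line in the exported profile that points at a private address, and a home LAN that overlaps the VPN tunnel subnet. The sample profiles, the 203.0.113.10 address and the tunnel subnets are constructed; only the 10.0.0.1/24 LAN comes from the thread.

```python
import ipaddress

# RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space: none of
# these can be reached from the internet, so a remote client cannot dial them.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def remote_endpoints(profile_text):
    """Return (host, port) for every `remote` directive in an .ovpn profile."""
    endpoints = []
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = int(parts[2]) if len(parts) >= 3 else 1194
            endpoints.append((parts[1], port))
    return endpoints

def classify_remote(host):
    """'unroutable' for private/CGNAT IPs, else 'public-ip' or 'hostname'."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # e.g. a DDNS name, resolved at connect time
    if addr.version == 4 and any(addr in net for net in UNROUTABLE):
        return "unroutable"
    return "public-ip"

def subnets_conflict(lan_cidr, vpn_cidr):
    """True when the home LAN and the VPN tunnel subnet overlap."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    vpn = ipaddress.ip_network(vpn_cidr, strict=False)
    return lan.overlaps(vpn)

# Constructed sample profiles (addresses are illustrative, not from the thread).
BAD_PROFILE = "client\ndev tun\nproto udp\nremote 192.168.1.23 1194\n"
GOOD_PROFILE = "client\ndev tun\nproto udp\nremote 203.0.113.10 1194\n"

if __name__ == "__main__":
    for name, text in (("bad", BAD_PROFILE), ("good", GOOD_PROFILE)):
        for host, port in remote_endpoints(text):
            print(name, host, port, classify_remote(host))
    # 10.0.0.1/24 is the LAN from the thread; the tunnel subnets are sample values.
    print(subnets_conflict("10.0.0.1/24", "10.0.0.0/24"))
    print(subnets_conflict("10.0.0.1/24", "10.8.0.0/24"))
```

A result of `unroutable` means the `remote` line has to be edited to the front-facing router's public IP or a DDNS name before the client can connect from outside.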