Setting up Wireguard VPN Fails

Hello,

I’m pretty new to all of this, but in essence I tried using VPN using the Wireguard client. I’m using Surfshark, but currently I’m pushing the VPN configuration settings through the app.
I generated conf settings that I can use and connect without issues with my phone.

This is the log, I don’t really understand the issue:

Sun Dec 28 19:05:43 2025 user.notice nat6: Firewall config="wgclient1" zone="wgclient1" zone_masq6="1".
Sun Dec 28 19:05:44 2025 daemon.info dnsmasq[16133]: read /tmp/hosts/dhcp.wgclient1 - 3 addresses
Sun Dec 28 19:05:44 2025 user.notice nat6: Firewall config="wgclient1" zone="wgclient1" zone_masq6="1".
Sun Dec 28 19:05:45 2025 daemon.notice netifd: Interface 'wgclient1' is now down
Sun Dec 28 19:05:45 2025 user.notice firewall: Reloading firewall due to ifdown of wgclient1 ()
Sun Dec 28 19:05:45 2025 user.notice nat6: Firewall config="wgclient1" zone="wgclient1" zone_masq6="1".
Sun Dec 28 19:05:50 2025 daemon.notice netifd: Interface 'wgclient1' is setting up now
Sun Dec 28 19:05:50 2025 user.notice nat6: Firewall config="wgclient1" zone="wgclient1" zone_masq6="1".
Sun Dec 28 19:05:50 2025 user.notice nat6: Found firewall zone_name="wgclient1" with zone_masq6="1" zone_masq6_privacy="1".
Sun Dec 28 19:05:50 2025 user.notice nat6: Setting up masquerading nat6 for zone_name="wgclient1" with zone_masq6_privacy="1"
Sun Dec 28 19:05:50 2025 user.notice nat6: Ensuring ip6tables chain="zone_wgclient1_postrouting" contains our MASQUERADE.
Sun Dec 28 19:05:50 2025 user.notice nat6: Ensuring ip6tables chain="zone_wgclient1_input" contains our permissive DNAT rule.
Sun Dec 28 19:05:50 2025 user.notice nat6: Ensuring ip6tables chain="zone_wgclient1_forward" contains our permissive DNAT rule.
Sun Dec 28 19:05:50 2025 user.notice nat6: Done setting up nat6 for zone="wgclient1" on devices:
Sun Dec 28 19:05:51 2025 daemon.warn dnsmasq[18892]: no servers found in /tmp/resolv.conf.d/resolv.conf.wgclient1, will retry
Sun Dec 28 19:05:51 2025 daemon.info dnsmasq[18892]: read /tmp/hosts/dhcp.wgclient1 - 3 addresses
Sun Dec 28 19:05:51 2025 daemon.info dnsmasq[18891]: read /tmp/hosts/dhcp.wgclient1 - 3 addresses
Sun Dec 28 19:07:35 2025 user.notice wireguard-debug: USER=root ifname=wgclient1 ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/
Sun Dec 28 19:07:36 2025 user.notice nat6: Firewall config="wgclient1" zone="wgclient1" zone_masq6="1".
Sun Dec 28 19:07:36 2025 user.notice nat6: Found firewall zone_name="wgclient1" with zone_masq6="1" zone_masq6_privacy="1".

Could anyone help me with this? I tried a lot of other forum posts, including lowering MTU to 1200.

Hi,

Could you please help clarify the following:

  1. What is the router model, and which firmware version is currently installed?
  2. The logs do not appear to show any related errors. Could you describe the exact issue you’re experiencing? For example, does the Admin Panel > VPN > VPN Dashboard indicate a connection failure, or does it show as connected but not working as expected?
  3. If possible, please share a few screenshots so we can better understand the situation.

We’ve also attached Surfshark’s configuration guide for your reference.

Hi,

What is the router model, and which firmware version is currently installed?

It's an MT-3000 with firmware 4.8.1.

Could you describe the exact issue you’re experiencing?

From the VPN dashboard, I would click the on toggle. And it says connecting, but it's stuck there.

It never fully connects, regardless of VPN location. I also tried OpenVPN with the same results. I attached some screenshots for reference.

Can the same WireGuard profile be used on devices (such as mobile phones) connected to the same network as the MT3000?

If possible, please share the device with us via GoodCloud following this tutorial so we can investigate the issue further.
Technical Support via GoodCloud - GL.iNet Router Docs

Please send the MAC address and WebUI login password via private message for remote access.

There does look to be the "no server found" error at 17:05:51.

I shared the login details through private message.
The wireguard profile I was able to use on my phone while connected to the same WiFi.

As Elorimer pointed out, there seems to be a "no server found" error at 17:05:51.
Is this something that could happen because of a mistake when setting things up?

This message refers to VPN DNS configuration and is not directly related to VPN connectivity issues.

When a VPN connection is active, the router automatically extracts DNS settings from the VPN configuration file and writes them to /tmp/resolv.conf.d/resolv.conf.wgclient1, allowing LAN devices to use the VPN-provided DNS servers.

If the VPN connection fails to establish properly, or if the configuration file does not define any DNS servers, the system may log DNS-related warnings. These messages are expected in such cases and do not impact the VPN’s normal functionality.
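
A log-triage sketch for the distinction drawn above, added here as an example and not part of the thread or of GL.iNet's firmware: it counts the dnsmasq DNS warning separately from the netifd and wireguard-debug events for one interface. The function name, the verdict labels, and the reading of `ACTION=REKEY-GIVEUP` without an "is now up" line as "tunnel not established" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise syslog lines for one VPN client interface.
# Assumption: ACTION=REKEY-GIVEUP with no "is now up" line means the tunnel never established.

triage_wg_log() {   # usage: logread | triage_wg_log wgclient1
    awk -v ifc="$1" '
        # dnsmasq found no nameserver entries in the per-interface resolv file
        /dnsmasq\[[0-9]+\]: no servers found in/ && index($0, "resolv.conf." ifc ",") { dns++ }
        # netifd state changes for this interface (\047 is a single quote)
        /netifd: Interface/ && index($0, "\047" ifc "\047") {
            if ($0 ~ /is now up/)   up++
            if ($0 ~ /is now down/) down++
        }
        # hotplug event written by wireguard-debug
        /wireguard-debug:/ && /ACTION=REKEY-GIVEUP/ && index($0, "ifname=" ifc " ") { giveup++ }
        END {
            verdict = "inconclusive"
            if (up > 0) verdict = "tunnel-up"
            else if (giveup > 0) verdict = "tunnel-not-established"
            printf "iface=%s dns_warn=%d up=%d down=%d rekey_giveup=%d verdict=%s\n",
                ifc, dns, up, down, giveup, verdict
        }'
}

# Sample input: lines from the log above (the wireguard-debug line is shortened);
# the wgclient10 line is constructed to show that other interfaces are not counted.
sample_log() {
    cat <<'EOF'
Sun Dec 28 19:05:45 2025 daemon.notice netifd: Interface 'wgclient1' is now down
Sun Dec 28 19:05:50 2025 daemon.notice netifd: Interface 'wgclient1' is setting up now
Sun Dec 28 19:05:51 2025 daemon.warn dnsmasq[18892]: no servers found in /tmp/resolv.conf.d/resolv.conf.wgclient1, will retry
Sun Dec 28 19:05:51 2025 daemon.warn dnsmasq[18892]: no servers found in /tmp/resolv.conf.d/resolv.conf.wgclient10, will retry
Sun Dec 28 19:07:35 2025 user.notice wireguard-debug: USER=root ifname=wgclient1 ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard
EOF
}

sample_log | triage_wg_log wgclient1
```
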