Slate AX + Slate AX VPN Issue

I'm trying to set up a WireGuard Server and WireGuard Client.

2x Slate AX (GL-AXT-1800) (also have Brume 2 & Mango if needed).

Existing home router: (TP-Link Archer AX1800 or it can be a Netgear AC1750 R6350).

ISP: Fiber

I already attempted to configure both using a ton of previous threads/walkthroughs.

I think I am getting snagged at the port forwarding on the home router, or I'm getting confused on the IP config between the Slate AXs, maybe causing a conflict?

Server gets established and green but unable to connect via phone or travel AX/PC.

Goal: Keep one Slate AX at the house, the other Slate AX comes with me when I travel.

Home Router:

  • Dynamic IP from ISP

  • Port Forward: 51820

  • Port Forward on TCP/UDP then just only UDP.

  • Ethernet from LAN going to the WAN Port of Slate AX Server.

  • Static IP assigned for Slate AX Server w/ port forward.

Slate AX Server:

Default: 10.0.42.1/24

Local Port: 51820(current)

DDNS enabled

v4.4.6

http://192.168.8.1/

No port forwarding configured on server, just on home router port forwarding the static IP of Slate AX Server w/ 58120 port udp only

Global Options:

  • VPN Cascading : enabled
  • Block non-VPN Traffic: ?
  • Allow Access WAN: prob won't need
  • Services from GL.iNet Use VPN: ?

----- AX Client Config Below----

Slate AX Client:

http://192.168.5.1/

v4.4.6

Global Options:

Block Non-VPN traffic : ?

Allow Access WAN : ? prob not needed?

Services from GL iNet use VPN: ?

Questions:

  • The Kill switch is configured in global options in server or client ax?

  • IP Masquerading on which Slate? Client or Server?

  • Port: 51820, I heard it can be throttled by the ISP? Is there another low-key one that's preferred?

  • MTU : Tried adjusting down to 1280, 1300, does this need to match server/client MTU?

SSH into whatever device is to act as the Server (see below for links). Check the WG port is open on the public IP/WAN/Internet side:

  • opkg update; opkg install nmap curl
  • curl http://ipecho.net/plain; echo or visit ipleak.net
  • nmap $publicIPHere -sU -p 51820

Hey quick update

I had to call my ISP to place my IP outside of the NAT.

Which allowed the port forwarding to work.

I am now able to establish a connection but the speed is very slow, 5kb up/down

I am testing on a Mint/Tmobile hotspot connection and tested a few different MTU settings.
MTU
S: 1280 C:1280 156b/28kb
S: 1300 C:1300 6kb down/1mb up
S: 1320 C:1320 1kb down / 158kb up
S: 1340 C:1340 2kb down/ 244kb up
S: 1360 C:1360 156b/26kb
S: 1380 C:1380 312b/21kb
S: 1400 C:1400 188b/37kb
S: 1420 C:1420 380b/86kb
S: 1440 C:1440 1kb/170kb
S: 1460 C:1460 760b/104kb
S: 1480 C:1480 284b/31kb
S: 1500 C:1500 252b/38kb

I will be testing from another residential wifi network later today, but I'm curious about these settings below.

Slate AX Server
Global Options

  • VPN Cascading: yes or no?

Wireguard Options

  • Allow Remote LAN : probably N
  • IP Masquerading: yes or no?
  • MTU : Testing diff ones

Slate Client

Global Proxy or Auto Detect?

Global Options

  • Block Non VPN Traffic: will eventually be yes
  • Allow WAN: prob gonna be no
  • Services from Gli use VPN: ??

WG Client Options

  • Allow Remote Access LAN : prob gonna be No?
  • IP Masquerading: ?
  • MTU : still kinda testing

Any insight on what those settings need to be?

On my WG Server I have IP Masquerading on. VPN Cascading wouldn’t apply unless your WG Server device was itself to be a WG Client to a VPN provider (eg: Mullvad, Nord VPN, Express VPN, etc.).

“Services fr GL” refers to such processes like their DDNS service. My WG Client has IP Masquerading on.

Thank you for that info, but I'm still only getting 150b/3kb up/down.

It shows a green connection but I don't have internet when connecting to the Server Slate.

I am testing from a T-Mobile/Mint cell hotspot (& local coffee shop). I read that the lower MTU works better on this Mint/T-Mobile carrier, but I tested a lot of variations with no change in the speeds.

Since the up/down is virtually non-existent, it seems it's still a bad config issue, I think.

I recently just changed my Slate Server IPv4 IP to 10.20.0.1 instead of the 10.0.0.1, produced new WG profiles, and have just been tweaking MTU (also mocked the above config in regard to IP masq., server VPN cascading, etc.).

Also, do I need to set up port forward on my Slate AX Server? Currently I just have port forward on my ISP TP-Link Router → Slate AX Server but not → Slate AX Client.

Is there any other config needed on the Slate AX Server itself? Not WG configs and not DDNS (it's already enabled).

Is there like a config export I can send to export all my config settings? Not sure what the next area to check is.
Thanks!

Also note, when scanning my WAN IP, it says port: open|filtered.
I've been reading that means it didn't get a response.
Any commands I can SSH to get to the bottom of this? Please let me know which commands need to be on the ISP router, Slate AX Server or Slate AX Client (also let me know if I should be doing these commands while ON the WireGuard).
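Added example, not part of any post in this thread: nmap's UDP scan reports `open|filtered` for WireGuard either way, because WireGuard does not answer packets that fail authentication, so the server's own per-peer counters are the more useful check. The script below classifies peers from `wg show <iface> dump`; the interface name `wgserver`, the 180-second and 1024-byte thresholds and the sample keys and addresses are assumptions made for the example.

```shell
#!/bin/sh
# Classify WireGuard peers from `wg show <iface> dump` (tab-separated).
# Line 1 is the interface itself. Peer fields: pubkey, psk, endpoint,
# allowed-ips, latest-handshake (epoch), rx bytes, tx bytes, keepalive.
classify_peers() {   # usage: wg show wgserver dump | classify_peers [now_epoch]
    now="${1:-$(date +%s)}"
    awk -F '\t' -v now="$now" '
        NR == 1 { next }                 # skip the interface line
        {
            key = substr($1, 1, 8); hs = $5; rx = $6; tx = $7
            if (hs == 0)
                s = "NO_HANDSHAKE"       # nothing valid arrived: forwarding, CGNAT, port or key
            else if (now - hs > 180)
                s = "STALE"              # peer handshook once but has gone quiet (assumed cutoff)
            else if (rx < 1024 || tx < 1024)
                s = "HANDSHAKE_ONLY"     # tunnel up, no payload: MTU, masquerading, routes
            else
                s = "OK"
            printf "%s %s rx=%d tx=%d\n", key, s, rx, tx
        }'
}

# Constructed sample dump; keys and addresses are placeholders, not real values.
sample_dump() {
    printf 'PRIVKEY0\tPUBKEY00\t51820\toff\n'
    printf 'phone000\t(none)\t(none)\t10.0.0.2/32\t0\t0\t0\toff\n'
    printf 'laptop00\t(none)\t203.0.113.7:40000\t10.0.0.3/32\t1700000000\t592\t436\toff\n'
    printf 'travelAX\t(none)\t198.51.100.9:51820\t10.0.0.4/32\t1700000030\t48213004\t9120033\t25\n'
}

# On the server: wg show wgserver dump | classify_peers
```

A peer stuck at NO_HANDSHAKE while the client is trying to connect means its packets never reach the server; HANDSHAKE_ONLY matches the "green but nothing loads" symptom and moves the search to MTU, masquerading and routing.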

Your settings are fine. Don’t need to do more in ports forward and vpn options.

Make sure IP Masquerading is on which should be the default value.

Here are more steps to check.

  1. Try other ports other than 51820. Maybe not making any difference.

  2. Try MTU 1280 on both server and client. Not only on one side.

  3. Try OpenVPN, which uses TCP. Not sure if WireGuard UDP is throttled.

  4. Then use the config directly on the phone. This will show if the problem is only on the server side or on both sides.

Thank you,

I adjusted the MTU to 1280 on both server and client.

I will adjust the port fwd to another port and try that later today.

I was able to connect on my phone via the WG app and on cell network, but I was not able to load any sites or anything. It said 1 device connected on the WG Server dash, but the speeds were only 500 bytes down and 20kb up and nothing loaded.

The home network of the ISP router and both Slates is a fiber connection and gets 600MB down/up consistently.

I'm going to try the local coffee shop again shortly and put the MTUs on both server/client back to default, which I think is like 1400.

What else should I be doing to try to narrow down what this issue is related to?

To find the best MTU, increase from 1280, incrementing by 10. Max is 1420. Don’t forget to disc/reconnect between changes.
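Added example, not part of any post in this thread: instead of stepping the tunnel MTU by hand, the usable value can be derived from the measured path MTU by subtracting WireGuard's encapsulation overhead. It assumes a Linux client with iputils `ping` (BusyBox ping has no `-M do`), an IPv4 path to the server, and a probe run outside the tunnel; the function names are made up for the example.

```shell
#!/bin/sh
# Overhead per tunnelled packet: outer IP header (20 for IPv4, 40 for IPv6)
# + UDP header (8) + WireGuard data header (16) + auth tag (16).
wg_mtu() {   # usage: wg_mtu <path_mtu> <4|6>   (IP version used to reach the endpoint)
    case "$2" in
        4) overhead=60 ;;
        6) overhead=80 ;;
        *) return 2 ;;
    esac
    echo $(( $1 - overhead ))
}

# Largest IPv4 packet that reaches <host> with Don't Fragment set,
# searched between 1280 and 1500 bytes.
probe_path_mtu() {   # usage: probe_path_mtu <host>
    lo=1252; hi=1472                     # ICMP payload sizes: packet size minus 28
    ping -c1 -W2 -M do -s "$lo" "$1" >/dev/null 2>&1 || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if ping -c1 -W2 -M do -s "$mid" "$1" >/dev/null 2>&1; then
            lo=$mid
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo $(( lo + 28 ))                  # payload + 8 ICMP + 20 IPv4
}

# Run as: sh wg-mtu.sh <server-public-name>   (does nothing without an argument)
if [ -n "${1:-}" ]; then
    if pm=$(probe_path_mtu "$1"); then
        echo "path MTU $pm, WireGuard MTU $(wg_mtu "$pm" 4)"
    else
        echo "no reply at 1280 bytes; ICMP may be blocked on this path" >&2
    fi
fi
```

A full 1500-byte path gives 1440 over IPv4 and 1420 over IPv6, which is why 1420 is the usual ceiling.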

You haven’t tried OpenVPN with the TCP protocol. Can you try?

hey team,

So instead of using the TP-Link Router as the ISP router.
I completely removed the TP-link router from the network.

The Slate AX Server is now directly plugged into the wall, which I will use the 5ghz wifi as the home network wifi and run the VPN server as well.

Let me know if this setup may cause any leaks in my VPN IP etc.

OpenVPN works when I connect and transfers around 20mb down/ 20 mb up - which is alright but the home speeds are around 900MB down and 900MB up. So hopefully can still get the WG VPN to work.

I will continue to test later today on the WG setup without the TP link router.

If the TCP OpenVPN setup works but the UDP Wireguard setup does not, does this point to something specific blocking WG?
Thanks

Since my Slate server is directly into the wall and not using my old TP-Link as the main router, which had the port forwarding:

When port forwarding on the Slate AX, what do I set these fields to?

Protocol: UDP
External Zone : LAN, WAN, guest, wgserver, ovpnserver ?
External Port: 51820

Internal Zone: LAN, WAN, guest, wgserver, ovpnserver ?
Internal Port: 51820

Should I only do UDP? or should I add another separate one for just TCP?

Thanks!

WG is UDP only.

If you’re using the GL GUI → VPN → WireGuard Server to set things up, all port forwarding is handled for you ‘behind the scenes’.

You should check to make sure your ISP/Public IP/Internet IP allows incoming connections to port 51820… otherwise you’ll never reach the Slate AX WG Server.

As Slate AX is the main router, to work as VPN server, you do NOT need to set up any port forward on it.

Enabling vpn server is sufficient enough.

Hopefully OP isn’t behind CGNAT. @soudy2, you may need to contact your ISP to find out. Their ‘front facing’ routers could be blocking incoming connections to your Public IP.