Slate Router and Wireguard VPN the client is starting, please wait..

I have connected the GL-inet Opal router to an ISP router to port forward and then have connected the GL-inet Slate Travel router to the Opal via Wireguard VPN; I get through all of the steps to port forward but the Slate Travel router keeps getting stuck when I try to enable the Wireguard under VPN Client. It says “the client is starting, please wait…” and then never does anything. Here is the log:

Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040): nat6: Done setting up nat6 for zone="wgclient" on devices:
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040):  * Running script '/etc/firewall.swap_wan_in_conn_mark.sh'
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040):  * Running script '/etc/firewall.vpn_server_policy.sh'
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040):  * Running script '/var/etc/gls2s.include'
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040):    ! Skipping due to path error: No such file or directory
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040):  * Running script '/usr/bin/gl_block.sh'
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040): Failed to parse json data: unexpected character
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040): uci: Entry not found
Fri Mar  8 09:51:19 2024 daemon.notice netifd: wgclient (11040): cat: can't open '/tmp/run/wg_resolved_ip': No such file or directory
Fri Mar  8 09:51:19 2024 daemon.notice netifd: Interface 'wgclient' is now down
Fri Mar  8 09:51:19 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Fri Mar  8 09:51:19 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Fri Mar  8 09:51:19 2024 user.notice sysctl: net.ipv6.conf.wgclient.accept_ra = 2
Fri Mar  8 09:51:20 2024 user.notice nat6: Firewall config="wgclient" zone="wgclient" zone_masq6="1".
Fri Mar  8 09:51:20 2024 user.notice nat6: Found firewall zone_name="wgclient" with zone_masq6="1" zone_masq6_privacy="1".
Fri Mar  8 09:51:20 2024 user.notice nat6: Setting up masquerading nat6 for zone_name="wgclient" with zone_masq6_privacy="1"
Fri Mar  8 09:51:20 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgclient_postrouting" contains our MASQUERADE.
Fri Mar  8 09:51:20 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgclient_input" contains our permissive DNAT rule.
Fri Mar  8 09:51:20 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgclient_forward" contains our permissive DNAT rule.
Fri Mar  8 09:51:20 2024 user.notice nat6: Done setting up nat6 for zone="wgclient" on devices:

Help, please!

Have you made sure that your port forward is working? Which port did you forward?
What ISP do you use and are you sure that there is no CGNAT?

I believe the port forwarding is working, is there a specific way to check? (Sorry, I am new to all of this.) So I enabled DDNS on the Opal router, which I believe addresses the NAT issue.

It does not. There is no built-in feature to address the NAT issue.
If NAT is in use, you can’t Wireguard. At least not without having a relay service like AstroRelay.

It’s not really possible to test if the port forwarding works, unfortunately.

True.

FALSE!

You can check if the WG UDP port is open and reachable from the Internet or not. After enabling the WG server on the Opal and creating a port forwarding rule, execute the following steps:

1 - check that the port is listening on the Opal as follows:


# netstat  -tupln | grep 51820
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 :::51820                :::*

2 - Then on your Slate (or any online machine), install and run Nmap as follows:

$ nmap -sU -p U:51820  192.168.8.1
Starting Nmap 7.80 ( https://nmap.org ) at 
Nmap scan report for console.gl-inet.com (192.168.8.1)
Host is up (0.00076s latency).

PORT      STATE  SERVICE
51820/udp closed unknown
MAC Address: 94:83:XX:XX:XX:XX (GL Technologies (Hong Kong) Limited)

The above result shows the STATE as closed since the WG port is either closed (WG server is disabled) or not reachable from the Internet.

$ nmap -sU -p U:51820  192.168.8.1
Starting Nmap 7.80 ( https://nmap.org ) at
Nmap scan report for console.gl-inet.com (192.168.8.1)
Host is up (0.00079s latency).

PORT      STATE         SERVICE
51820/udp open|filtered unknown
MAC Address: 94:83:XX:XX:XX:XX (GL Technologies (Hong Kong) Limited)

The above result shows the STATE as open|filtered meaning the WG port is reachable from the Internet.

Dang, of course. Didn’t think about nmap on the other router.
Good point here.

It depends on what the router does with packages not fitting into the port forwarding. So it’s not a really true test if you don’t know about the result. If the firewall will drop packages instead of denying them, the result should be the same.

Open|Filtered : The scanner cannot distinguish between an open port that doesn’t respond to the specific probe sent and a port that is being silently dropped by a firewall. Both scenarios result in no response to the probe.
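
An added example, not part of any post in this thread: a small UDP prober that reproduces the three states discussed above on constructed loopback ports, showing why a listener that never answers (WireGuard stays silent toward packets that fail authentication) is reported as open|filtered. The function names and the loopback test ports are assumptions made for the illustration.

```python
import socket
import threading

def probe_udp(host, port, timeout=0.5, payload=b"\x00"):
    """Classify a UDP port from the prober's side: open, closed or open|filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))       # connected socket: ICMP errors surface as exceptions
        try:
            s.send(payload)
            s.recv(1024)
            return "open"             # a datagram came back
        except ConnectionRefusedError:
            return "closed"           # ICMP port unreachable came back
        except socket.timeout:
            return "open|filtered"    # nothing came back at all

def _bound_socket():
    """Constructed test listener on an OS-chosen loopback port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s

def _echo_once(sock):
    data, addr = sock.recvfrom(1024)
    sock.sendto(data, addr)

def demo():
    """Probe three constructed loopback ports and return how each is classified."""
    results = {}
    # 1. No listener: the host answers with ICMP port unreachable.
    s = _bound_socket()
    free_port = s.getsockname()[1]
    s.close()
    results["no listener"] = probe_udp("127.0.0.1", free_port)
    # 2. Listener that never replies. A firewall that silently drops the probe
    #    looks identical to the prober, hence the combined state.
    silent = _bound_socket()
    results["silent listener"] = probe_udp("127.0.0.1", silent.getsockname()[1])
    silent.close()
    # 3. Listener that answers the probe: the only unambiguous "open".
    echo = _bound_socket()
    t = threading.Thread(target=_echo_once, args=(echo,), daemon=True)
    t.start()
    results["replying listener"] = probe_udp("127.0.0.1", echo.getsockname()[1])
    t.join(1)
    echo.close()
    return results

if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:18} -> {state}")
```
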