[SOLVED] GL-AR750 (Certa): WireGuard Client: Endpoint connects but devices do not

Firmware: 3.216 (2023-03-21 17:32:40)
WireGuard provider: Surfshark
Connected devices: Linux laptop (Cat 5E), Android phone (2.4G); Win 10 laptop

Hello all,

This router is behind another router which has a functioning Surfshark endpoint. I know it’s not an issue on Surfshark’s side because the upstream router has been using its WG profiles/endpoints for over a week, if not more.

I’ve updated the Certa to the latest firmware but seem to be in a spot of bother. It’s a fresh install, no kept settings. I uploaded/pasted in my WG profiles. I followed the instructions per v3 Docs on ‘Setup WireGuard on GL.iNet router.’

SSH’ing into the Linux laptop & executing curl echo.net/plain; echo returns an endpoint IP as expected. However, trying to simulate web browsing (eg: curl static • gl-inet • com/www/images/press/GL-iNet_logo_white • svg) does get an IP for the site in question, connects (eg: static • gl-inet • com)||:443) but nothing further happens. I’m looking at a prompt doing nothing as I type this.

There is no firewall on the Linux laptop. I haven’t tested the Android phone’s connection as that’s Wi-Fi… so I didn’t want to complicate matters.

I enabled VPN Policies, adding the Linux laptop and Android phone to it. All three toggles are enabled. The two devices’ MACs are the only ones allowed to use the VPN. All three device MACs show in /tmp/dhcp.leases.

I retest. Only the Win 10 laptop, being outside of the VPN Policy, is able to pull down that SVG. I restart the Linux laptop’s NetworkManager to clear any DNS cache & retest. No change.

There’s nothing added to the Certa other than the Surfshark WG profiles. All other radios are off. LuCI can be installed if needed.

What am I missing? GL-iNet’s YouTube video on the matter makes it look like a ten second setup process.


interface: wg0
public key: y[REDACTED]=
private key: (hidden)
listening port: 58369

peer: W[REDACTED]=
allowed ips:
latest handshake: 55 seconds ago
transfer: 26.57 MiB received, 2.41 MiB sent
persistent keepalive: every 25 seconds

route -ne

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
U 0 0 0 wg0
UG 0 0 0 eth0
U 0 0 0 wg0
UGH 0 0 0 eth0
UGH 0 0 0 eth0
UGH 0 0 0 eth0
UGH 0 0 0 eth0
U 0 0 0 wg0
U 0 0 0 br-lan
U 0 0 0 eth0
UGH 0 0 0 eth0
UGH 0 0 0 eth0
UGH 0 0 0 eth0

cat /tmp/resolv.conf

search lan

cat /tmp/resolv.conf.auto

# Interface wan
search local.lan

cat /tmp/resolv.conf.vpn


cat /etc/config/dhcp

config dnsmasq
    option domainneeded '1'
    option boguspriv '1'
    option filterwin2k '0'
    option localise_queries '1'
    option rebind_protection '1'
    option rebind_localhost '1'
    option local '/lan/'
    option domain 'lan'
    option expandhosts '1'
    option nonegcache '0'
    option authoritative '1'
    option readethers '1'
    option leasefile '/tmp/dhcp.leases'
    option nonwildcard '1'
    option localservice '1'
    option resolvfile '/tmp/resolv.conf.vpn'

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '12h'
    option force '1'
    option dhcpv6 'disabled'
    option ra 'disabled'

config dhcp 'wan'
    option interface 'wan'
    option ignore '1'

config odhcpd 'odhcpd'
    option maindhcp '0'
    option leasefile '/tmp/hosts/odhcpd'
    option leasetrigger '/usr/sbin/odhcpd-update'
    option loglevel '4'

config dhcp 'guest'
    option interface 'guest'
    option start '100'
    option leasetime '12h'
    option limit '150'
    option dhcpv6 'disabled'
    option ra 'disabled'

config domain 'localhost'
    option name 'console.gl-inet.com'
    option ip ''

[ NB. I don’t understand why there’s an artificially induced limitation of only two links when dealing with typewritten technical matters. I prefer to provide sources as much as possible. ]

Log into the Certa via the web interface and change the WireGuard tunnel’s MTU to 1320 and see if that works. This is how I got WireGuard working on my Certa.

Thanks for the response. Interesting. Can that be done at Network > Interfaces within LuCI? I’m connected to WG as described above but I do not see a ‘wg0’ interface under Network > Interfaces > Interfaces.

I assume that’s where the MTU should be adjusted given the existence of the ‘Override MTU’ option found under Interfaces » LAN » $interface » Advanced Settings.

Should I be concerned there’s no ‘wg0’ interface showing within LuCI?[0]

[0] How to properly change wireguard MTU

Right, so it seems the MTU in question is adjustable per WG profile via GL-iNet’s GUI, VPN, Wireguard Client, Management, <profile’s ‘down arrow’>, Interface, MTU.

Setting 1320 as prescribed does it indeed. Thank you, doczenith1.
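
An added example, not part of the thread: one way to check whether a tunnel MTU such as the 1320 used above fits the path a WireGuard client sits on, by probing with don't-fragment pings and subtracting WireGuard's per-packet overhead. It assumes a Linux host with iputils ping, run from the same network position as the router's WAN port; the function names and the probe target are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iputils ping ("-M do" sets DF).

# WireGuard data-packet overhead: outer IP header + UDP (8) + WireGuard (32).
WG_OVERHEAD_V4=60   # 20 + 8 + 32
WG_OVERHEAD_V6=80   # 40 + 8 + 32

# probe HOST SIZE: succeeds if an IPv4 packet of SIZE bytes in total reaches
# HOST unfragmented. ICMP payload = SIZE - 20 (IP header) - 8 (ICMP header).
probe() {
    ping -4 -M do -c 1 -W 2 -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# find_path_mtu HOST [LOW] [HIGH]: binary search for the largest packet size
# that passes. Prints the size; returns 1 if even LOW does not get through.
find_path_mtu() {
    host=$1 lo=${2:-576} hi=${3:-1500}
    probe "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$host" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# wg_mtu PATH_MTU [4|6]: largest tunnel MTU whose encapsulated packets still
# fit in PATH_MTU, for an IPv4 or IPv6 connection to the endpoint.
wg_mtu() {
    case ${2:-4} in
        4) echo $(( $1 - WG_OVERHEAD_V4 )) ;;
        6) echo $(( $1 - WG_OVERHEAD_V6 )) ;;
        *) return 2 ;;
    esac
}

# mtu_fits CANDIDATE PATH_MTU [4|6]: true if CANDIDATE is safe on this path.
mtu_fits() { [ "$1" -le "$(wg_mtu "$2" "${3:-4}")" ]; }

# Usage: sh wg-mtu.sh <host-that-answers-ping> [candidate-mtu]
if [ -n "${1:-}" ]; then
    pmtu=$(find_path_mtu "$1") || { echo "no reply from $1" >&2; exit 1; }
    echo "path MTU $pmtu, max WireGuard MTU $(wg_mtu "$pmtu" 4) (IPv4 endpoint)"
    if mtu_fits "${2:-1320}" "$pmtu" 4; then echo "${2:-1320} fits"; else echo "${2:-1320} is too large"; fi
fi
```

If the upstream router's own tunnel runs at WireGuard's usual 1420, the probe reports a path MTU of 1420 and a second tunnel through it can carry at most 1360 over IPv4, so 1320 fits while the default 1420 does not.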