Successful VPN Server and Client (GL.iNet; WireGuard), TLS Handshake Fail on Company VPN

I have successfully established a VPN server and client using two GL.iNet routers with WireGuard, but when I try to connect to my company VPN, the TLS handshake fails. Here are the details of my set up.

VPN Server: GL.iNet GL-AR-750 (Creta)

  • Plugged into the hybrid modem/router (Arris Touchstone DG3450) via ethernet cable into the GL.iNet GL-AR750 WAN port.
  • Port forwarding set up between the Arris modem/router and the GL.iNet router for port 51820.

VPN Client: GL.iNet GL-E750 (Mudi)

  • Wireguard profile exported from the GLi.Net GL-AR750 admin portal

Company VPN

  • OpenVPN GUI on computer
  • Port 1194

I can connect my computer to the Gli.Net router that is used as the client and access the internet without issue via wifi and internet. However, when I then try and also connect to my company’s OpenVPN server via the OpenVPN GUI on my computer, there is a TLS handshake fail.

What can I do to resolve this issue so I can simultaneously connect to my home VPN with WireGuard as for my internet connection, as well as my company’s OpenVPN server which is required to access internal sites?

Additionally, when I use my VPN client to connect to an AirVPN server with a WireGuard configuration file, I do not have this issue. Only when connected to my home VPN server does the TLS handshake fail when trying to simultaneously connect to OpenVPN.

Please post the full log (router + client) so we can have a look into this issue.

As in the logs to my travel router being used as the client and the failed OpenVPN connection? I am not near my router being used as my server so I do not have access to that one.

More logs = better, but start with the client one then.

Here is the log to my client (Mudi):

Fri Jun 7 13:16:49 2024 daemon.notice netifd: Interface 'wgclient' is now up
Fri Jun 7 13:16:56 2024 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=2 J_V_keep=1 HOME=/ HOTPLUG_TYPE=wireguard T_J_V_interface=string J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_7255 group_222 group_9541 group_9745 peer_2001 peer_2002 group_8622 peer_2003 peer_2004 group_2990 peer_2005 CONFIG_cfg030f15_ports=
Fri Jun 7 13:17:07 2024 user.notice mwan3[4509]: Execute ifup event on interface wgclient (wgclient)
Fri Jun 7 13:17:08 2024 user.notice mwan3[4509]: Starting tracker on interface wgclient (wgclient)
Fri Jun 7 13:17:13 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)
Fri Jun 7 16:57:35 2024 user.notice mwan3[18490]: Execute ifdown event on interface wgclient (unknown)
Fri Jun 7 16:57:35 2024 daemon.notice netifd: wgclient (18491): [!] Section ovpnclient (ovpnclient) is disabled, ignoring section
Fri Jun 7 16:57:35 2024 daemon.notice netifd: wgclient (18491): [!] Section ovpnserver (ovpnserver) is disabled, ignoring section
Fri Jun 7 16:57:35 2024 daemon.notice netifd: wgclient (18491): [!] Section wgclient (wgclient) is disabled, ignoring section
Fri Jun 7 16:57:37 2024 daemon.notice netifd: wgclient (18491): [!] Section safe_mode_mark_save (safe_mode_mark_save) option 'extra' is not supported by fw4
Fri Jun 7 16:57:37 2024 daemon.notice netifd: Interface 'wgclient' is now down
Fri Jun 7 16:57:45 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Fri Jun 7 16:57:46 2024 daemon.notice netifd: wgclient (19245): sh: 1: unknown operand
Fri Jun 7 16:57:54 2024 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Fri Jun 7 16:58:05 2024 daemon.notice netifd: Network device 'wgclient' link is up
Fri Jun 7 16:58:05 2024 daemon.notice netifd: Interface 'wgclient' is now up
Fri Jun 7 16:58:08 2024 user.notice mwan3[20180]: Execute ifup event on interface wgclient (wgclient)
Fri Jun 7 16:58:10 2024 user.notice mwan3[20180]: Starting tracker on interface wgclient (wgclient)
Fri Jun 7 16:58:11 2024 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=2 J_V_keep=1 HOME=/ HOTPLUG_TYPE=wireguard T_J_V_interface=string J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_7255 group_222 group_9541 group_9745 peer_2001 peer_2002 group_8622 peer_2003 peer_2004 group_2990 peer_2005 CONFIG_cfg030f15_ports=
Fri Jun 7 16:58:16 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)

I was more into the OVPN logs of your PC, tbh :wink:

I’m wondering if it could be a server issue as ive set up my WireGuard homeVPN server with address 10.0.0.3/24, but the AirVPN server that doesn’t have an issue has the address 10.181.3.66/32.

That could be an issue if the OpenVPN network of your company uses 10.0.0.0/24 or /16 - which is by default on some firewalls, afaik.

Can you lower the openvpn mtu to 1380 or even lower to 1280?

I’ve tried so many things and still get the TLS handshake error.

-Changed the WireGuard home VPN server address to avoid IP and sublet overlap
-Enabled bridge mode on my modem/router combo
-Disabled bridge mode and set up DMZ
-Lowering MTU to 1320, and then 1280 in my .conf file on the router acting as a client

If I connect my computer directly to the GL.iNet router acting as a WireGuard server as my source of internet, I can then use the OpenVPN software on my computer to connect to my company VPN. But when I connect my computer to my GLi.Net router acting as a VPN client (which is connected to the GL.iNet router acting as a server), I always get the TLS handshake error.

I cannot figure out if the problem is on my server router, client router or both. It is very strange that I can connect my computer to the router acting as a client, have that router connect to AirVPN via WireGuard (using port 51820), and then connect my company VPN using the OpenVPN software on the computer, but can’t do so with my own WireGuard server.

Any other suggestions of what I can configure to make this work?

Current set up:

-Arris DG3450 modem/router combo with port forwarding to GL.iNet router acting as a WireGuard Server for both ports 51820 and 1194
-GL.iNet router connected to modem/router combo via WAN port
-GLi.Net router acting as a WireGuard client connected to my computer for internet access (internet works, only issue is that I cannot connect to my company VPN with the installed OpenVPN software)
-Company VPN uses port 1194
-Ports 51820 and 1194 open on both GL.iNets routers (server and client)

You need to lower the mtu of your company vpn, not the router. Otherwise it did something on the contrary.

Why you open 1194 as well, which should not be necessary. Pls don't toucch 1194 port at all, on both server and client.

Thank you. The company VPN is 1500. Should I then raise it on my GL.iNet router? The WireGuard config file for AirVPN that works has MTU set at 1320.

I will undo all of the adjustments made for port 1194.

lower your company vpn mtu to 1280

Unfortunately I cannot make edits to the company VPN

Can you control your computer?

Check out this method Can't connect to Windows L2TP VPN through GL-X3000 / Spitx AX

Thank you. If I understand correctly, I should try to lower the MTU on my windows computer?

Should I set the MTU to 1280 on my GL.iNet client device as well then (in WireGuard Client options or in the config file?

Just lower the mtu of the Windows.

I tried lowering “Wi-Fi,” “OpenVPN Tap-Windows6,” and “OpenVPN Data Channel Offload,” but I still get the TLS handshake failure.

I’m thinking it has to be something with my server or client router since I can connect to the AirVPN server (using the same client router).

As the compare test 'AirVPN' and it works in your router, so you suppose to check the VPN server configuration.

Yes, I believe it is something to do with the server, or perhaps the connection between server and client.

If I connect directly to the server without a client, the issue I am experiencing does not arise.