Hello, so I've posted a few fairly pointed questions on here but I figure I'm going to go all out and just ask... what am I missing?
I'm trying to create a Wireguard Server at Home that I can VPN to when I'm away from home. Therefore, I have 2 GLiNET routers going on (let's call it the ServerRouter and ClientRouter).
My ServerRouter setup:
Xfinity modem, ethernet cable connected to ServerRouter on WAN port.
Xfinity modem is NOT in Bridge Mode
Xfinity's device setting for ServerRouter device connection is set as DHCP <-- does this need to be Reserved IP?
The ServerRouter successfully connects to internet via Ethernet
(however, the IP address showing for this connection is 10.x.x.x which might be CGNAT?? maybe??)
ServerRouter's DDNS is turned ON
I create a Wireguard Server Profile, using the DDNS Domain
^that server profile is uploaded to ClientRouter
My ClientRouter Setup:
Wireguard Client, with the Wireguard profile from the ServerRouter, turned ON
Block Non-VPN Traffic turned ON
ClientRouter's Internet is in Repeater Mode, connected to my WIFI network (from the Xfinity modem)
I'm still not getting traffic. The logs on both routers are as follows:
ServerRouter logs
Fri Mar 7 02:12:36 2025 daemon.notice netifd: Interface 'wgserver' is setting up now
Fri Mar 7 02:12:36 2025 daemon.notice netifd: Interface 'wgserver' is now up
Fri Mar 7 02:12:36 2025 daemon.notice netifd: Network device 'wgserver' link is up
Fri Mar 7 02:12:46 2025 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)
ClientRouter logs
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Rule 'safe_mode_mark'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Rule 'safe_mode_mark_save'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Zone 'lan'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Zone 'wan'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Zone 'guest'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Zone 'wgclient'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Set tcp_ecn to off
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Set tcp_syncookies to on
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Set tcp_window_scaling to on
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Running script '/etc/firewall.nat6'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Running script '/etc/firewall.swap_wan_in_conn_mark.sh'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Running script '/etc/firewall.vpn_server_policy.sh'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Running script '/var/etc/gls2s.include'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): ! Skipping due to path error: No such file or directory
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): * Running script '/usr/bin/gl_block.sh'
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): Failed to parse json data: unexpected character
Thu Mar 6 19:55:28 2025 daemon.notice netifd: wgclient (10195): cat: can't open '/tmp/run/wg_resolved_ip': No such file or directory
Thu Mar 6 19:55:29 2025 daemon.notice netifd: Interface 'wgclient' is now down
Thu Mar 6 19:55:29 2025 daemon.notice netifd: Interface 'wgclient' is setting up now
Thu Mar 6 19:55:29 2025 user.notice firewall: Reloading firewall due to ifdown of wgclient ()
Seems like port forwarding is missing? You need to tell your ISP's router that the WG port needs to be forwarded to your router. Shouldn't be CGNAT; it seems more likely that it's your internal IP network, since your ISP's router isn't in bridge mode right now, as you said.
According to the description of your configuration process, please continue to check the following points:
ServerRouter:
In the Xfinity modem, port forwarding needs to be configured to expose the WireGuard server port of ServerRouter to the public Internet.
It is best to reserve an IP for ServerRouter in the Xfinity modem.
Make sure that the WAN of the Xfinity modem is a public network IP (it does not need to be a static public IP; a dynamic one is also OK). If the Xfinity modem's WAN is 10.x.x.x, it may be CGNAT.
Without a public network IP, the VPN connection cannot be established.
ClientRouter:
ClientRouter cannot be connected to the Xfinity modem's network (it must not be on the same network as the server); it is supposed to connect to another network, for example to a phone hotspot through repeater mode.
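The two checks in this reply (is the WAN address private or CGNAT, and does it match what the Internet sees) can be scripted. The following is an added example, not code from the thread or from GL.iNet firmware: it classifies a dotted-quad address as RFC 1918 private, RFC 6598 CGNAT (100.64.0.0/10) or public, and then gives a verdict for the router's WAN address versus the external address. The function names and the sample addresses (TEST-NET ranges) are constructed for illustration; obtaining the real WAN and external addresses (for example from `ifstatus wan` on OpenWrt and a "what is my IP" lookup) is left to the reader.

```shell
#!/bin/sh
# Added example (not from the thread): classify an IPv4 address and diagnose
# the double-NAT / CGNAT cases that stop an inbound WireGuard connection.

# ip_class ADDRESS -> prints one of: private, cgnat, public
ip_class() {
    ip="$1"
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}
    case "$o1" in
        10)  echo private ;;                                  # 10.0.0.0/8 (RFC 1918)
        192) if [ "$o2" = 168 ]; then echo private; else echo public; fi ;;   # 192.168.0.0/16
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo private; else echo public; fi ;;  # 172.16.0.0/12
        100) if [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then echo cgnat; else echo public; fi ;;   # 100.64.0.0/10 (RFC 6598)
        *)   echo public ;;
    esac
}

# wan_verdict WAN_IP EXTERNAL_IP -> one-line diagnosis prefixed with a tag
wan_verdict() {
    wan="$1"; ext="$2"
    case "$(ip_class "$wan")" in
        private)
            # Router sits behind another NAT device: that device must forward
            # the WireGuard UDP port to the router, or be put in bridge mode.
            echo "double-nat: WAN $wan is private; upstream device ($ext) must forward the WireGuard port or be bridged" ;;
        cgnat)
            # The ISP shares one public address across customers; no port
            # forwarding on your side can make an inbound connection work.
            echo "cgnat: WAN $wan is in 100.64.0.0/10; inbound connections are not possible" ;;
        public)
            if [ "$wan" = "$ext" ]; then
                echo "ok: router holds public address $wan directly"
            else
                echo "mismatch: WAN $wan is public but Internet sees $ext; check upstream NAT"
            fi ;;
    esac
}

# Constructed sample values (documentation ranges), mirroring the thread:
# a router WAN of 10.x.x.x behind a non-bridged gateway that has a public IP.
wan_verdict 10.0.0.5 203.0.113.7
wan_verdict 100.72.3.9 203.0.113.7
wan_verdict 203.0.113.7 203.0.113.7
```

On the original poster's setup the first line is what you would see: the 10.x.x.x address on the ServerRouter's WAN is the Xfinity gateway's private LAN, not CGNAT, so the fix is port forwarding or bridge mode on the gateway. A `cgnat` verdict on the gateway's own WAN address is the case where neither helps.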
Just an observation from someone with just enough knowledge to be dangerous - I've always understood the modem to just provide access to the internet, and it's the device your ISP sees that determines the IP they issue you... I bought my own modem (Arris SB8200) for my Xfinity service, but it's just that - a modem with zero routing or intelligence. There is no port forwarding etc. required. My Flint 2 MT6000 WAN port connects to my modem and provides all the routing.
It sounds like your Xfinity 'modem' is one of those all-in-one modem/router/wifi devices? If that's the case there may be a way to disable all the unneeded functionality on the Xfinity device so your GL router gets that role instead. OR, save some rental money and replace the (usually crappy) Xfinity gear with your own modem. ISPs usually provide gateway devices catered to the 'average dumb consumer' and often either lack features more advanced users may want or, even worse, block them from working.
I've got WireGuard running on my Flint 2 and it works like a charm. I don't think I had to do much of a setup other than create a VPN user and create the config file. I'm using GL's built-in DDNS option as my Xfinity service is dynamic rather than static. And when I'm away from home, the WG client connects virtually instantly to my home network - it's sooo much faster than the OpenVPN setup I used to use.
Thanks, I believe I got it to work yesterday after I replaced the Xfinity modem with an ARRIS SB8200. Funny enough, if I do that Public IP test with this ARRIS modem, the IP addresses come back the same (public static IP?). I wonder why that is.
Yes, that and not connecting my ClientRouter to the wifi network (I connected via Repeater to my Hotspot to make sure it works) helped.
Although most home internet customers have a dynamic plan, the reality is that once your ISP issues you an IP they very rarely change it. I have a dynamic address as well and I think I've observed my IP address being the same for a very long time. I'm not knowledgeable about how their infrastructure works, but I suspect that the cable drop to your physical location might be associated with some type of switch from their main (usually fiber) backbone, and that drop is assigned an IP.
In any event, because your service IS dynamic your ISP reserves the right to change your IP at any time. So you have to be proactive about that and use a DDNS service in case they decide to change your IP. Unless they think you are running some kind of commercial service from your account, they tend to leave things alone - but if they suspect you are serving out some kind of business traffic or otherwise consuming loads of traffic they will probably move your IP around to demotivate you lol.
The SB8200 is a good choice - mine has been very reliable and I don't believe I've had a single issue with it. And I think it's rated for gigabit service, so it's more than enough for my 400/35 plan (see my recent thread about Xfinity upgrading everyone's service).