Unable to Connect via WireGuard

bring.fringe18 · 2023-07-08T02:25:58.658Z

Is your peer’s endpoint, hj82918.glddns.com:51820 a different GL device @ a remote location, hence its name, Home IP?

If so you may need to setup a port forward to it, to the WG Server device, to allow :51820 to ‘flow through’ if it’s behind another router or a ISP modem that has router-like functionality. I’m assuming Home IP has a WG Server running on it, of course.

Ideally you want the ISP’s modem to be just that, a modem, not a Wi-Fi access point or router itself. Depending on the model it could be a matter of putting the GL device on the ‘DMZ’ but its best to set the modem to ‘bridged mode’ if it’s possible.

It’d also be helpful to check a DDNS Test, just to be sure:

docs.gl-inet.com

Dynamic DNS - GL.iNet Router Docs 4

Documentation for GL.iNet Router Productions

defbeat7 · 2023-07-08T03:34:28.421Z

So here is what I am trying to do. Use Home IP Address While Traveling with GL.iNet AX Slate, Opal, and WireGuard® VPN - YouTube

I followed all the steps from here and called my ISP to have the port opened and they have opened it already. I have both devices shown in the video. My Opal DDNS would be Opal ID DDNS Address: hj28981.glddns.com

bring.fringe18 · 2023-07-08T03:36:40.371Z

Standby; I’m about to watch that video now. I’d still do the DDNS Test meanwhile.

bring.fringe18 · 2023-07-08T04:13:51.742Z

Right. I just pinged your ddns address:

root@GL-AXT1800:~# ping -c2 hj82918.glddns.com
PING hj82918.glddns.com ([redacted]): 56 data bytes
64 bytes from [redacted]: seq=0 ttl=44 time=76.975 ms
64 bytes from [redacted]: seq=1 ttl=44 time=76.674 ms

--- hj82918.glddns.com ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 76.674/76.824/76.975 ms

So we know your Opal (acting as the WG Server}, more specifically its publicly facing IP, is online just as we’d expect. That doesn’t assure me :51820 is open to flow through to it though. I could probe it but that might raise some alerts to your ISP so I’m not excited to do that.

Can you please ssh into the device acting as the WG Client (eg: Slate AX per that YT video)? Its default IP is 192.168.8.1. There’s software available to install to scan for open ports on other computers but they only run from the command line hence we can do that once logged into the Slate AX.

(opkg update && opkg install nmap)

Here’s what it looks like when I scan my VPS provider’s WG server:

root@GL-AXT1800:~# nmap -sU -p 51820 37.98.121.77
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-08 01:08 ADT
Nmap scan report for unn-37-98-121-77.datapacket.com (37.98.121.77)
Host is up (0.042s latency).

PORT      STATE         SERVICE
51820/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.55 seconds

Note how it says the WG port, 51820, is open. That’s what we’d be looking for when scanning the IP for your hj82918.glddns.com.

OpenWrt Wiki – 15 Aug 17

SSH access for newcomers

SSH access for newcomers One of the methods to manage OpenWrt is using command-line interface over SSH. OpenWrt listens for incoming SSH connections on port 22/tcp by default. To “ssh into your router”, you can enter the following command in a...

mobaxterm.mobatek.net

MobaXterm free Xserver and tabbed SSH client for Windows

The ultimate toolbox for remote computing - includes X server, enhanced SSH client and much more!

defbeat7 · 2023-07-09T02:29:40.738Z

This is what I get when I ping it once I SSH into it.

root@GL-SFT1200:~# nmap -sU -p 51820 hj28981.glddns. com.
Starting Nmap 7.70 ( https:// nmap. org ) at 2023-07-09 10:28 CST
Nmap scan report for hj28981.glddns. com. ()
Host is up (0.0023s latency).
rDNS record for : GL-AXT1800.attlocal .net

PORT STATE SERVICE
51820/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds

bring.fringe18 · 2023-07-09T02:34:21.331Z

(I would suggest redacting your IP… & I’ll go back & obfuscate your ddns address to be on the safe side. Note your ddns address is also in that screenshot.)

To confirm: that nmap scan was executed from the GL device that’s to act as the WG Client, correct? If so the ~~port forward~~ open port certainly looks properly set.

From the Client device, can you post the results of wg show?:

root@GL-AXT1800:~# wg show
interface: wgclient
  public key: [redacted]=
  private key: (hidden)
  listening port: 37692

peer: [redacted]=
  endpoint: 37.91.121.99:51820
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 33 seconds ago
  transfer: 5.17 GiB received, 654.82 MiB sent
  persistent keepalive: every 25 seconds

I’ll ask the same from the WG Server (Opal). Don’t forget to redact as required.

(If you enclose the output between three ‘backticks’ at the beginning & end (the key by the 1 key), the formatting will be easier to read)

defbeat7 · 2023-07-09T02:40:46.354Z

Yea it was, I used the IP you provided.

bring.fringe18 · 2023-07-09T02:42:59.437Z

Apologies; I edited my post since you just made that post. Could you refresh? I’d like to see what, if anything, reports back from the WG display tools. It shows slightly more information that what’s given using the GL GUI’s VPN Dashboard.

defbeat7 · 2023-07-09T02:48:14.481Z

root@GL-AXT1800:~# wg show
interface: wgclient
public key: BvnIhVf0zzpO0iPqB9Qn8teixGBGHDmsaEsGvOoWKDY=
private key: (hidden)
listening port: 58819

peer: qfOj2Fr4TMksxXcEai0/Qq/CDT8asRLyvQqA0aEAkj0=
endpoint: :51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 1.16 KiB sent
persistent keepalive: every 25 seconds

bring.fringe18 · 2023-07-09T02:56:18.307Z

GL DDNS: hj82918.glddns.com (obfuscated)
Opal (GL-SFT1200): LAN IP 192.168.8.1, Role: WG Server
Slate AX (GL-ATX1800): LAN IP unknown, WAN IP unknown, Role: WG Client

What’s your LAN IP for the Slate AX (GL GUI → Network → LAN → Router IP Address)?
What IP address is your Opal assigning to the Slate AX as a Opal Wi-Fi Client (GL GUI → Clients)?

defbeat7 · 2023-07-09T03:09:16.510Z

Question #1 192.168.8.1
Question #2 So when I go to Clients in the OPAL I dont see Slate AX on there. I see the laptop I used, my phone and my other desktop and the IPS vary. Under WireGuard Server in the OPAL device I see Slate AX CLient IP being 172.58.100.112

defbeat7 · 2023-07-09T03:50:46.267Z

Ok so I just went to Slate AX (GL GUI → VPN → VPN Dashboard → and click on the configuration file I see the following address hj28981.glddns.com:51820 and when I SSH into Slate AX and run the following it shows it as closed there.

root@GL-AXT1800:~# nmap -sU -p 51820 hj28981.glddns .com
Starting Nmap 7.80 ( https://nmap .org ) at 2023-07-08 22:48 CDT
Nmap scan report for hj28981.glddns .com (107.222.107.3)
Host is up (0.00030s latency).
rDNS record for 107.222.107.3: GL-AXT1800.attlocal .net

PORT STATE SERVICE
51820/udp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

bring.fringe18 · 2023-07-09T03:59:59.020Z

I think your two routers are conflicting based on their LAN IPs. This could block WG in a collision if so. Can you set your Opal to 192.168.18.1 instead of its default .8.1?

(GL GUI → Network → LAN → Router IP Address)

defbeat7 · 2023-07-09T04:07:15.757Z

Done, I was able to SSH into it as well to confirm the IP change.

bring.fringe18 · 2023-07-09T04:10:27.003Z

GL DDNS: hj82918.glddns.com (obfuscated)
Opal (GL-SFT1200): LAN IP 192.168.18.1, Role: WG Server
Slate AX (GL-ATX1800): LAN IP unknown, WAN IP unknown, Role: WG Client

defbeat7:

GL-AXT1800.attlocal .net

Based on the result of your last nmap probe for your ddns it appears your Slate AX is connected to your ATT modem. Is this the case?

If so which device do you intend to act as the WG Server? The Opal or Slate AX? The Opal, correct? If so that should be the one connected as ATT ISP → Opal WAN.

defbeat7 · 2023-07-09T04:19:17.684Z

Yes the SlateAX is hardwired to the modem and so is the Opal. The Opal will stay behind and the SlateAX is the one I will take with me when I travel.

bring.fringe18 · 2023-07-09T04:21:30.370Z

Okay, let’s disconnect the Slate AX’s Ethernet cable & set it to act as a Repeater of the Opal. We’re going to dry run this as if you’re at a friend’s house using their Wi-Fi to connect out to your GL DDNS via the Slate AX.

GL GUI → Internet → Repeater → Connect

repeater_-_current897×261 9.38 KB

[Feature Request] GL GUI: Button for Repeater's Connect vs Link Technical Support for Routers

Hello, I think it would be an improvement for Firmware 4.2.x’s GUI if there was a button instead of an easily overlooked link for Repeater functionality. Current [2023-07-08 14_37_15-GL.iNet Admin Panel - Chromium] Purposed [repeater_-_purposed]

defbeat7 · 2023-07-09T04:24:29.849Z

Disconnected it and connected it as repeater.

bring.fringe18 · 2023-07-09T04:26:36.083Z

Great. Can you ssh into the Slate AX & post the associated IPs it has? I’m looking to check for IP conflicts w/ the Opal, just to be sure.

ip a | grep 192

defbeat7 · 2023-07-09T04:29:24.153Z

root@GL-AXT1800:~# ip a | grep 192
inet 192.168.9.1/24 brd 192.168.9.255 scope global br-guest
inet 192.168.8.1/24 brd 192.168.8.255 scope global br-lan
inet 192.168.18.206/24 brd 192.168.18.255 scope global wlan-sta0