Unable to Use VPN Server on MT2500 (Brume 2)

Just bought the MT2500 (Brume 2) and the AXT1800 (Slate AX) to use as a travel VPN setup to my home. Trying to set up with the Brume as the home server and the slate as the travel client.

Unable to connect to the Brume through the VPN tunnel (tried WireGuard at first, but OpenVPN seems to not work either). The Brume is connected to the main router and I was testing the VPN connections through the Slate on my cellular hotspot, as well as with the WireGuard app on my phone.

Here are the connection logs from the Slate when attempting to connect:

Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):    * Rule 'out_conn_mark_restore'
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):    * Zone 'lan'
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):    * Zone 'wan'
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):    * Zone 'guest'
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):    * Zone 'wgclient'
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):  * Set tcp_ecn to off
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):  * Set tcp_syncookies to on
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):  * Set tcp_window_scaling to on
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):  * Running script '/etc/firewall.nat6'
Sat Oct 21 23:46:11 2023 daemon.notice netifd: wgclient (3450):  * Running script '/etc/firewall.swap_wan_in_conn_mark.sh'
Sat Oct 21 23:46:12 2023 daemon.notice netifd: wgclient (3450):  * Running script '/etc/firewall.vpn_server_policy.sh'
Sat Oct 21 23:46:12 2023 daemon.notice netifd: wgclient (3450):  * Running script '/var/etc/gls2s.include'
Sat Oct 21 23:46:12 2023 daemon.notice netifd: wgclient (3450):    ! Skipping due to path error: No such file or directory
Sat Oct 21 23:46:12 2023 daemon.notice netifd: wgclient (3450):  * Running script '/usr/bin/gl_block.sh'
Sat Oct 21 23:46:12 2023 daemon.notice netifd: wgclient (3450): uci: Entry not found
Sat Oct 21 23:46:12 2023 daemon.notice netifd: wgclient (3450): cat: can't open '/tmp/run/wg_resolved_ip': No such file or directory
Sat Oct 21 23:46:12 2023 daemon.notice netifd: Interface 'wgclient' is now down
Sat Oct 21 23:46:12 2023 daemon.notice netifd: Interface 'wgclient' is setting up now
Sat Oct 21 23:46:12 2023 user.notice mwan3[3597]: Execute ifdown event on interface wgclient (unknown)
Sat Oct 21 23:46:13 2023 user.notice firewall: Reloading firewall due to ifdown of wgclient ()

Additional logs from a separate run that I forgot to add to this earlier run:

Sun Oct 22 01:03:57 2023 user.notice wireguard-debug: USER=root ifname=wgclient ACTION=REKEY-GIVEUP SHLVL=2 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/

Relevant info:

  • Both devices on 4.4.6
  • Linksys EA7300 is my main router
  • Port forwarding rule is set up on the Linksys with 51820 (the default VPN port I have) as the ext and int port and the Brume’s IP as the IP address
  • DDNS is set up and in the WireGuard client config as below:
[Interface]
Address = 10.20.0.2/24
PrivateKey = {{REDACTED}}
DNS = 64.6.64.6
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = {{REDACTED}}.glddns.com:51820
PersistentKeepalive = 25
PublicKey = {{REDACTED}}

Here are some logs from the Brume on start of the WireGuard server:

Sun Oct 22 00:00:38 2023 daemon.notice netifd: Interface 'wgserver' is setting up now
Sun Oct 22 00:00:38 2023 daemon.notice netifd: Interface 'wgserver' is now up
Sun Oct 22 00:00:38 2023 daemon.notice netifd: Network device 'wgserver' link is up
Sun Oct 22 00:00:39 2023 user.notice mwan3[4397]: Execute ifup event on interface wgserver (wgserver)
Sun Oct 22 00:00:39 2023 user.notice mwan3[4397]: Starting tracker on interface wgserver (wgserver)
Sun Oct 22 00:00:41 2023 user.info mwan3rtmon[4100]: Detect rtchange event.
Sun Oct 22 00:00:41 2023 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)
Sun Oct 22 00:00:41 2023 authpriv.notice sudo:     root : PWD=/ ; USER=root ; GROUP=nonevpn ; COMMAND=/usr/lib/ddns/dynamic_dns_updater.sh -- stop
Sun Oct 22 00:00:43 2023 authpriv.notice sudo:     root : PWD=/ ; USER=root ; GROUP=nonevpn ; COMMAND=/usr/lib/ddns/dynamic_dns_updater.sh -- start
Sun Oct 22 00:00:43 2023 user.notice ddns-scripts[5154]: glddns: PID '5154' started at 2023-10-22 00:00

Can you check if your main router has a public IP?

Check if the ddns points to your public IP.

Yes, it has a public IP and the DDNS points to the same address.

Cellular networks often use carrier-grade NAT, which means there is no "real" public IP - so it could be the issue here.

Did a remote check. The main router gets a 100.x IP, which seems to be a carrier-grade network.
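The two checks the replies ask for (does the main router hold a public IP, and does the DDNS name resolve to that same address) can be scripted so the answer is unambiguous. The example below is added here and is not from the thread or from GL.iNet; it classifies the router's WAN address against the RFC 6598 shared address space (100.64.0.0/10, the "100.x" range that carrier-grade NAT hands out) and the RFC 1918 private ranges, then compares it with what the DDNS name resolves to. The `wan_ip`/`ddns_ip` values in the self-test are constructed samples (RFC 5737 documentation addresses plus a CGNAT address); in real use you would paste the WAN IP shown on the router's status page and resolve your own DDNS hostname with `resolve_ddns()`.

```python
import ipaddress
import socket

# RFC 6598 shared address space: what ISPs hand out behind carrier-grade NAT.
# A router holding one of these cannot receive unsolicited inbound UDP, so the
# WireGuard handshake never arrives and the client logs REKEY-GIVEUP.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 private ranges: a WAN address here means the router sits behind
# another NAT device (double NAT), which also blocks inbound port forwards.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Other non-routable ranges that should never appear as a usable WAN address.
NON_ROUTABLE = [
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("169.254.0.0/16"),  # link-local / APIPA
]


def classify_wan(wan_ip: str) -> str:
    """Classify the address the main router reports on its WAN interface."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in block for block in PRIVATE_BLOCKS):
        return "private"
    if any(addr in block for block in NON_ROUTABLE):
        return "non-routable"
    return "public"


def resolve_ddns(hostname: str) -> str:
    """Resolve the DDNS name (e.g. something.glddns.com) to an IPv4 address.
    Needs network access; not used by the offline self-test below."""
    return socket.gethostbyname(hostname)


def diagnose(wan_ip: str, ddns_ip: str) -> dict:
    """Combine the two checks from the thread into one verdict."""
    kind = classify_wan(wan_ip)
    matches = ipaddress.ip_address(wan_ip) == ipaddress.ip_address(ddns_ip)

    if kind == "cgnat":
        verdict = ("unreachable: ISP carrier-grade NAT; a port forward on the "
                   "router cannot help, ask the ISP for a public IP or use IPv6")
    elif kind == "private":
        verdict = ("unreachable: router WAN is behind another NAT (double NAT); "
                   "forward the port on the upstream device too")
    elif kind == "non-routable":
        verdict = "unreachable: WAN interface has no usable address"
    elif not matches:
        verdict = ("DDNS record is stale: it does not point at the current WAN "
                   "address, check the ddns-scripts updater on the server")
    else:
        verdict = ("reachable in principle: public WAN address and DDNS agree; "
                   "verify the UDP port forward to the WireGuard server next")

    return {"wan_kind": kind, "ddns_matches_wan": matches, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample values, mirroring the thread's outcome (100.x WAN IP).
    for wan, ddns in [("100.72.1.9", "100.72.1.9"),
                      ("203.0.113.5", "203.0.113.5"),
                      ("203.0.113.5", "203.0.113.6"),
                      ("192.168.0.10", "203.0.113.5")]:
        print(wan, ddns, diagnose(wan, ddns))
```

The ordering in `diagnose()` matters: a CGNAT or private WAN address is diagnosed first, because in that case the DDNS record is irrelevant (it will faithfully publish an address nobody on the internet can reach). Only once the WAN address is public does a DDNS mismatch become the thing to fix.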