VPN client mode working in 3.216 but not 4.3.21

Technical Support for Routers VPN, DNS, Leaks
1

I have several Mango and Creta running 3.216 firmware the following config:
Wireguard client, VPN, and devices connecter to the LAN (security video recorder connected to Cloud)
This config is not working with version 4.3.21 : the device will not connect to it's Cloud. Same issue with other devices usually working (SIP phone).
I've the issue with a Creta and an Opal

I've noticed both have very different interface and VPN behavior, but could not figure what is wrong. Any clue ?

2

Hello,

  1. WireGuard(WG) client can establish a connection with WG server in 3.216, but isn't in 4.3.21? Please export syslog and PM me.

  2. The router cannot connect to GoodCloud. Is the router displayed in GoodCloud offline, or is it impossible to bind to GoodCloud after the router GL GUI enabled GoodCloud?

  3. Please upgrade them to the firmware version of v4.x.x before setup. The interface of v4 will be consistent, but if you cannot connect this isue, I want to get syslog for R&D analysis.

BTW, could you please draw a network topology figure for clear know your connections.

4

Hello, please let me clarify:
In both configuration, Wireguard client is connected.
In both configuration, device is up in Goodcloud (once for 4.x I activated the "use VPN for Goodcloud"*, should be set by default imho)

The issue is for the clients connected on the Glinet devices. Everything external being identical, with 4.x the devices cannot connect correctly, as if there were some additional firewall rules (maybe on OpenWRT side) that would block the trafic that was allowed in 3.x

Every device I upgraded to 4.x (ou received in 4.x) have the issue.

However, my knowledge of Openwrt, firewall or linux network administration are too weak to troubleshoot further. So I hope someone had a similar issue and/or could help troubleshoot.

Hope this is clear now :slight_smile:

  • More context: the device and Wireguard VPN is used to "escape" a restrictive corporate network : the devices (security camera, SIP phone) on Glinet LAN cannot communicate toward their servers due to corporate firewall rules. The VPN tunnel on 3.x devices allows this. However Creta (2 LAN ports) is discontinued, and replacement Opal seems only available with 4.x firmware
5

I got it.

When the Mango and Creta enabled the WireGuard (WG) client in 3.216, security video recorder can be connected to its cloud and is available to work, including SIP phone.
Then, upgrade to 4.3.21, WG client was also enabled, but the above client encountered issues that could not be connected. My understanding right?

I just checked the firmware server and it seems that there is no v4.3.21, it should be v4.3.18.

And your network topology like this, right?
Internet - Mango/Creta with WG client - security video recorder/SIP phone

Please SSH to router (on v4.3.18), and execute this command, and test the clients one more time:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

6

Thanks Bruce. I'll try this.
The 4.3.21 version is on Opal; I can't remember which version I had on Creta, because I downgraded it, but it was definitely a 4.x version.

1 Like
7

Update:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

didn't help. Is it reboot resilient ?

8

No.
You can check by print it

cat /proc/sys/net/netfilter/nf_conntrack_helper

Could you provide the relevant software and tools, we want to reproduce this locally.