Wireguard client (BerylAX) cannot connect to wg server (Brume2) after moving the server to another residential area

Hello,

My problem is almost identical to the following one.

However, my backstory is a bit different.

The Wireguard server is Brume2. It was already connected to home internet router, where I had already set up port forwarding.

On Wireguard client (BerylAX) I uploaded the config file, successfully connected to the server, no problem, worked perfectly. This was at the 1st residential area.

Due to unrelated problems, I had to move the Wireguard server to the 2nd residential area. Once there, I repeated the steps for Wireguard server - connect to home internet router, set up port forwarding - and was expecting the same result.

However, now Wireguard client can't connect. Same error as in the link above.

I tried generating another config file at the 2nd residential area, even though I felt that was not the issue. Still nothing.

I thought it was maybe an issue with the residential area, so I moved it to the 3rd one, then the 4th one. I repeated the same steps that worked for the 1st residential area. Failed. I hard reset the Wireguard server, set it up from scratch, generated a new config file and uploaded it to the Wireguard client. Failed.

Also tested through Wireguard client on my phone. Failed at handshake.

I'm dumbfounded as to why the same steps worked for the 1st residential area while for the 2nd, 3rd and 4th they don't. Please help.

Wireguard server's logs:

Fri Mar 28 02:45:30 2025 daemon.notice netifd: Interface 'wgserver' is setting up now
Fri Mar 28 02:45:30 2025 daemon.notice netifd: Interface 'wgserver' is now up
Fri Mar 28 02:45:30 2025 daemon.notice netifd: Network device 'wgserver' link is up
Fri Mar 28 02:45:30 2025 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)
Tue Jul 29 08:17:21 2025 daemon.notice netifd: Network device 'wgserver' link is down
Tue Jul 29 08:17:22 2025 user.notice firewall: Reloading firewall due to ifdown of wgserver ()
Tue Jul 29 08:17:22 2025 daemon.notice netifd: Interface 'wgserver' is now down
Tue Jul 29 08:17:22 2025 user.notice firewall: Reloading firewall due to ifdown of wgserver ()
Tue Jul 29 08:17:31 2025 daemon.notice netifd: Interface 'wgserver' is setting up now
Tue Jul 29 08:17:31 2025 daemon.notice netifd: Interface 'wgserver' is now up
Tue Jul 29 08:17:31 2025 daemon.notice netifd: Network device 'wgserver' link is up
Tue Jul 29 08:17:31 2025 user.notice firewall: Reloading firewall due to ifup of wgserver (wgserver)

Both devices' firmware upgraded to the latest version (4.7.4 Brume2, 4.8.0 Beryl).

Find out if the ISPs serving residential areas 2-4 are using CGNAT. If so, all incoming ports will be blocked on the WAN-side network. You'd have to switch to TailScale in order to have a proxy act as a MITM to negotiate the VPN establishment/handshake.

...or set up a VPS to act as your own WG or HeadScale server.
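The reply above says to find out whether the ISP is using CGNAT. As an added example (not code from this thread or from GL.iNet), the script below turns that advice into a check on two values the router owner can read off: the address the home router reports on its WAN interface (on an OpenWrt-based router such as the Brume2, the WAN status page or `ifstatus wan`) and the address the outside world sees for the connection (any "what is my IP" service, opened from a device behind the router). A WAN address in 100.64.0.0/10 (RFC 6598 shared address space) is the textbook CGNAT sign; an RFC 1918 address on the WAN side means double NAT; and a public-looking WAN address that differs from what the Internet sees still means translation upstream. All sample addresses are constructed, with RFC 5737 documentation ranges standing in for real public addresses.

```python
"""
Added example, not from the thread or from GL.iNet: decide whether a port
forward on a home router can deliver inbound WireGuard handshakes (UDP),
given the router's WAN address and the address seen from the Internet.
Sample addresses are constructed; RFC 5737 ranges stand in for public ones.
"""
from dataclasses import dataclass
import ipaddress

# RFC 6598 shared address space, handed out by ISPs that run carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# RFC 1918 ranges on the WAN side mean another customer-premises NAT sits
# upstream (e.g. an ISP modem/router combo): double NAT rather than CGNAT.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass(frozen=True)
class Verdict:
    reachable: bool  # can a port forward on this router receive Internet traffic?
    reason: str


def classify_wan(wan_ip: str) -> str:
    """Label a WAN address as 'nonroutable', 'cgnat', 'private' or 'public'."""
    ip = ipaddress.ip_address(wan_ip)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return "nonroutable"          # WAN link is not actually up
    if ip in CGNAT_NET:               # membership is False for IPv6 addresses
        return "cgnat"
    if ip.version == 4 and any(ip in net for net in RFC1918_NETS):
        return "private"
    if ip.version == 6 and ip.is_private:   # ULA (fc00::/7) and similar
        return "private"
    return "public"


def port_forward_will_work(wan_ip: str, observed_public_ip: str) -> Verdict:
    """Combine the WAN label with the outside view: can an inbound WireGuard
    handshake (UDP to the forwarded port) reach this router at all?"""
    kind = classify_wan(wan_ip)
    if kind == "cgnat":
        return Verdict(False, f"WAN address {wan_ip} is RFC 6598 shared space: the ISP "
                              "runs CGNAT, so inbound UDP never reaches the router")
    if kind == "private":
        return Verdict(False, f"WAN address {wan_ip} is private: double NAT; the upstream "
                              "device must forward the port too, or be put in bridge mode")
    if kind == "nonroutable":
        return Verdict(False, f"WAN address {wan_ip} is not routable; the WAN link is not up")
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_public_ip):
        return Verdict(False, f"router holds {wan_ip} but the Internet sees {observed_public_ip}: "
                              "traffic is translated upstream even though the WAN address looks public")
    return Verdict(True, f"router holds the public address {wan_ip}; a port forward can "
                         "deliver WireGuard handshakes")


# Constructed cases modelled on the thread's pattern (one house that works,
# apartment blocks that do not). Not measurements from the thread.
SAMPLE_CASES = {
    "house":        ("203.0.113.7",  "203.0.113.7"),    # public WAN, matches outside view
    "cgnat":        ("100.72.3.9",   "198.51.100.21"),  # RFC 6598 on WAN
    "double-nat":   ("192.168.0.2",  "198.51.100.22"),  # RFC 1918 on WAN
    "upstream-nat": ("203.0.113.40", "198.51.100.23"),  # looks public, translated upstream
}


def check_all(cases=SAMPLE_CASES) -> dict:
    """Run the check for every (wan_ip, observed_public_ip) pair."""
    return {name: port_forward_will_work(wan, seen) for name, (wan, seen) in cases.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name}: {'OK' if verdict.reachable else 'BLOCKED'} - {verdict.reason}")
```

The check only answers whether packets can arrive; a matching WAN and public address with a wrong forwarding rule or a firewall zone that drops the UDP port still fails the handshake, so confirm the forward with the server's `wg show` (latest handshake) after the address test passes.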

It looks like you've hit the jackpot.

Residence 1 - no CGNAT
Residence 2 - CGNAT
Residence 3 - CGNAT
Residence 4 - can't check

Could be the case because R1 is a house and R2-4 are apartment blocks.

I'll edit this message later to confirm if this was the case, thank you for sharing the lead.

Edit:

Confirmed, Residence 1 re-connected without issues.


You're probably going to want this:

Be aware that it looks like HeadScale, and presumably TailScale, isn't PQC at the moment [1], should that matter to you.

1. "Does Tailscale use wireguards psk feature between peers connections", u/ra66i, 2023 May 04, r/Tailscale
