Wireguard client not routing any traffic on GL-MT3000

Hi there,

I recently purchased this router, and I LOVE IT! I was using all sorts of other workarounds, but this one, so compact and so versatile is fantastic.
Anyway, everything works great, my OpenVPN tunnel is working flawlessly but the wireguard client does not route any traffic to the server besides the link network.
So, from a computer connected to the MT3000, if I ping the tunnel end on the server, it works fine, and I see the packets arriving on the server. If I ping the other interface of the server, it doesn’t work, and it is not because of ipv4_forwarding on the server; it is the MT3000 not routing anything into the tunnel, because I see nothing arriving on the server side.
The IP networks on the client and on the server side are different and the IP on the WAN is from a different class as well.
The routing table on the MT3000 looks normal, but the traffic is not forwarded through the tunnel (?!)
I don’t know what else to look at to make it work. Do you have any more suggestions?
Thank you

If you are on firmware 4.5, you can export the log to get debug information. If not, please paste your redacted wireguard.conf file and the command output of the following:

ip route
wg

My firmware is 4.4.6

Here are the logs when I connect to the wireguard server:

Wed Jan 17 12:38:47 2024 daemon.notice netifd: Interface 'wgclient' is setting up now
Wed Jan 17 12:38:53 2024 daemon.notice netifd: Network device 'wgclient' link is up
Wed Jan 17 12:38:53 2024 daemon.notice netifd: Interface 'wgclient' is now up
Wed Jan 17 12:38:53 2024 user.notice mwan3[12400]: Execute ifup event on interface wgclient (wgclient)
Wed Jan 17 12:38:53 2024 user.notice wgclient-up: env value:T_J_V_ifname=string J_V_address_external=1 USER=root ifname=wgclient ACTION=KEYPAIR-CREATED N_J_V_address_external=address-external SHLVL=2 J_V_keep=1 HOME=/ CONFIG_mac_mac= HOTPLUG_TYPE=wireguard T_J_V_interface=string J_V_ifname=wgclient T_J_V_link_up=boolean LOGNAME=root DEVICENAME= T_J_V_action=int TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin CONFIG_LIST_STATE= J_V_interface=wgclient K_J_V= action ifname link_up address_external keep interface J_V_link_up=1 J_V_action=0 T_J_V_address_external=boolean N_J_V_link_up=link-up T_J_V_keep=boolean PWD=/ JSON_CUR=J_V CONFIG_SECTIONS=global AzireVPN Mullvad FromApp group_7544 group_511 group_9829 group_1187 peer_7766 peer_3044 CONFIG_cfg030f15_ports=
Wed Jan 17 12:38:53 2024 user.notice mwan3[12400]: Starting tracker on interface wgclient (wgclient)
Wed Jan 17 12:38:56 2024 user.notice firewall: Reloading firewall due to ifup of wgclient (wgclient)

Here are the outputs of the commands you indicated:

root@GL-MT3000:~# ip route
0.0.0.0/1 dev wgclient scope link
default via 172.20.10.1 dev eth2 proto static src 172.20.10.10 metric 30
128.0.0.0/1 dev wgclient scope link
172.20.10.0/28 dev eth2 proto static scope link metric 30
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1
root@GL-MT3000:~#

root@GL-MT3000:~# wg
interface: wgclient
public key: KM0000000005Cjc8uq3ktndM8Rl+XGJybt000000000=
private key: (hidden)
listening port: 55787
fwmark: 0x80000

peer: eJ5FMnmO+000000000BqcLkbFobciqkyIX000000000=
endpoint: my-public-ip:51921
allowed ips: 10.8.0.0/24, 192.168.8.0/24
latest handshake: 1 minute, 25 seconds ago
transfer: 23.25 KiB received, 308 B sent
persistent keepalive: every 25 seconds

The client config is this:

[Interface]
Address = 10.8.0.2/24
PrivateKey = <private_key>
DNS = 8.8.8.8
MTU = 1380

[Peer]
AllowedIPs = 10.8.0.0/24, 192.168.8.0/24
Endpoint = my-host-name:51921
PersistentKeepalive = 25
PublicKey = eJ5FMnmO+000000000BqcLkbFobciqkyIX000000000=

And here are some tests done from a computer directly connected to the router while VPN is on:

alex@Alexs-MacBook-Pro ~ % ifconfig | grep 192.168.8
inet 192.168.8.141 netmask 0xffffff00 broadcast 192.168.8.255

I can easily ping the router:

alex@Alexs-MacBook-Pro ~ % ping 192.168.8.1
PING 192.168.8.1 (192.168.8.1): 56 data bytes
64 bytes from 192.168.8.1: icmp_seq=0 ttl=64 time=31.773 ms
64 bytes from 192.168.8.1: icmp_seq=1 ttl=64 time=4.930 ms
^C
--- 192.168.8.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.930/18.352/31.773/13.421 ms

I can ping the wireguard interface on the router:

alex@Alexs-MacBook-Pro ~ % ping 10.8.0.2
PING 10.8.0.2 (10.8.0.2): 56 data bytes
64 bytes from 10.8.0.2: icmp_seq=0 ttl=64 time=94.372 ms
64 bytes from 10.8.0.2: icmp_seq=1 ttl=64 time=97.923 ms
^C
--- 10.8.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 94.372/96.148/97.923/1.775 ms

I can ping the wireguard interface on the server:

alex@Alexs-MacBook-Pro ~ % ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1): 56 data bytes
64 bytes from 10.8.0.1: icmp_seq=0 ttl=63 time=48.012 ms
64 bytes from 10.8.0.1: icmp_seq=1 ttl=63 time=54.174 ms
^C
--- 10.8.0.1 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 48.012/51.093/54.174/3.081 ms

But I cannot ping anything beyond that … and I cannot see any packet coming to the server.

alex@Alexs-MacBook-Pro ~ % ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
alex@Alexs-MacBook-Pro ~ % ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
92 bytes from console.gl-inet.com (192.168.8.1): Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 c349 0 0000 3f 01 9e46 192.168.8.141 8.8.8.8

^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
alex@Alexs-MacBook-Pro ~ %

Please edit the client config, change this setting to:

AllowedIPs = 0.0.0.0/0,::/0

This allows all traffic to pass through the tunnel.
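Added example, not part of the thread or of GL.iNet's firmware: a small Python model of the two lookups a packet goes through on the router, using the ip route table and the peer's AllowedIPs exactly as posted above. The kernel's longest-prefix match already sends everything except the LAN and WAN prefixes to wgclient (the 0.0.0.0/1 and 128.0.0.0/1 routes), but WireGuard then does its own lookup on the peer's AllowedIPs (cryptokey routing) and drops any packet no peer is allowed to carry. The routing table, the two AllowedIPs values and the tested addresses are taken from the posts; the model ignores the fwmark policy-routing rules and is an assumption about the mechanism, not output from the device.

```python
import ipaddress

# Routing table the router printed in the thread (ip route), reduced to
# prefix -> egress device; the default route is written as 0.0.0.0/0.
ROUTES = [
    ("0.0.0.0/1", "wgclient"),
    ("0.0.0.0/0", "eth2"),        # default via 172.20.10.1
    ("128.0.0.0/1", "wgclient"),
    ("172.20.10.0/28", "eth2"),
    ("192.168.8.0/24", "br-lan"),
]

# Peer AllowedIPs before the fix (from the posted client config) and after
# (the value suggested in the reply above).
ALLOWED_IPS_BEFORE = "10.8.0.0/24, 192.168.8.0/24"
ALLOWED_IPS_AFTER = "0.0.0.0/0,::/0"


def parse_allowed_ips(value):
    """Split a WireGuard AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def _contains(net, addr):
    return addr.version == net.version and addr in net


def kernel_route(dst, routes=ROUTES):
    """Longest-prefix match, as the kernel does it; returns the egress device
    or None when no route covers the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, dev in routes:
        net = ipaddress.ip_network(cidr)
        if _contains(net, addr) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def cryptokey_route(dst, allowed_ips):
    """WireGuard's lookup for a packet that entered the wg interface: True when
    some peer's AllowedIPs covers the destination (packet gets encrypted to that
    peer), False when no peer may carry it (packet is dropped)."""
    addr = ipaddress.ip_address(dst)
    return any(_contains(net, addr) for net in parse_allowed_ips(allowed_ips))


def tunnel_verdict(dst, allowed_ips, routes=ROUTES):
    """'tunnel' if the packet leaves encrypted, 'dropped' if WireGuard has no
    peer for it, otherwise the plaintext egress device chosen by the kernel."""
    dev = kernel_route(dst, routes)
    if dev != "wgclient":
        return dev
    return "tunnel" if cryptokey_route(dst, allowed_ips) else "dropped"


if __name__ == "__main__":
    # The four destinations the original poster pinged from the LAN client.
    for dst in ("192.168.8.1", "10.8.0.1", "192.168.1.1", "8.8.8.8"):
        print(f"{dst:>14}  route={kernel_route(dst):<8}  "
              f"before={tunnel_verdict(dst, ALLOWED_IPS_BEFORE):<8}  "
              f"after={tunnel_verdict(dst, ALLOWED_IPS_AFTER)}")
```

With the original AllowedIPs, 10.8.0.1 is the only remote address that survives both lookups, which matches the pings above: the tunnel endpoint answers, while 192.168.1.1 and 8.8.8.8 reach wgclient and are discarded there. The router generating a Destination Host Unreachable for 8.8.8.8 is consistent with that drop happening on the router itself rather than anywhere past it. Widening AllowedIPs to 0.0.0.0/0,::/0 makes the second lookup accept every destination, so the server side has to be prepared to forward and NAT all of the client's traffic.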

When is 4.5 going stable again, @hansome ? :wink:


This solved it.

Thank you so much!