Wireguard client port forwarding help please

Hi all,

I live in the UK and my ISP and router are from the company Sky. I am trying to set up port forwarding so I can go and work abroad without being detected.

I have a Flint 1 intended to remain in the UK and a Beryl AX3000 intended as a travel router. I have been primarily following Justin Pruett’s video to set up port forwarding: https://www.youtube.com/watch?v=LXbDg1v65Qs

When setting up the Wireguard Client on my Beryl AX3000, I get the following error message when starting the WireGuard Client file:

Sun Dec 7 12:23:06 2025 user.notice wireguard-debug: USER=root ifname=wgclient1 ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/

Sun Dec 7 12:23:08 2025 daemon.notice netifd: Interface 'wgclient1' is now down

Sun Dec 7 12:23:08 2025 daemon.notice netifd: Interface 'wgclient1' is setting up now

Sun Dec 7 12:23:08 2025 user.notice firewall: Reloading firewall due to ifdown of wgclient1 ()

Sun Dec 7 12:24:54 2025 user.notice wireguard-debug: USER=root ifname=wgclient1 ACTION=REKEY-GIVEUP SHLVL=1 HOME=/ HOTPLUG_TYPE=wireguard LOGNAME=root DEVICENAME= TERM=linux SUBSYSTEM=wireguard PATH=/usr/sbin:/usr/bin:/sbin:/bin PWD=/

Hoping someone can assist with this? Thank you.

AFAIK, Sky does not allow port forwarding and uses CGNAT.
I might be wrong since I don't live in the UK.

If that's the case, you need to use a tunnel service like Tailscale or AstroWarp.

Hi, thanks for the reply.

However, it doesn’t seem correct, I think. They even have a link on the Sky website on how to do port forwarding: Set up Port Forwarding | Sky Help Business | Sky.com

So you set up the ISP's router with correct port forwarding? What values did you set there?

Best is to log in on the Sky router.

Give the Beryl a static IP because you want to ensure the LAN IP does not change.

Then define a port forward on the Sky router:

inbound: wan
inbound port: port for wireguard
to/rewrite/destination: Beryl ip
port: wireguard port.

In Beryl:

Inbound: wan
Inbound port: the wireguard port
to/rewrite/destination: wgserver ip
dest zone wgserver

^ Choose UDP as the protocol for both; you don't want TCP, for security :slight_smile:

It is also possible with just a traffic rule in OpenWrt, but imho it did not always work for me.

And to allow ports from wgserver for other things, you just replace wan for wgserver.

If that's what you have done, it should be an OK setup; if it fails, you may be behind a closed port or CGNAT.

In case of suspicion of a broken config, make the wgserver and its peers very simple, remove the preshared key, and start from scratch.

3 Likes

These are part of my settings. Hope this is correct.

Looks fine so far.

192.168.0.2 is the address of the Flint's WAN port, correct?

Thanks for your detailed reply. I’ll have to look up how to do this. I’m quite the novice when it comes to all things networking. I have a Google Meet booked with the Home to Remote Guys on Tuesday night and am trying to do as much as I can myself before then, to ensure that they can fix what’s left and ensure it’s good in one meeting hopefully.

1 Like

Yes that’s right :slight_smile:
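
The CGNAT and double-NAT questions raised in the replies above can be checked from the WAN addresses the two routers report. This is an added example, not part of any poster's reply: a POSIX shell sketch that classifies those addresses and says which forwards are needed. The function names and the addresses 100.72.13.5 and 203.0.113.7 are constructed; 192.168.0.2 is the WAN address mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify router WAN addresses to see
# whether an inbound WireGuard (UDP) port forward can be reached at all.

# ip_to_int A.B.C.D: print the address as a 32-bit integer; fail if malformed.
ip_to_int() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac  # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net INT NET/BITS: succeed if the integer address lies inside the prefix.
in_net() {
    net=$(ip_to_int "${2%/*}") || return 2
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $1 & mask )) -eq $(( net & mask )) ]
}

# classify_wan ADDR: print cgnat (RFC 6598), private (RFC 1918) or public.
# "public" here means "in neither range"; other reserved blocks are not checked.
classify_wan() {
    addr=$(ip_to_int "$1") || { echo invalid; return 1; }
    if in_net "$addr" 100.64.0.0/10; then echo cgnat
    elif in_net "$addr" 10.0.0.0/8 || in_net "$addr" 172.16.0.0/12 ||
         in_net "$addr" 192.168.0.0/16; then echo private
    else echo public
    fi
}

# forward_plan ISP_WAN INNER_WAN: what the two WAN addresses imply.
#   no-inbound      ISP router has no public address; a forward on it is unreachable
#   double-forward  forward UDP on the ISP router, then again on the inner router
#   single-forward  inner router holds the public address itself
forward_plan() {
    isp=$(classify_wan "$1") || { echo invalid; return 1; }
    inner=$(classify_wan "$2") || { echo invalid; return 1; }
    case "$isp/$inner" in
        public/public) echo single-forward ;;
        public/*)      echo double-forward ;;
        *)             echo no-inbound ;;
    esac
}

# Constructed sample: ISP router WAN in the CGNAT range, inner router at 192.168.0.2.
forward_plan 100.72.13.5 192.168.0.2
```

The ISP router's WAN address is read from its status page; if it is public but differs from the address an outside service sees, an upstream NAT is still in the path.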
