Wireguard Client Will Not Connect to VPN

kasitrol · 2021-08-21T22:39:00.274Z

Last week I purchased two GL – SF 1200 routers from GL’s website. I opened one of the routers and configured it with Wireguard client after upgrading the firmware to 3.203. It connected successfully and I browse the Internet with it for about an hour. I checked the IP and found out that the VPN was working as it should’ve been. Later that day I powered down the router and did not powered back on for two days. When I did powered on the VPN Wireguard client failed to successfully connect to my VPN provider. I tried to connect several times but without success. I use Keepsolid Unlimited as my VPN provider. I downloaded two more configuration files from two different servers and manually install them as well. I was not able to connect with either one of them and the original unchanged client still did not work. I saw similar post on this forum from people who experienced somewhat the same problems but from different VPN providers. I hope someone can shed a light on this problem. I personally think it’s a firmware problem but that’s just my opinion. I had a similar problem from a GL Travel router purchased from Amazon. GL.iNet GL-AR300M Mini VPN Travel Router, Wi-Fi Converter, OpenWrt Pre-Installed, Repeater Bridge, Hotspot, 300Mbps High Performance, 128MB Nand Flash. I returned it as defective but now I have a repeat of the same problem. The travel router worked once as a Wireguard client and failed to work again when when re connected after powering down. I would appreciate any help you can provide.

Happi · 2021-08-22T08:17:15.939Z

First thing to note about Keepsolid is that their Wireguard is a bit flaky - your configurations may change without notice and will need to be regenerated in your management panel (they are aware of this “glitch” and are working on it, supposedly). However, it looks as though you have already done this.
So, your problem is most likely a time sync. problem. I have the very same on my Beryl - after a power down (overnight) my Wireguard client only reconnects after syncing the time in Luci (it does not sync correctly in the GL GUI). I am on 3.203 Beta5 but it appears to be a bug on 3.201 as well:

OpenVPN Client Disconnect and Wrong Router Time Technical Support for Routers

My OpenVPN client disconnects every few days or somtimes even more frequesntly with a TLS error and I notice that the router time is a few minutes behind actual time. Even if I re-select a time zone or re-sync the time to the computer via the setting in the GL–iNet web interface, the time remains off by a few minutes. It seems wrong router time is known to cause TLS errors in OpenVPN. If I unplug and replug the router, then the client reconnects and I see that the time is exactly correct again. …

kasitrol · 2021-08-22T16:12:13.602Z

Thanks for the information. I will try to sync the time with Luci and see if that works in this router. I have sent an inquiry to GL-iNet and I am waiting for a response from them. I will see what they have to say and report back when or if I get a reply. In the meantime I will try the time sync.

kasitrol · 2021-08-22T22:46:49.459Z

I took the router back to factory default and started from scratch. I synced the time with router and then I I went to KeepSolid and created a brand new wireguard config file. I created a config for a server in Illinois and connected the wireguard client and it worked. I also installed an earlier config from Washington but did not renew it on Keepsolid. I ran the old config for Washington and I experienced the same abort issue. I then tried the new Illinois config and bingo—it connected. I am writing this post using my Illinois VPN connection.

Following your advice “Keepsolid is that their Wireguard is a bit flaky - your configurations may change without notice and will need to be regenerated in your management panel”

I can’t say for sure I solved the problem if I power down the router but for right now I am connected.

I am going to not power down this router for a few days and see if I loose the connection or not or if the problem re-surfaces.

Thanks for all your help

alzhao · 2021-08-23T12:28:44.193Z

Waiting for you me upgrade.

kasitrol · 2021-08-23T14:54:03.055Z

GL.iNet Technical Support support@gl-inet.com
To:
kasitrol

Mon, Aug 23 at 1:56 AM

Hi kasitrol,

I never use keepsolid wireguard. Can you check if the router’s time is correct? Go to more settings->time zone. If the router’s time is different from your pc pls fix it. If the router has Internet, it should be able to sync with time server. But you may need to disconnect wireguard first to achieve this.

You can also remove the wireguard config from the router and set up again. Some vpn service providers has limitations in total number of config keys.

Alfie Zhao

I am working on a permanent solution from another source who tells me:

WireGuard basics > Time synchronization:

Time synchronization
WireGuard is time sensitive and can refuse to pass traffic if the peer’s clock is out of sync. It’s recommended to rely on NTP for all peers. The issue could be caused by incorrect NTP configuration, or race conditions between netifd and sysntpd services, specifically when RTC is missing. Setting time forward on the client side can work around the problem.

Web interface instructions

Installing packages
Navigate to LuCI → System → Software and install the packages luci-proto-wireguard and luci-app-wireguard to manage WireGuard using LuCI.
Generating keys
Generate a key pair of private and public keys.

wg genkey | tee wg.key | wg pubkey > wg.pub
Use the wg.key file to configure the WireGuard interface on this router.
Use the wg.pub file to configure peers that will connect to this router through the WireGuard VPN.
3. Restarting services
Navigate to LuCI → System → Startup → Initscripts and click to network → Restart.

Setting up network
To create a new WireGuard interface go to LuCI → Network → Interfaces → Add new interface… and select WireGuard VPN from the Protocol dropdown menu.
Monitoring status

An alternative method:

Disable gateway redirection for the router itself.
Set up PBR 3 to route LAN traffic to the VPN.

Perhaps you don’t understand, but syncing time once in not enough.
If your router is missing RTC, then time will desync sooner or later depending on the hardware.
And this can lock the VPN connection until you manually set client time forward or restart the server.
That’s why you need to implement one of the workarounds mentioned above.

I will get back to you when I know more. I hope this helps.

Kasitrol

alzhao · 2021-08-24T04:22:50.672Z

It should just be routing policy issue. NTP is blocked before wireguard is connected. If time cannot be sync Wireguard will not connect.

So remove NTP from using Wireguard to connect to the Internet should solve this problem.

kasitrol · 2021-08-24T15:19:48.455Z

At the present time I am in a hold pattern. I connected the router two days ago and re-installed a wireguard client configuration and I was able to connect. I am currently writing this post through the wireguard client vpn. I have not powered the router down since this was done so the time seems to be synced. I have no problem using it as my main router if it will stay connected to vpn. Last night I installed a 2nd wireguard client and I was able to connect to my vpn as well. Both clients seem to be working when I alternate between them.

I have installed and activated Luci on this router but I am new to Luci and I do not understand the Luci structure in detail. How would I remove NTP from using Wireguard to connect to the Internet? Is there a script I can execute in Luci? I am new to all this so any help you provide would be greatly appreciated. I was also communicating on the Openwrt forum but I was told that GL-inet’s version of openwrt was different from the original openwrt firmware and I should communicate through this forum as there may be differences that might cause issues in the GL-inet router.

UPDATE: I just checked one of my clients and it now no longer connects and I get the abort button. I was able to connect to the other client but I don’t know for how long.

I don’t know if this is the keep solid issue or it has to do with the timing. When I compared the time to my browser it was the same. At this point I don’t know if inactivity on one client using Keepsolid Unlimited configuration overnight made that client in operable.

I do know that Keepsolid Unlimited has been known to be flaky but in this case I don’t know if that is the issue here or GL Inet time sync is the issue. I can download a new configuration on the same server I had before and see if that takes care of the problem. Will see!

I am using Windows as an interface between the router and this pc

Happi · 2021-08-25T07:53:51.674Z

If your time is correct, then this will be a Keepsolid problem - regenerate your config and try again.

For your info. the latest official firmware for the Beryl (3.203-0809) appears to have fix this (time sync) problem. I loaded it three days ago and my Wireguard connected automatically when I booted in the morning.

kasitrol · 2021-08-25T16:03:02.416Z

I connected to a KeepSolid Wireguard Illinois server last night and left it connected all night. I disconnected from that server and tried a second server with a different config that I had installed yesterday and one that had worked all day long but when I tried to reconnect to it this morning I got the abort issue instead of connect. I then went back to the Illinois server and it reconnected without a problem but the Dallas server would not connect. This seems to repeat itself in an overnight setting.

It seems to be some sort of glitch and I’m not sure who is at fault. I have contacted KeepSolid and they report no outages on any of their servers.

I checked the time this morning in the router and agreed with the time on my browser. I am going to report this issue back to GL and see if they have any idea what is going on. I’ll do the same with KeepSolid. I will let you know what I find out. I may check the firmware to see if there has been an update from my current version.

I am also curious how to work through Lucy. I have set up the Lucy interface but I’m not sure how to make changes through Lucy. Do you have any information how to do that? Would you happen to have an example of a script and with directions on how to run it in Lucy?

Since I am unable to currently solve the problem I am grasping at straws. Any help you could provide would be appreciated.

I’ll let you know what I find out.

kasitrol · 2021-08-26T14:47:21.386Z

This is the latest update from GL-Inet support followed by update from KeepSolid Unlimited:

GL.iNet Technical Support support@gl-inet.com

Thu, Aug 26 at 4:32 AM

Hi kasitrol,

To check time you can just use “date” command in ssh. It has nothing to do with Luci

As I said, it should be a routing policy problem. When you reboot the device it may not be able to update time because vpn is not connected and blocking ntp protocol.

We are fixing this in 3.210 firmware.

Alfie Zhao

I reported to KeepSolid that when comparing config files for the same Wireguard server in Dallas and Illinois they changed in less than 24 hours. Each time I have to re-configure the Wireguard client in the GL router.

Keepsolid Technical support latest email:

Alex Piehanov (Support Team)

Aug 26, 2021, 14:13 GMT+3

Hi John,

Thank you for the update.

I have forwarded your issue to our technical department.
We will reply to you as soon as they assist.

Thanks for your patience and understanding.

–
Best regards,
Alex Piehanov
Customer Support Team

Latest Email from KeepSolid Unlimited VPV customer support:

Alex Piehanov (Support Team) support@keepsolid.com
To:
John

Thu, Aug 26 at 7:01 PM

Alex Piehanov (Support Team)

Aug 27, 2021, 3:00 GMT+3

Hi John

Thank you for contacting us.

First of all, I’d like to apologize for the inconvenience, this is not the experience we want you to be having.

Just received a response from our Technical department.
They confirm that currently we are facing temporary issues with Wireguard VPN configurations indeed.
Our technical engineers are aware of this and working on fixing it as soon as possible.

In the meantime,
I recommend that you try to create VPN configurations via any other VPN protocol besides Wireguard.
(For example, using OpenVPN).

Thank you for your understanding.

–
Best regards,
Alex Piehanov
Customer Support Team

alzhao · 2021-08-27T10:37:00.387Z

I don’t think it is good to post content of personal emails.

kasitrol · 2021-08-27T20:29:31.520Z

OK, I won’t do that in the future. I just thought that the email would convey what was happening in more accurate details than if I summarize the content . No harm was meant.

kasitrol

woodpecker · 2021-08-28T10:40:50.620Z

Why don’t you just run your own Wireguard server using a cheap cloudserver, I’ve never understood why people pay so much for these crappy VPN services that don’t work properly.

kasitrol · 2021-08-28T18:41:04.003Z

I am new to this so I am not sure how to do this or which cloud server to to go with. If you have any recommendation I would appreciate it if you would share them. Also do these services provide details how to set up a server on their service?

woodpecker · 2021-08-28T19:26:10.721Z

I use Upcloud, I have multiple servers but use a separate $5 one to run my own Wireguard, OpenVPN and dynamic dns server etc, they have a guide here, there maybe some providers that are even cheaper…

upcloud.com

How to get started with WireGuard VPN – UpCloud

eric · 2021-08-28T20:03:25.462Z

Oracle’s cloud service has a free tier that allows you to run multiple Linux virtual private server instances with up to two public IP addresses that works great as VPN servers. For over a year I have been running multiple VPN protocols including Wireguard, OpenVPN and SoftEther on Ubuntu 20.04 server instances on the Oracle cloud, at no cost. Using their new free-tier multi-CPU ARM based servers can support multiple VPN clients with no problems and they give you up to 10TB of network data transfer per month for free.

Using Google and Youtube you can find multiple sites explaining how to setup a Ubuntu server on the Oracle cloud, and then other sites will show you how to install VPN software on a Ubuntu server.

kasitrol · 2021-08-29T14:11:29.663Z

I appreciate all of the information you provided. I am going to look into this and see what I need to do to set up a server.

manuelchocolat · 2021-08-30T03:26:01.966Z

Hi,

I set up an open VPN server on my GL Inet router that is connected directly to my USA home ISP then i downloaded the file and upload it to my other GL inet router from another country as a client. the client router refused to establish the connection and every time i activate the server on it my internet went down please help me

alzhao · 2021-08-30T04:12:09.939Z

manuelchocolat:

I set up an open VPN server on my GL Inet router that is connected directly to my USA home ISP then i downloaded the file and upload it to my other GL inet router from another country as a client. the client router refused to establish the connection and every time i activate the server on it my internet went down please help me

You should use a new post thread and post some details. You can also send the config to support at gl-inet.com and that may be better.