I configured my Flint 2 as a WireGuard server a while ago, and established tunnels successfully. Now I had to reset the router, and re-configure the WireGuard profile. After transferring the WireGuard profile to a client, the situation looks like this:
I can establish a tunnel while the client is in the LAN/WLAN – so the WireGuard configurations on both ends match.
I can access the router’s public IP from a mobile network via nc (with my WireGuard port) and via ping.
I cannot establish a WireGuard tunnel from a mobile network between client and router. The connection attempt does not seem to reach the router.
Why does the connection from outside fail, and why did it work before (for months)?
IMHO, you can't nc your WireGuard port because WireGuard is UDP and will not answer when there is no real handshake. There is no way of checking if WireGuard is active via port probing.
Try my test directly on your router to check if you are still reachable: https://cgnat.admon.me
I was under the impression that configuring and activating the WireGuard server on the router modified the firewall accordingly. I did not open the port manually before the reset (when the WireGuard configuration did work). Edit: Confirmed, there is a rule wgserver2lan. But for the wgserver interface, LuCI says “Unsupported protocol type.” After installing the missing bits of luci-proto-wireguard, this message is still there (but as I wrote in my original post, the WireGuard tunnel works from within the LAN).
Yes, you’re right. But I can ping the router’s public IP, so it is accessible in principle, and as I replied to lfalonso, the router’s firewall should allow connections to the WireGuard port when the VPN server is active.
Problem solved. It was caused by my mobile ISP’s switch to a new (IPv6) APN. After manually reverting to the old APN, I can successfully connect via WireGuard.
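The root cause in the last post is an address-family mismatch: the exported client profile carries an IPv4 literal as Endpoint, and on an IPv6-only APN the phone has no IPv4 address to send the handshake from, so the initiation packet never leaves the device (which is exactly why nothing reaches the router). The following script is an added example, not code from the thread or from GL.iNet; it parses a WireGuard client config and checks whether each peer's Endpoint is reachable with the address families the client actually holds. The config text and the local address lists are constructed for the example (placeholder keys, documentation addresses), and it assumes the IPv6-only APN provides no IPv4 translation (no 464XLAT/CLAT), which matches the symptom described above.

```python
import ipaddress

# Constructed client profile, modelled on a typical router export.
# Keys are placeholders, not real key material; 203.0.113.10 is a documentation address.
SAMPLE_CONF = """
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Minimal INI-style parser for wg-quick configs.

    [Peer] may appear more than once, so sections are returned as a list of
    dicts (with the section name under '_name') instead of a single mapping.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {"_name": line[1:-1]}
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def endpoint_family(endpoint):
    """Return 4 or 6 for a literal Endpoint host, or None for a DNS name.

    Handles 'host:port', 'a.b.c.d:port' and '[v6-literal]:port'.
    """
    host, _, _port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return None


def local_families(addresses):
    """Address families in which the client holds a usable (non-loopback,
    non-link-local) address. CGNAT IPv4 (100.64/10) counts: it can still
    originate UDP to the internet."""
    families = set()
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.is_loopback or ip.is_link_local:
            continue
        families.add(ip.version)
    return families


def diagnose(conf_text, local_addresses):
    """For each [Peer], report whether its Endpoint can be reached at all
    from a host that holds only `local_addresses`."""
    have = local_families(local_addresses)
    results = []
    for section in parse_wg_conf(conf_text):
        if section["_name"] != "Peer":
            continue
        endpoint = section.get("Endpoint")
        if endpoint is None:
            results.append({"endpoint": None, "status": "none",
                            "detail": "no Endpoint; this side cannot initiate"})
            continue
        family = endpoint_family(endpoint)
        if family is None:
            # wg-quick resolves the name once at startup; reachability then
            # depends on which record types DNS returns for it.
            results.append({"endpoint": endpoint, "status": "hostname",
                            "detail": f"DNS name; needs an A/AAAA record matching local families {sorted(have)}"})
        elif family in have:
            results.append({"endpoint": endpoint, "status": "ok",
                            "detail": f"IPv{family} literal and client has IPv{family}"})
        else:
            results.append({"endpoint": endpoint, "status": "unreachable",
                            "detail": f"IPv{family} literal but client only has IPv{sorted(have)}; "
                                      "handshake initiation cannot be sent"})
    return results


if __name__ == "__main__":
    # Constructed address sets: an IPv6-only APN versus a dual-stack (CGNAT) APN.
    for label, addrs in [("IPv6-only APN", ["fe80::1", "2001:db8::1"]),
                         ("dual-stack APN", ["100.64.1.2", "2001:db8::1"])]:
        for r in diagnose(SAMPLE_CONF, addrs):
            print(f"{label}: {r['endpoint']} -> {r['status']} ({r['detail']})")
```

With the IPv6-only address set the script flags the Endpoint as unreachable, which is the failure the thread describes; the usual fixes are to give the router an IPv6 endpoint (a DNS name with an AAAA record, or an IPv6 literal in brackets) or to use an APN that still provides IPv4, as the original poster did.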