WireGuard no internet for client (both GLiNET)

Hi guys,

I know this is a common issue but I am flummoxed and would love some help.

I have a remote Opal router (client) and local Flint 2 router (server) which I am trying to set up as a WireGuard server. The Opal has been connected to another WireGuard server at work successfully, so I’m just trying to change it to my home router.

After setting up the profile, I am able to connect (either on the Opal or using a test account on my iPhone) and the Flint 2 shows a connected client, but I can't get any traffic to flow and certainly no internet connection for the client.

I’ve checked IP ranges don’t conflict, I’ve set the DNS to 1.1.1.1 just in case, I’ve changed the MTU, and I’ve tried to confirm that the firewall isn’t blocking. Nothing helps. The Flint 2 is the main router, so is not behind any other router so no need for port forwarding.

Config is this:

[Interface]
Address = 10.1.0.3/24,fd00:db8:0:abc::3/64
PrivateKey = CNboDuA64NwERFGIIPaH1ysUVVAOxvOlbUPeT8aprVY=
DNS = 1.1.1.1
MTU = 1420

[Peer]
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = xxx.xxx.xxx.xxx:51820
PersistentKeepalive = 25
PublicKey = mhljOSD5/XUTrfg43EtxgAozr8AtAxxTb1/0m+SmcFE=

Can you help?! Happy to share logs files if that’s useful.

Can you confirm that you read all points in this thread, "How to troubleshoot WireGuard", and none of them apply?

Yes I have gone through each of them and, as far as I'm aware, tested / confirmed all points without success.

Server: Flint 2
LAN 192.168.199.0/24
WireGuard 192.168.20.0/24 (have also tried in the 10.x.x.x range)

Client Opal
LAN 192.168.11.0/24

The server log is as follows:

Sun Jun  2 18:37:22 2024 user.notice nat6: Firewall config="wgserver" zone="wgserver" zone_masq6="1".
Sun Jun  2 18:37:22 2024 user.notice nat6: Found firewall zone_name="wgserver" with zone_masq6="1" zone_masq6_privacy="1".
Sun Jun  2 18:37:22 2024 user.notice nat6: Setting up masquerading nat6 for zone_name="wgserver" with zone_masq6_privacy="1"
Sun Jun  2 18:37:22 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgserver_postrouting" contains our MASQUERADE.
Sun Jun  2 18:37:22 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgserver_input" contains our permissive DNAT rule.
Sun Jun  2 18:37:22 2024 user.notice nat6: Ensuring ip6tables chain="zone_wgserver_forward" contains our permissive DNAT rule.
Sun Jun  2 18:37:22 2024 user.notice nat6: Done setting up nat6 for zone="wgserver" on devices:

The client log is:

2024-06-02 19:37:26.466
[NET] Network change detected with satisfied route and interface order [pdp_ip0, utun4]
2024-06-02 19:37:26.467
[NET] DNS64: mapped 149.22.xxx.xxx to itself.
2024-06-02 19:37:26.467
[NET] peer(mhlj…mcFE) - UAPI: Updating endpoint
2024-06-02 19:37:26.468
[NET] Routine: receive incoming v4 - stopped
2024-06-02 19:37:26.468
[NET] Routine: receive incoming v6 - stopped
2024-06-02 19:37:26.468
[NET] UDP bind has been updated
2024-06-02 19:37:26.469
[NET] peer(mhlj…mcFE) - Sending keepalive packet
2024-06-02 19:37:26.469
[NET] Routine: receive incoming v4 - started
2024-06-02 19:37:26.469
[NET] Routine: receive incoming v6 - started
2024-06-02 19:38:02.558
[NET] Network change detected with satisfied route and interface order [pdp_ip0, utun4]
2024-06-02 19:38:02.559
[NET] DNS64: mapped 149.22.xxx.xxx to itself.
2024-06-02 19:38:02.560
[NET] peer(mhlj…mcFE) - UAPI: Updating endpoint
2024-06-02 19:38:02.560
[NET] Routine: receive incoming v4 - stopped
2024-06-02 19:38:02.560
[NET] Routine: receive incoming v6 - stopped
2024-06-02 19:38:02.561
[NET] UDP bind has been updated
2024-06-02 19:38:02.561
[NET] peer(mhlj…mcFE) - Sending keepalive packet
2024-06-02 19:38:02.561
[NET] Routine: receive incoming v4 - started
2024-06-02 19:38:02.561
[NET] Routine: receive incoming v6 - started
2024-06-02 19:38:04.477
[NET] Network change detected with satisfied route and interface order [pdp_ip0, utun4]
2024-06-02 19:38:04.477
[NET] DNS64: mapped 149.22.xxx.xxx to itself.

Any help would be so appreciated.

The server only shows NAT6 messages? I doubt there is a rule for IPv6 predefined.

Solution 1: Add a rule for IPv6 routing.
Solution 2: Force the Client to use IPv4 only.

Is the IP which the client is using to connect IPv4? If it is a hostname, is there IPv4 and IPv6 behind the name?

Thanks so much for this. The IP which the client is using to reach the server is IPv4 - DDNS seems not to work at all - so I think there's not IPv6 in the mix.

I went for Solution 2 and stripped out any IPv6 from the config. It still connects but no access to internet.

Generally it should be a problem of server side.

Can you send me a working wireguard config via private message and I will try?

Happy to send you a config but I don’t have a working one for the server - no profile works.

I have OpenVPN working but not WireGuard. Would it still be useful?

I need wireguard as it is the problem.

Just sending me one which worked on your PC or smartphone is OK.

If none works on a PC or smartphone either, it is definitely a server-side problem. But if OpenVPN works, WireGuard should work just OK.

You can just send me a non working one to try.

After remote checking, the Wireguard server routing is missing for some reason.
Not sure how this happened, but adding the routing or a reset fixed it.
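The missing server-side route described above is easy to verify before resorting to a reset. The following is an added example, not code from the thread or from GL.iNet: it checks the output of `ip route show` for a route to the WireGuard subnet via the tunnel interface. The interface name `wgserver`, the subnet 192.168.20.0/24 and the sample routing tables are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `ip route show` on a router where the WireGuard
# subnet route is absent (clients handshake fine but no traffic flows).
SAMPLE_ROUTES_MISSING='default via 203.0.113.1 dev eth0 proto static
192.168.199.0/24 dev br-lan proto kernel scope link src 192.168.199.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.7'

# Same table after the tunnel route is present (assumed interface name).
SAMPLE_ROUTES_OK="$SAMPLE_ROUTES_MISSING
192.168.20.0/24 dev wgserver proto kernel scope link src 192.168.20.1"

# wg_route_present ROUTES SUBNET IFACE
# Returns 0 if ROUTES contains a line routing SUBNET through IFACE, else 1.
# Matches on the exact prefix and the "dev IFACE" pair, so a route for the
# same subnet via another interface (e.g. br-lan) does not count.
wg_route_present() {
    printf '%s\n' "$1" | awk -v net="$2" -v dev="$3" '
        $1 == net {
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# wg_route_check ROUTES SUBNET IFACE
# Prints a verdict plus the command that restores the route when it is
# missing; returns the same status as wg_route_present.
wg_route_check() {
    if wg_route_present "$1" "$2" "$3"; then
        echo "ok: $2 is routed via $3"
        return 0
    fi
    echo "missing: no route for $2 via $3 (peers connect but no traffic flows)"
    echo "fix: ip route add $2 dev $3"
    return 1
}

# On a live router replace the samples with "$(ip route show)".
wg_route_check "$SAMPLE_ROUTES_MISSING" 192.168.20.0/24 wgserver || true
wg_route_check "$SAMPLE_ROUTES_OK" 192.168.20.0/24 wgserver
```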

Have you tried unsetting the MTU on the client device? When I initially set up the WireGuard server on my Flint 2 I couldn't get local LAN traffic unless I unset the MTU in the config file, whereas my Docker WireGuard server worked fine when no MTU was set in the config file.

I didn't try lowering the MTU, but in theory my client should still be using 1420, just not explicitly set.

It might not fix your problem but hope you get a resolution.