WireGuard not working but OpenVPN does. BerylAX client to Brume2 server

I have set up an OpenVPN server on a Brume2, and a client on a BerylAX. It works fine.
I have set up a WireGuard server on the same Brume2, and a client on the same BerylAX. It doesn’t work; the client simply doesn’t connect. I have no idea where to look for debugging or logs… Any idea what can be wrong? I think I have configured the port forwarding on the main router (fiber modem) properly.

So what kind of port forwarding did you set?

Besides that, I’ve put the internal IP of the Brume router in the DMZ of the main router/modem, and I’ve set up 51820 as a port forward in the main router to the Brume’s IP.

Interestingly, OpenVPN works fine without any port (1194 or 443) forwarded for it.

Guess you need to check the logs on the client then.

True, but I’m not sure where I should look to find that…

The only place I found logs is under System/Log, and there I have:

Tue Dec 12 21:37:38 2023 daemon.notice netifd: Interface ‘wgclient’ is setting up now
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’ Default
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’ Default
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’ Default
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’ Default
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’ Default
Tue Dec 12 21:37:39 2023 user.warn : skip line without ‘=’

May you post your config file here?
(Obfuscated ofc.)

I assume client’s config, right?

[Interface]
Address = 10.0.0.2/24
PrivateKey = MHLxxxxxxxxxxxx…xxxxxxxxxxE=
DNS = 64.6.64.6

[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = xxxxxxx.glddns.com:51820
PersistentKeepalive = 25
PublicKey = MIfxxxxxxxxxxxx…xxxxxxxxxxV8=

The DDNS will resolve the correct IP?

I think/hope so.
I’ve checked on dnschecker org and on whatsmydns net with my xxxxxxx.glddns.com, and it returns my main router/modem IP address, so I think it should be right.
Besides, the OpenVPN server I’ve set up on the same Brume is configured to use the same DDNS, and the OpenVPN client on my Beryl works fine.

However, on the brume, I still get this message when testing the DDNS:

Is there anything else I should check? What else can be wrong? Does anyone have any idea?

Not yet, but you should disable the port forwarding for DNS (UDP 53).
It’s not necessary and it’s a security problem.


I’ve removed that DNS UDP 53 port fwd rule, thank you!

I’d spin up another WG profile for the Beryl AX, setting the Endpoint to the LAN IP of the Brume2. That’ll rule out whether there’s something sideways with the current setup’s conf or if it’s more on the ISP side of things.

SSH’ing into the devices & checking the respective output of wg show wouldn’t be amiss, either.

You mean another WG profile for the Beryl with the Brume’s LAN IP, i.e. 192.168…?

With the profile with GL.Inet DDNS (not with the main router/modem IP), I’ve got this with wg show:

interface: wgclient
public key: dlZxxxxxxxxxxxxx…xxxxxxxxxxx0ng=
private key: (hidden)
listening port: 33809
fwmark: 0x80000

peer: MIfxxxxxxxxxxxxxx…xxxxxxxxxxxxxyV8=
endpoint: [main router/modem IP]:51820
allowed ips: 0.0.0.0/0, ::/0
transfer: 0 B received, 1.30 KiB sent
persistent keepalive: every 25 seconds
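The `wg show` output above is the key diagnostic in this thread: the client has sent 1.30 KiB (handshake initiations and keepalives) but received 0 B and shows no `latest handshake` line, which means nothing is coming back from the server. The following is an added example, not code from the thread or from GL.iNet, that parses `wg show` output and classifies each peer into the states a troubleshooter cares about. The sample outputs are constructed from the thread (the obfuscated keys are shortened, and the documentation address 203.0.113.10 stands in for the redacted modem IP); the function and state names are my own.

```python
import re

# Constructed sample 1: the client output from the thread (no handshake, 0 B received).
SAMPLE_NO_REPLY = """\
interface: wgclient
  public key: dlZxxxxxxxxxxxxx...xxxxxxxxxxx0ng=
  private key: (hidden)
  listening port: 33809
  fwmark: 0x80000

peer: MIfxxxxxxxxxxxxxx...xxxxxxxxxxxxxyV8=
  endpoint: 203.0.113.10:51820
  allowed ips: 0.0.0.0/0, ::/0
  transfer: 0 B received, 1.30 KiB sent
  persistent keepalive: every 25 seconds
"""

# Constructed sample 2: what a working tunnel looks like (LAN-IP profile, handshake present).
SAMPLE_UP = """\
interface: wgclient
  public key: dlZxxxxxxxxxxxxx...xxxxxxxxxxx0ng=
  private key: (hidden)
  listening port: 33809

peer: MIfxxxxxxxxxxxxxx...xxxxxxxxxxxxxyV8=
  endpoint: 192.168.8.1:51820
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 1 minute, 12 seconds ago
  transfer: 48.52 KiB received, 31.07 KiB sent
  persistent keepalive: every 25 seconds
"""

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3, "TiB": 1024 ** 4}
_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_size(text):
    """Convert a wg size string such as '1.30 KiB' to an integer byte count."""
    number, unit = text.split()
    return int(float(number) * _UNITS[unit])


def parse_wg_show(output):
    """Parse `wg show` text into {'name': ..., 'peers': [ {...}, ... ]}."""
    iface = {"peers": []}
    current = iface
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the first ':' only, so 'endpoint: 203.0.113.10:51820' keeps its port.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "interface":
            iface["name"] = value
        elif key == "peer":
            current = {"public_key": value}
            iface["peers"].append(current)
        elif key == "transfer":
            rx, tx = value.split(",")
            current["rx_bytes"] = parse_size(rx.replace("received", "").strip())
            current["tx_bytes"] = parse_size(tx.replace("sent", "").strip())
        else:
            current[key] = value
    return iface


def handshake_age_seconds(text):
    """Turn 'latest handshake' text ('1 minute, 12 seconds ago', 'Now') into seconds, or None."""
    if text is None:
        return None
    if text == "Now":
        return 0
    return sum(int(n) * _SECONDS[u] for n, u in re.findall(r"(\d+) (second|minute|hour|day)s?", text))


def diagnose_peer(peer, stale_after=180):
    """Classify one peer. WireGuard rekeys every ~2 minutes, so a handshake older than
    stale_after seconds means the path has broken since the tunnel last worked."""
    rx, tx = peer.get("rx_bytes", 0), peer.get("tx_bytes", 0)
    age = handshake_age_seconds(peer.get("latest handshake"))
    if "endpoint" not in peer:
        return "no-endpoint"       # no Endpoint configured and no inbound packet ever learned one
    if tx == 0:
        return "nothing-sent"      # endpoint unresolved or no route: initiations never leave
    if age is None and rx == 0:
        return "no-reply"          # initiations leave, nothing returns: port/firewall/CGNAT or key mismatch
    if age is not None and age > stale_after:
        return "stale-handshake"   # tunnel worked once, path has since broken
    return "up"


def diagnose(output):
    """Map each peer's public key to its diagnosed state."""
    return {p["public_key"]: diagnose_peer(p) for p in parse_wg_show(output)["peers"]}


if __name__ == "__main__":
    for label, sample in (("thread client", SAMPLE_NO_REPLY), ("LAN profile", SAMPLE_UP)):
        print(label, diagnose(sample))
```

The `no-reply` state is the one the thread hits. It is worth knowing that WireGuard silently drops handshake packets whose keys do not match, so from the client side a wrong server public key looks exactly the same as a UDP port that the modem never forwards. Checking `wg show` on the server at the same moment separates the two: a key mismatch shows the server receiving bytes from the client's address while its own `latest handshake` never appears, whereas a blocked port shows nothing arriving at all.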

🢁 Yeah, that’s an issue. It’s not getting anything back from the other endpoint.

Yep; here’s something a little more detailed demonstrating precisely what I mean & examples of expected output:

But that means I shall have them both on the same LAN, right?
For now, the Brume (WG server) is on the fixed ISP connection, and the Beryl (WG client) is tethering from my phone. Shall I connect them both to the same LAN and make a profile with the Brume LAN IP, to see if the server on the Brume has some issue?

Well that could be introducing a whole host of complications, right there… I speculate.

Yeah, try to match my linked HOW-TO as closely as you can (the MTU value is highly likely safe to ignore). We want to ‘strip this down’ to as straightforward a setup as possible before introducing other variables like ISPs & their maybe ‘less than truthful’ Internet connectivity ‘plans.’

That’s the whole point of this setup: to use it on the go with whatever internet connection I can get for the Beryl. :slight_smile:
OpenVPN works fine in this setup. WG, not…

With LAN IP it works, the wg client turns green.

So, it must be something with the connection over the internet, I would guess. But I have no idea what it can be, as long as OVPN works fine…

Edit: something strange has just happened: I’ve reconnected the Beryl via mobile tethering and enabled the WG client with the Brume’s LAN IP config, only to test and see what happens. Somehow, the WG client got connected. Weird. However, there was no internet connection on it, i.e. I couldn’t browse the internet on it. On the Brume, the WG server showed me that there was some traffic on it. Strange. Then I tried the OVPN client on it, and it doesn’t connect anymore. Again, strange. I’m rebooting it now, and will try again.
Ok, never mind, my phone seemingly was still on the local WiFi :man_facepalming:, hence these strange results.

So you seem to have something jamming the ports from the Public Internet/WAN side before connecting to the WG Server on the Brume2.

What’s your phone OS? You’re going to need to do some port scanning & using a phone provides a GUI to do so if you’re not comfortable/able to SSH into one of the GL devices & run nmap.

opkg update; opkg install nmap
nmap -sU -p 51820 -v $publicIPAddressOfWANorModem

SSH’ing into the Brume2 or Beryl AX will also give the ability to get the output of wg show on each respective device. See the below resources:

On the Beryl (which is the WG client), I’ve used both Android and iOS to tether, and the issue is there regardless of which phone I use. Note: each phone uses a different mobile carrier. For the moment I have no access to another fixed internet connection, but as soon as I do, I will try to see how it works.
I have a feeling that my router/modem provided by my ISP (or my ISP) is blocking something. I am not sure if they really do block something, as OpenVPN works fine (both the client on the Beryl and the server on the Brume), so I assume WG should also work fine then. But again, if OVPN works fine with my ISP’s router/modem, that doesn’t mean WG should also.
I will try to use nmap to scan on both of them, and also get the wg show output. If I cannot manage to do it, then I’ll try with Ning. Thank you!

[I always use ipleak net and browserleaks com/ip to check for IP and DNS leaks.]