Wireguard server doesn't work (GL-MT200N)

Hello there,

For a few days I have been trying to set up a WireGuard VPN server on my GL-MT300N-V2 (firmware version 3.025). I hope somebody can help me with this issue.

I want to have worldwide access to a smarthome device in the local network. This device is connected with a LAN cable to my GL-MT300. The GL.inet router (router mode) is a client of another router which connects to 4G and has a DHCP server running. I set up port forwarding on router #1 (port 51820 to IP 192.168.1.166; this is the static IP of the GL-MT200N in the LAN of router #1).

I set up a WireGuard server and on my mobile phone I made a WireGuard client connection (see QR code below; the keys and public IP are anonymized), but I have no access to the local network, the smarthome device, or the internet (even the handshake fails). So no success.

Thank you very much for some support!

Best wishes,
joe-trocken

Johnex Edit (decoded the QR code for easier support):

[Interface]
PrivateKey = CCXuGSIjrimlDXG3mJmb8aaaaaaaaaaaaaaaaaaaa38=
ListenPort = 27166
Address = 10.0.0.4/32
DNS = 64.6.64.6

[Peer]
PublicKey = kUTy4LapzIBhbaaaaaaaaaaaaaaaaaaaaI6ppfyb6x4=
AllowedIPs = 0.0.0.0/0
Endpoint = 89.15.xxx.xx:51820
PersistentKeepalive = 25

I found the hint to use SSH to look at what's going on on the router.
I did this; here are the results:

wg
interface: wg0
public key: kUTy4LapzIBhb7Os/…TLYgBtI6ppfyb6x4=
private key: (hidden)
listening port: 51820

peer: UwopF+sV7Gt2rMETBPyORrT2TzIrSFD40fa8LCIoxE8=
allowed ips: 10.0.0.2/32
persistent keepalive: every 25 seconds

root@GL-MT300N-V2:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 20 0 0 apcli0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.0.0 0.0.0.0 255.255.255.0 U 20 0 0 apcli0
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
root@GL-MT300N-V2:~#

Forwarding both TCP/UDP is okay but not needed; only UDP is needed and… also required :wink:

yes, only UDP is forwarded.

have you set it up?

As you are connected to a 4G network: most 4G networks do not issue you a public IP address that you can use as a server.

Yes, I set it up.
So you mean it cannot work if I use 4G (by router #1, then forwarded to the gl-mt200n-v2 as router #2)?

You set it up? Do you mean already working?

No, unfortunately it doesn't work… no internet, no LAN connection on the wg client.

192.168.0.x
192.168.1.166 ?

If my guess is right, it looks like you created a static WAN IP on the MT300, but it is outside the scope of the subnet. If that is what you did, then change the forward on router 1 to 192.168.0.166 and the WAN IP on the MT300 to 192.168.0.166.

Sorry, that was a mistake only in my posting here.
I checked the forwarding on router #1… it was right (192.168.0.166). Forwarding and WAN IP are the same.

Are you sure your 4G modem has a public IP that can be accessed from the Internet? This is the prerequisite.

No, I'm not sure, but how can I check that? Perhaps by buying a 4G USB stick that can be used directly in an MT300?

Is this public, or is it a perceived public subnet that is actually private, using non-private addressing?
www.dnsleaktest.com = 89.15.xxx.xx
If true, then public.
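Two things asked in this thread can be checked without guessing: whether the port-forward target on router #1 actually lies inside the WAN subnet the MT300 shows in `route -n` (the 192.168.1.166 vs 192.168.0.166 question above), and whether the address on the 4G router's WAN side is really public rather than RFC 1918 or carrier-grade NAT (100.64.0.0/10). The script below is an added example written for this thread, not code from GL.iNet or from any poster; the route table is copied from the thread, while the WAN addresses are constructed stand-ins because the real one is anonymized as 89.15.xxx.xx.

```python
import ipaddress
import re

# `route -n` output as posted in the thread (BusyBox/Linux column layout).
ROUTE_N = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 20 0 0 apcli0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0
192.168.0.0 0.0.0.0 255.255.255.0 U 20 0 0 apcli0
192.168.8.0 0.0.0.0 255.255.255.0 U 0 0 0 br-lan
"""

# RFC 6598 shared address space; mobile carriers commonly hand this out.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def parse_routes(text):
    """Return a list of (network, gateway, iface) tuples from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the two header lines; a route row starts with a dotted quad.
        if len(parts) < 8 or not re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]):
            continue
        dest, gateway, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface))
    return routes


def wan_subnet(routes):
    """The on-link subnet of whichever interface carries the default route."""
    default_iface = next(iface for net, _, iface in routes if net.prefixlen == 0)
    return next(net for net, _, iface in routes
                if iface == default_iface and net.prefixlen > 0)


def forward_target_ok(target, routes):
    """True if router #1's port-forward target sits inside the MT300's WAN subnet."""
    return ipaddress.ip_address(target) in wan_subnet(routes)


def classify(addr):
    """Classify an address as 'cgnat', 'private', 'public' or 'other'."""
    a = ipaddress.ip_address(addr)
    if a in CGNAT:           # must be tested first: Python does not call CGNAT private
        return "cgnat"
    if a.is_private:
        return "private"
    if a.is_global:
        return "public"
    return "other"


def diagnose(routes, forward_target, router_wan_ip, seen_from_outside):
    """Return a list of findings that would stop inbound UDP reaching wg0.

    router_wan_ip   - the WAN address shown on the 4G router's own status page
    seen_from_outside - the address an external site reports for you
    """
    findings = []
    if not forward_target_ok(forward_target, routes):
        findings.append(f"forward target {forward_target} is outside WAN subnet "
                        f"{wan_subnet(routes)}")
    kind = classify(router_wan_ip)
    if kind != "public":
        findings.append(f"4G router WAN address {router_wan_ip} is {kind}; "
                        "inbound port forwarding cannot reach it")
    elif ipaddress.ip_address(router_wan_ip) != ipaddress.ip_address(seen_from_outside):
        findings.append("4G router WAN address differs from the address seen from "
                        "outside, so another NAT layer sits upstream")
    return findings


if __name__ == "__main__":
    routes = parse_routes(ROUTE_N)
    # Constructed inputs: forward target from the thread, CGNAT WAN address, stand-in public IP.
    for finding in diagnose(routes, "192.168.1.166", "100.64.1.1", "89.15.0.1"):
        print("PROBLEM:", finding)
```

The useful comparison is between the WAN address the ZTE router shows on its own status page and the address dnsleaktest reports: if they differ, or if the router's WAN address is in 100.64.0.0/10 or a 192.168/10/172.16 range, the carrier is doing NAT in front of you and no port forward on router #1 can help.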

Thanks for your help.
I started a standard and an extended test on dnsleaktest.com.
I receive no “true” or “false” response, but a list of server IPs I don't know (not the IP of router #1).

The testing buttons are irrelevant for you now. Just making sure the 89.15.xxx.xx matches your client settings.

89.15.xxx.xx is the setting of the client in the WireGuard app and also the same as the IP shown at dnsleaktest… do you mean that? Sorry for these questions, my English is very bad :frowning:

Yeah that is what he meant.

One more test you can do is, in the GL UI, go to Applications -> Remote Access and temporarily Enable HTTP Remote Access. With another pc on another network, you can go to the IP 89.15.xxx.xx in your browser, and you should see the GL UI there.

It is possible your 4G stick has a mini firewall where you need to open ports as well, that would be an easy test.

Let's recap here and re-ask questions here.
You have a single MT-300N-V2.
You are somewhere on the internet (briefly explain here) on some kind of client (explain again here) trying to connect to a 4G device (explain here) that is connected to an MT-300N-V2 running a WireGuard server (WAN 192.168.0.166 and LAN 192.168.8.1) and want local access to an Ethernet smart home device connected to the LAN port of the MT-300N-V2 on the 192.168.8.x network.

Let's recap here and re-ask questions here…

Okay, I'll try to explain again:

you are somewhere on the internet on some kind of client

I want to use my mobile phone (Wireguard Android app) when I’m not at home to access my LAN (see down).

trying to connect to a 4g device (explain here)

yes, it’s a mobile router manufactured by ZTE I use at home. Unfortunately it has no open firmware like dd-wrt or so, but a closed “provider firmware”.

that is connected to an mt-300n-v2 running wireguard server (wan-192.168.0.166 and lan-192.168.8.1)

yes, the 4G router is router #1 and MT-300 is router #2. I cannot use 4G with MT-300 directly, so that’s why I need the 4G router #1.

and want local access to an ethernet smart home device connected to the lan port of the mt-300N-v2 on 192.168.8.x network.

Yes, exactly.

@Johnex
Thanks for the hint. Is there (another) port forwarding needed for this, port 80 or so? I tried to access the GL UI from outside after I enabled HTTP Remote Access (with port 80 forwarded to the GL-MT300), but it didn't work (“Request timed out”).

On a PC/laptop behind your 4G router, try browsing to 192.168.1.1 which hopefully brings up some configuration pages. Maybe one of those will show if you actually have an IP address or not.

Next, on your client configuration you have the IP defined as 10.0.0.4/32. But your server is configured to listen for 10.0.0.2/32. These IPs should be the same in order to complete the tunnel.

Also, when the WireGuard server is running you can always check if the port is reachable from your phone by using something like: https://www.yougetsignal.com/tools/open-ports/

Cheers.
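The mismatch pointed out in the last reply (client `Address = 10.0.0.4/32` while the server's only peer has `allowed ips: 10.0.0.2/32`) is the kind of thing that is easy to miss by eye and trivial to check mechanically, together with the other two things that must line up before a handshake can succeed: the client's `[Peer] PublicKey` must equal the server interface's public key, and the client's `Endpoint` port must equal the server's listening port. The checker below is an added example for this thread, not code from GL.iNet or from any poster. Its two inputs are constructed copies of the thread's decoded QR config and `wg` output with placeholder keys (the real ones are anonymized) and a documentation-range endpoint address.

```python
import ipaddress

# Constructed client config in the same layout as the decoded QR code above.
# Keys are placeholders, not real WireGuard keys.
CLIENT_CONF = """\
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER=
ListenPort = 27166
Address = 10.0.0.4/32
DNS = 64.6.64.6

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

# Constructed `wg` output from the server, same shape as posted in the thread.
SERVER_WG = """\
interface: wg0
  public key: SERVER_PUBLIC_KEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51820

peer: CLIENT_PUBLIC_KEY_PLACEHOLDER=
  allowed ips: 10.0.0.2/32
  persistent keepalive: every 25 seconds
"""


def parse_client_conf(text):
    """Parse a wg-quick style INI into {'Interface': {...}, 'Peers': [{...}, ...]}."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line == "[Interface]":
            current = conf["Interface"]
        elif line == "[Peer]":
            current = {}
            conf["Peers"].append(current)
        elif "=" in line and current is not None:
            # split on the first '=' only: base64 keys end in '='
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conf


def parse_wg_show(text):
    """Parse `wg` output into {'public key': ..., 'listening port': ..., 'peers': [...]}."""
    server = {"peers": []}
    current = server
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = {"public key": line.split(":", 1)[1].strip()}
            server["peers"].append(current)
        elif ":" in line and not line.startswith("interface:"):
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return server


def check_pair(client, server):
    """Return a list of mismatches that would prevent the tunnel from coming up."""
    problems = []
    peer = client["Peers"][0]
    if peer["PublicKey"] != server["public key"]:
        problems.append("client [Peer] PublicKey does not match the server's public key")
    endpoint_port = int(peer["Endpoint"].rsplit(":", 1)[1])
    if endpoint_port != int(server["listening port"]):
        problems.append(f"client Endpoint port {endpoint_port} != server listening port "
                        f"{server['listening port']}")
    client_ip = ipaddress.ip_interface(client["Interface"]["Address"]).ip
    covered = any(client_ip in ipaddress.ip_network(cidr.strip())
                  for p in server["peers"] for cidr in p["allowed ips"].split(","))
    if not covered:
        problems.append(f"client Address {client_ip} is not inside any server peer's "
                        "'allowed ips'; the server will drop its packets")
    return problems


def check_texts(client_text, server_text):
    """Convenience wrapper: parse both texts and return the problem list."""
    return check_pair(parse_client_conf(client_text), parse_wg_show(server_text))


if __name__ == "__main__":
    for problem in check_texts(CLIENT_CONF, SERVER_WG):
        print("PROBLEM:", problem)
```

On the thread's inputs the only finding is the 10.0.0.4 vs 10.0.0.2 mismatch; public key and port agree. What this cannot verify is that the server's peer entry really is the public key of the client's private key, since the client key is hidden; on the phone or a PC that check is `wg pubkey` fed the client's private key, compared against the `peer:` line on the router.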