Wireguard client not receiving data from 3G Router Server

I used the Automated version to install wireguard and generate client profiles listed here:

My client is not able to establish the connection. It sends packets but never receives. I must say that the router is connecting via 3G. Maybe my ISP is blocking this type of communications?

Thank you very much.

opkg update
opkg install tcpdump
tcpdump -evni any udp port 51820
iptables-save -c | grep -e 51820
1 Like

Thank you very much for your answer.

I started from a factory reset, changed LAN's IP range, configured my WiFi settings, installed the packages required, added my DynDNS provider and updated. I made, again, the automated installation but the result in the dump is 0 packets. Still no handshake between peers.

I made a port check and the result is that 51820 UDP is closed. (Made it in a WEB)

Is there any log that could be helpful?

Thank you very much.

1 Like

Most mobile ISPs are using some kind of NAT for their LTE/5G (3G, 2G, …) contracts, in which case you'd be out of luck (IPv6 might work, but ISPs are also heavily blocking 'dangerous' ports).

Check if your reported WAN IP (in LuCI) matches the results you get reported by external services.

1 Like

Unfortunately port checking services are unreliable for UDP.
It's best to use tcpdump to determine whether the ISP allows traffic.

Also verify the following:

  • Your DDNS domain matches the one configured in the VPN client.
  • The domain name is correctly resolved to a public IP address.
  • The IP matches the address of the router's WAN interface.
  • The port in the client profile matches the VPN server port.
1 Like

I have checked everything but my WAN IP. I am sorry, but my network knowledge is quite short. Where can I find my WAN IP in LuCI?

I guess I have to compare it with the one given in the domain name, haven't I?

Thank you very much @vgaetera @slh

ip address show; nslookup domain.name
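
The two values those commands return can be compared mechanically. The script below is an added example, not part of the thread: it classifies the WAN interface address against the private (RFC 1918) and carrier-grade NAT (RFC 6598, 100.64.0.0/10) ranges and checks it against the address the DDNS name resolves to. The function names `classify_ipv4` and `diagnose` and the sample addresses are constructed for illustration.

```sh
#!/bin/sh
# classify_ipv4 ADDR -> private | cgnat | linklocal | loopback | public | invalid
classify_ipv4() {
    # Reject anything that is not digits and dots before word-splitting.
    case $1 in ''|*[!0-9.]*) echo invalid; return;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for o in "$@"; do
        case $o in '') echo invalid; return;; esac
        [ "$o" -le 255 ] || { echo invalid; return; }
    done
    if   [ "$1" -eq 10 ]; then echo private                                          # 10.0.0.0/8
    elif [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private   # 172.16.0.0/12
    elif [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then echo private                     # 192.168.0.0/16
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat    # 100.64.0.0/10
    elif [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then echo linklocal                   # 169.254.0.0/16
    elif [ "$1" -eq 127 ]; then echo loopback                                        # 127.0.0.0/8
    else echo public
    fi
}

# diagnose WAN_ADDR DDNS_ADDR -> prints a verdict.
# Returns 0 only when the WAN address is public and equals the DDNS address.
# Even then the ISP may still drop inbound UDP, so tcpdump has the final word.
diagnose() {
    wan_class=$(classify_ipv4 "$1")
    ddns_class=$(classify_ipv4 "$2")
    if [ "$wan_class" = invalid ] || [ "$ddns_class" = invalid ]; then
        echo "invalid-input"; return 2
    elif [ "$wan_class" != public ]; then
        echo "behind-nat:$wan_class"; return 1     # ISP NAT in front of the router
    elif [ "$1" != "$2" ]; then
        echo "ddns-mismatch"; return 1             # DDNS record points elsewhere
    fi
    echo "reachable-candidate"; return 0
}

# Constructed sample values (CGNAT and documentation ranges), not from the thread.
# On the router, pass the WAN address from `ip address show` and the
# address printed by `nslookup domain.name`.
diagnose 100.72.14.9 203.0.113.7 || true
diagnose 203.0.113.7 203.0.113.7
```

A `behind-nat` verdict means inbound WireGuard on IPv4 cannot reach the router regardless of firewall rules on the router itself.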

I guess that as @slh suggested, my ISP is using a NAT because my 3g-wan inet is different from the ip reported by my ddns or an external web.

Is there any workaround?

At least one of the two peers needs to have a public IP address. If you have a public IP address, make sure your ISP doesn't block inbound UDP traffic.

My ISP is blocking inbound UDP traffic on the IPv4 network but not on IPv6, so I can use WireGuard via IPv6. I can also make it work by building a UDP tunnel over TCP first.

1 Like