Quick Guide to Troubleshooting WireGuard VPN on GL.iNet Routers

Monday, Feb 3, 2025 by Adam Kimbrough

This guide provides comprehensive troubleshooting steps, tips, and tricks for setting up both VPN server and client on GL.iNet routers for a personal WireGuard VPN.

Check IP Address Conflicts

Ensure there are no IP address conflicts between the server and the client. Each device in the WireGuard network should have a unique address within the same subnet.

In the above example, my server’s WireGuard network IP is 10.1.0.1, and two client profiles have been generated, 10.1.0.2/24 and 10.1.0.3/24. Ensure that the first three octets (10.1.0) of the client profiles match the WireGuard server’s IP in the ‘Configuration’ tab. Otherwise, the devices will fail to connect.

Additionally, you will notice that I have modified this server’s IP from the default 10.0.0.1. The reason for this is that the 10.0.0. subnet is often used by other networks (e.g. Xfinity), so you want to prevent any possibility of network conflicts whether it be on your home network or at the client side while traveling. Therefore, I changed the second octet from “0” to “1” so the subnet is now 10.1.0.

Ensure WireGuard Port is Forwarded Correctly

WireGuard typically uses UDP port 51820, but you can customize this default port in the server router’s WireGuard configuration section. Using a different port, such as 51821, is recommended if the local firewall blocks the default WireGuard port while traveling. However, in other cases, the local network could be blocking UDP traffic completely, which means you will need to use an alternative VPN that uses TCP such as a Tailscale exit node or OpenVPN.

Refer to the blog on port forwarding for more info on performing this crucial first step correctly.

DNS Client and Server Configuration (Recommended)

If you set the DNS server line for your client profile configurations to be the same as your WireGuard server IP (ex. 10.1.0.1), then you must enable “Remote Access LAN” on your GL.iNet server router. This is located on the VPN Dashboard in the gear icon under options on the WireGuard server line.

Lastly, you can configure DNS servers on the server router under Network -> DNS to any preferred DNS server. It is usually recommended to use servers other than your ISP’s for privacy reasons. Cloudflare usually performs best. You may set Google as a backup as well for DNS Servers 3 and 4 manually (8.8.8.8 and 8.8.4.4).

Additional Troubleshooting Scenarios

“My server/client setup has been working for a while, but now I can’t connect anymore."

• First, try creating a profile config for your smartphone and upload the client profile to your phone with the WireGuard mobile app. Test the VPN connection using the phone. If it works, the issue is likely caused by your travel router.
• Enable Dynamic DNS on the server if your home network uses a dynamic public IP address instead of a static one (which is common).
• It's possible the WireGuard port is blocked from the client side. As discussed earlier, make sure to change it from the default 51820 to something else (e.g. 51825), and don't forget you will have to redo the port forward on your home router (unless you don't have a home router or it is operating in full pass-through mode).

“My connection is very slow and/or unstable”

• Check for high latency by using the "ping" command in a terminal or command prompt window to a DNS server like 8.8.8.8 or 1.1.1.1. Try changing the DNS servers in your server and/or client admin panel.
• Verify that you have a fast enough upload speed on your home network since this is the download speed you will receive at the client end. It is highly recommended you have at least 20 Mbps upload speed at the server location.
• Your GL.iNet server router may be underpowered depending on the model and what additional services you are running (AdGuard Home, encrypted DNS, etc.). Consider disabling these services or, if feasible, upgrading to a newer, more powerful router.
• It's possible the maximum transmission unit (MTU) is not optimized for VPN traffic, causing packet fragmentation. You can adjust both the server and client-side MTU values. Start changing the client side MTU from the default 1420 and decrease it in increments of "20" until you notice faster speeds. Don't go lower than 1280. Then, match this MTU size on the server-side admin panel. Note, if you are connecting through an additional VPN on your client device like a corporate VPN such as Zscaler, it's possible the corporate VPN MTU settings are the issue. In this case, you will not be able to resolve the issue since it needs to be adjusted on their end.

“I can’t remotely access my GL.iNet server’s admin panel”

• In order to remotely access the server's admin panel, the client device you are using must be connected through the WireGuard VPN tunnel. Once you have enabled the VPN on your travel router, you can simply enter the LAN IP of your GL.iNet server router into the browser search bar and hit Enter.
• You may need to change the LAN IP of your server or client if both are set to the default, 192.168.8.1 since this will cause a conflict. For example, you can change the server or client router's IP to 192.168.10.1.

If you are still unsuccessful in your troubleshooting efforts, don’t hesitate to make a post in the GL.iNet subreddit (/r/GLiNet) or join our Discord server and use the #tech-support-forum channel. Remember to share detailed logs from your router and/or WireGuard server for effective assistance.

About The Author

Adam, a Virginia native with a passion for international travel, holds an Electrical Engineering degree from Virginia Tech. He is a Community Specialist at GL.iNet, creator of The Wired Nomad—a resource for digital nomads—and works full-time for the world’s largest satellite operator. Connect with him on his website.