Can’t connect to wireguard server from WAN

Posted on


I’m trying to connect to my wireguard server, but it’s not working, and I’m out of my depth. I suspect it’s more of a network issue than a wireguard issue, but I could be mistaken. I’m hoping someone can give me some pointers.

What I’ve done / What is working

I’ve created several configurations on the server, and one of them I’ve added to the client running Pop-OS. If it’s on the (W)LAN, it can connect to the server without problems.


Set-up of client.

# /etc/wireguard/wg0.conf

PrivateKey = [removed]
Address =
MTU = 1420
DNS =,

PublicKey = [removed]
PresharedKey = [removed]
Endpoint =  # I tried with this one...
#Endpoint =  # ...and with this one.
AllowedIPs =, ::0/0

In the LAN, this works, regardless of the Endpoint that’s commented in:

# sudo wg-quick up wg0

[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a tun.wg0 -m 0 -x
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
[#] ip -4 route add dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
[#] iptables-restore -n

# sudo wg

interface: wg0
  public key: [removed]
  private key: (hidden)
  listening port: 44709
  fwmark: 0xca6c

peer: [removed]
  preshared key: (hidden)
  endpoint: 12.34.567.89:51820     # (WAN IP address or LAN IP address, depending on commented-in Endpoint in wg0.conf)
  allowed ips:, ::/0
  latest handshake: Now
  transfer: 17.84 MiB received, 230.08 KiB sent

For my smartphone, using the wireguard app, the same is true: the connection is working when the phone is in the WLAN.

What is not working

When the client tries to connect through the internet, it’s no longer working. The output of sudo wg-quick up wg0 is the same as when it’s in the LAN, but sudo wg takes a long time to produce an output, and when it does, it is always at 0 trafic:

# sudo wg

interface: wg0
  public key: [removed]
  private key: (hidden)
  listening port: 60955
  fwmark: 0xca6c

peer: [removed]
  preshared key: (hidden)
  endpoint: 12.34.567.89:51820
  allowed ips:, ::/0
  transfer: 0 B received, 2.31 KiB sent


Seems to me that there is a problem getting into the LAN from the WAN, so I better crack out the old network diagram.

This is the set-up of the LAN:

enter image description here

On both the routers, port forwarding for UDP traffic on port 51820 is active. (on the primary router, to the secondary one, and on the secondary one, to the vpn server)

It’s surely not relevant, but the client is connected to the internet through a USB-tethered smartphone’s cellular data connection, over which it can ping google and access the internet just fine.

The VPN Server is running a service to update the DDNS service, and pinging this shows that it indeed resolves to my WAN address. The pings get a response as well:

~$ ping
PING (12.34.567.89) 56(84) bytes of data.
64 bytes from (12.34.567.89): icmp_seq=1 ttl=47 time=77.1 ms
64 bytes from (12.34.567.89): icmp_seq=2 ttl=47 time=76.1 ms

I’m not working on networks and networking infrastructure every day, so excuse me in advance if this has an obvious reason, or if I left out any critical information; just ask and I’ll happily provide any additional data that is needed.

Additional information / Primary router settings

  • I can connect to the VPN server whether on LAN1 or LAN2, so the port forwarding on the own/secondary router seems to be working just fine; the problem must be in the ISP/primary router or its modem.

  • The following port forwarding rules are set in this router; correctly AFAICS:
    enter image description here

  • The ISP router has a firewall, but it’s an on-or-off one without any settings.
    enter image description here


Solution (well, workaround): bridge mode

A traceroute -U -p 51820 showed that the packets were reaching the primary router, but died there.

I assume there is some accidental or intended blocking of these packets by the ISP-provided hardware, and turned the device into bridge mode. The secondary router has been promoted to primary router and the setup is now working perfectly fine. I can reach and connect to the wireguard server without problem.

Thanks for your help.

And thanks Vodafone for being less than helpful.

Leave a Reply

Your email address will not be published.