The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Some WireGuard console tricks that helped me figure out a GL.iNET “status yellow” connection problem

Posted by jpluimers on 2026/01/14

TL;DR: the connection problem was because of a public key mismatch between the pfSense central location and GL.iNET peer.

Since pfSense cannot export the WireGuard configuration in either text or QR format (see rcmcdonald91/pfSense-pkg-WireGuard: This is a port of the original WireGuard UI bits as implemented by Netgate in pfSense 2.5.0 to a package suitable for rapid iteration and more frequent updating on future releases of pfSense.), I made a copy-paste mistake.

This caused the WireGuard client connection indicator on the GL.iNET to turn yellow instead of green, meaning the handshake only partially completed: there is a WireGuard connection, but no traffic comes back over it.

GL.iNET VPN status explanation:

  • no color: no VPN
  • yellow: VPN not fully established
  • green: VPN established

How I found out

The intermittent error message on the console of the GL.iNET when querying the wg0 (default WireGuard) interface led me to this [Wayback/Archive] “Interface wg0 not found” – Google Search which regrettably returned very few results.

So I did a [Wayback/Archive] gl.inet “wireguard” “client” “yellow” – Google Search which showed remarkably few relevant results apart from [Wayback/Archive] WireGuard remains yellow, no internet but LAN ok – Technical Support – GL.iNet which showed how to figure out if IPv4 forwarding was enabled (see commands below: it was).

Given that most network problems I have ever faced were configuration problems, that is where my suspicion told me to look, so I:

  1. started a Beyond Compare session with a two-way text compare:
    1. GL.iNET information on the left
    2. pfSense on the right
  2. extracted all the WireGuard related configuration data from the
    • GL.iNET side by running some of the commands below
    • pfSense side by copy pasting it from the web user interface (easier navigation), /status.php page (easier searching) or running some commands on the console

    and copied these to the respective text compare panes in Beyond Compare

  3. moved around the various bits to match the public keys (Beyond Compare allows live editing while dynamically updating the match/difference colours)
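The Beyond Compare step done by script, as an added Python example that is not part of the post: it parses `wg show` output from both ends (constructed samples modelled on the outputs further down, with the same fake keys) and checks that each side's peer public key equals the other side's interface public key, that the local endpoint port matches the remote listening port, and flags the "0 B received" symptom of a yellow connection.

```python
# Constructed samples, trimmed from the post's `wg show` output (keys are fake, as in the post).
PFSENSE = """\
interface: tun_wg0
  public key: DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A=
  listening port: 51820
peer: ymOvXjSVGgA21GQPjusnbmsT/GjGott+vSEa4dLLaFo=
  endpoint: 37.15.24.25:51622
  transfer: 190.09 KiB received, 5.60 MiB sent
"""
GLINET_GREEN = """\
interface: wg0
  public key: ymOvXjSVGgA21GQPjusnbmsT/GjGott+vSEa4dLLaFo=
  listening port: 51622
peer: DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A=
  endpoint: 77.17.22.136:51820
  transfer: 27.28 KiB received, 61.77 KiB sent
"""
# The "yellow" case (constructed): a wrongly pasted peer key, so the far end never answers.
GLINET_YELLOW = GLINET_GREEN.replace(
    "DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A=", "WRONG/KEY/PASTED/FROM/THE/WRONG/PAGE/AAAA="
).replace("27.28 KiB received", "0 B received")

def parse_wg_show(text):
    # Returns {'interface': {...}, 'peers': [{...}]}; a 'peer:' line opens a new block.
    result, current = {"interface": {}, "peers": []}, None
    for line in text.splitlines():
        if line.startswith("interface: "):
            current = result["interface"]
            current["name"] = line.split(": ", 1)[1]
        elif line.startswith("peer: "):
            current = {"public key": line.split(": ", 1)[1]}
            result["peers"].append(current)
        elif current is not None and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
    return result

def cross_check(local_text, remote_text):
    # Returns findings; an empty list means the two ends describe each other consistently.
    local, remote = parse_wg_show(local_text), parse_wg_show(remote_text)
    findings = []
    for side, here, there in (("local", local, remote), ("remote", remote, local)):
        if not any(p["public key"] == there["interface"]["public key"] for p in here["peers"]):
            findings.append(f"{side}: no peer entry matches the other end's interface public key")
    for peer in local["peers"]:
        port = peer.get("endpoint", ":").rsplit(":", 1)[1]
        if port != remote["interface"].get("listening port"):
            findings.append(f"local endpoint port {port} differs from remote listening port")
        if peer.get("transfer", "").startswith("0 B received"):  # the "yellow" symptom
            findings.append("no return traffic (0 B received): handshake never completed")
    return findings
```

Paste the real `wg show` output of each box into the two strings and an empty result means the keys and ports match; anything else points at the copy-paste error.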

pfSense console and config file documentation

Figuring out how to extract the WireGuard information on pfSense made it easier to do the same on GL.iNET, so here are some links first:

In the future I might want to invest some time to beef up my rusty XPath skills as pfSense ships with libxml2 which contains the xmllint tool that can be used to query the /conf/config.xml file.

Some links for that:

Then I figured out that wg was available on the ssh console, which made the export a lot easier, as it is the cross-platform tool for WireGuard configuration management:

That gave me this (note they have now correctly matching – and fake – keys):

  • # wg show
    interface: tun_wg0
      public key: DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A=
      private key: (hidden)
      listening port: 51820
    
    peer: ymOvXjSVGgA21GQPjusnbmsT/GjGott+vSEa4dLLaFo=
      endpoint: 37.15.24.25:51622
      allowed ips: 192.168.24.0/24, 172.16.21.24/32
      latest handshake: 1 minute, 39 seconds ago
      transfer: 190.09 KiB received, 5.60 MiB sent
      persistent keepalive: every 15 seconds
  • # wg showconf tun_wg0
    [Interface]
    ListenPort = 51820
    PrivateKey = EKdlg+bFUvPzySJGy48R78H3pEh3DqzXAZ6Q2zCG9mw=
    
    [Peer]
    PublicKey = ymOvXjSVGgA21GQPjusnbmsT/GjGott+vSEa4dLLaFo=
    AllowedIPs = 192.168.24.0/24, 172.16.21.24/32
    Endpoint = 37.15.24.25:51622
    PersistentKeepalive = 15
    

Helpful GL.inet ssh console commands

A few commands that helped me were these (note they have now correctly matching – and fake – keys):

  • # ifstatus wg0
    Interface wg0 not found

    Note this shows nothing when the WireGuard connection is yellow.
    It prompted me into searching why the interface was not found when WireGuard indeed was started.

  • # wg show
    interface: wg0
      public key: ymOvXjSVGgA21GQPjusnbmsT/GjGott+vSEa4dLLaFo=
      private key: (hidden)
      listening port: 51622
    
    peer: DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A=
      endpoint: 77.17.22.136:51820
      allowed ips: 192.168.11.0/24, 192.168.12.0/24, 192.168.7.0/24, 172.16.21.24/32
      latest handshake: 9 seconds ago
      transfer: 27.28 KiB received, 61.77 KiB sent
      persistent keepalive: every 25 seconds

    Note that when the WireGuard connection is yellow this shows either nothing at all or zero bytes received:

    # wg show
    interface: wg0
      public key: ymOvXjSVGgA21GQPjusnbmsT/GjGott+vSEa4dLLaFo=
      private key: (hidden)
      listening port: 51622
    
    peer: DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A=
      endpoint: 77.174.229.136:51820
      allowed ips: 0.0.0.0/0
      transfer: 0 B received, 148 B sent
      persistent keepalive: every 25 seconds
  • # cat /etc/config/wireguard
    
    config proxy
        option main_server '21wireguard7'
        option access 'ACCEPT'
        option enable '1'
        option host '77.17.22.136'
    
    config peers 'wg_peer_7573'
        option name '21wireguard7'
        option address '172.16.21.24'
        option private_key 'kJQ88WGRZbApOOyRgK6N2RL6VcedER9Hq0tl0KRmrkQ='
        option public_key 'DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A='
        option persistent_keepalive '25'
        option listen_port '51622'
        option end_point '77.17.22.136:51820'
        option allowed_ips '172.16.21.24/32,192.168.7.1/24,192.168.11.1/24,192.168.12.1/24'
  • # /etc/init.d/wireguard start

    Note this will not update the Web UI! It is however a very effective way to quickly test. And like the stop command below, it will show a lot of errors, especially around the UCI system ([Wayback/Archive] [OpenWrt Wiki] The UCI system).

    The abbreviation UCI stands for Unified Configuration Interface, and is a system to centralize the configuration of OpenWrt services.

    Some uci show commands are shown below.

  • # /etc/init.d/wireguard stop

    Note this will not update the Web UI! This is however a very effective way to quickly test.

  • # grep ip_forward /etc/sysctl.conf
    # cat /proc/sys/net/ipv4/ip_forward
    1
    
  • # grep -n . /etc/init.d/wireguard | less

    This sounds like a funny command, but since less does not show line numbers, it is extremely convenient to have grep force line numbers.

  • # uci show

    shows all configuration of which the two below are excerpts.

  • # uci show wireguard.@proxy[0].enable
    wireguard.cfg0123e7.enable='1'

    shows specific configuration.

  • # uci show wireguard
    wireguard.@proxy[0]=proxy
    wireguard.@proxy[0].main_server='21wireguard7'
    wireguard.@proxy[0].access='ACCEPT'
    wireguard.@proxy[0].enable='1'
    wireguard.@proxy[0].host='77.17.22.136'
    wireguard.wg_peer_7573=peers
    wireguard.wg_peer_7573.name='21wireguard7'
    wireguard.wg_peer_7573.address='172.16.21.24'
    wireguard.wg_peer_7573.private_key='kJQ88WGRZbApOOyRgK6N2RL6VcedER9Hq0tl0KRmrkQ='
    wireguard.wg_peer_7573.public_key='DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A='
    wireguard.wg_peer_7573.persistent_keepalive='25'
    wireguard.wg_peer_7573.listen_port='51622'
    wireguard.wg_peer_7573.end_point='77.17.22.136:51820'
    wireguard.wg_peer_7573.allowed_ips='172.16.21.24/32,192.168.7.1/24,192.168.11.1/24,192.168.12.1/24'
    

    shows full wireguard configuration.

  • The above two change when the connection is down:
    # uci show wireguard.@proxy[0].enable
    wireguard.cfg0123e7.enable='0'

    The `proxy` is not enabled when the link is down.

  • # uci show wireguard
    wireguard.@proxy[0]=proxy
    wireguard.@proxy[0].main_server='219wireguard71'
    wireguard.@proxy[0].access='ACCEPT'
    wireguard.@proxy[0].host='77.174.229.136'
    wireguard.@proxy[0].enable='0'
    wireguard.wg_peer_7573=peers
    wireguard.wg_peer_7573.name='219wireguard71'
    wireguard.wg_peer_7573.address='172.16.219.224'
    wireguard.wg_peer_7573.private_key='aNMK9xxennJzRgXWmiKrZ9QqtjvsheJwuWO9r2kZq1g='
    wireguard.wg_peer_7573.public_key='cUjwwh+hv3dTmsZiDuCjJXH+XHyw39rj0Q2Fu1RE8Hg='
    wireguard.wg_peer_7573.persistent_keepalive='25'
    wireguard.wg_peer_7573.listen_port='51622'
    wireguard.wg_peer_7573.end_point='77.174.229.136:51820'
    wireguard.wg_peer_7573.allowed_ips='172.16.219.224/32,192.168.71.1/24,192.168.171.1/24,192.168.124.1/24'

    Here too the `enable='0'` line shows the `proxy` is not enabled while the link is down.

  • # wg show; ip route get 1; nslookup openwrt.org; head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
    interface: wg0
      public key: ymOvXjSVGgA21GQPjusnbmsT/GjGott+vSEa4dLLaFo=
      private key: (hidden)
      listening port: 51622
    
    peer: DRzK66I6qmZN2bI7LYtgCrnRU0+fnP42D6if/wSdY0A=
      endpoint: 77.17.22.136:51820
      allowed ips: 192.168.11.0/24, 192.168.12.0/24, 192.168.7.0/24, 172.16.21.24/32
      latest handshake: 27 seconds ago
      transfer: 29.09 KiB received, 70.09 KiB sent
      persistent keepalive: every 25 seconds
    1.0.0.0 via 192.168.2.1 dev wlan-sta src 192.168.72.33 uid 0 
        cache 
    Server:     127.0.0.1
    Address:    127.0.0.1#53
    
    Name:      openwrt.org
    Address 1: 139.59.209.225
    Address 2: 2a03:b0c0:3:d0::1af1:1
    ==> /etc/resolv.conf <==
    search lan
    nameserver 127.0.0.1

    ==> /tmp/resolv.conf <==
    search lan
    nameserver 127.0.0.1

    ==> /tmp/resolv.conf.auto <==
    # Interface wwan
    nameserver 192.168.2.1
    search fritz.box

    ==> /tmp/resolv.conf.vpn <==
    nameserver 209.244.0.3
    nameserver 64.6.64.6
    head: /tmp/resolv.*/*: No such file or directory

–jeroen
