Multiple issues with wireguard

I have wetek play 2 using 9.2.8 coreelec. I have tried wiregaurd with many different dockers and now trying to run it natively in coreelec. and all do not seem to be working. I have a working config file, (tested in android) that I want to use as an alternative to openvpn which for whatever reason is using 10% of my overall speed.

I’ll start with the most basic issue. Initially I had the problem with iptables ‘raw’ which I have managed to get past using AllowedIPs= …etc

The next error I get which I cannot get past is:

iptables v1.8.4 (legacy): Couldn't load match `mark':No such file or directory
Try `iptables -h' or 'iptables --help' for more information.

The closest I have come is by using thrnz/docker-wireguard-pia which gets up to the point of establishing a connection, but it doesn’t connect to the internet and it breaks something that I cannot continue to access internet through my box without a reboot. I got to this point by modifying the config and disabling firewall.

I want to solve this bit first before getting on to my next issue of wanting to use my preferred method of linuxserver/wireguard docker

I did go through them both, but it appears this is a coreelec issue or rather specifically coreelec on wetekplay 2 issue. Docker walked me through some of the steps I could take but to no avail.

Wireguard support is far too broad I have looked around and it appears its something to do with iptables legacy vs iptables nft, but tbh this is out of my league.

Reading through the forums here I can see that people have struggled as well setting up wireguard, but then the posts about them stopped so I am assuming they managed to work it out?

Wireguard can be pretty finicky to set up.

One of the problems is that you are running 9.2.8 (legacy) which reached End Of Life beginning this year, so unfortunately we no longer offer support for our legacy product.

When it comes to wireguard I am far from a specialist. I use a different (hardware) VPN solution. The best I can do is provide you with links to their support forums.

The little information I have is this:

In ~/.config/wireguard/ there’s a sample file that has to be adapted and renamed to wireguard.config
Once that’s done, an entry for wireguard should appear in the connections tab in the CoreELEC settings addon

There is a bug resolving ddns so static IP’s are needed.

Some more (hopefully useful) links:

Configuring WireGuard in ELEC v9.2.1 and newer

New version of the article above

Thanks for your response. I think the key bit is the connman vs standard protocol. standard is trying to add routes to the table using iptables / nft (wg-quick script) which may not be suited to an elec system.

Will the “new” version be applicable to legacy 9.2.8? Also I understand that its for server plus clients, but I only intend to use it as a client can i strip the config file of it?

I am successfully using WireGuard in client mode with dynamic DNS on my CE devices. For server mode I am using LibreELEC on a x86_64 device. I have no problem with reboots and IP address changes of my domain name although for reliability reasons I still use ZeroTier simultaneously for emergency connections.

For CoreELEC with WireGuard in client mode I follow this: (today I have been able to verify that the linuxserver/wireguard container in client mode now also works well - it did not work before - as long as the parameter AllowedIPs is replaced by, or others)

For LibreELEC with WireGuard in server mode I use the linuxserver/wireguard docker container according to this: Docker Hub

WireGuard allows me to have three remote home subnets, each with their own domain, linked together.

For what it’s worth, here is more documentation regarding docker and wireguard.

kind people over at linuxserver tried to help me for a while. There was something about the container being on coreelec that wasn’t working. They said it was a specific issue as they are not seeing it on any other device.

So it could be either coreelec or the implementation of docker on coreelec.

@cubimol I will give it a try. Can i assume that people have been relatively unsuccessful with wireguard unless used with connman?

For months I successfully used WireGuard in client mode with ‘connmanctl’ because I had an internet subscription with static IP on the server, which is not normal in my country.

My problems started when I changed my internet subscription with dynamic IP on the server. You can fiddle around and run scripts to watch for changes in the server’s IP address and act accordingly but I think this is a huge fudge, plus it’s hard to modify routing priorities with ‘connmanctl’. In the end I searched for a new method for my CoreELEC clients.

Later I tried the linuxserver/wireguard docker container in client mode and it didn’t work either because of DNS and AllowedIPs configuration errors.

Lastly, another CoreELEC user wrote about setting up WireGuard with ‘entware’ services. I studied this issue a bit more in depth and searched for a solution to the crashes due to AllowedIPs= redirecting all traffic to the wg0 interface, this turned out to be the solution to all my problems and that’s when I wrote this mini tutorial, since then I haven’t had any problems.

Finally managed to get a working conf file, followed the entware tutorial you sent but it still isn’t working for me.


Address =
PrivateKey = xx...

PersistentKeepalive = 25
PublicKey = 9hp..
AllowedIPs =,
Endpoint =

My result:

Warning: `/storage/.opt/etc/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /proc/self/fd/63
[#] ip -4 address add dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add dev wg0
[#] ip -4 route add dev wg0

So even though it adds it doesn’t connect to anything. I have tried the same config file on android WG and it works.

I see that your WireGuard client service works, there are no errors, so if your configuration does not work I can only explain it by error in the IP address of the server (, in the connection keys PrivateKey and PublicKey, or error in the IP address assigned to your device in the WireGuard domain (

However I see that you don’t use domain names for the WireGuard server (you use, this means that CoreELEC’s native ‘connmanctl’ method should also work and this would be the method I would use in the first place.

You have to recheck the connection parameters to your WireGuard server and follow the instructions that this service gives you. If all is well this could mean someone is spoofing your WireGuard identity on your same IP address You should contact the help desk of your WireGuard server and note that the different methods of configuring the WireGuard service ( [1] ‘connmanctl’, [2] ‘/usr/bin/wg’, [3] ‘/opt /bin/wg-quick’, and [4] docker linuxserver/wireguard client mode) use different configuration files.

Do you have an internet subscription through CG-NAT? If your answer is yes and the WireGuard server requires an incoming UDP connection to your device, it could also be an explanation for your problem (I have two WireGuard CE devices in client mode behind CG-NAT and both work fine, although the wg0 interface reports transmission errors for the reason that the server cannot establish an incoming communication towards the client, this is because the devices connected to the internet behind a CG-NAT cannot be contacted from the internet, it is only possible as a response to a request initiated by the client).

I have searched for information about the server and only found out that it is a Pia VPN and seems to use a private API, but nowhere does it say that this service uses the WireGuard protocol. Obviously if this server does not use WireGuard or your account is not enabled then you will never get it to work with CoreELEC’s WireGuard service.

I can’t see why my wg0.conf would be incorrect the exact same file works in android. I connected it, checked my ip address and it comes up as the new IP address of the client . It is indeed a pia server, generated using their scripts (pia-foss).

I’m not interested in server side, at the moment, I use zerotier for that.

I’m thinking of doing a fresh install. Trying using wg-quick then connman and if all fails libre and if that fails, armbian lol

You will not be able to use wg-quick. We recently added bash into amlogic-ng and your device is EOL. The implementation we inherited from LibreELEC is off standard and due to the fact that they don’t want to have bash. You will get a p2p in wg but you will have to take care of routes.
I have had no time to add wq-quick and patch the paths and do the testing.

I am using entware wg-quick successfully with CoreELEC! :beers:

It’s a good workaround but it can work natively too.

1 Like

The information needed is the same but you have to put it as the sample file. It just works that way. Have you tried it yet? I can guarantee that it works. I connect to my home network that way when I’m out on vacation.
If you only need to act as client it’s quite easy.

I will give it a shot converting the file into a connman equivelant see if it fires up.

Just thought i’d report back that connman works. But its seems very long and laborious to do it this way. Is it not possible to build coreelec with standard ip tables like raw/match etc?

You are using CE9 with 3.14 kernel. Both are EOL and there will be no new builds. You can however try to build a kernel with those modules enabled yourself but there will be no support.

1 Like

Wait, isn’t CE9 4.9 kernel?

CoreELEC (official): 9.2.8 (Amlogic-ng.arm)
CoreELEC:~ # uname -a
Linux CoreELEC 4.9.113 #1 SMP PREEMPT Tue Sep 7 08:55:27 CEST 2021 aarch64 GNU/Linux

Understood, he has a now unsupported device, so some 9.2 users have old kernels.