Can't download files through https on my desktop PC, seems OpenWrt related

Since I am using my OpenWrt router, my desktop won't correctly download files from https. They sometimes immediately report the error that it can't read the "source file". Sometimes the download starts, but stops after seconds with a failure. I can retry to download, and it will download a small portion again, failing again after seconds. Keeping this up, I can download a full file, but it's a lot of clicks....
The strange thing is that if I change the download URL to http instead of https, the download completes normally without issues.

Now...everyone is probably wondering why I am asking this on the OpenWrt forum. It is because I just tried to tether my phone's 4G connection to the desktop PC, and there are no issues downloading over https. I also didn't have this issue before using OpenWrt.
I normally use a WireGuard connection, but also tested and have the issue when I disable the WireGuard interface.
Of course I also tested other browsers. Edge, Firefox and Chrome all suffer from this issue. I already reset firewall settings and network settings on the PC. Browsing, streaming etc. work flawlessly. Speedtests show a solid connection. And again....http downloads work without issues either. https downloads from browsers are the issue.

The logs don't seem to show any information regarding errors. Strangely, my phone is unaffected and I can download anything without issues on there.

The only thing I found googling was the following, which exactly describes the issue. However, it is for Windows Server, and I am using Windows 11.
https://social.msdn.microsoft.com/Forums/en-US/722af185-5571-4955-9754-27471637b554/https-downloads-failing?forum=iistroubleshooting

Help would be super appreciated, from all the network experts who live here! :pray:

Can you try to boot a Linux live distro on the desktop and try to download something over https?
Do you have another PC to test, maybe a friend's, since the phone seems to work fine?


I have a laptop I tested it with and it downloads fine, although for some reason it always claims internet is not available on the wifi network until I turn wifi off and on again.
I find it strange that this desktop PC has no problems downloading through my phone's tether, while through the OpenWrt router it has problems.

Okay, let's have a look for something strange in the configuration.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have.

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ip -6 addr ; ip -6 ro li tab all ; ip -6 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
7: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    inet REDACTED/24 brd REDACTED scope global wan
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
15: surfshark: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.2.0.2/32 brd 255.255.255.255 scope global surfshark
       valid_lft forever preferred_lft forever
default dev surfshark scope link
REDACTED/24 dev wan scope link  src REDACTED
REDACTED via REDACTED dev wan
REDACTED via REDACTED dev wan
REDACTED via REDACTED dev wan
REDACTED/24 dev br-lan scope link  src 192.168.1.1
REDACTED via REDACTED dev wan
local 10.2.0.2 dev surfshark table local scope host  src 10.2.0.2
local REDACTED dev wan table local scope host  src REDACTED
broadcast REDACTED dev wan table local scope link  src REDACTED
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
7: wan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED/64 scope link
       valid_lft forever preferred_lft forever
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 REDACTED/64 scope link
       valid_lft forever preferred_lft forever
12: phy0-mesh0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED/64 scope link
       valid_lft forever preferred_lft forever
13: phy0-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED/64 scope link
       valid_lft forever preferred_lft forever
14: phy1-ap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 REDACTED/64 scope link
       valid_lft forever preferred_lft forever
REDACTED/64 dev br-lan  metric 1024
unreachable REDACTED/48 dev lo  metric 2147483647
fe80::/64 dev br-lan  metric 256
fe80::/64 dev phy0-ap0  metric 256
fe80::/64 dev phy1-ap0  metric 256
fe80::/64 dev wan  metric 256
fe80::/64 dev phy0-mesh0  metric 256
local ::1 dev lo table local  metric 0
anycast fd24:536a:b9a7:: dev br-lan table local  metric 0
local fd24:536a:b9a7::1 dev br-lan table local  metric 0
anycast fe80:: dev br-lan table local  metric 0
anycast fe80:: dev phy0-ap0 table local  metric 0
anycast fe80:: dev phy1-ap0 table local  metric 0
anycast fe80:: dev wan table local  metric 0
anycast fe80:: dev phy0-mesh0 table local  metric 0
local REDACTED:a784 dev phy0-ap0 table local  metric 0
local REDACTED:a782 dev wan table local  metric 0
local REDACTED:a783 dev br-lan table local  metric 0
local REDACTED:a784 dev phy0-mesh0 table local  metric 0
local REDACTED:a785 dev phy1-ap0 table local  metric 0
multicast ff00::/8 dev br-lan table local  metric 256
multicast ff00::/8 dev phy0-ap0 table local  metric 256
multicast ff00::/8 dev phy1-ap0 table local  metric 256
multicast ff00::/8 dev wan table local  metric 256
multicast ff00::/8 dev phy0-mesh0 table local  metric 256
multicast ff00::/8 dev surfshark table local  metric 256
0:      from all lookup local
32766:  from all lookup main
lrwxrwxrwx    1 root     root            16 Mar 14 22:47 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 Mar 17 06:37 /tmp/resolv.conf
-rw-r--r--    1 root     root           110 Mar 17 06:37 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           110 Mar 17 06:37 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface surfshark
nameserver 10.2.0.1
# Interface wan
nameserver REDACTED
nameserver REDACTED

{
        "kernel": "5.15.98",
        "hostname": "MainRouter",
        "system": "ARMv8 Processor rev 4",
        "model": "Dynalink DL-WRX36",
        "board_name": "dynalink,dl-wrx36",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r22276-8dea8bde2a",
                "target": "ipq807x/generic",
                "description": "OpenWrt SNAPSHOT r22276-8dea8bde2a"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'surfshark'
        option proto 'wireguard'
        option private_key 'REDACTED'
        list addresses '10.2.0.2/32'
        list dns '10.2.0.1'

config wireguard_surfshark
        option description 'de-fra.prod.surfshark.com.conf'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '91.239.157.56'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config wireguard_surfshark
        option description 'nl-ams.prod.surfshark.com.conf'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '193.176.31.79'
        option endpoint_port '51820'

config wireguard_surfshark
        option description 'de-ber.prod.surfshark.com.conf'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '89.36.76.59'
        option endpoint_port '51820'

config wireguard_surfshark
        option description 'DE_ProtonVPN-DE-95.conf'
        option public_key 'REDACTED'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host 'REDACTED'
        option endpoint_port '51820'
        option persistent_keepalive '25'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi'
        option band '5g'
        option cell_density '0'
        option htmode 'HE80'
        option channel '40'
        option country 'US'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2'
        option key 'REDACTED'
        option ieee80211r '1'
        option mobility_domain '4f59'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'DE'
        option channel '11'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'REDACTED'
        option encryption 'psk2'
        option key 'REDACTED'
        option ieee80211r '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet7'
        option device 'radio1'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id '189b'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key 'REDACTED'
        option network 'lan'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id '188b'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option key 'REDACTED'
        option network 'lan'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '2500'
        option dnsforwardmax '320'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Samsung'
        option ip '192.168.1.154'
        option mac 'F4:FE:FB:9F:21:B6'

config host
        option name 'HarmonyHub'
        option ip '192.168.1.160'
        option mac '00:04:20:FC:18:14'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'surfshark'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'surfshark'

config forwarding
        option src 'lan'
        option dest 'surfshark'

Due to character limit, 3 above replies. Hopefully it can help :pray:

First of all it is a snapshot, so it may have some issues, as they are not stable releases.
Second there have been some modifications from the default configuration. The fastest and easiest way to verify is to take a configuration backup and reset to defaults. This can work for you immediately as you are using dhcp on wan.

Thanks. So create a backup, then do a factory reset? Then restore the backup after testing?
I think that the configuration backup does not automatically install packages, right? So I need to check what I need to fully "restore".

That's right.
You can back them up though and restore them.


So, today I came upon the simple but brilliant idea to connect my Vodafone WAN router (that's set as bridge) directly to my PC, and downloads over https work fine, no issues.
But when I connect my PC to the Dynalink OpenWrt router that's connected to the Vodafone WAN router, https downloads keep failing.
Weird, since I tested my laptop and my phone and they have no issues. Yet there is something related to OpenWrt that causes my normal PC not to download over HTTPS.

I tried to do a factory reset, and now I cannot install WireGuard anymore....Getting the error that the kernel is incompatible.

During testing with the clean factory reset, the download failed once after around half a minute instead of seconds. I clicked retry, and then it worked for a solid 5 minutes until I decided to start putting back the settings I have, since I do want 802.11s mesh and WireGuard functionality. Those are the only features I have installed and want.

But yeah, now I am stuck restoring.

EDIT: Had to do a firmware upgrade, that solved the issue with the kernel being outdated. I now have all settings set back to how they were, and downloading over https seems to work. (even after a reboot)
But I know that after resetting the whole router it was failing once as I said before, so I guess I'll have to wait and see.
Maybe there is some weird bug that makes this issue become worse, the longer the router has gone without a reset. Time will tell, but I have been downloading now for 10 minutes without issues.

EDIT: Well, it's definitely no longer seconds, but the issue still comes back. But it can be more than 10 minutes without trouble now, before the download fails.

Does the problem happen if you're not running Wireguard?

Yep, as per the first post:
"I normally use a WireGuard connection, but also tested and have the issue when I disable the WireGuard interface."

Ok... sorry, I missed that line.

Sometimes this type of issue can be related to MTU issues. What type of internet service do you have, and what is the connection protocol (for the main router: DHCP, PPPoE, Static)?


At this point you might gain some more information by disabling the WireGuard tunnel and running a tcpdump to capture the download traffic and inspect the TCP state machine transitions.

Knowing whether one of the hosts is simply not replying or perhaps sending a RST or a FIN in the middle of the download might help in diagnosing whether it's the server or the client resetting the connection.
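
The check suggested in the post above, as an added example that is not part of the original thread: a small parser for `tcpdump -nn -tt` text output that reports, per HTTPS flow, which side sent the first RST or FIN and how much payload had arrived by then. It assumes the capture was taken as text on the router (for instance with `tcpdump -nn -tt -i br-lan 'tcp port 443'`); the sample lines and addresses are constructed.

```python
import re

# One TCP segment as printed by `tcpdump -nn -tt` (epoch timestamp, numeric hosts/ports).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\].*?length (?P<len>\d+)"
)

# Constructed sample capture (not from the thread): three downloads from one LAN client.
SAMPLE = """\
1679036400.000000 IP 192.168.1.100.50001 > 203.0.113.10.443: Flags [S], seq 1000, win 64240, options [mss 1460], length 0
1679036400.020000 IP 203.0.113.10.443 > 192.168.1.100.50001: Flags [S.], seq 5000, ack 1001, win 65535, options [mss 1460], length 0
1679036400.020500 IP 192.168.1.100.50001 > 203.0.113.10.443: Flags [.], ack 1, win 513, length 0
1679036400.021000 IP 192.168.1.100.50001 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
1679036400.050000 IP 203.0.113.10.443 > 192.168.1.100.50001: Flags [.], seq 1:1461, ack 518, win 501, length 1460
1679036400.050100 IP 203.0.113.10.443 > 192.168.1.100.50001: Flags [P.], seq 1461:2921, ack 518, win 501, length 1460
1679036404.900000 IP 192.168.1.100.50001 > 203.0.113.10.443: Flags [R.], seq 518, ack 2921, win 0, length 0
1679036410.021000 IP 192.168.1.100.50002 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
1679036410.050000 IP 203.0.113.10.443 > 192.168.1.100.50002: Flags [P.], seq 1:1201, ack 518, win 501, length 1200
1679036410.051000 IP 203.0.113.10.443 > 192.168.1.100.50002: Flags [F.], seq 1201, ack 518, win 501, length 0
1679036410.051500 IP 192.168.1.100.50002 > 203.0.113.10.443: Flags [F.], seq 518, ack 1202, win 513, length 0
1679036420.021000 IP 192.168.1.100.50003 > 203.0.113.10.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
1679036420.050000 IP 203.0.113.10.443 > 192.168.1.100.50003: Flags [.], seq 1:1461, ack 518, win 501, length 1460
"""


def first_teardowns(lines, server_port=443):
    """Group segments into flows and record the first RST/FIN seen on each."""
    flows = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-TCP or unparsable line
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport == server_port:
            sender, key = "server", (m["dst"], dport, m["src"], sport)
        elif dport == server_port:
            sender, key = "client", (m["src"], sport, m["dst"], dport)
        else:
            continue
        ts, size, flags = float(m["ts"]), int(m["len"]), m["flags"]
        flow = flows.setdefault(key, {"rx_bytes": 0, "last_data": None, "end": None})
        if flow["end"] is not None:
            continue  # only the first RST/FIN tells us who gave up
        if sender == "server" and size:
            flow["rx_bytes"] += size  # payload from server, retransmissions included
            flow["last_data"] = ts
        kind = "RST" if "R" in flags else "FIN" if "F" in flags else None
        if kind:
            idle = None if flow["last_data"] is None else round(ts - flow["last_data"], 3)
            flow["end"] = {"by": sender, "kind": kind, "idle_s": idle}
    return flows


def verdict(flow):
    """One-line summary of how a flow ended."""
    end = flow["end"]
    if end is None:
        return "no RST/FIN captured: transfer stalled or was still running"
    word = "aborted" if end["kind"] == "RST" else "closed"
    return f"{word} by {end['by']} side ({end['kind']}) after {flow['rx_bytes']} bytes"


if __name__ == "__main__":
    for key, flow in first_teardowns(SAMPLE.splitlines()).items():
        print(key, "->", verdict(flow), flow["end"])
```

A capture on the router only shows which direction the RST came from; a reset that appears to come from the server side may also have been generated by a device further upstream.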

Err...I'm not sure! I have a Vodafone Station, as the device is called, and it is set up in bridge mode, so it pushes traffic further and back into the internet. No WLAN or anything else is enabled on it.
The Vodafone provider has dynamic IPs, so they change often.

I have some more results though. I tried downloading through the Vodafone box directly, now waiting 10 minutes, and the download failed (didn't see exactly when, but between 5 and 10 minutes), so the issue is ALSO there when bypassing the OpenWrt router and connecting directly to the Vodafone bridge.

I then tried to connect the PC once again to my phone, and use my phone's internet access to download the same file. It ran for 1 hour and 10 minutes until I decided it was stable enough and cancelled the download myself.

I have no idea how to solve this, but I suppose we can't blame OpenWrt anymore.
Even though it's weird how the issue is now less severe. I can sometimes download for minutes before the download fails, and the phone's 4G connection tethered to the PC remains flawless. Before I reset the OpenWrt router, I had this issue after mere seconds, not more than 5 seconds until the download fails.
Very odd issue...

I'd recommend contacting your ISP to ask them if they have a solution for this issue.
