Connection timed out for a specific website

Right now it is impossible to determine if the problem is with the OpenWrt configuration or with the VPN itself, or with some unusual interaction between the two.

There is nothing in the OpenWrt setup that would present any issues from what we can see. And all the traffic moves through both routers transparently insofar as it is encapsulated within a tunnel. As a result, I doubt that OpenWrt is responsible for the issue, but it is possible that the VPN doesn't like something (maybe the chosen subnet or something).

It used to work perfectly earlier. I'd say the point it stopped working is when I reinstalled my OS. But it shouldn't have affected the router, and at least the connection from my phone should have stayed the same.

Yeah... it's a bit odd. But, from the perspective of the traffic between you and the website in question, the router pretty much doesn't exist because of the VPN.

Specifically, if you do a traceroute from your computer to any site (traceroute openwrt.org for example), you will not see either of the routers in the resulting trace. Instead, your first hop will be the VPN tunnel (i.e. the first router at their endpoint).

Another thing that might help. Before factory resetting and updating OpenWrt, I was playing around with router-level adblocking. And when I first started troubleshooting I was able to load the website after I "did something" in the adblock-luci page. I don't remember what I did there and it worked only once.

Well, if you set up any adblocking/DNS blocks and are still using the router as the DNS even in the context of your VPN (unlikely but possible, depending on the VPN's configuration on your computer), that could be part of it. But that would not be a factor in a default configuration of OpenWrt... so make sure you do not have any adblocks set up.

In the meantime, from your computer, try a traceroute to a website that works (like this one) and to the website that doesn't work... share the results with us (feel free to redact the name of the website if that is something you are unwilling to share).

With VPN on:

traceroute openwrt.org
traceroute to openwrt.org (64.226.122.113), 30 hops max, 60 byte packets
 1  172.16.0.1 (172.16.0.1)  85.755 ms  85.954 ms  85.928 ms
 2  2.57.241.1 (2.57.241.1)  86.109 ms  86.085 ms  86.206 ms
 3  87.236.154.202 (87.236.154.202)  86.324 ms  86.576 ms  86.573 ms
 4  87.236.158.202 (87.236.158.202)  118.818 ms  118.838 ms  118.818 ms
 5  fra1-edge1.digitalocean.com (80.81.193.141)  170.496 ms  170.505 ms  170.480 ms
 6  143.244.224.104 (143.244.224.104)  170.455 ms 143.244.224.112 (143.244.224.112)  116.757 ms 143.244.224.104 (143.244.224.104)  117.104 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  wiki-03.infra.openwrt.org (64.226.122.113)  117.558 ms  116.894 ms  116.472 ms

traceroute redacted
traceroute to redacted (..16.14), 30 hops max, 60 byte packets
 1  172.16.0.1 (172.16.0.1)  84.773 ms  84.967 ms  85.096 ms
 2  2.57.241.1 (2.57.241.1)  85.350 ms  85.526 ms  85.561 ms
 3  e0-2.core2.hel1.he.net (184.104.203.132)  86.626 ms  86.768 ms  86.866 ms
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

VPN off:

traceroute openwrt.org
traceroute to openwrt.org (64.226.122.113), 30 hops max, 60 byte packets
 1  _gateway (192.168.2.1)  0.441 ms  0.386 ms  0.362 ms
 2  192.168.3.1 (192.168.3.1)  1.929 ms  1.708 ms  1.375 ms
 3  * * *
 4  dynamicip-109-194-24-39.pppoe.[isp]  5.835 ms  5.929 ms  5.756 ms
 5  gw-as9049.retn.net (87.245.228.193)  69.744 ms  71.077 ms  70.673 ms
 6  139.45.236.32 (139.45.236.32)  141.866 ms  141.468 ms  141.471 ms
 7  ae3-4.rt.eqx.fkt.de.retn.net (87.245.232.233)  105.199 ms sto-bb2-link.ip.twelve99.net (62.115.139.51)  88.084 ms ae0-4.rt.eqx.fkt.de.retn.net (87.245.232.78)  99.999 ms
 8  ffm-bb2-link.ip.twelve99.net (62.115.138.105)  100.789 ms  100.508 ms fra2-edge1.digitalocean.com (80.81.195.151)  95.636 ms
 9  ffm-b5-link.ip.twelve99.net (62.115.136.219)  97.633 ms * *
10  * digitalocean-ic-378008.ip.twelve99-cust.net (80.239.132.215)  101.223 ms *
11  * * *
12  * * *
13  * * *
14  * * *
15  * wiki-03.infra.openwrt.org (64.226.122.113)  104.051 ms *

traceroute redacted
traceroute to redacted (..154.79), 30 hops max, 60 byte packets
 1  _gateway (192.168.2.1)  0.895 ms  0.843 ms  0.968 ms
 2  192.168.3.1 (192.168.3.1)  2.752 ms  6.515 ms  4.009 ms
 3  * * *
 4  dynamicip-109-194-24-39.pppoe.[isp]  70.863 ms  70.940 ms  71.009 ms
 5  188x186x153x2.static.[isp]  77.259 ms  75.582 ms  76.285 ms
 6  188x186x153x1.static.[isp]  72.331 ms  74.687 ms  71.687 ms
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Note the first hop...

With the VPN turned on:

This is the VPN provider's router. From the perspective of traffic leaving your computer, the OpenWrt router doesn't exist.

Compare that against when your VPN is disabled:

The first hop is your OpenWrt router, and the second hop is the ISP router upstream of your OpenWrt device.

The conclusion we can reach here is that the problem is with your VPN, not your OpenWrt router.
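The first-hop reasoning above can be applied mechanically. The following is an added example, not code from the thread: it parses the traceroute format posted above, reports whether hop 1 sits on the LAN (traffic leaves via the OpenWrt router) or somewhere else (traffic leaves via the tunnel), and finds the last hop that answered, which for the failing site is where the path goes dark. The sample traces are constructed from the posted output with hops trimmed; the LAN subnet 192.168.2.0/24 is read off the VPN-off trace and is an assumption about the poster's network, and the helper names are this example's own.

```python
"""Classify a traceroute by its first hop and find where it goes dark.

Added example, not code from the thread. The sample traces are constructed
from the output posted above (hops trimmed); the LAN subnet 192.168.2.0/24
is an assumption read off the VPN-off trace; helper names are this example's own.
"""
import ipaddress
import re

# Constructed sample: first hops of the VPN-on trace posted above.
TRACE_VPN_ON = """\
traceroute to openwrt.org (64.226.122.113), 30 hops max, 60 byte packets
 1  172.16.0.1 (172.16.0.1)  85.755 ms  85.954 ms  85.928 ms
 2  2.57.241.1 (2.57.241.1)  86.109 ms  86.085 ms  86.206 ms
"""

# Constructed sample: first hops of the VPN-off trace posted above.
TRACE_VPN_OFF = """\
traceroute to openwrt.org (64.226.122.113), 30 hops max, 60 byte packets
 1  _gateway (192.168.2.1)  0.441 ms  0.386 ms  0.362 ms
 2  192.168.3.1 (192.168.3.1)  1.929 ms  1.708 ms  1.375 ms
 3  * * *
 4  dynamicip-109-194-24-39.pppoe.[isp]  5.835 ms  5.929 ms  5.756 ms
"""

# Constructed sample: the VPN-on trace to the failing site, which stalls after hop 3.
TRACE_VPN_ON_STALLED = """\
traceroute to redacted (..16.14), 30 hops max, 60 byte packets
 1  172.16.0.1 (172.16.0.1)  84.773 ms  84.967 ms  85.096 ms
 2  2.57.241.1 (2.57.241.1)  85.350 ms  85.526 ms  85.561 ms
 3  e0-2.core2.hel1.he.net (184.104.203.132)  86.626 ms  86.768 ms  86.866 ms
 4  * * *
 5  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # " 3  ..." hop lines only
PAREN_ADDR_RE = re.compile(r"\(([0-9a-fA-F.:]+)\)")  # "name (address)"


def parse_hops(text):
    """Map hop number -> list of responders (an empty list means '* * *')."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # the "traceroute to ..." banner
        number, rest = int(m.group(1)), m.group(2).strip()
        responders = PAREN_ADDR_RE.findall(rest)
        if not responders and not rest.startswith("*"):
            # Some hops print only a name with no address in parentheses.
            responders = [rest.split()[0]]
        hops[number] = responders
    return hops


def first_hop(text):
    responders = parse_hops(text).get(1) or []
    return responders[0] if responders else None


def classify_first_hop(text, lan="192.168.2.0/24"):
    """'lan' when hop 1 is on the local subnet (traffic leaves via the router),
    'tunnel' when it is anything else (traffic leaves via the VPN),
    'unknown' when hop 1 did not answer or printed no address."""
    hop = first_hop(text)
    if hop is None:
        return "unknown"
    try:
        addr = ipaddress.ip_address(hop)
    except ValueError:
        return "unknown"
    return "lan" if addr in ipaddress.ip_network(lan) else "tunnel"


def last_responding_hop(text):
    """(hop number, responder) of the last hop that answered, or None."""
    answered = [(n, r[0]) for n, r in sorted(parse_hops(text).items()) if r]
    return answered[-1] if answered else None


if __name__ == "__main__":
    for label, trace in (("VPN on", TRACE_VPN_ON), ("VPN off", TRACE_VPN_OFF),
                         ("VPN on, failing site", TRACE_VPN_ON_STALLED)):
        print(f"{label}: first hop {first_hop(trace)} -> {classify_first_hop(trace)}, "
              f"last answer at hop {last_responding_hop(trace)}")
```

Feed it the full text of a `traceroute` run; a `tunnel` verdict with the VPN up means the OpenWrt router is not on the forwarding path for that traffic, and the stall point tells you which network to ask about.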

Interesting. While I contact the VPN's support I'd like to check one last thing with the OpenWrt router. What if OpenWrt's DNS is overwriting the VPN's? Is there a way to check it?

This is extremely unlikely. It wouldn't be an issue of OpenWrt "overwriting" but rather your computer's operating system not using the tunnel for DNS.

In this case, the DNS server that OpenWrt is using is almost certainly the upstream router itself. And if that's the case, there would be no functional difference between using the OpenWrt router vs connecting directly to the upstream router.

If you're using a Mac or Linux system, you can easily use nslookup for this purpose to see if there is even a way that this could happen:

The first line will do DNS lookup with the server your computer is using now. It will report the server information as part of the output. The second line will tell it to do the lookup with the OpenWrt router as the DNS server.

nslookup OpenWrt.org
nslookup OpenWrt.org 192.168.2.1

Run this with and without the VPN enabled. It is possible that the second line will error out while the VPN is active... and if that's the case, it says that the computer cannot reach the OpenWrt router itself due to the traffic being sent through the tunnel instead.

Then run it again with and without the VPN on the site that is not working. Share the results.

VPN on:

nslookup OpenWrt.org
Server:         172.16.0.1
Address:        172.16.0.1#53

Non-authoritative answer:
Name:   OpenWrt.org
Address: 64.226.122.113
Name:   OpenWrt.org
Address: 2a03:b0c0:3:d0::1a51:c001

nslookup OpenWrt.org 192.168.2.1
;; communications error to 192.168.2.1#53: timed out
;; communications error to 192.168.2.1#53: timed out
;; communications error to 192.168.2.1#53: timed out
;; no servers could be reached

nslookup redacted
Server:         x.x.0.1
Address:        x.x.0.1#53

Non-authoritative answer:
Name:   redacted
Address: x.x.16.14

nslookup redacted 192.168.2.1
;; communications error to 192.168.2.1#53: timed out
;; communications error to 192.168.2.1#53: timed out
;; communications error to 192.168.2.1#53: timed out
;; no servers could be reached

VPN off:

nslookup OpenWrt.org
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   OpenWrt.org
Address: 64.226.122.113
Name:   OpenWrt.org
Address: 2a03:b0c0:3:d0::1a51:c001

nslookup OpenWrt.org 192.168.2.1
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   OpenWrt.org
Address: 64.226.122.113
Name:   OpenWrt.org
Address: 2a03:b0c0:3:d0::1a51:c001

nslookup redacted
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   redacted
Address: x.x.146.207
Name:   redacted
Address: x:x:fb00::301

nslookup redacted 192.168.2.1
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   redacted
Address: x.x.146.207
Name:   redacted
Address: x:x:fb00::301

As you can see, with the VPN enabled, you cannot use the OpenWrt router as a DNS server. The default DNS that the system uses when the VPN is enabled is from the VPN provider.

When the VPN is disabled, the default server is the OpenWrt router, and you can see it works for both calls.

What is very interesting, though, is that the site in question results in different addresses depending on if it goes through the VPN or not. I don't know if one or the other is incorrect (it is not unusual for the results to be different if your home/ISP is different than the region/country where your VPN's servers are running).
VPN on and DNS via the VPN provider:

VPN off and DNS via OpenWrt (which is also the same as the DNS of the router in front of the OpenWrt device):
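The two checks made above (does the router still answer DNS while the tunnel is up, and do the two resolvers agree on the site's addresses) can be scripted over saved `nslookup` output. This is an added example, not code from the thread; the sample outputs are constructed from the results posted above, with the site name and addresses left redacted as posted, and the helper names are this example's own.

```python
"""Parse nslookup answers and compare what two resolvers return.

Added example, not code from the thread. The samples are constructed from
the nslookup results posted above (redactions kept as posted); helper names
are this example's own.
"""
import re

# Constructed sample: default resolver while the VPN is up.
VPN_ON_DEFAULT = """\
Server:         172.16.0.1
Address:        172.16.0.1#53

Non-authoritative answer:
Name:   OpenWrt.org
Address: 64.226.122.113
Name:   OpenWrt.org
Address: 2a03:b0c0:3:d0::1a51:c001
"""

# Constructed sample: lookup forced at the OpenWrt router while the VPN is up.
VPN_ON_FORCED_ROUTER = """\
;; communications error to 192.168.2.1#53: timed out
;; no servers could be reached
"""

# Constructed samples: the failing site via the VPN resolver and via the router.
VPN_ON_SITE = """\
Server:         x.x.0.1
Address:        x.x.0.1#53

Non-authoritative answer:
Name:   redacted
Address: x.x.16.14
"""

VPN_OFF_SITE = """\
Server:         192.168.2.1
Address:        192.168.2.1#53

Non-authoritative answer:
Name:   redacted
Address: x.x.146.207
Name:   redacted
Address: x:x:fb00::301
"""

SERVER_RE = re.compile(r"^Server:\s+(\S+)\s*$", re.M)
ADDRESS_RE = re.compile(r"^Address:\s+(\S+)\s*$", re.M)


def parse_nslookup(text):
    """Return (resolver that answered, set of answer addresses).

    The resolver's own 'Address: a.b.c.d#53' line carries a port suffix and
    is excluded from the answers. A failed lookup returns (None, set())."""
    if "no servers could be reached" in text:
        return None, set()
    server = SERVER_RE.search(text)
    answers = {a for a in ADDRESS_RE.findall(text) if "#" not in a}
    return (server.group(1) if server else None), answers


def router_reachable_through_vpn(forced_router_text):
    """True if 'nslookup <name> <router>' answered while the VPN was up,
    i.e. the router could still be acting as a resolver behind the tunnel."""
    server, _ = parse_nslookup(forced_router_text)
    return server is not None


def compare_resolvers(vpn_on_text, vpn_off_text):
    """Diff the answer sets obtained along the two paths."""
    server_on, answers_on = parse_nslookup(vpn_on_text)
    server_off, answers_off = parse_nslookup(vpn_off_text)
    return {
        "vpn_resolver": server_on,
        "lan_resolver": server_off,
        "same_answers": answers_on == answers_off,
        "only_via_vpn": answers_on - answers_off,
        "only_via_lan": answers_off - answers_on,
    }


if __name__ == "__main__":
    print("router answers behind the tunnel:",
          router_reachable_through_vpn(VPN_ON_FORCED_ROUTER))
    for key, value in compare_resolvers(VPN_ON_SITE, VPN_OFF_SITE).items():
        print(f"{key}: {value}")
```

Capture each `nslookup` run to a file and pass its contents in; a `router answers behind the tunnel: False` result rules out the router as a resolver for tunnelled traffic, and a non-empty `only_via_vpn` / `only_via_lan` pair shows the two paths are being handed different addresses, which is worth testing directly with `curl --resolve` or by IP.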

For some reason, changing the VPN protocol from WireGuard to OpenVPN fixes the issue. Thanks for your help everyone!

Edit: Another way is to change the MTU setting in the WireGuard protocol. The default (for IVPN) is 1420. Changing the number to a lower one also fixes the issue.

Edit 2: The cause of the problem was the way WireGuard handles packet sizes. Each layer adds extra header bits to each packet. My network jumps between 2 routers before jumping to the web (after which it encounters more relays that also increase size), which results in fragmentation, where a packet is split in two to make it through network hops that do not support large packets.
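The MTU arithmetic behind that fix is worth making explicit. The following is an added example, not code from the thread or from the VPN provider. WireGuard wraps each inner packet in a 32-byte transport-data message (16-byte header plus 16-byte Poly1305 tag) inside UDP and an outer IP header, so the overhead is 60 bytes over IPv4 and 80 over IPv6; the 1420 default is exactly 1500 minus the IPv6 case. The traceroute above shows a PPPoE WAN link, whose 8-byte overhead lowers the usable link size to 1492, so a full-size 1420-byte tunnel packet still fits when the endpoint is reached over IPv4 (1480 bytes) but no longer fits over IPv6 (1500 bytes) and has to be fragmented or dropped. The helpers compute these ceilings and run the same binary search a manual `ping -M do` sweep performs; the header sizes are fixed by the protocols, while the 1500-byte Ethernet upstream, the probe model and the helper names are this example's assumptions.

```python
"""WireGuard encapsulation overhead and a path-MTU search.

Added example, not code from the thread or the VPN provider. Header sizes are
fixed by IPv4, IPv6, UDP and the WireGuard transport-data message; the 1420
default and the PPPoE WAN come from the thread. A 1500-byte Ethernet upstream
and the probe model in find_path_mtu are assumptions.
"""
from typing import Callable

IPV4_HEADER = 20
IPV6_HEADER = 40
UDP_HEADER = 8
WG_DATA_HEADER = 16   # type (1) + reserved (3) + receiver index (4) + counter (8)
WG_AUTH_TAG = 16      # Poly1305 tag on the ChaCha20-Poly1305 payload
PPPOE_OVERHEAD = 8    # PPPoE header (6) + PPP protocol id (2): 1500 -> 1492
ETHERNET_MTU = 1500   # assumption about the upstream link
ICMP_ECHO_OVERHEAD = IPV4_HEADER + 8   # IPv4 header + ICMP echo header


def wg_overhead(outer_family: int) -> int:
    """Bytes WireGuard adds around one inner packet: 60 over IPv4, 80 over IPv6."""
    ip_header = IPV4_HEADER if outer_family == 4 else IPV6_HEADER
    return ip_header + UDP_HEADER + WG_DATA_HEADER + WG_AUTH_TAG


def wan_mtu(pppoe: bool) -> int:
    """Largest IP packet the WAN link carries: 1492 on PPPoE, 1500 otherwise."""
    return ETHERNET_MTU - PPPOE_OVERHEAD if pppoe else ETHERNET_MTU


def encapsulated_size(inner_bytes: int, outer_family: int) -> int:
    """On-the-wire size of an inner packet after WireGuard wraps it."""
    return inner_bytes + wg_overhead(outer_family)


def max_tunnel_mtu(link_mtu: int, outer_family: int) -> int:
    """Largest tunnel MTU whose full-size packets still fit the link unfragmented."""
    return link_mtu - wg_overhead(outer_family)


def tunnel_mtu_fits(tunnel_mtu: int, link_mtu: int, outer_family: int) -> bool:
    """False when a full-size tunnel packet must be fragmented or dropped on the link."""
    return encapsulated_size(tunnel_mtu, outer_family) <= link_mtu


def ping_payload_for(packet_size: int) -> int:
    """Payload for `ping -M do -s` so that the IPv4 echo is packet_size bytes long."""
    return packet_size - ICMP_ECHO_OVERHEAD


def find_path_mtu(probe: Callable[[int], bool], lo: int = 576, hi: int = 1500) -> int:
    """Binary-search the largest packet size for which probe(size) succeeds.

    probe(size) models one `ping -M do -s <size-28>`: True if the echo came
    back, False on 'message too long' or a timeout. lo is assumed to pass;
    the search is monotone because a don't-fragment packet either fits the
    narrowest link on the path or it does not."""
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Stand-in for a real probe: a path that passes DF packets up to path_mtu."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    link = wan_mtu(pppoe=True)
    for family in (4, 6):
        print(f"PPPoE link {link}: max WireGuard MTU over IPv{family} = "
              f"{max_tunnel_mtu(link, family)}; default 1420 fits: "
              f"{tunnel_mtu_fits(1420, link, family)}")
    discovered = find_path_mtu(simulated_path(link))
    print(f"probe found path MTU {discovered}; verify with: "
          f"ping -M do -s {ping_payload_for(discovered)} -c 3 <vpn endpoint>")
```

To measure the real path rather than the simulation, run the sweep from the computer with the VPN off against the VPN endpoint address, using `ping -M do -s <payload> -c 3 <endpoint>` on Linux with payloads from `ping_payload_for`; the largest size that is echoed back, minus `wg_overhead` for the address family of the endpoint, is the highest tunnel MTU that avoids fragmentation. If that figure is lower than the arithmetic predicts, some hop on the path is narrower than the WAN link, and a slightly lower MTU such as the one the poster settled on is the right fix.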
