Connection timing-out

Not sure if I should start with pasting my config. I have been an OpenWrt user for 3+ years. Currently running a BPI-R3 setup. Issues started after the upgrade to the latest 23.05.4 version. Rolling back to 23.05.3 did not help. Playing around with settings (like sw/hw offload, the adblock package, the pbr package etc.) doesn't help. Syslog/kernel logs show nothing suspicious (not an expert).

The problem is that connections are timing out. On Wi-Fi, on an Ethernet LAN cable, inside the WG tunnel, and on a direct WAN connection through the router as well.

By timing out I mean that web pages are not loaded from time to time and I have to hit refresh several times to get them loaded. Large files can't be downloaded and return errors.

Ping to CF 1.1.1.1 returns about a 0.3% error rate. A particular problem is with large files, like driver downloads and example files:


root@Router:~# wget -O /dev/null http://speedtest.tele2.net/10GB.zip
Downloading 'http://speedtest.tele2.net/10GB.zip'
Connecting to 90.130.70.73:80
Writing to '/dev/null'
/dev/null              0% |                               | 96681k  0:03:34 ETAConnection error: Connection failed


clientpc:wget -O /dev/null http://speedtest.tele2.net/10GB.zip
--2024-09-03 23:05:58--  http://speedtest.tele2.net/10GB.zip
Resolving speedtest.tele2.net (speedtest.tele2.net)... 90.130.70.73
Connecting to speedtest.tele2.net (speedtest.tele2.net)|90.130.70.73|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10737418240 (10G) [application/zip]
Saving to: ‘/dev/null’

/dev/null                           0%[                                                           ]  14.85M  35.3MB/s    in 0.4s    

2024-09-03 23:05:59 (35.3 MB/s) - Read error at byte 15574625/10737418240 (Connection reset by peer). Retrying.

--2024-09-03 23:06:00--  (try: 2)  http://speedtest.tele2.net/10GB.zip
Connecting to speedtest.tele2.net (speedtest.tele2.net)|90.130.70.73|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 10737418240 (10G), 10721843615 (10.0G) remaining [application/zip]
Saving to: ‘/dev/null’

/dev/null                           1%[                                                           ] 136.66M  41.6MB/s    in 2.9s    

2024-09-03 23:06:03 (41.6 MB/s) - Read error at byte 143302144/10737418240 (Connection reset by peer). Retrying.

--2024-09-03 23:06:05--  (try: 3)  http://speedtest.tele2.net/10GB.zip
Connecting to speedtest.tele2.net (speedtest.tele2.net)|90.130.70.73|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 10737418240 (10G), 10594116096 (9.9G) remaining [application/zip]
Saving to: ‘/dev/null’

/dev/null                           1%[                                                           ] 164.25M  45.1MB/s    in 0.6s    

2024-09-03 23:06:05 (45.1 MB/s) - Read error at byte 172231590/10737418240 (Connection reset by peer). Retrying.

^C

All troubleshooting information can be provided upon request. I really appreciate the community's help.

Please run the test at http://speed.cloudflare.com/ and see whether any loss is reported, to a datacenter nearby or to one somewhere further away.

Does this happen with one specific site, or many?

What is your internet connection type from the ISP (cable/dsl/fiber/cellular/PTMP wireless) and what is the connection protocol (static IP/DHCP/PPPoE)?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
1 Like

It happens with many random sites. Even posting in this forum resulted in a blank page.
It is a cable connection with DHCP.

root@Router:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "Router",
	"system": "ARMv8 Processor rev 4",
	"model": "Bananapi BPI-R3",
	"board_name": "bananapi,bpi-r3",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"
	}
}
root@Router:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fde3:d3f0:9ebc::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'sfp2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	option type 'bridge'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option disabled '1'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'WG0'
	option proto 'wireguard'
	option peerdns '0'
	option mtu '1280'
	option private_key 'XXXX'
	list addresses '172.16.0.2/32'
	list dns '1.1.1.1'
	list dns '1.0.0.1'
	option delegate '0'

config wireguard_WG0
	option endpoint_port '2408'
	option description 'cloudflare_warp'
	option endpoint_host 'engage.cloudflareclient.com'
	option public_key 'bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo='
	option persistent_keepalive '25'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'

config interface 'openvpn'
	option proto 'none'
	option device 'tun0'
	list dns '1.1.1.1'
	list dns '1.0.0.1'

config interface 'vpn_free'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'real_guest'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config interface 'iot_vpn_free'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

config device
	option name 'wan'
	option macaddr 'E8:9F:80:E9:56:F5'

root@Router:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option country 'LV'
	option cell_density '0'
	option channel 'auto'
	option htmode 'HT20'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option country 'LV'
	option cell_density '0'
	option he_su_beamformee '1'
	option he_bss_color '8'
	option htmode 'HE80'
	option channel '48'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'sae-mixed'
	option key 'XXXX'
	option ssid 'Anastasija'
	option disassoc_low_ack '0'
	list maclist 'B4:70:64:2C:77:F4'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key 'XXXX'
	option network 'guest'
	option ssid 'Anastasija-IOT'
	option disassoc_low_ack '0'

config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Anastasija'
	option encryption 'psk2'
	option key 'XXXX'
	option network 'lan'
	option disassoc_low_ack '0'
	option macfilter 'allow'
	list maclist 'AC:0B:FB:DA:C4:C3'
	list maclist 'C8:F0:9E:9B:3E:4C'
	list maclist '10:09:F9:18:FF:89'
	list maclist 'DC:54:D7:6D:3D:90'
	list maclist '8E:61:32:23:DB:E3'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Anastasija-F'
	option encryption 'sae-mixed'
	option key 'XXXX'
	option network 'vpn_free'
	option disassoc_low_ack '0'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Anastasija-Guest'
	option encryption 'sae-mixed'
	option key 'XXXX'
	option network 'real_guest'
	option isolate '1'
	option disassoc_low_ack '0'

config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Anastasija-IOT-F'
	option encryption 'psk2'
	option key 'XXXX'
	option network 'iot_vpn_free'
	option disassoc_low_ack '0'

root@Router:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	list server '/use-application-dns.net/'
	list server '/mask.icloud.com/'
	list server '/mask-h2.icloud.com/'
	option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,8.8.8.8'
	list dhcp_option '6,8.8.4.4'

config host
	option name 'washer'
	option ip '192.168.10.128'
	option mac '88:57:1D:45:D6:39'

config host
	option name 'LGwebOSTV'
	option ip '192.168.1.235'
	option mac '30:B1:B5:96:FB:BE'

config host
	option duid '0003000130B1B596FBBE'
	option mac '30:B1:B5:96:FB:BE'

config host
	option name 'Vladimir-s-A52s'
	option ip '192.168.1.145'
	option mac 'B4:70:64:2C:77:F4'

config host
	option name 'LIANLI'
	option mac 'E8:9C:25:32:5B:C2'
	option ip '192.168.1.233'

config host
	option name 'wled-WLED'
	option ip '192.168.1.181'
	option mac 'C8:F0:9E:9B:3E:4C'

config dhcp 'vpn_free'
	option interface 'vpn_free'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,8.8.8.8'
	list dhcp_option '6,8.8.4.4'

config dhcp 'real_guest'
	option interface 'real_guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option ' 6,8.8.8.8'
	list dhcp_option '6,8.8.4.4'

config dhcp 'iot_vpn_free'
	option interface 'iot_vpn_free'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,8.8.8.8'
	list dhcp_option '6,8.8.4.4'

config host
	option name 'zzzzzzzzz-iPhone'
	option dns '1'
	option mac '7E:06:2F:04:21:FF'
	option ip '192.168.20.169'

config host
	option name 'ESP-2D62BB'
	option ip '192.168.1.106'
	option mac '5C:CF:7F:2D:62:BB'

config host
	option name 'wled-WLED-CEILING'
	option ip '192.168.10.120'
	option mac '08:D1:F9:29:6D:DC'

config host
	option name 'roborock-vacuum-a51'
	option ip '192.168.10.105'
	option mac 'B0:4A:39:68:B8:68'

config host
	option name 'xxxxx-s-A52s'
	option ip '192.168.1.184'
	option mac 'C6:47:2B:0B:12:3D'

config host
	option name 'DELL'
	option ip '192.168.1.148'
	option mac '88:53:2E:1A:35:60'

config host
	option name 'DeLonghi'
	option ip '192.168.40.199'
	option mac '40:91:51:14:5D:FC'

config host
	option name 'LaserJetM125nw'
	list mac 'EC:0E:C4:59:29:7A'
	option ip '192.168.10.200'

config host
	option name 'yyyyyy'
	option ip '192.168.40.154'
	option mac '9C:75:6E:0C:15:DC'

config host
	option name 'zhimi-airpurifier-mb3'
	option ip '192.168.40.177'
	list mac '5C:E5:0C:E2:77:6F'

config host
	option name 'sharpTv'
	list mac 'C0:8A:CD:C3:CB:E6'
	option ip '192.168.1.191'

config host
	option name 'chuangmi_camera_021a04'
	option ip '192.168.1.190'
	option mac '60:7E:A4:16:9F:B3'

root@Router:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option synflood_protect '1'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'openvpn'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'vpn_free'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn_free'

config zone
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option name 'iot_vpn_fre'
	list network 'iot_vpn_free'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'Guest DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'Guest DHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config zone
	option name 'real_guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'real_guest'

config rule
	option name 'VPN_FREE DNS'
	option src 'vpn_free'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'VPN_FREE DHCP'
	list proto 'udp'
	option src 'vpn_free'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IOT_VPN_FREE DNS'
	option dest_port '53'
	option target 'ACCEPT'
	option src 'iot_vpn_fre'

config rule
	option name 'IOT_VPN_FREE DHCP'
	list proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
	option src 'iot_vpn_fre'

config rule
	option name 'REAL_GUEST DNS'
	option src 'real_guest'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'REAL_GUEST DHCP'
	list proto 'udp'
	option src 'real_guest'
	option dest_port '67-68'
	option target 'ACCEPT'

config zone
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	option name 'wg0'
	list network 'WG0'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'wan'
	list network 'wan6'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'WOL'
	option src_dport '9'
	option dest_ip '192.168.1.233'
	option dest_port '9'
	option src 'lan'
	option enabled '0'

config forwarding
	option src 'guest'
	option dest 'wg0'

config rule
	list proto 'tcp'
	option src 'wan'
	option dest_port '8000'
	option target 'ACCEPT'
	option name 'Allow-HTTP-lighttpd'
	option enabled '0'

config rule 'ovpn'
	option name 'Allow-OpenVPN'
	option src 'wan'
	option dest_port '1194'
	option proto 'tcp'
	option target 'ACCEPT'

config rule
	option src_port '5353'
	option src '*'
	option name 'Allow-mDNS'
	option target 'ACCEPT'
	option dest_ip '224.0.0.251'
	option dest_port '5353'
	option proto 'udp'

config forwarding
	option src 'lan'
	option dest 'wg0'

config forwarding
	option src 'vpn_free'
	option dest 'wan'

config forwarding
	option src 'real_guest'
	option dest 'wg0'

config forwarding
	option src 'iot_vpn_fre'
	option dest 'wan'

config rule
	option name 'Allow-Transmission'
	option src 'wan'
	option target 'ACCEPT'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '54606'
	option src_port '54606'
	option dest 'lan'
	option enabled '0'

config rule

config forwarding
	option src 'vpn_free'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'iot_vpn_fre'

config forwarding
	option src 'lan'
	option dest 'real_guest'

config forwarding
	option src 'lan'
	option dest 'vpn_free'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Transmission'
	option src 'wan'
	option src_dport '54606'
	option dest_port '54606'
	option dest_ip '192.168.20.108'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Transmission-On-Router'
	option src 'wg0'
	option src_dport '51413'
	option dest_ip '172.16.0.2'
	option dest_port '51413'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'vpn_free'
	option dest 'iot_vpn_fre'

config forwarding
	option src 'vpn_free'
	option dest 'real_guest'

config forwarding
	option src 'vpn_free'
	option dest 'guest'

config forwarding
	option src 'lan'
	option dest 'guest'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

It hangs in the Running state and never finishes.

Tick the "drop invalid packets" checkbox in the firewall config and try again. It will be a tough game, as you need a pcap from the end of the 10 GB transfer to see what kills it.

There could be other causes, but let's start with the things we can see in the config.

Remove the bridge line from below:

Make sure both VPNs are stopped and disabled. Further, you can remove the DNS entries from the VPNs as they do nothing.

You can also remove the DNS entries from the lan and other local interfaces. The only one that should have it is the wan since you have elected to not use the peer dns.

Go back to basics with the radio configs... remove the beamforming and bss color lines.

Don't use sae-mixed here or on the other SSID configs. Use only WPA2 or WPA3 encryption. Also remove the maclist on this and the others (we need to get back to basics).

Remove this orphaned rule line from the firewall:

Disable PBR

And read through your firewall to make sure you don't have any duplicate entries.

Once those changes have been made, restart your router and test again.

2 Likes

The actual uclient-fetch freezes at 4 GB, integer overflow stuff, you know.
I don't think the Ookla server resets connections.
Two theories:
your provider has a weird approach to traffic management,
or it has a leaky switch where your packets hit a co-customer's router that sends a reset into your traffic.

1 Like

Thanks for your support. Apparently today I found out that the issue appears only within the Cloudflare WARP VPN tunnel (but when making this post I checked direct WAN as well and it was giving the same connection reset errors). This led me to suspect issues within the WireGuard client, the tunnel settings, or the VPN tunnel itself (which is quite strange, as such a setup has been working okay for years already).

wget -O /dev/null http://speedtest.tele2.net/10GB.zip
--2024-09-04 13:05:52--  http://speedtest.tele2.net/10GB.zip
Resolving speedtest.tele2.net (speedtest.tele2.net)... 90.130.70.73
Connecting to speedtest.tele2.net (speedtest.tele2.net)|90.130.70.73|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10737418240 (10G) [application/zip]
Saving to: ‘/dev/null’

/dev/null                         100%[==========================================================>]  10.00G  58.6MB/s    in 3m 9s

Try these sysctls:

sysctl net.ipv4.conf.default.log_martians=1 net.ipv4.conf.all.log_martians=1 net.netfilter.nf_conntrack_log_invalid=255

They let you see attempts at leaks and other discrepancies in the logs. As long as your client runs on the router itself, the whole offload machinery is not involved.

Best observed in the logs after 24h of happy/unhappy usage (make the log buffer a few megabytes if the output is high). Usual resolutions are ARP or RP filters, the firewall dropping invalid packets, etc.

E.g. a suspected unsolicited FIN in a stream, likely injected by another party's firewall:

[ 96729.875892] nf_ct_proto_6: ACK is over the upper bound (ACKed data not seen yet) IN=wan OUT= MAC=MY_MAC:GW_MAC:08:00 SRC=a.b.c DST=x.y.z LEN=40 TOS=0x00 PREC=0x20 TTL=117 ID=47485 DF PROTO=TCP SPT=60549 DPT=57525 SEQ=4287056779 ACK=3528348688 WINDOW=258 RES=0x00 ACK FIN URGP=0 

would be dropped as-is with the drop-invalid checkbox.

Yes, the kernel log is now full of lines like these:

[12978.512871] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148373988 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.531466] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148376444 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.550195] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148378900 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.568788] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148381356 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.587369] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148383812 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.605941] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148386268 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.624510] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148388724 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.643085] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148391180 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.661664] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148393636 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.680235] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148396092 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.698860] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148398548 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.717434] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148401004 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.736002] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148403460 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.754573] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148405916 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.773141] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148408372 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.791712] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148410828 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.810280] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148413284 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.828848] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148415740 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.847482] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148418196 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.866053] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148420652 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.884621] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148423108 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.903187] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148425564 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.921755] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148428020 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[12978.940323] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148430476 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[13042.232252] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=90.130.70.73 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=62318 SEQ=922907264 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[13042.250500] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=90.130.70.73 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=62318 SEQ=922933052 ACK=0 WINDOW=0 RES=0x00 RST URGP=0 
[13042.268773] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=90.130.70.73 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=62318 SEQ=922946560 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
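A small parser for these nf_conntrack_log_invalid lines, added here as an example that is not part of the thread or of OpenWrt. It groups the events by TCP 4-tuple and flags the pattern visible in the log above: bare RST segments with ACK=0 and WINDOW=0 whose SEQ values rise by a constant stride (2456 between consecutive lines in the posted log), which is what a reset generator sweeping the receive window looks like from the defender's side. The embedded SAMPLE_LOG is constructed, modelled on the lines posted above (including the poster's redacted a.b.c / x.y.z placeholders); run it with no arguments to analyse the sample, or pipe `dmesg` / `logread` output into it.

```python
"""Summarise nf_conntrack_log_invalid kernel log lines per TCP flow (added example)."""
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the lines posted in the thread. The last line is
# an unrelated kernel message to show that non-conntrack lines are skipped.
SAMPLE_LOG = """\
[ 96729.875892] nf_ct_proto_6: ACK is over the upper bound (ACKed data not seen yet) IN=wan OUT= MAC=MY_MAC:GW_MAC:08:00 SRC=a.b.c DST=x.y.z LEN=40 TOS=0x00 PREC=0x20 TTL=117 ID=47485 DF PROTO=TCP SPT=60549 DPT=57525 SEQ=4287056779 ACK=3528348688 WINDOW=258 RES=0x00 ACK FIN URGP=0
[12978.512871] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148373988 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
[12978.531466] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148376444 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
[12978.550195] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=188.16.96.22 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=41221 DPT=41480 SEQ=2148378900 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
[13042.232252] nf_ct_proto_6: invalid rst IN=WG0 OUT= MAC= SRC=90.130.70.73 DST=172.16.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=62318 SEQ=922907264 ACK=0 WINDOW=0 RES=0x00 RST URGP=0
[12979.000000] some unrelated kernel message
"""

# "[ts] nf_ct_proto_6: <reason> IN=<rest>" -- the reason is free text up to the first " IN="
LINE_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\] nf_ct_proto_6: (?P<reason>.+?) IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
# TCP flags are printed bare (no '='); exclude ACK= and URGP by lookaround
FLAG_RE = re.compile(r"(?<![=\w])(SYN|ACK|FIN|RST|PSH|URG)(?![=\w])")


def parse_line(line):
    """Return a dict for one nf_ct_proto_6 line, or None if the line is something else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall("IN=" + m.group("rest")))
    # Only look past RES= for flags: the reason text itself may contain the word "ACK".
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    return {
        "ts": float(m.group("ts")),
        "reason": m.group("reason"),
        "iface": fields.get("IN", ""),
        "src": fields.get("SRC", ""), "dst": fields.get("DST", ""),
        "spt": int(fields.get("SPT", 0)), "dpt": int(fields.get("DPT", 0)),
        "seq": int(fields.get("SEQ", 0)), "ack": int(fields.get("ACK", 0)),
        "window": int(fields.get("WINDOW", 0)), "ttl": int(fields.get("TTL", 0)),
        "flags": set(FLAG_RE.findall(tail)),
    }


def summarize(log_text, min_events=3):
    """Group events by (src, spt, dst, dpt) and derive per-flow indicators."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            flows[(ev["src"], ev["spt"], ev["dst"], ev["dpt"])].append(ev)
    report = {}
    for key, evs in flows.items():
        evs.sort(key=lambda e: e["ts"])
        seqs = [e["seq"] for e in evs]
        diffs = {b - a for a, b in zip(seqs, seqs[1:])}
        stride = next(iter(diffs)) if len(diffs) == 1 else None
        rst_only = all(e["flags"] == {"RST"} for e in evs)
        report[key] = {
            "count": len(evs),
            "reasons": sorted({e["reason"] for e in evs}),
            "ifaces": sorted({e["iface"] for e in evs}),
            "rst_only": rst_only,
            "zero_ack_window": all(e["ack"] == 0 and e["window"] == 0 for e in evs),
            "seq_stride": stride,
            # constant positive SEQ stride across >= min_events bare RSTs: window sweep signature
            "swept_rst": rst_only and len(evs) >= min_events and stride is not None and stride > 0,
        }
    return report


def main():
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (src, spt, dst, dpt), info in sorted(summarize(text).items(), key=lambda kv: -kv[1]["count"]):
        tag = "SWEPT-RST" if info["swept_rst"] else "-"
        print(f"{src}:{spt} -> {dst}:{dpt} via {','.join(info['ifaces'])}: "
              f"{info['count']} invalid ({'; '.join(info['reasons'])}) stride={info['seq_stride']} {tag}")


if __name__ == "__main__":
    main()
```

A flow tagged SWEPT-RST is exactly the case the next replies describe: the resets are already being refused by conntrack (that is why they are logged as invalid), so the "drop invalid" checkbox is doing its job, and the remaining risk is the fraction of a sweep that lands inside the live window before the stack's own check.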

Once in an eon it hits your connection and resets it.... That's the creative traffic management thing I talked about.

Sad that it cannot be more detailed, like filtering out this event and logging the rest.
Doc: https://www.kernel.org/doc/html/latest/networking/nf_conntrack-sysctl.html

Tick the firewall checkbox to drop invalid packets globally and try again.

Sadly, this was already done as per the recommendation checklist.

1 Like

There is an active in-path / near-path device generating those resets behind the wg tunnel. It is out of your control; dropping them reduces the window in which such a reset may succeed, doing one window check in the firewall and then another in the Linux TCP/IP stack.

If you have the time and space you could pipe the logs to a syslog server and look for events with different signatures, but this thing is unbeatable at resetting your connections over time.

Man, looks like you're trying to circumvent Rostelecom's ban on VPN connections abroad. My friend just confirmed that he has similar problems both with OpenVPN and Wireguard servers abroad. But his ISP is different from yours. So, probably, others started doing the same.

... obfs4proxy works fine for me.

1 Like

To sum up: the built-in checkboxes can help diagnose the interference, but are no match for purpose-built tools. Thanks @timur.davletshin for confirming.

1 Like
