I recently started having issues with my VPN connection on my network. Just for reference, I'm running OpenWrt 24.10.0 r28427 on a Linksys WRT3200ACM. This applies to all devices on my network, but I'm more concerned with my desktop, which can't seem to hold a stable connection to the VPN (hardwired with a CAT6 cable). I use WireGuard with ProtonVPN as a service provider and hadn't had any problems until two nights ago. At first, I thought it was a problem with the actual server I was connecting to, but I have since switched to 3 others and am experiencing the same problems. If anyone has any advice on what to look for when diagnosing this issue, it would be greatly appreciated. Here is a screenshot of the pings to Cloudflare for reference:
First check (perhaps you already did) that your internet is working OK, so disable WireGuard and run some tests, e.g. speedtest, ping, and https://packetlosstest.com/
If your internet is OK then indeed my first thought would be an overcrowded VPN server; be sure to use a server in a different country to test.
I attempted to test the normal connection to my ISP without the use of WireGuard, but after disabling the interface I was left with no internet access and wasn't sure how to resolve that. I apologize; I am no network engineer. I used to use OpenVPN, which was much easier to shut off when I needed to, but WireGuard doesn't seem to be that easy. I do have PBR (Policy Based Routing) installed for a couple of devices that cry about being behind a VPN (smart TVs, girlfriend's iPhone, etc.) and she has told me she has had no issues. Any chance it could be a hardware problem?
When you disable WireGuard and the default route is via the VPN, the normal default route is not restored.
Just reboot or, easier, from the command line: service network restart
P.S. That is one of the reasons I like using 128.0.0.0/1 and 0.0.0.0/1 instead of 0.0.0.0/0 as Allowed IPs.
I don't have to change my DNS servers (which are pointing to the VPN's IP) or change any firewall rules? There was a lot I configured to get this working. I also have 0.0.0.0/0 per the instructions from ProtonVPN: https://protonvpn.com/support/openwrt-wireguard Am I safe to change this to 0.0.0.0/1? The only thing I did differently from these instructions was that I set "Persistent Keep Alive" to 25 instead of the default 0, and the MTU was set to 1412. Thanks for your help, by the way.
If your only DNS server is Proton's and it is not accessible without the VPN, then you do need to change this.
Having this can be dangerous, as you often need DNS resolution before the tunnel is started, e.g. for NTP or hostname resolution, so I am not a big fan of it.
I have two local DNS servers to route my LAN traffic through (two Pi-holes on my network), but my DNS server for the WAN interface, located here: Network > Interfaces > WAN > Advanced Settings > "Use custom DNS servers", is using the IP of the wg0 interface, which is 10.2.0.1. Could this be my problem? Also, is there an OpenWrt guide I could use for setting up the VPN? Maybe the settings I got from Proton aren't ideal. I put in a ticket with their support team, but they haven't gotten back to me. 0 issues with their services, and I've been using them for 5+ years. Checking on the servers from the download page here: https://account.protonvpn.com/downloads shows me that all the servers I have configured are online and have very little load. What else might be causing these issues?
Thank you for the link and the PDF. This is very helpful. I will test the internet without the VPN when I get home. (I'm at work currently, with a RustDesk connection to my home machine that's painstakingly slow due to the VPN issues.) Appreciate your help thus far!
Thank you, so it does appear that it is NOT my ISP, because disabling the WireGuard interface has given me a solid connection to the WAN. It seems that US-NY-561 from ProtonVPN is having issues. I have since switched my server to a different one. Quick question though: if I have a list of peers from Proton on my wg0 interface, how can I easily switch between them at any given time? If I "Enable" all of the ones in this list, will it automatically switch to a different server if the current one is having trouble? If not, how can I switch between different peers without having to load the configuration each time? It seems like my IP doesn't change every time I switch to a different peer unless I load the conf from the "General Settings" tab.
I also run into that problem occasionally, that a VPN server is down for maintenance or overcrowded, etc.
I have a watchdog script to automatically switch tunnels if one tunnel is down.
Just create a couple of WireGuard interfaces/tunnels, each with one peer to a different server.
Enable one and disable the others, and by just enabling/disabling you switch.
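The fail-over loop described above, as an added example written for this thread and not the poster's own watchdog script: one WireGuard interface per peer, one of them enabled, and a ping bound to the active interface deciding when to bring the next one up. The interface names wg0..wg2, the ping target and the thresholds are assumptions; the ping/ifup/ifdown commands are indirected through variables so the decision logic can be run with stubs before it is let loose on a router.

```shell
#!/bin/sh
# Added example (not the script from the thread): a minimal fail-over watchdog
# for the "one WireGuard interface per peer, enable one, disable the rest"
# setup. Interface names wg0..wg2, the ping target and the thresholds are
# assumptions; adjust them to the interfaces you created in LuCI.

TUNNELS="wg0 wg1 wg2"          # fail-over order (assumed interface names)
PING_TARGET="1.1.1.1"
PING_COUNT=3
FAILS_BEFORE_SWITCH=2          # consecutive failed rounds before switching
INTERVAL=30                    # seconds between rounds

# The network-touching commands are indirected so the decision logic can be
# exercised on a workstation with stubs instead of real ping/ifup/ifdown.
PING_CMD=${PING_CMD:-ping}
IFUP_CMD=${IFUP_CMD:-ifup}
IFDOWN_CMD=${IFDOWN_CMD:-ifdown}

log() { logger -t wg-watchdog "$*" 2>/dev/null || echo "wg-watchdog: $*" >&2; }

# next_tunnel CURRENT: print the tunnel after CURRENT in $TUNNELS, wrapping
# around to the first one after the last.
next_tunnel() {
    first=""; found=0
    for t in $TUNNELS; do
        [ -z "$first" ] && first=$t
        if [ "$found" -eq 1 ]; then echo "$t"; return 0; fi
        [ "$t" = "$1" ] && found=1
    done
    echo "$first"
}

# tunnel_alive IFACE: succeed if ICMP echo bound to IFACE gets a reply.
# BusyBox ping understands -I (interface) and -W (per-reply timeout).
tunnel_alive() {
    $PING_CMD -c "$PING_COUNT" -W 2 -I "$1" "$PING_TARGET" >/dev/null 2>&1
}

# switch_tunnel FROM TO: disable the dead interface, enable the next one.
# Output of ifup/ifdown goes to stderr so callers can capture our stdout.
switch_tunnel() {
    log "switching from $1 to $2"
    $IFDOWN_CMD "$1" 1>&2
    $IFUP_CMD "$2" 1>&2
}

# watchdog_step IFACE FAILS: run one round and print the new state as
# "IFACE FAILS" (active interface and consecutive failures so far).
watchdog_step() {
    cur=$1; fails=$2
    if tunnel_alive "$cur"; then
        echo "$cur 0"
        return 0
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$FAILS_BEFORE_SWITCH" ]; then
        nxt=$(next_tunnel "$cur")
        switch_tunnel "$cur" "$nxt"
        echo "$nxt 0"
    else
        log "$cur: ping failed ($fails/$FAILS_BEFORE_SWITCH)"
        echo "$cur $fails"
    fi
}

# watchdog_loop IFACE: check forever, starting with IFACE already enabled.
watchdog_loop() {
    cur=$1; fails=0
    while :; do
        set -- $(watchdog_step "$cur" "$fails")
        cur=$1; fails=$2
        sleep "$INTERVAL"
    done
}

# On the router, with wg0 enabled and wg1/wg2 disabled: watchdog_loop wg0
```

Two consecutive failed rounds are required before switching so a single lost burst does not flip tunnels; the ping is bound to the interface with -I so a reply that arrived via the WAN default route (which can happen while a tunnel is half up) does not count as the tunnel being healthy. Switching still means the old interface goes down before the new one comes up, so clients see a gap of a few seconds, as the thread notes.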
This is fantastic, thank you for your work on this script! I have created it on my router and tested it in the CLI. I got this output:
chdog: started, pinging every 15 seconds to 1.1.1.1 on tunnel wg0 with endpoint 146.70.202.146
Sat Mar 15 14:46:38 2025 user.notice wireguard-watchdog.sh[20678]: WireGuard watchdog: ./wireguard-watchdog.sh is started, waiting for services
root@PyrosRouter:/usr/share#
So it seems like it's working! One thing I did not actually test though is the other WireGuard interfaces; take a quick peek to make sure I did them all correctly. They should all be identical except for the IPs they connect to:
So I added a few more interfaces to get to the maximum (9) and rebooted my router after adding the interfaces to your script, but I noticed that wireguard-watchdog.sh can't see my interfaces? It keeps trying to restart the network over and over:
root@PyrosRouter:~# logread -e watchdog
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: BusyBox v1.36.1 (2025-02-03 23:09:37 UTC) multi-call binary.
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: Usage: seq [-w] [-s SEP] [FIRST [INC]] LAST
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: Print numbers from FIRST to LAST, in steps of INC.
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: FIRST, INC default to 1.
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: -w Pad to last with leading zeros
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: -s SEP String separator
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: uci: Entry not found
Sun Mar 16 00:28:46 2025 user.notice wireguard-watchdog.sh[3775]: WireGuard watchdog: started, pinging every 30 seconds to 8.8.8.8 on tunnel with endpoint
Everything in the script is identical to the one you linked; I even put it back to 8.8.8.8 and 30 seconds sleep. The only thing I added were my WG interfaces:
#Add the Wireguard tunnels you want to use for fail over as a continuous range e.g. WG1, WG2 etc., max 9 tunnels
WG1="wg0"
WG2="wg1"
WG3="wg2"
WG4="wg3"
WG5="wg4"
WG6="wg5"
WG7="wg6"
WG8="wg7"
WG9="wg8"
I just killed it with killall wireguard-watchdog.sh; any idea what I'm doing wrong?
This is working fantastically with the default settings and the 8 WireGuard interfaces, thank you. I had one more question regarding the "Usage with PBR" section in your documentation. I have a few devices configured with PBR on my network, and each time your script switches interfaces (which seems to be a lot lately, not sure wtf is going on with ProtonVPN) the internet for my PBR devices drops for a few seconds. Obviously this has made some individuals in my household pretty upset, especially when they are streaming "Desperate Housewives" for the 13,000th time. Will your section on "Usage with PBR" fix this problem? I don't want to mess with it unless absolutely necessary, because it's working flawlessly now.
Switching indeed gives a few seconds without internet.
I have updated the script so that you can try with only switching interfaces and not a full network restart by commenting out RESTARTNETWORK=; however, this might not always work, and even then it will take a little time for switching.
An alternative is to use PBR.
Either use PBR as described to only set the clients you want to use the VPN,
or do it the other way around, e.g. for your TV using the WAN:
Create a table 102 with a default route via the WAN and let your TV use that; you need the gateway for your WAN, which can be found with: ifstatus wan | grep nexthop
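The "other way around" setup from the post above, as an added example that is not the poster's own documentation: a dedicated routing table whose default route goes out the WAN, plus a policy rule that sends packets from the TV's address to that table. The WAN device name eth0, table number 102, rule priority 1000, the host address 192.168.1.50 and the sample ifstatus output are assumptions; the ip commands are wrapped so the example can be dry-run offline.

```shell
#!/bin/sh
# Added example (not from the thread or the watchdog script): send one LAN host
# around the VPN by giving it its own routing table whose default route points
# at the WAN gateway. Device name, table number, priority, host address and the
# sample ifstatus output below are assumptions.

WAN_DEV=${WAN_DEV:-eth0}        # assumed; real name: ifstatus wan | grep l3_device
TABLE=${TABLE:-102}
RULE_PRIO=${RULE_PRIO:-1000}    # must be lower than the main-table rule (32766)
DRYRUN=${DRYRUN:-0}             # 1 = print the ip commands instead of running them

# run CMD...: execute, or just print when dry-running.
run() {
    if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# parse_nexthop: read ifstatus JSON on stdin and print the first nexthop,
# the same field the thread's "ifstatus wan | grep nexthop" shows.
parse_nexthop() {
    sed -n 's/.*"nexthop": *"\([^"]*\)".*/\1/p' | head -n 1
}

# wan_gateway: the WAN's current default gateway, from netifd.
wan_gateway() { ifstatus wan | parse_nexthop; }

# bypass_vpn GATEWAY HOST: default route in table $TABLE via the WAN, and a
# rule so packets sourced from HOST consult that table before the main one
# (where the WireGuard 0.0.0.0/0 default lives). The delete keeps a re-run
# from stacking duplicate rules.
bypass_vpn() {
    gw=$1; host=$2
    run ip route replace default via "$gw" dev "$WAN_DEV" table "$TABLE"
    run ip rule del from "$host" table "$TABLE" priority "$RULE_PRIO" 2>/dev/null || true
    run ip rule add from "$host" table "$TABLE" priority "$RULE_PRIO"
}

# Constructed sample of the part of `ifstatus wan` output we parse, for an
# offline dry run; a real router returns its own gateway here.
SAMPLE_IFSTATUS='{
	"route": [
		{
			"target": "0.0.0.0",
			"mask": 0,
			"nexthop": "203.0.113.1",
			"source": "0.0.0.0/0"
		}
	]
}'

# demo: dry-run the whole procedure against the constructed sample.
demo() {
    DRYRUN=1
    gw=$(printf '%s\n' "$SAMPLE_IFSTATUS" | parse_nexthop)
    bypass_vpn "$gw" 192.168.1.50
}

# On the router (assumed TV address): bypass_vpn "$(wan_gateway)" 192.168.1.50
```

The route in table 102 is tied to the WAN device, so it disappears when the WAN interface is brought down and up again (a network restart included) and has to be re-applied, e.g. from a script in /etc/hotplug.d/iface/. For a persistent version, OpenWrt's /etc/config/network accepts the same thing as a `config route` section with `option table 102` and a `config rule` section with `option src`, `option lookup 102` and `option priority`. Two things to check afterwards: the host's DNS still goes wherever the router hands out (the Pi-holes in this thread), and the lan-to-wan forwarding in the firewall must allow that host's traffic, which a VPN-only firewall setup may have removed.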