No handshake (WireGuard client) after updating packages

Hello, I'm experiencing a troubling issue that I have no idea how to solve. It began after I updated system packages, clients assigned to the VPN with PBR can't connect to the internet. Looking at the WireGuard status page, it shows that there has never been a handshake made. Previously I noticed that there was data being transmitted, but never any received. Right now there is no traffic from the VPN at all.

wg status884×204 6.88 KB

Using Dynalink DL-WRX36 and the latest snapshot version. I recently reflashed my router, I actually am not using PBR at the moment, just trying to solve this issue first.

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option hostname '*'
        option peerdns '0'
        list dns '9.9.9.9'

config device
        option name 'lan1'
        option ipv6 '0'

config device
        option name 'lan2'
        option ipv6 '0'

config device
        option name 'lan3'
        option ipv6 '0'

config device
        option name 'lan4'
        option ipv6 '0'

config device
        option name 'miireg'
        option ipv6 '0'

config device
        option name 'wan'
        option ipv6 '0'

config interface 'mullvad'
        option proto 'wireguard'
        option private_key 'scrubbed'
        list dns '100.64.0.7'
        option delegate '0'
        list addresses '10.75.110.231/32'

config wireguard_mullvad
        option description 'Imported peer configuration'
        option public_key 'scrubbed'
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '143.244.47.65'
        option endpoint_port '3458'

/etc/config/firewall

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone
        option name 'mullvad'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'mullvad'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'

config forwarding
        option src 'lan'
        option dest 'mullvad'

If any additional information is needed, please let me know.

Thats usually a bad idea...
But spooky that a new flash lead to the same problem...

Wait so you're saying that using apk upgrade is a bad idea? Should I reflash each time I need to update, then?

Did some more troubleshooting, after adding date -s "2030-01-01 00:00:00" to crontab it works, but only after a reboot. If I manually restart the mullvad interface then the issue reoccurs. I guess this is resolved, it's bizarre though because I never needed to do this before, only after updating recently. I would like to know why this is happening, and whether it's a bug or whatnot...

EDIT: Another weird thing, I briefly enabled "route allowed IPs" in the peer submenu and it did appear to work, this is not desirable however as I would like to use my WAN interface as the default gateway. If route allowed IPs is disabled but there are PBR rules, it won't handshake. I'm honestly not sure if the race condition fix in my crontab is what resolved this.