What was working:
After setting everything up, all network traffic was routed through the Mullvad WireGuard tunnel. Internet access worked fine on all Wi-Fi devices for about a week.
The problem:
After roughly one week (possibly exactly one week), things suddenly broke:
Wi-Fi clients can no longer access the internet
I cannot access the OpenWrt router web UI at 192.168.2.1
The router only becomes reachable if I start the Mullvad VPN client on my computer
Even then, I can only access 192.168.2.1 — there is still no internet connectivity
As soon as I close the VPN client on my computer, I lose access to the router again
So effectively:
No VPN client on my PC → cannot reach router at all
VPN client running → router reachable, but still no internet
Questions:
What could cause the LAN and router itself to become unreachable unless a client-side VPN is active?
Why would this work perfectly for a week and then fail suddenly?
Any ideas on what to check or how to recover from this would be greatly appreciated.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:
Change "wan6" lowlevel interface to @wan or disable it completely.
strictorder in dhcp does not do what you want. It queries servers in order 2/5s apart, not 1s in between until one responds.
Superficially, wg looks ok....
Network -> Interfaces -> deleted wan6
Removed strict order in dhcp
Unfortunately it still doesn't work. When I close the VPN client on the computer, I cannot even access the router menu.
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.110",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "GL.iNet GL-MT6000",
"board_name": "glinet,gl-mt6000",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.4",
"revision": "r28959-29397011cc",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.4 r28959-29397011cc",
"builddate": "1760891865"
}
}
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdxx:xxxx:xxxx::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth1.7'
option proto 'pppoe'
option ipv6 'auto'
option username ‚XXXXX‘
option password ‚XXXXX‘
config interface 'WGINTERFACE'
option proto 'wireguard'
option private_key ‚XXXXX‘
list addresses ‚XX.XX.X.XXX/32'
option force_link '1'
config wireguard_WGINTERFACE
option public_key 'XXXXX'
list allowed_ips '0.0.0.0/0'
option route_allowed_ips '1'
option endpoint_host ‚XXX.XXX.XXX.XX‘
option endpoint_port '51820'
config route
option interface 'WGINTERFACE'
option target '100.64.0.15/32'
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel 'auto'
option htmode 'HE40'
option country 'DE'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid ‚XXXXX‘
option encryption 'psk2'
option key ‚XXXXX‘
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel 'auto'
option htmode 'HE160'
option country 'DE'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid ‚XXXXX’
option encryption 'psk2'
option key ‚XXXXX‘
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
list server '10.64.0.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
list dhcp_option '6,100.64.0.15'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piofolder '/tmp/odhcpd-piofolder'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'WGZONE'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'WGINTERFACE'
config forwarding
option src 'lan'
option dest 'WGZONE'
When I set up the VPN I followed these steps from the link:
DNS leaks
If the router is leaking the DNS servers from your Internet provider then try to change some of the following settings and then restart the router and the computers/devices in the local network that are connected to the router.
Network > Interfaces > WAN (click edit) > Advanced Settings > Use DNS servers advertised by peer (disable)
Network > DHCP and DNS > Advanced Settings > Strict order (enable)
Network > Interfaces > LAN > DHCP Server > Advanced Settings > "Force DHCP on this network even if another server is detected" (enable)
Network > Interfaces > LAN > DHCP Server > IPv6 Settings > Router Advertisement-Service (disable)
I changed the setting back. 1 to enable, 2 to disable, 3 to disable and 4 I don't remember the default. Could it be a problem that it is disabled?
I'm noticing a strange thing in the config files... for example:
Note that the private key, addresses, and endpoint host lines have what appears to be a comma (,) instead of a single quote ('). I'm seeing this in several places throughout the config (not just the examples shown).
Please double check your config to see if those are really in the config files or if this is some sort of copy/paste error into the forum.
EDIT: upon further examination, those don't appear to be normal commas and single quotes, but rather some other quote type (not sure offhand which, but a "curly" single quote on the closing side, and the opening side seems to have the same quote except flipped upside down (like the upside down question mark common in Spanish)).
So can you confirm that the strange quotes in your config output are purely a function of the text editor you used to redact details? Please double check the real configs to make sure that the quotes are normal and consistent.
It could be a DNS resolution issue since you've set the system DNS to the Mullvad DNS servers. That can cause a chicken or egg situation with respect to establishing the WG tunnel.
From the router directly, what is the result of an nslookup to the endpoint host domain name?
and what is the output of wg show?
If the above shows that you don't have an active wg connection and there is an nslookup failure, try setting the DNS to 8.8.8.8 and restarting.
BTW, a similar thing can happen if the clock isn't synced.
Thanks for your input. I will try that later when I'm at home. Right now everything is running fine without the VPN on the router. I will set the VPN as per instructions in the link above and let you know the outputs of the mentioned commands.
What I find very weird is that yesterday I couldn't even access my router without activating the Mullvad VPN client on my computer even though the computer is connected directly to the router's WiFi network.
It can be hard to track down the issue, but as I mentioned before, two possible culprits:
DNS resolution issues for the endpoint host domain
incorrect time/date on the clock
The first issue would likely appear after a reboot/power cycle if that is truly the issue.
The second one may only happen further in the future (again, after a reboot/power cycle). With the time specific issue, the thing to know is that most OpenWrt devices do not contain a battery-backed realtime clock. As a result, the system will set the initial system time (during initial boot) to that of the most recently written file in the non-volatile storage of your device -- this is the "best guess" of the time that the system can get until later in the boot cycle. Once the network is up and a wan connection is established, the system can use NTP to get the correct current time. If Wireguard starts before the NTP sync has happened, it will try to establish a tunnel, but it will fail because of the mismatched time. However, the WG route (if using 0.0.0.0/0 or equivalent) will be established, so all traffic (including the NTP sync requests) will be sent via the tunnel (which is not actually up), thus causing a chicken-or-egg for bringing up the tunnel.
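The two bootstrap problems raised in this thread (the router's own DNS pointing only at resolvers that live behind the tunnel, and the clock not being NTP-synced when WireGuard starts while the 0.0.0.0/0 route already captures NTP traffic) can be checked from the router with a few shell functions. The script below is an added example, not part of the thread or of OpenWrt; it takes the interface name WGINTERFACE, the resolver addresses 10.64.0.1 and 100.64.0.15 and the builddate from the posted output, and the rest (the peer key, the endpoint hostname, the "in-tunnel" prefixes) is constructed or assumed. Whether the DNS finding applies to the real setup depends on whether endpoint_host is a hostname or a literal IP.

```shell
#!/bin/sh
# Added example (not from the thread). Diagnoses the WireGuard bootstrap
# chicken-or-egg cases discussed above on an OpenWrt router:
#  (1) upstream DNS only reachable through the tunnel, so a hostname
#      endpoint cannot be resolved before the tunnel is up;
#  (2) clock not yet NTP-synced at boot, so the handshake fails while the
#      0.0.0.0/0 route already sends NTP requests into the dead tunnel.
# Sample tool output below is constructed so the script runs offline.

# Classify the tunnel from the latest handshake epoch (0 = never) and the
# current time. WireGuard re-handshakes well inside 180 s, so anything
# older means the tunnel is effectively down.
tunnel_state() {
    hs=$1; now=$2
    if [ "$hs" -eq 0 ]; then echo "never"
    elif [ $((now - hs)) -lt 180 ]; then echo "up"
    else echo "stale"
    fi
}

# Print the newest handshake epoch from `wg show <iface> latest-handshakes`
# output (one "<peer-pubkey><TAB><epoch>" line per peer).
latest_handshake() {
    awk -F'\t' 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# Without a battery-backed RTC the boot-time clock is the newest file
# timestamp in flash; a clock not past the firmware build date is
# certainly not synced. Arg 1: now epoch, arg 2: builddate epoch.
clock_synced() {
    [ "$1" -gt "$2" ]
}

# Return 0 if every upstream resolver (space-separated list) is only
# reachable inside the tunnel. The prefixes are an assumption covering the
# two resolver addresses in the posted config (10.64.0.1, 100.64.0.15).
dns_only_via_tunnel() {
    for s in $1; do
        case "$s" in
            10.64.*|100.64.*) ;;   # in-tunnel resolver, keep checking
            *) return 1 ;;         # at least one works without the tunnel
        esac
    done
    return 0
}

# Combine the checks; prints space-separated findings, or "ok".
diagnose() {
    hs=$1; now=$2; build=$3; servers=$4; endpoint=$5
    state=$(tunnel_state "$hs" "$now")
    out=""
    clock_synced "$now" "$build" || out="${out}clock-unsynced "
    # Only a hostname endpoint depends on DNS; a literal IP does not.
    case "$endpoint" in
        *[!0-9.]*) dns_only_via_tunnel "$servers" && out="${out}endpoint-dns-behind-tunnel " ;;
    esac
    [ "$state" = "up" ] || out="${out}tunnel-${state} "
    out="${out% }"
    echo "${out:-ok}"
}

# --- constructed sample: router just booted, clock still at the firmware
# build time, peer has never completed a handshake ------------------------
SAMPLE_WG="$(printf '(constructed-peer-key)\t0')"  # wg show WGINTERFACE latest-handshakes
SAMPLE_BUILD=1760891865                             # builddate from ubus call system board
SAMPLE_NOW=1760891865                               # date +%s right after boot
SAMPLE_ENDPOINT="wg-endpoint.example"               # constructed hostname endpoint

demo() {
    hs=$(printf '%s\n' "$SAMPLE_WG" | latest_handshake)
    diagnose "$hs" "$SAMPLE_NOW" "$SAMPLE_BUILD" "10.64.0.1" "$SAMPLE_ENDPOINT"
}

# On a real router, feed live values instead of the sample:
#   wg show WGINTERFACE latest-handshakes | latest_handshake
#   date +%s ; uci show network | grep endpoint_host
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh diag.sh --demo` to see the three findings for the constructed sample; a healthy router with a synced clock, a recent handshake and a resolver reachable outside the tunnel prints `ok`. The fix the thread suggests for finding (1) is an out-of-tunnel resolver such as 8.8.8.8 for the router itself; for finding (2), any approach that gets NTP synced before the tunnel route is installed.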
Thank you for explaining - it does seem plausible. Would that explain why I couldn't access my router unless I started the VPN client / app on my device?
I still don't know why enabling the VPN locally on your computer allowed you to reach the router itself. This doesn't normally make sense -- typically this is the thing that prevents access to the router because all of the egress traffic from the host is routed through the tunnel (as a function of the host OS/kernel), so the local network may be unreachable.