Random timeouts/cutouts from internet every few minutes for 5-15 seconds

Hi everyone, for a few days now I have had an issue where all my devices (connected to the same Dynalink WRX-36 router) get cut off from the internet for a few seconds every few minutes. It seems the issue only occurs with WireGuard, but I asked on their Reddit and users there do not seem to be having issues.
It is quite frustrating to be cut off from online games and to sometimes get timeouts while browsing. The issue happens both on Wi-Fi and on my PC, which is connected by LAN cable.
How can we figure out the cause of this?

Here are already some logs:
config/network

root@MainRouter:~# cat /etc/config/network

# /etc/config/network as posted: loopback, the LAN bridge, a DHCP WAN, and a
# WireGuard client interface named 'surfshark' with one full-tunnel IPv4 peer.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix '<redacted>'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        # IPv6 is switched off on the bridge device itself.
        option ipv6 '0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        # Metric 1 is higher than the tunnel's metric 0 below, so when both
        # default routes exist the tunnel route is the preferred one.
        option metric '1'
        option dns_metric '10'
        option delegate '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        # auto '0': this interface is not brought up automatically.
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

# WireGuard client interface. The private key was redacted by the poster before
# sharing; it is the secret that authenticates this router to the VPN peer.
# No 'option mtu' is set, so the interface runs at the WireGuard default MTU
# (presumably 1420 on OpenWrt -- confirm).
config interface 'surfshark'
        option proto 'wireguard'
        option private_key '<redacted>='
        option metric '0'
        option delegate '0'
        list addresses '<redacted>'
        # 100.64.0.3 lies in the 100.64.0.0/10 shared address space; presumably
        # the provider's resolver reachable only through the tunnel -- confirm.
        list dns '100.64.0.3'

# Unmanaged placeholder for an OpenVPN tun device; not started automatically.
config interface 'surfsharkovpn'
        option proto 'none'
        option device 'tun0'
        option delegate '0'
        option auto '0'

# Peer for the 'surfshark' interface.
config wireguard_surfshark
        option description 'de-fra-wg-401.conf'
        option public_key '<redacted>='
        # 0.0.0.0/0 together with route_allowed_ips '1' installs a route for all
        # IPv4 traffic via the tunnel. No ::/0 entry is listed, so this peer
        # carries no IPv6.
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '<redacted>'
        option endpoint_port '51820'
        option route_allowed_ips '1'
        # Keepalive every 25 seconds so NAT/firewall state on the path to the
        # endpoint does not expire while the tunnel is idle.
        option persistent_keepalive '25'

config/wireless:

root@MainRouter:~# cat /etc/config/wireless

# /etc/config/wireless as posted: two radios (5 GHz and 2.4 GHz), one access
# point per radio sharing the same SSID and key, and one 802.11s mesh interface
# per radio (the 2.4 GHz mesh is disabled).
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi'
        option band '5g'
        option cell_density '0'
        option htmode 'HE80'
        option channel '40'
        option country 'DE'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'BoRina Wireless'
        # psk2 selects WPA2-Personal (pre-shared key).
        option encryption 'psk2'
        # NOTE(review): the pre-shared key below was shared in clear text. Mask
        # such values (as was done for the WireGuard keys) before posting a
        # config, and rotate any key that has already been published.
        option key 'rUlantIca!1!'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/c000000.wifi+1'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option country 'DE'
        option channel '10'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'BoRina Wireless'
        option encryption 'psk2'
        # NOTE(review): same clear-text pre-shared key as the 5 GHz AP; treat it
        # as disclosed and rotate it.
        option key 'rUlantIca!1!'

# 2.4 GHz mesh interface; 'disabled' is set, so it is not active.
config wifi-iface 'wifinet7'
        option device 'radio1'
        option mode 'mesh'
        # sae selects WPA3-style SAE authentication between mesh peers.
        option encryption 'sae'
        option mesh_id '189b'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        # NOTE(review): mesh password posted in clear text; anyone who knows it
        # and the mesh_id can attempt to join the mesh, which is bridged to
        # 'lan'. Mask it when sharing and rotate it on all mesh nodes.
        option key 'L0chM3sH2'
        option network 'lan'
        option disabled '1'

# 5 GHz mesh interface (active), attached to the 'lan' network.
config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'mesh'
        option encryption 'sae'
        option mesh_id '188b'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        # NOTE(review): same clear-text mesh password as the 2.4 GHz mesh
        # interface; rotate it on every node that uses it.
        option key 'L0chM3sH2'
        option network 'lan'

Help would be appreciated :slight_smile:

config/dhcp:

root@MainRouter:~# cat /etc/config/dhcp

# /etc/config/dhcp as posted: dnsmasq settings, the LAN DHCP pool, odhcpd
# settings, and a list of static leases.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebind protection: upstream answers that point at private
        # addresses are discarded.
        option rebind_protection '1'
        # NOTE(review): presumably still permits 127.0.0.0/8 answers from
        # upstream while rebind protection is on -- confirm against the
        # dnsmasq/OpenWrt documentation.
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option dnsforwardmax '350'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # Only answer DNS queries that come from locally attached subnets.
        option localservice '1'
        option ednspacket_max '1232'

# LAN pool: addresses .100 upward, 150 leases, 12 hour lease time.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra_slaac '0'
        option dns_service '0'

# No DHCP service is offered on the WAN side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static leases: each 'host' section pins a MAC address to a fixed LAN IP.
# NOTE(review): MAC addresses and host names identify specific devices and
# their vendors; they are usually worth masking when a config is shared.
config host
        option name 'Samsung'
        option ip '192.168.1.154'
        option mac 'F4:FE:FB:9F:21:B6'

config host
        option name 'HarmonyHub'
        option ip '192.168.1.160'
        option mac '00:04:20:FC:18:14'

config host
        option name 'hubv3-4011035646'
        option ip '192.168.1.179'
        option mac '28:6D:97:A0:53:E8'

config host
        option name 'Samsung'
        option ip '192.168.1.151'
        option mac '38:68:A4:28:D3:EC'

config host
        option name 'everything-presence-st-fa2d68'
        option ip '192.168.1.229'
        option mac 'A0:B7:65:FA:2D:68'

config host
        option name 'everything-presence-st-700718'
        option ip '192.168.1.208'
        option mac '08:B6:1F:70:07:18'

config host
        option name 'everything-presence-st-7e8058'
        option ip '192.168.1.171'
        option mac '08:B6:1F:7E:80:58'

config host
        option name 'Meshpoint2'
        option ip '192.168.1.106'
        option mac 'A4:97:33:DF:A0:AF'

config host
        option name 'Meshpoint3'
        option ip '192.168.1.219'
        option mac 'A4:97:33:DF:B1:CF'

# This lease has no 'name' option.
config host
        option ip '192.168.1.243'
        option mac '6A:B2:00:2F:80:22'

config/firewall:

root@MainRouter:~# cat /etc/config/firewall

# /etc/config/firewall as posted: default-reject policy, zones for lan, wan and
# two VPN interfaces, the stock WAN input rules, and a single forwarding from
# lan to the WireGuard zone.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        # Software flow offloading: established flows take a fast path instead
        # of traversing the full firewall for every packet.
        option flow_offloading '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# WAN zone: nothing unsolicited is accepted or forwarded except what the rules
# below allow; outgoing traffic is masqueraded and TCP MSS is clamped (mtu_fix).
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Lets the router answer IPv4 pings arriving on the WAN side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The next two rules accept IPsec (ESP and IKE on UDP/500) forwarded from wan
# to lan. They match the rules OpenWrt ships by default; if no LAN host
# terminates IPsec they can be disabled to reduce what is accepted from wan.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone for the WireGuard interface: same posture as wan (reject inbound and
# forwarded traffic, masquerade outbound, clamp MSS).
config zone
        option name 'surfshark'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'surfshark'

# Would let two LAN hosts reach wan directly, bypassing the tunnel; currently
# switched off via enabled '0'.
config rule
        option name 'exceptions'
        option src 'lan'
        list src_ip '192.168.1.179'
        list src_ip '192.168.1.151'
        option dest 'wan'
        option target 'ACCEPT'
        option enabled '0'

# Zone for the OpenVPN placeholder interface 'surfsharkovpn'.
config zone
        option name 'ovpntest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'surfsharkovpn'
        option family 'ipv4'

# The only inter-zone forwarding in this file is lan -> surfshark. With no
# lan -> wan forwarding, LAN clients have no path out through 'wan' while the
# tunnel is stalled or down, so a tunnel interruption shows up as a full
# internet outage rather than traffic leaving outside the VPN (unless the pbr
# include below adds its own rules -- not visible here).
config forwarding
        option src 'lan'
        option dest 'surfshark'

# Script include from the policy-based-routing (pbr) package; the rules it
# generates are not part of this file.
config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

I'd start by disabling the VPN -- that seems like a possible culprit.

yes, it solves the issue, but i want to keep using wireguard for security.

Other than trying a different VPN endpoint there's probably not much you can do from an OpenWRT perspective. There's nothing that seems to jump out as clearly wrong. You might be better off taking it up with Surfshark.

You can try to lower MTU to 1280 on the WG interface but I concur with @krazeh

Also, don't be misled by the idea of "security" with a commercial VPN. It simply shifts the privacy/security from your ISP to the VPN provider. Most traffic is encrypted in some way already (i.e. https), so it is difficult (nearly impossible) to snoop on the specific content of your traffic. Without a VPN, your ISP will be able to determine the destination IP addresses, and they could potentially look at your DNS requests. Beyond that, they can't see much. With a VPN, this is shifted to the VPN provider and the ISP is now unable to determine anything other than the destination addresses of the VPN.

(the story is a bit different with state level surveillance and/or censorship, or geo-ip based services).

Mass surveillance, censorship, tracking etc. are all part of a big security package for me, so I'm happily using Mullvad. The adapters you see in my logs still say surfshark because I didn't bother changing the names, but they are connected to Mullvad.
I tried lowering the MTU but that didn't work. I will send Mullvad a mail, thanks.