Raspberry Pi 4 running 23.05.5 unresponsive after reboot

I am finalizing a WireGuard VPN server, but every time I reboot the OpenWrt system the RP4 becomes unresponsive. I can get it back up by pulling the power cord and plugging it back in. After that I can reach the default address and all the changes prior to the reboot are saved.
At the same time I am having issues with intermittent stoppage of the WireGuard connection. I am not sure the two issues are related. I tried several MTU sizes from 1460 to 1280. Also checking the MSS clamping. The intermittent stoppage still happens when making those changes.

Any help is greatly appreciated.

You won't get any without posting your config ...

Without seeing configs, I'm going to guess that the issue is related to an incorrect clock. More on that after we see your configs.

Also, please describe what you mean by unresponsive -- how are you trying to test connectivity? And can you describe how the device is physically being used in your network (a network topology diagram could be really useful).

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I'm no expert but here are my Wireguard configs for Cloudflare warp for the reference:

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxxxx'
	# Disables automatic DNS
	option peerdns '0'
	# Cloudflare DNS
	list dns '1.1.1.1'
	# Provided by your VPN
	list addresses '2606:4700xxxxxx'
	list addresses '172.xxxx/32'

config wireguard_wg0
	option description 'wgcf-profile.conf'
	option public_key 'xxxxxxxxxx'
	# Sets the host name of the Cloudflare Warp server endpoint. This is where WG will connect to establish the VPN tunnel
	option endpoint_host 'engage.cloudflareclient.com'
	option endpoint_port 'xxxx'
	# Enables routing all traffic through the VPN tunnel
	list allowed_ips '::/0'
	list allowed_ips '0.0.0.0/0'
	# If you're behind double NAT. Prevents NAT from closing the connection if inactive
	option persistent_keepalive '25'
	# Automatically routes all IPs to WG tunnel
	option route_allowed_ips '1'

Everything else is the same.

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.1",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd41:xxxx:xxxx::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.4'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config interface 'Wireguard'
        option proto 'wireguard'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option listen_port '51824'
        list addresses '192.168.43.1/24'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config wireguard_Wireguard
        option description 'Galaxy S24 438'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        list allowed_ips '192.168.43.2/32'

config wireguard_Wireguard
        option description 'Livingroom_438'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        list allowed_ips '192.168.43.3/32'
        option route_allowed_ips '1'

config wireguard_Wireguard
        option description 'Bedroom_438'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        list allowed_ips '192.168.87.4/32'
        option route_allowed_ips '1'

config wireguard_Wireguard
        option description 'Laptop_438'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option preshared_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        list allowed_ips '192.168.43.5/32'
        option route_allowed_ips '1'

config wireguard_Wireguard
        option description 'S23_438'
        option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx'
        option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx'
        option preshared_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
        list allowed_ips '192.168.43.6/32'
        option route_allowed_ips '1'

config device
        option name 'Wireguard'


root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'
        option start '100'
        option limit '150'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Wireguard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Wireguard'
        option mtu_fix '1'

config forwarding
        option src 'Wireguard'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'Wireguard'

Please see the above response with the config info. TY.

I don't see any obvious issues. What do you mean by unresponsive?

Also, do you have anything plugged into any of the USB ports?

I have been changing the MTU sizes because while on social media apps I noticed that videos would stop playing for ~5-20 seconds then restart. After changing the MTU size I reboot, but then I cannot reach the router. I have to pull the power cord then plug it back in. After doing that I can reach the router and all the changes are saved.
Aside from the video pausing issue, I also noticed that I lose connectivity (I only noticed because I was on a call and the person could hear me for a few seconds; I turned the VPN off and the call came back; this was on a Google Voice call). Not sure the two are related.

No. Nothing is plugged into the RP4 aside from the ethernet cord connecting to the primary router provided by the ISP.

Your Pi's config appears to be an inbound VPN. Specifically that of a road-warrior type configuration.

The first peer is missing the route_allowed_ips option, but otherwise this looks okay.

From where are you trying to reach it? Are you trying to reach it from another system on the lan, or are you doing this over the wireguard interface?

How are you rebooting the system?

I have tried to reach it from a system on the lan and also over the Wireguard interface. Neither works.

By clicking the reboot button under the system tab in LuCI.

Yes, it is a road-warrior type configuration.

Connect a monitor via HDMI and let's see if it is (re)booting properly. It seems to me that the device is likely hanging and not actually rebooting.


Unfortunately I do not have a micro HDMI to connect to the RP4. Is there anything else I can try?

Do you have a serial UART cable?

Not with me currently.
I did notice one of the small chips on the back of the board was loose when I was mounting it last night. It was the chip labeled "na167". Aside from the above issues, everything seems to be working properly, so I don't know if that loose chip is the source of the problem.

No idea off hand what that device does -- it could be part of the power circuitry. If it's loose, that probably should be addressed. Do you have the necessary equipment and skills to fix that?

I'm going to drive around town to see if I can find anyone who does soldering.
Do you think if it was that, it would be leading to the intermittent video pausing issue? The reboot problem is no big deal if the intermittent video issue goes away.

I have no idea... we don't really have enough information to understand the video pausing issue in the first place as it could be related to a number of different possible factors.

But the reboot issue either sounds like a software issue (i.e. did you install anything else aside from Wireguard relative to the default install) that is causing the hang, or a hardware problem. The reboot should 'just work' so you should make sure that's fixed first.

The only other packages installed are a DNS script and a CPU temp package.

You might try without the CPU temp package, just in case that is hanging things up.

The Bedroom Wireguard allowed IP seems odd.

No input firewall rule for this UDP port.
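
The three configuration observations made in the replies (a peer without route_allowed_ips, an allowed IP outside the tunnel subnet, and no input rule for the WireGuard listen port) can be checked offline against saved copies of /etc/config/network and /etc/config/firewall. This is an added example, not code from the thread or from OpenWrt; parse_uci and audit are hypothetical helper names, and the sample text is constructed from the posted layout with the keys omitted.

```python
import ipaddress
import shlex

def parse_uci(text):
    # Returns [(section_type, section_name_or_None, {option: [values]})].
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], tok[2] if len(tok) > 2 else None, {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(network, firewall):
    net, fw, out = parse_uci(network), parse_uci(firewall), []
    for typ, name, opt in net:
        if typ != "interface" or opt.get("proto") != ["wireguard"]:
            continue
        nets = [ipaddress.ip_interface(a).network for a in opt.get("addresses", [])]
        for _, _, peer in (s for s in net if s[0] == f"wireguard_{name}"):
            who = peer.get("description", ["(unnamed peer)"])[0]
            if peer.get("route_allowed_ips") != ["1"]:
                out.append(f"{who}: route_allowed_ips not set")
            for n in (ipaddress.ip_interface(i).network for i in peer.get("allowed_ips", [])):
                if not any(n.version == s.version and n.subnet_of(s) for s in nets):
                    out.append(f"{who}: allowed_ips {n} outside tunnel subnet")
        port = opt.get("listen_port", [""])[0]
        # An input rule has no 'dest'; a rule without 'proto' is treated as covering UDP.
        if port and not any(
                t == "rule" and "dest" not in o and o.get("target") == ["ACCEPT"]
                and o.get("dest_port") == [port] and "udp" in o.get("proto", ["udp"])[0].split()
                for t, _, o in fw):
            out.append(f"{name}: no input rule for UDP port {port}")
    return out

# Constructed sample: section layout and addresses follow the posted config.
NETWORK = """config interface 'Wireguard'
  option proto 'wireguard'
  option listen_port '51824'
  list addresses '192.168.43.1/24'
config wireguard_Wireguard
  option description 'Galaxy S24 438'
  list allowed_ips '192.168.43.2/32'
config wireguard_Wireguard
  option description 'Bedroom_438'
  list allowed_ips '192.168.87.4/32'
  option route_allowed_ips '1'"""
FIREWALL = "config rule\n  option dest_port '68'\n  option proto 'udp'\n  option target 'ACCEPT'\n"
```

Calling audit(NETWORK, FIREWALL) returns one finding per observation; the findings describe the config only and do not by themselves explain the reboot hang.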