VPN slows down + general check

I have been using OpenWrt for 6 weeks now and really like it. It was quite a steep learning curve but now I have my router mostly the way I wanted. With adblock to replace my pi-hole, unbound, policy based routing, and something I wanted to have for quite some time, a vpn server and client. So I have my adblocking and subscriptions anywhere in the world from my phone/laptop.

And a separate wi-fi for IoT stuff called Wi-Fi Local without internet access; I can control some settings from HA. Turn on/off vpn for example. And maybe most important: a safe router! I should have done this way earlier...

And I got a second T-56 with an external disk for samba, docker and just experimenting.

Anyway, I got two little things remaining at the moment. I wanted to ask for a check up, do I have some settings way wrong, unsafe, firewall not quite nailed down, or could it be improved or anything else?

And the other question could be related (meaning: caused by incorrect settings): my vpn connection slows down over time. Both the Proton connections as well as the AirVPN one. Like really slow 50, 30, even 15 mbit, too slow for 1080p youtube. Sure, this could just be a problem with (both?) providers, but I kinda doubt it. A reconnect solves it. Not sure how to troubleshoot it, other than the connection does not slow down without VPN running.

So, if anybody is willing to check my config it will be highly appreciated. Here is my config:

        "kernel": "6.6.110",
        "hostname": "OpenWrt1",
        "system": "ARMv8 Processor rev 4",
        "model": "Zyxel EX5601-T0 ubootmod",
        "board_name": "zyxel,ex5601-t0-ubootmod",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.4",
                "revision": "r28959-29397011cc",
                "target": "mediatek/filogic",
                "description": "OpenWrt 24.10.4 r28959-29397011cc",
                "builddate": "1760891865"

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb3:a53:9a1b::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'wg_server'
        option proto 'wireguard'
        option private_key x
        option listen_port '47110'
        list addresses '10.0.20.1/24'

config wireguard_wg_server
        option public_key x
        option private_key x
        option description 'x'
        option endpoint_port '47110'
        option persistent_keepalive '25'
        list allowed_ips '10.0.20.10/32'
        option route_allowed_ips '1'

config interface 'wg_proton_nl1'
        option proto 'wireguard'
        option private_key 'x'
        list addresses '10.2.0.2'

config wireguard_wg_proton_nl1
        option description 'OpenWRT01 - NL-FREE 102'
        option public_key x
        option endpoint_host '212.8.243.7'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        option route_allowed_ips '1'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/1'
        list allowed_ips '::/1'
        list allowed_ips '8000::/1'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config interface 'guest'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '10.0.60.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-local'
        option bridge_empty '1'
        list ports 'lan4'

config interface 'local'
        option proto 'static'
        option device 'br-local'
        option ipaddr '10.0.40.1'
        option netmask '255.255.255.0'

config interface 'wg_proton_nl2'
        option proto 'wireguard'
        option private_key x
        list addresses '10.2.0.2/32'
        option auto '0'

config wireguard_wg_proton_nl2
        option description 'NL-FREE#222'
        option public_key x
        option route_allowed_ips '1'
        option endpoint_host 'x'
        option endpoint_port '51820'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/1'
        list allowed_ips '::/1'
        list allowed_ips '8000::/1'

config interface 'wg_airvpn_nl'
        option proto 'wireguard'
        option private_key 'x'
        list addresses 'x/32'
        list addresses x
        list dns '10.128.0.1'
        list dns 'fd7d:76ee:e68f:a993::1'
        option auto '0'

config wireguard_wg_airvpn_nl
        option description 'NL'
        option public_key 'x'
        option preshared_key x
        option persistent_keepalive '15'
        option endpoint_host 'nl3.vpn.airdns.org'
        option endpoint_port '47107'
        list allowed_ips '0.0.0.0/1'
        list allowed_ips '128.0.0.0/1'
        list allowed_ips '::/1'
        list allowed_ips '8000::/1'
        option route_allowed_ips '1'

config wireguard_wg_server
        option description 'x'
        option public_key x
        option private_key 'x'
        option route_allowed_ips '1'
        option endpoint_port '47110'
        option persistent_keepalive '25'
        list allowed_ips '10.0.20.20/32'

Wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Wi-Fi'
        option encryption 'sae'
        option key x
        option ocv '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option band '5g'
        option channel '36'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Wi-Fi'
        option encryption 'sae'
        option key x
        option ocv '0'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Wi-Fi Guest'
        option encryption 'sae-mixed'
        option key 'x'
        option ocv '0'
        option network 'guest'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Wi-Fi Local'
        option encryption 'sae-mixed'
        option key x
        option ocv '0'
        option network 'local'

DHCP

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option local '/x/'
        option domain 'x'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option noresolv '1'
        option port '1053'
        list addnmount '/var/run/pbr.dnsmasq'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option 'option:dns-server,0.0.0.0'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,10.0.0.1'

config domain
        option name 'ntp.x'
        option ip '10.0.0.1'

config domain
        option name 'vpn.x'
        option ip '10.0.0.1'

config domain
        option name 'ha.x'
        option ip '10.0.0.10'

config dhcp 'local'
        option interface 'local'
        option start '100'
        option limit '150'
        option leasetime '2m'
        list dhcp_option '6,10.0.0.1'

config host
        option name 'OpenWrt2'
        option ip '10.0.0.2'
        option leasetime 'infinite'
        list mac 'x'

<lots of hosts>

config domain
        option name 'vpn_watchdog.x'
        option ip '1.1.1.1'

config domain
        option name 'vpn_watchdog.x'
        option ip '8.8.8.8'

Firewall

config defaults
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wg_server'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config zone
        option name 'local_only'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'
        list network 'local'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wg_server'
        option src 'wan'
        option src_dport '47110'
        option dest_ip '10.0.0.1'
        option dest_port '47110'
        list proto 'udp'

config zone
        option name 'wg_clients'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg_proton_nl1'
        list network 'wg_airvpn_nl'
        list network 'wg_proton_nl2'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'wg_clients'

config rule
        option dest 'wg_clients'
        option name 'DNS Block Public wg_clients'
        option dest_port '53 853 5353'
        option target 'REJECT'
        option src 'lan'

config rule
        option dest 'wan'
        option name 'DNS Block Public wan'
        option dest_port '53 853 5353'
        option target 'REJECT'
        option src 'lan'

config rule
        option src 'guest'
        option name 'DHCP Allow guest'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'local_only'
        option name 'DHCP Allow local_only'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option name 'DNS Allow guest'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option src 'local_only'
        option name 'DNS Allow local_only'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'guest'
        option dest 'wg_clients'

config forwarding
        option src 'local_only'
        option dest 'lan'

config forwarding
        option src 'lan'
        option dest 'local_only'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'homeassistant'
        option src 'wan'
        option src_dport '8123-8124'
        option dest_ip '10.0.0.10'
        option dest_port '8123-8124'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'letsencrypt'
        option src 'wan'
        option src_dport '80'
        option dest_ip '10.0.0.10'
        option dest_port '80'
        option enabled '0'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Urbackup'
        option src 'wan'
        option src_dport '55413-55415'
        option dest_ip '10.0.0.100'
        option dest_port '55413-55415'
        list proto 'tcp'

config rule
        option src 'local_only'
        option dest 'wan'
        option name 'NTP esp05'
        list proto 'udp'
        list src_ip '10.0.40.35'
        option dest_port '123'
        option target 'ACCEPT'

config rule
        option src 'local_only'
        option dest 'wg_clients'
        option name 'NTP esp05'
        list proto 'udp'
        list src_ip '10.0.40.35'
        option dest_port '123'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option dest 'local_only'
        option name 'NTP esp05'
        list proto 'udp'
        list src_ip '10.0.40.35'
        option dest_port '123'
        option target 'ACCEPT'

config rule
        option src 'wg_clients'
        option dest 'local_only'
        option name 'NTP esp05'
        list proto 'udp'
        list src_ip '10.0.40.35'
        option dest_port '123'
        option target 'ACCEPT'

Adblock-fast

config adblock-fast 'config'
        option enabled '1'
        list allowed_domain 'cdn.jsdelivr.net'
        option allow_non_ascii '0'
        option canary_domains_icloud '0'
        option canary_domains_mozilla '0'
        option compressed_cache '0'
        option compressed_cache_dir '/etc'
        option config_update_enabled '0'
        option config_update_url 'https://cdn.jsdelivr.net/gh/openwrt/packages/net/adblock-fast/files/adblock-fast.config.update'
        option curl_max_file_size '30000000'
        option curl_retry '3'
        option debug_init_script '0'
        option debug_performance '0'
        option dns 'unbound.adb_list'
        list dnsmasq_instance '*'
        option download_timeout '10'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
        option parallel_downloads '1'
        option pause_timeout '20'
        option procd_trigger_wan6 '0'
        option procd_boot_wan_timeout '60'
        option verbosity '2'
        option heartbeat_domain 'heartbeat.melmac.ca'
        option heartbeat_sleep_timeout '10'
        option sanity_check '1'
        option update_config_sizes '1'
        option debug '0'
        list blocked_domain '9gag.com'
        list blocked_domain 'solar-inverter.com'
        list blocked_domain 'homewizard.com'

config file_url
        option name 'Hagezi - Pro'
        option url 'https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/pro.txt'
        option size '7223149'
        option action 'block'

<lots of other urls disabled>

Unbound
config unbound 'ub_main'
        option dhcp_link 'dnsmasq'
        option exclude_ipv6_ga '0'
        option dns64 '0'
        option domain 'x'
        option edns_size '1232'
        option extended_stats '0'
        option hide_binddata '1'
        option interface_auto '1'
        option listen_port '53'
        option localservice '0'
        option manual_conf '0'
        option num_threads '1'
        option protocol 'default'
        option rate_limit '0'
        option rebind_localhost '0'
        option rebind_protection '1'
        option recursion 'default'
        option resource 'default'
        option root_age '9'
        option ttl_min '120'
        option ttl_neg_max '1000'
        option unbound_control '1'
        option validator '1'
        option verbosity '1'
        option enabled '1'
        option validator_ntp '1'
        list iface_wan 'wan'
        list iface_wan 'wan6'
        list iface_trig 'lan'
        list iface_trig 'wan'

config zone 'auth_icann'
        option enabled '0'
        option fallback '1'
        option url_dir 'https://www.internic.net/domain/'
        option zone_type 'auth_zone'
        list server 'lax.xfr.dns.icann.org'
        list server 'iad.xfr.dns.icann.org'
        list zone_name '.'
        list zone_name 'arpa.'
        list zone_name 'in-addr.arpa.'
        list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
        option enabled '0'
        option fallback '1'
        option resolv_conf '1'
        option zone_type 'forward_zone'
        list zone_name 'isp-bill.example.com.'
        list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
        option enabled '0'
        option fallback '1'
        option tls_index 'dns.google'
        option tls_upstream '1'
        option zone_type 'forward_zone'
        list server '8.8.4.4'
        list server '8.8.8.8'
        list server '2001:4860:4860::8844'
        list server '2001:4860:4860::8888'
        list zone_name '.'

config zone 'fwd_cloudflare'
        option enabled '0'
        option fallback '1'
        option tls_index 'cloudflare-dns.com'
        option tls_upstream '1'
        option zone_type 'forward_zone'
        list server '1.1.1.1'
        list server '1.0.0.1'
        list server '2606:4700:4700::1111'
        list server '2606:4700:4700::1001'
        list zone_name '.'

PBR

config pbr 'config'
        option enabled '1'
        option verbosity '2'
        option strict_enforcement '1'
        option resolver_set 'dnsmasq.nftset'
        list resolver_instance '*'
        option ipv6_enabled '0'
        option rule_create_option 'add'
        option procd_boot_trigger_delay '5000'
        option procd_reload_delay '1'
        option webui_show_ignore_target '0'
        option nft_rule_counter '0'
        option nft_set_auto_merge '1'
        option nft_set_counter '0'
        option nft_set_flags_interval '1'
        option nft_set_flags_timeout '0'
        option nft_set_policy 'performance'
        list webui_supported_protocol 'all'
        list webui_supported_protocol 'tcp'
        list webui_supported_protocol 'udp'
        list webui_supported_protocol 'tcp udp'
        list webui_supported_protocol 'icmp'
        list supported_interface 'wg_proton_nl1'
        list supported_interface 'wg_airvpn_nl'
        list supported_interface 'wg_proton_nl2'
        list supported_interface 'guest'
        list supported_interface 'local'

config include
        option path '/usr/share/pbr/pbr.user.dnsprefetch'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.aws'
        option enabled '0'

config include
        option path '/usr/share/pbr/pbr.user.netflix'
        option enabled '0'

config dns_policy
        option name 'Redirect Local IP DNS'
        option src_addr '192.168.1.5'
        option dest_dns '1.1.1.1'
        option enabled '0'

config policy
        option name 'Ignore Local Requests'
        option interface 'ignore'
        option dest_addr '10.0.0.0/24 10.0.1.0/24 192.168.100.0/24 192.168.1.0/24'
        option enabled '0'

config policy
        option name 'Plex/Emby Local Server'
        option interface 'wan'
        option src_port '8096 8920 32400'
        option enabled '0'

config policy
        option name 'Plex/Emby Remote Servers'
        option interface 'wan'
        option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
        option enabled '0'

config policy
        option name 'Home Assistant'
        option src_addr '10.0.0.10'
        option interface 'wan'
        option src_port '8123-8124'

config policy
        option name 'Urbackup'
        option src_addr '10.0.0.100'
        option src_port '55413-55415'
        option interface 'wan'

config policy
        option name 'Let'\''s Encrypt'
        option src_addr '10.0.0.10'
        option src_port '80'
        option interface 'wan'
        option enabled '0'

config policy
        option enabled '0'
        option name 'x'
        option src_addr '10.0.0.100'
        option interface 'wan'

config policy
        option name 'Backblaze'
        option dest_addr '45.11.36.0/22 104.153.232.0/21 149.137.128.0/20 206.190.208.0/21 207.166.148.0/22'
        option interface 'wan6'
        option enabled '0'

config policy
        option name 'Backblaze'
        option dest_addr 'backblaze.com'
        option interface 'wan6'
        option enabled '0'

Again, thanks in advance if willing to check this config. Or for any tips VPN related.

Your NTP firewall rules aren't clear. What are you trying to accomplish?

Are those hijack/redirects?

Those NTP rules allow esp05 to synchronize the time from the internet, both through vpn or wan (whatever is applicable at the moment). This is because its NTP server is hardcoded, so I cannot change it, and it does not let you set the time yourself. It is a solar inverter logger somebody coded himself, and it really needs the time to know when the sun is above the horizon.

It's not pretty, that's true.

Normally you dnat iot dns and ntp to your router.


Not sure what you mean?

I don't need any internet on all those IoT / local devices. Only said hardcoded ntp, which I discovered a bit too late to be honest, so I just poke this little hole. Is there a better way to achieve this?

This should work against hardcoded DNS and if you add 123/udp also for ntp.
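The approach the two replies above describe, written out as uci commands against the posted firewall config. This is an added example, not code from the thread; it assumes the zone name local_only from the config above, unbound listening on port 53, and the router's own NTP server enabled (uci set system.ntp.enable_server='1'):

```shell
#!/bin/sh
# Added example, not code from the thread: every DNS (tcp/udp 53) and NTP
# (udp 123) packet that hosts in the given zone send to *any* address is
# DNAT'ed to the router itself, so a device with a hard-coded resolver or NTP
# server still ends up talking to unbound (53) and sysntpd (123) on the router.
# Assumptions: zone 'local_only' as in the posted firewall config, unbound on
# port 53, and the router's NTP server enabled with
#   uci set system.ntp.enable_server='1'
# Port 853 (DoT) and DoH are not caught by this; the posted config already
# rejects 53/853 from lan towards wan and wg_clients.

# add_hijack ZONE PROTO PORT NAME
# A redirect with target DNAT and no dest_ip is rendered by fw4 as an
# nftables 'redirect', i.e. the destination becomes the address of the
# interface the packet arrived on (the router's IP in that zone).
add_hijack() {
    zone=$1; proto=$2; port=$3; name=$4
    uci add firewall redirect >/dev/null
    uci set firewall.@redirect[-1].name="$name"
    uci set firewall.@redirect[-1].src="$zone"
    uci set firewall.@redirect[-1].proto="$proto"
    uci set firewall.@redirect[-1].src_dport="$port"
    uci set firewall.@redirect[-1].dest_port="$port"
    uci set firewall.@redirect[-1].target='DNAT'
}

# allow_input ZONE PROTO PORT NAME
# The zone's input policy is REJECT, so after the DNAT the packet still needs
# an input-accept rule (no 'dest' option = traffic to the router itself).
allow_input() {
    zone=$1; proto=$2; port=$3; name=$4
    uci add firewall rule >/dev/null
    uci set firewall.@rule[-1].name="$name"
    uci set firewall.@rule[-1].src="$zone"
    uci set firewall.@rule[-1].proto="$proto"
    uci set firewall.@rule[-1].dest_port="$port"
    uci set firewall.@rule[-1].target='ACCEPT'
}

# hijack_zone ZONE: adds the two redirects and the two matching input rules.
# The port 53 input rule duplicates the existing 'DNS Allow local_only' rule;
# that is harmless and keeps the function usable for other zones (e.g. guest).
hijack_zone() {
    add_hijack "$1" 'tcp udp' 53 "Hijack-DNS-$1"
    add_hijack "$1" udp 123 "Hijack-NTP-$1"
    allow_input "$1" 'tcp udp' 53 "Allow-DNS-$1"
    allow_input "$1" udp 123 "Allow-NTP-$1"
}

# Usage on the router:  sh hijack.sh local_only
if [ "$#" -gt 0 ]; then
    hijack_zone "$1"
    uci commit firewall
    /etc/init.d/firewall reload
fi
```

With the NTP redirect in place the four 'NTP esp05' rules that open local_only towards wan and wg_clients are no longer needed, since esp05 is answered by the router's own NTP server.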

I'll take a look into it, thanks.

No further comments on my configuration? Everything ok?

What could cause the slowing down of the VPN connection, or will it be most likely the VPN itself? I could test it with yet another paid VPN service, any recommendations for a service which are stable with long lasting connections are very welcome. I could automatically reset the connection every night, but preferably not during daytime.

Probably some external traffic management takes your VPN for torrent and brakes it down.

You mean the other side identifies I am using a VPN, and over time, gives me a slower version of their service right?

The way I measure it, besides just noticing it while browsing, is hourly speedtest in Home Assistant. Sure, it's not by any means accurate, but the difference between 250mbit and 30mbit is clear. There is no other traffic on the lan which can slow it down.

But then speedtest would slow me down, but after some hours would get me back up at full speed. And everything gets slow at the same time...

So I don't really think that's it actually.

I realize it's a vague problem, but not sure how I can make it any clearer. Some specific tests or logging? Or a good VPN provider?

No, your provider's traffic manager detects the connection as a torrent or something else to slow down.


VPN or ISP provider? Don't hesitate to be more verbose.

ISP won't slow me down in The Netherlands, and the problem still exists after changing ISP. VPN is paid, AirVPN, they also won't slow me down I don't believe.

(Your ISP shouldn't be able to decipher the internal tunnel traffic, so I surmise the VPN provider was the subject of the post.)
