Wireguard ethernet connection problems

Hello. I have the following setup:

All my household devices are connected via Wi-Fi to the main router (TP-Link C6 v2), while my laptop is connected via ethernet cable to the same router. I have no problems with this setup while my second router (TP-Link C6 v3, OpenWrt + WireGuard) is turned off. Most of the time I keep the OpenWrt router turned off; I only turn it on when I need to use the WireGuard tunnel to access my home network from outside the household.

The problem is:
Whenever I turn on the second router for WireGuard (everything is working flawlessly in this regard), my laptop, which is connected to the first router via ethernet/Wi-Fi, loses its connection from time to time (about every 10 minutes). It fixes itself if I unplug the ethernet cable for 5 seconds and plug it back in, or reconnect to the Wi-Fi. This doesn't happen with my other household devices like phones or the Chromecast.

What is happening, and what can I do?

More about the settings I did in this setup here: https://forum.openwrt.org/t/wireguard-server-on-dumb-ap-tp-link-c6-v3/157451

Verify that the dumb AP is not running a DHCP service.
Verify that there are no duplicate IP addresses on the network.


Let's see the final config of your OpenWrt router...

Please copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/network
# NOTE(review): /etc/config/network of the second (OpenWrt) router, as posted.
# The device runs as a LAN client of the main router: br-lan holds a static
# 192.168.0.2 with 192.168.0.1 as gateway and DNS, and the wan/wan6
# interfaces are not started (auto '0'), so it has no upstream of its own.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'
        option packet_steering '1'

# eth0 and the four LAN ports are bridged into br-lan; the physical 'wan'
# port is not a bridge member.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# LAN-side identity on the main router's subnet.  This address must stay
# outside the main router's DHCP pool (the thread asks to rule out duplicate
# addresses).  ip6assign '60' also puts a ULA-derived prefix on br-lan.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

# Both upstream interfaces are deliberately left down (auto '0').
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option auto '0'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

# WireGuard listening ("server") side: UDP 1234, tunnel address 10.14.0.1/24.
# This is the only section in the file that needs a private_key.
config interface 'wg0'
        option proto 'wireguard'
        option listen_port '1234'
        list addresses '10.14.0.1/24'
        option private_key 'REDACTED'

# Peer sections.  Each peer is pinned to a single /32 in allowed_ips, so no
# peer can claim another peer's tunnel address.  For a listening peer the
# endpoint_host/endpoint_port/persistent_keepalive lines are not needed (the
# thread's fix is to remove them), and 'private_key' is not a peer option at
# all: a peer's private key should exist only on that peer's own device and
# never be copied to the server.
config wireguard_wg0
        option description 'PHONE'
        list allowed_ips '10.14.0.3/32'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option preshared_key 'REDACTED'
        option endpoint_host 'my DDNS'
        option endpoint_port '1234'

config wireguard_wg0
        option description 'pc'
        option preshared_key 'REDACTED'
        list allowed_ips '10.14.0.4/32'
        option route_allowed_ips '1'
        # NOTE(review): the closing quote on the next line is missing as
        # pasted; confirm the real file parses (e.g. `uci show network`).
        option endpoint_host 'my DDNS
        option endpoint_port '1234'
        option persistent_keepalive '25'
        option public_key 'REDACTED'
        option private_key 'REDACTED'

config wireguard_wg0
        option description 'chromecast'
        option public_key 'REDACTED'
        option private_key 'REDACTED'
        option preshared_key 'REDACTED'
        list allowed_ips '10.14.0.5/32'
        option route_allowed_ips '1'
        option endpoint_host 'my DDNS'
        option endpoint_port '1234'
        option persistent_keepalive '25'

cat /etc/config/wireless

# NOTE(review): /etc/config/wireless as posted.  Both radios are disabled
# (disabled '1'), so the wifi-iface sections below are inert.  They still
# carry the stock 'OpenWrt' SSID with encryption 'none' and are attached to
# 'lan': if either radio is ever enabled as-is, it becomes an open access
# point bridged straight into the household LAN.  Set an encryption mode
# (or delete the wifi-iface sections) before turning a radio on.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

cat /etc/config/dhcp
# NOTE(review): /etc/config/dhcp as posted.  dnsmasq keeps the stock
# hardening (rebind_protection, boguspriv, localservice) and the 'lan'
# DHCP pool is ignored, so this device hands out no IPv4 leases on the
# household LAN -- this answers the "dumb AP must not run DHCP" check
# raised earlier in the thread.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

# ignore '1' disables the IPv4 DHCP server on lan; the start/limit/leasetime
# values are leftovers and have no effect while ignore is set.  No 'ra' or
# 'dhcpv6' option is present here, so odhcpd should not be advertising on
# lan either -- confirm on a LAN client if IPv6 oddities appear.
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

cat /etc/config/firewall
# NOTE(review): /etc/config/firewall as posted.  Three zones matter:
#  - lan  (br-lan, the household subnet): input ACCEPT, masq '1'
#  - wan  (wan/wan6, both left down in /etc/config/network): inert for now
#  - vpn  (wg0): input ACCEPT, forwarded to lan only
# masq on the lan zone is what makes every WireGuard peer appear to the main
# router as 192.168.0.2, as explained later in the thread.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# masq '1' here NATs traffic leaving via br-lan (including the peers' traffic
# routed in from wg0) behind 192.168.0.2.  input ACCEPT is also what lets the
# wg0 listener on UDP 1234 be reached from the LAN side; presumably the main
# router forwards that port to 192.168.0.2 (not shown on this page).
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

# Stock wan zone and its Allow-* rules.  With wan/wan6 at auto '0' nothing
# matches these today; they become live only if the wan interfaces are ever
# brought up.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# 'SOME IP' below is the poster's redaction of the stock src_ip value; the
# real file should carry the link-local source range the default rule uses.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'SOME IP'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# vpn zone: input ACCEPT means every WireGuard peer can reach the router's
# own services (SSH, LuCI, DNS) as well as the LAN.  That is convenient for
# a single-owner setup; if any peer is less trusted than the administrator,
# consider input REJECT here plus explicit rules for what peers may reach.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wg0'

# Peers may initiate connections into lan.  There is no lan -> vpn
# forwarding, so LAN hosts cannot initiate to peers; only replies flow back.
config forwarding
        option src 'vpn'
        option dest 'lan'

Remove the above lines from all of the wireguard peers.

Reboot the device and try again.


Ok, I removed these. I will test for a couple of days and report the result. I assumed these settings needed to be there because I have a dynamic IP. The connection from my phone seems to work even with them removed from OpenWrt (the config file on my phone was not changed).

They are not necessary for the “server” peer, since it is listening for inbound connections. It is possible this was causing traffic issues.

Yo, if the WireGuard server receives a handshake from the client, and then the client reboots, if there's no RTC clock battery, it will have a different system time.

WireGuard is expecting the new handshake timestamp to be after the last successful handshake; if OpenWrt boots and uses the last-modified file as its time, then its clock will be minutes, hours, or days behind.

When a WireGuard interface is restarted, there's no last handshake to compare against, so it accepts any timestamp.
There's a WireGuard watchdog script which will reset any peers after a specified timeout, so they're always ready to accept a new handshake if disconnected for more than, say, 5 minutes.

This could be why reconnecting the ethernet helps, because that also resets the WireGuard peers.


While your statement about the requirement for accurate time is correct, it would not explain the OP's described issue, where a computer (not connected to WireGuard) loses connectivity when the WG router is plugged into the main network.


Another question based on my setup: if I enable the hardware offloading setting to try and get better speeds over WireGuard, will this have an effect on my current setup? (Should I leave them off — software/hardware — or try to enable them?)

No, HW offloading will not affect your upstream network.

I don't know if it will help, hurt, or be neutral in terms of WG performance. You can try it -- it shouldn't cause any problems (other than potentially slower speeds if it does indeed degrade performance).

It seems that I'm still losing access to the internet from time to time (about every 1-2 hours). I noticed this when doing heavy-connection tasks like playing games via streaming on GeForce Now. The same fix works: removing the ethernet cable from my laptop and plugging it back in.

Can you draw a picture of your network topology, including where the laptop connects into your system? A photo of a sketch on paper is sufficient.

Also, have you attempted to replicate the problem with the WG router unplugged?

Sure.

The problem doesn't happen at all when the WG router is not plugged into its power supply.

I also think the problem happens more frequently when there are WireGuard clients connected to the server.

I cannot see any network based reason why the laptop would be affected by the presence of the WG router.

There is one possible scenario, though -- you could have a marginal power supply on the first router (the C6 v2) which could cause brownouts in the device which would have the potential to hang the ethernet port. This would be triggered by events that require more electrical power such as high-bandwidth downloads, but may only be tipped over the edge when there is an additional ethernet port in use with a reasonable amount of traffic flowing through it.

So... check your power adapter -- are you using a 12V DC @ 1.0A power adapter on that device (that's the spec from the website). Do you have another one available (12V @ 1A or greater)? You could try swapping the power supplies between the two Archer C6 devices.

Both power adapters are rated 12V @ 1A. I will try to swap them; maybe the one on the main router is faulty.

I thought the problem could stem from the fact that in my WG client setup I use the DNS address of my ISP, the same one the main router (C6 v2) uses, instead of a public one like Cloudflare (1.1.1.1). But this might have nothing to do with it?

The WG router is acting in the capacity of a LAN client to your main router. The routed clients (i.e. WG peers) are masqueraded as a function of the lan firewall zone on the WG router. This means that the main router isn't aware of anything happening on the WG router except for general traffic that is in transit... in other words, all traffic simply goes to, or comes from, 192.168.0.2 -- it doesn't know anything more about the nature of that traffic or that there are WG peers routed through it.