I set up the VPN using the WireGuard protocol, and it works great. However, I'm facing a significant issue: whenever I disconnect my router from the power outlet, the connection breaks. When I plug the router back in, I lose internet access completely. The only way to regain my connection is by deleting the WireGuard interface and the custom DNS server from the WAN and adjusting the firewall settings. After that, I have to go through the hassle of reconfiguring my VPN all over again. I live in an area with unstable power, often only having electricity for a few hours each day, which results in frequent power outages. It's incredibly frustrating to have to set up my VPN connection repeatedly each time this happens. How can I resolve this problem?
My first thought is that you are using a custom, non-public DNS server.
If the router reboots, you first need DNS to get the correct time and to set up the tunnel, but to get DNS you need the tunnel, so you end up in a catch-22 situation.
But let's see your configs.
Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
ip route show
ip rule show
wg show
root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Mi Router 4A Gigabit Edition",
	"board_name": "xiaomi,mi-router-4a-gigabit",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf0:b41a:88a1::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '10.100.0.1'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'DallasVPN'
	option proto 'wireguard'
	option private_key 'censor'
	list addresses 'censor'

config wireguard_DallasVPN
	option description 'Main Peer'
	option public_key 'censor'
	option private_key 'censor'
	option preshared_key 'censor'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option route_allowed_ips '1'
	option endpoint_host 'censor'
	option endpoint_port '253'
	option persistent_keepalive '25'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'DallasVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'DallasVPN'

config forwarding
	option src 'lan'
	option dest 'DallasVPN'
root@OpenWrt:~# ip route show
default dev DallasVPN scope link
95.158.16.0/24 dev wan scope link src censor
censor via 95.158.16.1 dev wan
censor dev br-lan scope link src 192.168.1.1
root@OpenWrt:~# ip rule show
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@OpenWrt:~# wg show
interface: DallasVPN
  public key: censor
  private key: (hidden)
  listening port: 52278

peer: censor
  preshared key: (hidden)
  endpoint: censor:253
  allowed ips: 0.0.0.0/0, ::/0
  latest handshake: 17 seconds ago
  transfer: 3.41 GiB received, 210.80 MiB sent
  persistent keepalive: every 25 seconds
10.100.0.1 seems to be your only DNS server, and that is probably only available after the tunnel is up; to get the tunnel up you need DNS first.
As a test, also add 9.9.9.9 as a DNS server on the WAN and reboot the router to see if that solves your problem.
I'm also going to guess that there could be a clock/time issue. If the WG tunnel attempts to start before NTP sync is complete, the time on the router will be incorrect and the tunnel will fail to come up, creating a chicken-or-egg situation.
Yeah, it solved my problem. After I changed the DNS from 10.110.0.1 to 1.1.1.1, the problem was gone. Thanks.
Great to hear you solved it.
As you are routing everything via the VPN, your DNS will also be routed via the VPN, and 9.9.9.9 is reasonably trustworthy, so I would just leave it at that.
If you really want to use 10.100.0.1 as your only DNS server, you can set this DNS address on the WG interface (but leave 9.9.9.9 on the WAN) and then use a hotplug script which switches to 10.100.0.1 as the only DNS server after the WG interface is up.
See: https://github.com/egc112/OpenWRT-egc-add-on/tree/main/stop-dns-leak/use-wireguard-dns
As I understand it, with public DNS and a WireGuard VPN I will never leak my real DNS, I mean the DNS of my ISP. Right?
Exactly, so you should be good as it is.
Check the time/date immediately after the reboot and when you are unable to reach the internet.
date
I'm able to reach the internet immediately after reboot.
Based on the config, you send all traffic via the WireGuard tunnel.
Therefore, if you are able to reach the internet, it means that the tunnel has not attempted to start at all. This is different than the tunnel not working.
If the tunnel starts but doesn't work properly (for example, as a result of an incorrect system clock), you will not get internet at all.
Can you please describe the specific situation with the tunnel "breaking" after reboot? Is it not starting, or does your internet not work? Or some other situation?
Yes.
I set up a kill switch.
Every time I click the "Reboot" button in the "System" section, my router restarts, and afterward, I have internet access and my VPN functions properly. However, whenever I unplug the router from the outlet and plug it back in, I lose internet access until I reconfigure the VPN again.
This is the condition I am referring to... I believe that your VPN is not starting properly because of a time issue.
Unplug your device and leave it unplugged for a minute or two. Then plug it back in again and if the problem presents, at that moment provide the output of:
date
Yeah... the clock is wrong, as I predicted.
- Before unplugging:
November 11, 2024 14:21:55 UTC
- After unplugging:
November 11, 2024 13:47:43 UTC
As you can see, the clock in this case shows about 34 minutes behind the previous time, and when you account for the 7 minutes that it was unplugged, it's probably about 41 minutes behind the correct time.
So... like I said, it's a time issue. Basically, the tunnel starts on the local side before NTP sync occurs. But the tunnel cannot be fully established because the time is wrong (all modern VPNs use time as part of the cryptographic process to prevent 'replay attacks'). This means that there is no internet access available because the tunnel isn't actually up, but the local OpenWrt routes are trying to push all traffic through the tunnel.
The system cannot get an NTP sync because the there is no internet access. There is no internet access because the traffic is being sent through a tunnel that hasn't been completed. The tunnel isn't actually up because the time is wrong. Now, you can see the chicken-or-egg situation.
This thread (and several like it) describes some modifications that can be made to the startup process to ensure NTP sync occurs before the WG tunnel attempts to start, and then starts it after the clock has been correctly set.
Also, moving forward... please do not post screenshots.
Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.
Please edit your post accordingly. Thank you!
There are 60 posts. Can you find the specific post with the instructions for me?
In /etc/config/system, specify at least one of the NTP servers by numeric IP instead of a DNS name. In /etc/config/network, install a host route (/32 or /128) to the NTP server via wan.
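The boot-order fix this thread converges on (NTP server given by numeric IP, a host route to it via the WAN, a public resolver on the WAN, and the tunnel started only after the clock is synced), as an added example; it is not part of the original thread and not OpenWrt's own code. The reason a wrong clock blocks the handshake: a WireGuard handshake initiation carries a TAI64N timestamp, and the responder drops any initiation whose timestamp is not newer than the last one it accepted from that peer, so a router that boots 41 minutes behind its pre-outage clock is ignored until it has been re-synced (or until its clock catches up on its own). The script below is one file serving two purposes: run by hand with the argument `configure` it applies the uci changes; installed as /etc/hotplug.d/ntp/50-wg-after-ntp it is run by sysntpd with ACTION=stratum on sync and brings the tunnel up. The interface names DallasVPN and wan come from the posted config; 162.159.200.1 (time.cloudflare.com at the time of writing) and 9.9.9.9 are assumptions, substitute servers you trust; the hook directory and the ACTION values are OpenWrt's ntp hotplug convention.

```shell
#!/bin/sh
# Added example for this thread; not the OP's config and not OpenWrt code.
# Purpose: stop the WireGuard interface from racing NTP at boot on a router
# without a battery-backed clock. Assumed names/addresses (change to taste):
#   WG_IFACE=DallasVPN, WAN_IFACE=wan   (from the posted /etc/config/network)
#   NTP_IP=162.159.200.1                (time.cloudflare.com; verify before use)
#   WAN_DNS=9.9.9.9                     (public resolver reachable without the tunnel)
# Install as /etc/hotplug.d/ntp/50-wg-after-ntp; sysntpd runs every file in that
# directory with ACTION=stratum once the clock is synced, ACTION=periodic/unsync later.

WG_IFACE="${WG_IFACE:-DallasVPN}"
WAN_IFACE="${WAN_IFACE:-wan}"
NTP_IP="${NTP_IP:-162.159.200.1}"
WAN_DNS="${WAN_DNS:-9.9.9.9}"
# /tmp is tmpfs on OpenWrt, so the stamp disappears on every reboot or power cut
STAMP="/tmp/.${WG_IFACE}.started-after-ntp"

# is_ipv4_literal HOST: succeed only for a dotted quad, i.e. an NTP server that
# sysntpd can reach before any resolver (or the tunnel) is available.
is_ipv4_literal() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    rest="$1."
    while [ -n "$rest" ]; do
        octet="${rest%%.*}"; rest="${rest#*.}"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# decide_action ACTION STAMP_EXISTS: prints "ifup" or "noop". Pure, so the
# boot-order logic can be tested off-router. The tunnel is started exactly once,
# on the first stratum event after boot; later re-syncs or a lost sync leave an
# established tunnel alone (its next handshake simply carries a newer timestamp).
decide_action() {
    case "$1" in
        stratum) if [ "$2" = "1" ]; then echo noop; else echo ifup; fi ;;
        *)       echo noop ;;
    esac
}

# configure_router: one-off uci changes, run by hand on the router:
#   sh /etc/hotplug.d/ntp/50-wg-after-ntp configure
configure_router() {
    is_ipv4_literal "$NTP_IP" || { echo "NTP_IP must be a numeric IPv4 address" >&2; return 1; }
    # 1. NTP server by IP, so sysntpd can sync with no working DNS
    uci -q delete system.ntp.server
    uci add_list system.ntp.server="$NTP_IP"
    uci set system.ntp.enabled='1'
    # 2. /32 host route to it via the WAN, so the packet is not swallowed by
    #    'default dev DallasVPN'; with no gateway given, netifd uses the WAN's DHCP gateway
    uci -q delete network.ntp_via_wan
    uci set network.ntp_via_wan='route'
    uci set network.ntp_via_wan.interface="$WAN_IFACE"
    uci set network.ntp_via_wan.target="$NTP_IP/32"
    # 3. public resolver on the WAN: endpoint_host must resolve while the tunnel is down
    uci set "network.$WAN_IFACE.peerdns=0"
    uci -q delete "network.$WAN_IFACE.dns"
    uci add_list "network.$WAN_IFACE.dns=$WAN_DNS"
    # 4. do not start the tunnel at boot; the hook below starts it after sync
    uci set "network.$WG_IFACE.auto=0"
    uci commit system && uci commit network
    /etc/init.d/sysntpd restart
    /etc/init.d/network reload
}

# Entry point. Nothing below runs off-router (no ACTION, no 'configure' argument).
case "${1:-}" in
    configure) configure_router ;;
esac
if [ -n "${ACTION:-}" ] && command -v ifup >/dev/null 2>&1; then
    stamp=0
    if [ -e "$STAMP" ]; then stamp=1; fi
    if [ "$(decide_action "$ACTION" "$stamp")" = ifup ]; then
        logger -t wg-after-ntp "clock synced at $(date), starting $WG_IFACE"
        touch "$STAMP"
        ifup "$WG_IFACE"
    fi
fi
```

Because everything OpenWrt-specific sits behind the ACTION and `configure` guards, the two pure functions can be exercised in any POSIX shell before the file is copied to the router; after a power cut, `logread | grep wg-after-ntp` shows the moment the tunnel was started and the clock it was started with.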