Wireguard VPN intermittent loss of connectivity with websites

I'm going crazy. Direct internet works like a charm.
WireGuard (Proton) VPN has random drops when trying to reach websites, but those drops are not seen in a ping -t. I'm running Windows here, just so you know I cannot run Linux commands.

The exact symptoms: Browsing any website may (or may not) result in infinite loading time. Completely random. Reloading sometimes makes the page show up, but sometimes it needs 2, 3, 4 reloads (I think this is because it needs time, for something I don't know, rather than because of forcing many reloads with F5 or Ctrl+F5).

  • It's not my browsers, as they work with direct internet; also the same happens on another machine on the LAN with WireGuard.

  • All my traffic goes through vpn.

  • Using Cloudflare DNS or Proton internal DNS is the same.

  • Updated the router's OpenWrt to the latest stable version.

  • I have PBR installed but it's not configured to be used on this PC (just to give info here).

  • Played with the MTU to see if it makes any change, but negative (tried higher and lower).

  • MSS clamping is enabled for all zones.

Let me know which commands you need me to run to give you better info.


        "kernel": "5.15.137",
        "hostname": "ROUTER",
        "system": "ARMv8 Processor rev 4",
        "model": "Linksys E8450 (UBI)",
        "board_name": "linksys,e8450-ubi",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "mediatek/mt7622",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
root@ROUTER:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd57:02ca:f7c0::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.200.1'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option type 'bridge'
        option metric '3'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'none'
        option reqprefix 'auto'
        option metric '20'
        option disabled '1'

config interface 'IoT'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.0'
        option device 'wl0-ap1'
        option delegate '0'
        option type 'bridge'
        option metric '800'

config device
        option name 'lan3'

config interface 'AR17'
        option proto 'wireguard'
        option private_key [redacted]
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'
        option metric '1'

config interface 'AR19'
        option proto 'wireguard'
        option private_key [redacted]
        list addresses '10.2.0.2/32'
        option peerdns '0'
        list dns '10.2.0.1'
        option auto '0'
        option metric '1'
        option mtu '1420'
        option delegate '0'



config wireguard_AR19
        option description 'AR-19-AR-19.conf'
        option public_key [redacted]
        list allowed_ips '0.0.0.0/0'
        option endpoint_host '66.90.72.170'
        option endpoint_port '51820'
        option route_allowed_ips '1'

config device
        option name 'AR19'
        option mtu '1420'
        option ipv6 '0'

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option sequential_ip '1'
        option noresolv '1'
        option localuse '1'
        option boguspriv '0'
        option cachesize '0'
        list server '10.2.0.1'
        list server '1.1.1.1'

config dhcp 'lan'
        option interface 'lan'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '3'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option peerdns '0'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'PCDESKTOP'
        option dns '1'
        option mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.200.3'

config domain
        option name 'PCDESKTOP'
        option ip '192.168.200.3'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'lan'
        option mtu_fix '1'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        option mtu_fix '1'
        option masq '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow - WireGuard'
        list proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'WOL'
        list proto 'udp'
        option src 'lan'
        option src_dport '9'
        option dest_ip '192.168.200.255'
        option dest_port '9'

config forwarding
        option src 'wan'
        option dest 'lan'

config zone
        option name 'VPN'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'AR17'
        list network 'AR19'

config forwarding
        option src 'lan'
        option dest 'VPN'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
        option src 'VPN'
        option dest 'lan'

I suspect that the issue might be related to dns.

Try deleting the above from your dnsmasq config.

There may be other issues, too, but I think dns could be the main one.

If the DNS change above doesn't help, the other problem might be MTU. Set it to 1320 and see if that helps.

Hello! Thanks both for the help; I tried both before opening this thread but I'm going to give it another shot.

@psherman: I wasn't using those Proton DNS servers when the issues arose; I configured them thinking I had, as you say, DNS problems. I was using both Cloudflare and Quad9 DNS servers. Truth is, Proton DNS works as well as Cloudflare for me now.

@qunvureze: I've already tried a lower MTU, even 1300 and 1200, as extreme as these may sound, just to see if anything changes, but I got worse problems; it seems fragmentation made it worse somehow.

UPDATE: I've deleted the "list dns" entries as psherman said and I'm going to test it for a while to see if the random problem happens again. I'm confused about something: which DNS servers have the higher priority in OpenWrt? Since we have many places to configure them; in this case I have "DNS forwardings" in the "DHCP and DNS" menu (LuCI) set to 10.2.0.1 (Proton DNS) and 1.1.1.1 as secondary, while I also had (before taking psherman's advice) individual DNS servers set per interface (each WireGuard interface comes with the default Proton DNS configured).

PS: I have 1.1.1.1 as secondary only because I needed to use direct internet, I will probably remove it once I sort this issue out.

It seems that the issue was DNS after all. So far I haven't experienced the loss of connectivity with websites that I was having.

@psherman, can you clarify for me how the "double" DNS settings in OpenWrt work? (interface individual DNS and the DNS forwardings menu)

I'm going to mark this as solved; luckily this time I won't reopen it.

Thanks for your help

Regarding DNS -- read up on the way that dnsmasq handles multiple DNS servers (read the dnsmasq upstream documentation). In OpenWrt specifically, I don't recall if there are options that are only available at compile time, or if all options can be implemented within the config file. But in short, dnsmasq can operate in a few different modes:

  • send to only one DNS server normally; subsequent DNS servers only used as failovers
  • send to all; use the fastest response
  • And I think it also has a round-robin mode, possibly with weightings.

https://openwrt.org/docs/guide-user/base-system/dhcp.dnsmasq

I'm not actually an expert in the details of dnsmasq, but you might find this interesting:
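As an added example (not from the thread, OpenWrt or dnsmasq themselves): a small Python script that parses UCI-style config text and works out which upstream servers dnsmasq will actually use, and in which of the modes listed above, using excerpts constructed from this thread's own config. It assumes OpenWrt's mapping of noresolv, strictorder and allservers to dnsmasq's --no-resolv, --strict-order and --all-servers, and that interface "list dns" entries only reach dnsmasq through the auto-generated resolv file.

```python
import re

# Constructed excerpts of /etc/config/dhcp and /etc/config/network from the thread above.
DHCP_CFG = """config dnsmasq
        option noresolv '1'
        list server '10.2.0.1'
        list server '1.1.1.1'
"""
NETWORK_CFG = """config interface 'wan'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '9.9.9.9'
config interface 'AR17'
        option peerdns '0'
        list dns '10.2.0.1'
config interface 'AR19'
        option auto '0'
        list dns '10.2.0.1'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, section_name, {key: [values]}), ...]."""
    sections = []
    for line in text.splitlines():
        words = [w.strip("'") for w in re.findall(r"'[^']*'|\S+", line)]
        if words and words[0] == "config":
            sections.append((words[1], words[2] if len(words) > 2 else None, {}))
        elif words and words[0] in ("option", "list") and sections:
            sections[-1][2].setdefault(words[1], []).append(words[2])
    return sections

def effective_upstreams(dhcp_text, network_text):
    """Return (mode description, ordered upstream list) as dnsmasq would see them."""
    dnsmasq = next(opts for typ, _, opts in parse_uci(dhcp_text) if typ == "dnsmasq")
    servers = list(dnsmasq.get("server", []))
    # Interface 'list dns' entries reach dnsmasq only via resolv.conf.auto written by netifd;
    # noresolv '1' maps to --no-resolv, so they are ignored and only 'list server' counts.
    if dnsmasq.get("noresolv", ["0"])[0] != "1":
        for typ, _, opts in parse_uci(network_text):
            if typ == "interface" and opts.get("auto", ["1"])[0] != "0" and opts.get("disabled", ["0"])[0] != "1":
                servers += [d for d in opts.get("dns", []) if d not in servers]
    if dnsmasq.get("allservers", ["0"])[0] == "1":
        mode = "all-servers: every upstream is queried, first reply wins"
    elif dnsmasq.get("strictorder", ["0"])[0] == "1":
        mode = "strict-order: upstreams tried in listed order, next only after failure"
    else:
        mode = "default: one upstream at a time, preferring whichever has answered fastest"
    return mode, servers

if __name__ == "__main__":
    print(effective_upstreams(DHCP_CFG, NETWORK_CFG))
```

With the thread's noresolv '1', the per-interface Proton and Quad9 entries never reach dnsmasq at all; flip it to '0' and the script shows 9.9.9.9 joining the pool, while the down interface AR19 (auto '0') still contributes nothing.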

Sorry... here again. Same problem again. It seems it's not the DNS after all, and that it worked temporarily for other reasons. Websites freeze at load randomly. Tried Proton DNS, Cloudflare and Quad9; each one as the only one at a time, and all configured at the same time (failover).

Any other troubleshooting you have in mind?
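As an added example that is not part of the thread: a Python script (it runs on Windows too) that times name resolution, TCP connect and TLS handshake separately against a couple of sites, because a plain ping only exercises small packets and cannot tell a DNS stall from a path-MTU black hole inside the tunnel. The host list and the 192.0.2.1 address used in the checks are constructed choices.

```python
import socket
import ssl
import time

# Added diagnostic (not from the thread). Each attempt is split into the stages a browser
# goes through, so a stalled page load can be blamed on the right one:
#   dns - resolution through the router's dnsmasq
#   tcp - SYN/SYN-ACK, small packets (all a plain ping proves as well)
#   tls - handshake; the certificate chain arrives in full-size packets, so a broken path
#         MTU inside the WireGuard tunnel tends to fail here while dns and tcp look fine

def resolve_ipv4(host):
    return socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]

def tcp_connect(ip, port, timeout):
    return socket.create_connection((ip, port), timeout=timeout)

def tls_handshake(sock, host):
    ssl.create_default_context().wrap_socket(sock, server_hostname=host).close()

def probe(host, port=443, timeout=5.0, resolve=resolve_ipv4, connect=tcp_connect, handshake=tls_handshake):
    """Return (failed stage or 'ok', {stage: seconds}); stage functions are injectable."""
    times, t = {}, time.monotonic()
    try:
        ip = resolve(host)
        times["dns"], t = round(time.monotonic() - t, 3), time.monotonic()
        sock = connect(ip, port, timeout)
        times["tcp"], t = round(time.monotonic() - t, 3), time.monotonic()
        handshake(sock, host)
        times["tls"] = round(time.monotonic() - t, 3)
    except OSError:  # gaierror, timeout, ConnectionError and ssl.SSLError are all OSError
        return ("dns", "tcp", "tls")[len(times)], times
    return "ok", times

def summarize(results):
    """Count per host how often each stage failed."""
    out = {}
    for host, stage, _ in results:
        out.setdefault(host, {"ok": 0, "dns": 0, "tcp": 0, "tls": 0})[stage] += 1
    return out

if __name__ == "__main__":
    hosts, results = ["www.openwrt.org", "1.1.1.1"], []   # pick any sites you browse to
    for _ in range(20):                                    # ~2 minutes with the sleep below
        for h in hosts:
            stage, times = probe(h)
            results.append((h, stage, times))
            print(time.strftime("%H:%M:%S"), h, stage, times)
        time.sleep(5)
    print(summarize(results))
```

A run with repeated tls failures while dns and tcp stay clean points at MTU/fragmentation on the VPN path rather than at DNS; repeated dns failures with the other stages clean point the other way.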