Flint 2 - Firmware 4.7.7 - Wireguard packet loss (Mullvad and ProtonVPN)

I tested the new firmware 4.7.7 and I'm getting some massive packet loss (>90%) after being connected to a Mullvad Wireguard server (manual configuration). I also measured the packet loss via the router's SSH console.

Reconnecting solves the problem for around 2-5 min only for it to start again. I tried also different MTUs (e.g. 1380, 1412, 1420 without success).

Downgrading to 4.5.8 solves the problem immediately.

Do you have similar problems with your Wireguard VPN connection, especially to Mullvad DE servers?

Having issues with their German servers for the past month and a half, switched to Swiss ones (40x group) and no issues.

2 Likes

And you didn't report it to them? What did they say?

Hello,

  1. May I confirm that when testing WG Mullvad VPN on v4.5.8 and v4.7.7, you used the same VPN profile?

  2. If you test the WG client with another VPN provider, does the issue reproduce?

Nope, I didn't report it, as I saw on their servers page that there were issues with some German servers, so I thought it's more of a location issue that they are aware of.

For some reason the local dnsmasq DNS server (127.0.0.1) does not accept requests from loopback anymore, which means opkg update fails when Wireguard is active.

This happens when 127.0.0.1 is set as DNS in /etc/resolv.conf in the router.

I also set the DNS config to ignore resolv.conf to prevent DNS leaks (which never caused a problem so far).

This can be tested with the following command in OpenWrt:

nslookup google.com 127.0.0.1

On 4.5.8 it responds to DNS requests.

At the beginning the LED of the Flint 2 was blinking around every 2-3 minutes for around 30 seconds, indicating that there was no connection, therefore the wireguard connection was interrupted several times (problem with the WAN port or related to the DNS server on localhost not responding?).

I also tested the wireguard connection with Proton VPN and had the same problem.

The only firewall change I made was removing WAN from the LAN -> WAN/wgclient zone, to make sure that there really is no WAN traffic over LAN. I did this with many OpenWRT (also 4.5.8) installations in the past without problems.

I also had two crashes without anything in the crashlogs.

Was something changed about the firewall rules in 4.7.7? I noticed there is some port forwarding for DNS.

Edit2:

Could it be that Flint 2 is dropping pings? While a ping is showing me some massive packet loss I can use the internet fine.

Edit3:

I did some further testing.

Either I have some massive ping loss (99% according to MTR) but surfing via the VPN is fine

or I have some massive ping loss AND surfing via the VPN leads to a timeout, also no more DNS resolving is possible.

After a wireguard reconnection the line is stable for around 2 mins until it causes the mentioned symptoms again. Both via Mullvad and ProtonVPN.

When I disable the WG VPN everything is working fine.

The screenshot shows the situation where no more surfing is possible.

Via Fiber:

I even tested the same constellation via my DSL backup line, which uses a different ISP. It produces the same symptoms.

Via DSL:

Here are some pings over DSL when there is packet loss according to MTR but the connection is working fine:

The good news:

With 4.8.0 I do not have connection problems to websites. The general packet loss seems to be a ProtonVPN problem but does not influence the connectivity. I will redo the test with another VPN.

1 Like
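
The posts above describe three distinct symptom patterns: ping loss with working browsing, ping loss with browsing and DNS both failing, and the router's loopback resolver not answering. The following script is an added example, not part of the thread or of the firmware, that separates them on the router's shell; the 50% threshold, the ping target, and the `PING_TARGET`/`HTTP_TARGET` variables are assumptions.

```shell
#!/bin/sh
# Added example: triage for the symptom patterns reported in this thread.
# The 50% threshold and the probe targets are assumptions, not thread values.

# Pull the loss percentage out of a ping summary line. BusyBox and iputils
# both print "... N% packet loss"; iputils may print a fraction (33.3333%).
ping_loss() {
    printf '%s\n' "$1" |
        sed -n 's/.*[ ,]\([0-9][0-9]*\)\(\.[0-9]*\)\{0,1\}% packet loss.*/\1/p' |
        head -n 1
}

# classify LOSS DNS_OK TCP_OK   (*_OK: 1 = probe succeeded, 0 = probe failed)
classify() {
    loss=$1 dns_ok=$2 tcp_ok=$3
    if [ -z "$loss" ]; then echo "no-ping-data"; return; fi
    if [ "$tcp_ok" -eq 1 ] && [ "$dns_ok" -eq 0 ]; then
        echo "loopback-dns-failure"   # tunnel passes traffic, 127.0.0.1 is silent
    elif [ "$tcp_ok" -eq 1 ] && [ "$loss" -ge 50 ]; then
        echo "icmp-loss-only"         # pings dropped, browsing unaffected
    elif [ "$tcp_ok" -eq 0 ] && [ "$loss" -ge 50 ]; then
        echo "tunnel-outage"          # pings and browsing both fail
    elif [ "$tcp_ok" -eq 0 ]; then
        echo "tcp-failure"
    else
        echo "healthy"
    fi
}

# Run the probes on the router. HTTP_TARGET must be an IP-literal URL you
# choose, so the HTTP check does not depend on the resolver being tested.
probe_live() {
    : "${HTTP_TARGET:?set HTTP_TARGET to an IP-literal URL}"
    out=$(ping -c 10 "${PING_TARGET:-1.1.1.1}" 2>&1)
    if nslookup google.com 127.0.0.1 >/dev/null 2>&1; then dns=1; else dns=0; fi
    if wget -q -T 5 -O /dev/null "$HTTP_TARGET"; then tcp=1; else tcp=0; fi
    classify "$(ping_loss "$out")" "$dns" "$tcp"
}

if [ "${1:-}" = "live" ]; then probe_live; fi
```

Run it with the argument `live` once while the tunnel is freshly connected and again when the symptoms return, and compare the two results.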