Unable to (re-)connect VPN, and it keeps disconnecting

I have AdGuard Home enabled together with a WireGuard VPN (this also happens with OpenVPN) connected to ProtonVPN servers.

Without enabling the VPN on my router, I was able to establish a stable, continuous WireGuard VPN connection using the WireGuard macOS application on my MacBook Pro. <- This tells me that any issue I am encountering is 100% (or 99%) isolated from my ISP and ProtonVPN. The problem lies with my router.

Problem

  1. I am not able to get a consistent VPN connection. The WireGuard connection becomes extremely slow (connections time out) within an hour (sometimes within 2 minutes), and logs like the following start to appear in the System Log:

     Wed Sep 18 21:28:48 2024 daemon.err AdGuardHome[29439]: 2024/09/19 01:28:48.210210 [error] dnsproxy: upstream 9.9.9.9:53 failed to exchange ;index.docker.io. IN A in 20.002158682s: exchanging with 9.9.9.9:53 over udp: read udp 10.2.0.2:57992->9.9.9.9:53: i/o timeout
     Wed Sep 18 20:30:31 2024 daemon.err AdGuardHome[29439]: 2024/09/19 00:30:31.679653 [error] dnsproxy: 149.112.112.112:53: response received over udp: "exchanging with 149.112.112.112:53 over udp: read udp 10.2.0.2:55278->149.112.112.112:53: i/o timeout"

  2. Within 5 minutes of the first appearance of the logs, the VPN disconnects and starts leaking my real IP address. The VPN never re-connects (I gave it 30 min and it just doesn't re-connect).
  3. After the VPN disconnects, the error logs stop appearing, internet traffic (without VPN) resumes as normal, and AdGuard Home continues to process requests from my network clients.

My router:

Model GL Technologies, Inc. AX1800
Architecture ARMv7 Processor rev 4 (v7l)
Target Platform ipq807x/ipq60xx
Firmware Version OpenWrt 21.02-SNAPSHOT r16399+171-c67509efd7 / LuCI openwrt-22.03 branch git-21.284.67084-e4d24f0
Kernel Version 4.4.60
GL.iNet Firmware Version 4.6.2
GL.iNet Firmware Type release2

Settings:


# /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option ednspacket_max '1232'
	option localuse '0'
	option port '0'
#	option logqueries '1'
#	option localservice '0'
#	option noresolv '1'
#	list server '127.0.0.1#3053'
#	option rebind_protection '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	list dhcp_option '6,192.168.8.1'
	option force '1'
	list ra_flags 'none'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
	list ra_flags 'none'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# /etc/config/network

config interface 'wan'
	option device 'eth0'
	option ipv6 '0'
	option metric '10'
	option proto 'pppoe'
	option username '*****'
	option password '*****'
	option vlanid '0'
	option disabled '0'
	list dns '9.9.9.9'
	list dns '149.112.112.112'
	option peerdns '0'

# /etc/AdGuardHome/config.yaml ( head -n99 config.yaml)

http:
  pprof:
    port: 6060
    enabled: false
  address: 0.0.0.0:3000
  session_ttl: 720h
users: []
auth_attempts: 5
block_auth_min: 15
http_proxy: ""
language: ""
theme: auto
dns:
  bind_hosts:
    - 0.0.0.0
  port: 53
  anonymize_client_ip: false
  ratelimit: 0
  ratelimit_subnet_len_ipv4: 24
  ratelimit_subnet_len_ipv6: 56
  ratelimit_whitelist: []
  refuse_any: true
  upstream_dns:
    - https://dns10.quad9.net/dns-query
    - tls://dns10.quad9.net
  upstream_dns_file: ""
  bootstrap_dns:
    - 94.140.14.14
    - 94.140.15.15
    - 2a10:50c0::ad1:ff
    - 2a10:50c0::ad2:ff
    - 9.9.9.9
    - 149.112.112.112
    - 2620:fe::fe
    - 2620:fe::9
  fallback_dns:
    - https://dns.adguard-dns.com/dns-query
    - tls://dns.adguard-dns.com
    - 94.140.14.14
    - 94.140.15.15
    - 2a10:50c0::ad1:ff
    - 2a10:50c0::ad2:ff
    - 9.9.9.9
    - 149.112.112.112
    - 2620:fe::fe
    - 2620:fe::9

# /etc/init.d/adguardhome

    procd_set_param command /usr/bin/AdGuardHome --glinet --no-check-update -c /etc/AdGuardHome/config.yaml -w /etc/AdGuardHome #-l syslog

Please let me know what other config files I can provide.

Hi,

Are these two DNS IPs auto-obtained from the WAN, or manually configured in ADG?

list dns '9.9.9.9'
list dns '149.112.112.112'

Please share the syslog file with me via the PM

@bruce

Hi Bruce, I configured those via LuCI by unchecking "Use DNS servers advertised by peer" and adding 9.9.9.9 and 149.112.112.112 to "Use custom DNS servers".

@bruce

I've tried re-checking "Use DNS servers advertised by peer". The problem still persists.


I cannot for the love of god understand why this happens... The VPN now drops within 2 minutes of enabling it...

I was thinking of upgrading to Flint 2... Please fix it so that I can safely upgrade...

May I know if the router is on v4.6.4? Please export the syslog (covering the VPN client start and the loss of connection) and PM it to me.

Then, please try downgrading to the v4.6.2 firmware to see if the VPN works.

@bruce The router is on v4.6.2; it never received the v4.6.4 update.

We found ProtonVPN WireGuard TCP is more robust than UDP.
Is the "WireGuard macOS application" provided by ProtonVPN?

Some users report that their ISP does UDP filtering, which makes WireGuard UDP not work.


@hansome
By "WireGuard macOS application", I mean the official WireGuard client, not the one provided by ProtonVPN.

If UDP filtering is the issue, why doesn't my macOS client face the same issue? I really wish I could change my ISP, but I'm in no position to do that :frowning: At least not for 1.5 yrs...

Is there anything that I can do to fix this issue?

This did not happen until recently (I've been using the router for nearly 3 years, and ProtonVPN for more than 6 months). It has only happened since sometime after upgrading to v4.6.2. (I can't be 100% sure it's related to the upgrade because I don't monitor my router every day if I don't see service degradation.)

I've provided @bruce with the log export. Should I also share that with you?

Thanks a lot!

Thanks, bruce will add me to the session, we'll check further.

@hansome / @bruce
Update on the UDP suspicion:
Changing the DNS upstreams in AdGuard Home to TCP doesn't work:

Wed Sep 25 10:23:05 2024 daemon.err AdGuardHome[26492]: 2024/09/25 14:23:05.330912 [error] dnsproxy: upstream tcp://94.140.15.15:53 failed to exchange ;www.google.com.	IN	 A in 20.005928979s: exchanging with tcp://94.140.15.15:53 over tcp: read tcp 10.98.0.7:39616->94.140.15.15:53: i/o timeout
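
The three dnsproxy lines quoted in this thread (two UDP, one TCP) share one tail: `read <proto> <local ip>:<port>-><upstream>:53: i/o timeout`, and the local address is always a tunnel address (10.2.0.2 for WireGuard, 10.98.0.7 for OpenVPN). Below is a small triage script, added here as an example and not code from the thread, from GL.iNet or from AdGuard Home, that pulls those fields out of a syslog export and tells you whether every timeout left through the tunnel or whether the WAN path is implicated too. The sample log is constructed from the lines quoted above plus two made-up lines (one informational, one timeout sourced from 192.0.2.10, a documentation-range address); the default tunnel range 10.0.0.0/8 is an assumption based on the tunnel addresses seen in this thread, and the file path on the command line is whatever you saved the syslog export to.

```python
"""Triage AdGuard Home dnsproxy upstream timeouts from an OpenWrt syslog export."""
import ipaddress
import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three lines quoted in the thread, plus two made-up lines
# (an informational one, and a timeout sourced from 192.0.2.10, which is NOT a
# tunnel address) so the classifier has something to separate.
SAMPLE_LOG = """\
Wed Sep 18 21:28:48 2024 daemon.err AdGuardHome[29439]: 2024/09/19 01:28:48.210210 [error] dnsproxy: upstream 9.9.9.9:53 failed to exchange ;index.docker.io. IN A in 20.002158682s: exchanging with 9.9.9.9:53 over udp: read udp 10.2.0.2:57992->9.9.9.9:53: i/o timeout
Wed Sep 18 20:30:31 2024 daemon.err AdGuardHome[29439]: 2024/09/19 00:30:31.679653 [error] dnsproxy: 149.112.112.112:53: response received over udp: "exchanging with 149.112.112.112:53 over udp: read udp 10.2.0.2:55278->149.112.112.112:53: i/o timeout"
Wed Sep 25 10:23:05 2024 daemon.err AdGuardHome[26492]: 2024/09/25 14:23:05.330912 [error] dnsproxy: upstream tcp://94.140.15.15:53 failed to exchange ;www.google.com. IN A in 20.005928979s: exchanging with tcp://94.140.15.15:53 over tcp: read tcp 10.98.0.7:39616->94.140.15.15:53: i/o timeout
Wed Sep 25 10:24:00 2024 daemon.info AdGuardHome[26492]: 2024/09/25 14:24:00.000001 [info] dnsproxy: constructed informational line, not a timeout
Wed Sep 25 10:25:00 2024 daemon.err AdGuardHome[26492]: 2024/09/25 14:25:00.000002 [error] dnsproxy: upstream 9.9.9.9:53 failed to exchange ;example.com. IN A in 20.000000000s: exchanging with 9.9.9.9:53 over udp: read udp 192.0.2.10:40000->9.9.9.9:53: i/o timeout
"""

# Common tail of every dnsproxy timeout, whatever the transport or message shape.
TIMEOUT_RE = re.compile(
    r"read (?P<proto>udp|tcp) (?P<src>[0-9.]+):(?P<sport>\d+)"
    r"->(?P<dst>[0-9.]+):(?P<dport>\d+): i/o timeout"
)
# AdGuard Home's own timestamp (UTC in this thread; syslog's prefix is local time).
TS_RE = re.compile(r"AdGuardHome\[\d+\]: (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# Only the "failed to exchange ... in Ns:" shape carries how long dnsproxy waited.
DURATION_RE = re.compile(r" in (?P<secs>\d+(?:\.\d+)?)s:")


@dataclass
class UpstreamTimeout:
    ts: Optional[str]          # AdGuard Home timestamp, if present on the line
    proto: str                 # "udp" or "tcp"
    src_ip: str                # local address the query left from
    upstream: str              # "ip:port" of the upstream that did not answer
    seconds: Optional[float]   # wait before giving up, when the line says so


def parse_timeout(line: str) -> Optional[UpstreamTimeout]:
    """Return the parsed timeout, or None for any line that is not one."""
    m = TIMEOUT_RE.search(line)
    if not m:
        return None
    ts = TS_RE.search(line)
    dur = DURATION_RE.search(line)
    return UpstreamTimeout(
        ts=ts.group("ts") if ts else None,
        proto=m.group("proto"),
        src_ip=m.group("src"),
        upstream=f"{m.group('dst')}:{m.group('dport')}",
        seconds=float(dur.group("secs")) if dur else None,
    )


def classify_source(ip: str, tunnel_nets) -> str:
    """'tunnel' if the local address sits inside one of the VPN ranges, else 'other'."""
    addr = ipaddress.ip_address(ip)
    return "tunnel" if any(addr in net for net in tunnel_nets) else "other"


def summarize(log_text: str, tunnel_nets=("10.0.0.0/8",)) -> dict:
    # 10.0.0.0/8 is an assumption: both tunnel addresses seen in the thread are 10.x.
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    events = [e for e in map(parse_timeout, log_text.splitlines()) if e]
    return {
        "total": len(events),
        "by_source": dict(Counter(classify_source(e.src_ip, nets) for e in events)),
        "by_proto": dict(Counter(e.proto for e in events)),
        "by_upstream": dict(Counter(e.upstream for e in events)),
        "events": events,
    }


def tunnel_only(summary: dict) -> bool:
    """True when every timeout left via a tunnel address, i.e. these lines do not
    implicate the WAN path at all, only the VPN path the queries were sent down."""
    return summary["total"] > 0 and set(summary["by_source"]) == {"tunnel"}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    s = summarize(text)
    print(f"{s['total']} upstream timeouts")
    print("by source :", s["by_source"])
    print("by proto  :", s["by_proto"])
    print("by upstream:", s["by_upstream"])
    print("tunnel-only:", tunnel_only(s))
```

Run it against the exported syslog (`python3 triage.py syslog.txt`); with no argument it runs over the constructed sample. A tunnel-only result with both UDP and TCP upstreams timing out, as in this thread, says the upstream servers are unreachable through the tunnel rather than that a particular transport is being filtered, so switching DNS transport alone is not expected to help.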

I checked your log and found you're on firmware 4.6.2, and that you unchecked the "dns for vpn" port forward rule, but that won't cause a disconnection.

It's using TCP over UDP in this case, as the DNS traffic is sourced from the WireGuard interface.
I advise you to try using the ProtonVPN OpenVPN TCP profile. It should have better connectivity.

I switched to the ProtonVPN OpenVPN TCP profile, but have the same issue with DNS. The VPN connection is no more stable than WireGuard. The only difference is the ability to re-connect after maybe an hour, vs. never with WireGuard.

I guess it's related to AdGuard Home.
Will the connection keep working if you turn off AdGuard Home?
Could you share your ADG config file?

cat /etc/AdGuardHome/config.yaml

@bruce Same issue here on Flint with OpenVPN + AdGuard since I upgraded to 4.6.4, and also on 4.6.6:

It won't resolve the OpenVPN server name if AdGuard is enabled and you have enabled "block non-VPN traffic". It worked fine before 4.6.4. It also works fine on my Brume 2 with 4.6.6 and the same settings, except I use WG there, not OpenVPN.

You need to exclude AdGuard from "block non-VPN traffic"; it is a service of the router itself and also the main DNS resolver if you use it.

I have not changed anything on Adguard except add more servers:

tls://unfiltered.adguard-dns.com
tls://1.1.1.1:853
tls://1.0.0.1:853
tls://8.8.8.8
tls://8.8.4.4

Confirmed, DNS will fail when "block non-VPN traffic" is on and AdGuard Home is on.
But that's a different issue from the OP's; he's using firmware 4.6.2.


So will this get fixed in the next firmware? Obviously this is a no-go. The VPN won't ever connect, and AdGuard won't ever resolve this way, even though it is the router's main resolver.

I guess you need to either exclude the VPN server names for both OpenVPN and WG, so it can resolve its own VPN server names to initiate the connection, or make some other change for it.

The option to block non-VPN traffic is meant only for traffic coming from the clients of the router, not from the router itself.