WireGuard starts failing, anyone else with 3004.388.8_2?

[meruserasus]

For the last two weeks two different routers on 3004.388.8_2 have trouble with WireGuard and will stop working randomly, no idea why as different vpn settings too, turning it off solves issue as in internet works, but with WG sometimes it shows connected for vpn but nothing works, reboot doesn't always help either.

No issues in logs,

 

[muffintastic]

For the last two weeks two different routers on 3004.388.8_2 have trouble with WireGuard and will stop working randomly, no idea why as different vpn settings too, turning it off solves issue as in internet works, but with WG sometimes it shows connected for vpn but nothing works, reboot doesn't always help either.

No issues in logs,

Working fine on my RT-AX86U Pro, same FW version.

 

[ZebMcKayhan]

For the last two weeks two different routers on 3004.388.8_2 have trouble with WireGuard and will stop working randomly, no idea why as different vpn settings too, turning it off solves issue as in internet works, but with WG sometimes it shows connected for vpn but nothing works, reboot doesn't always help either.

No issues in logs,

working fine for me too, AX86U Pro, same firmware.

perhaps you should contact your VPN provider?

 

[bennor]

RT-AX86U Pro with 3004.388.8_2 here as well and haven't seen any issues with Wireguard not working either in Wireguard server mode or as Wireguard client (to ProtonVPN Free).

What or which VPN provider you are using/connecting to?

In addition to the other suggestion made to contact your VPN provider, also check the logs (if you can) of any upstream broadband provider equipment the Asus router is connected to see if there is an indication of an issue.

 

[user_20240830]

Mine RT-AX68U keeps rejecting configuration file with VPN provider support just referring towards strict policy from ISP. No support, no workaround, no connection. "Error - check configuration file" is the best I could get from it...

 

[meruserasus]

RT-AX86U Pro with 3004.388.8_2 here as well and haven't seen any issues with Wireguard not working either in Wireguard server mode or as Wireguard client (to ProtonVPN Free).

What or which VPN provider you are using/connecting to?

In addition to the other suggestion made to contact your VPN provider, also check the logs (if you can) of any upstream broadband provider equipment the Asus router is connected to see if there is an indication of an issue.

Proton but two different friends have same issue using different countries, etc, paid proton.

 

[muffintastic]

Proton but two different friends have same issue using different countries, etc, paid proton.

I'm on Proton VPN WG through Asus, works no issues.

 

[bennor]

Proton but two different friends have same issue using different countries, etc, paid proton.

If you haven't done so already, maybe try using different Proton VPN endpoint servers to see if that solves the issue. Could be the endpoint VPN servers are getting overloaded and booting some of their connections.

 

[user_20240830]

If you haven't done so already, maybe try using different Proton VPN endpoint servers to see if that solves the issue. Could be the endpoint VPN servers are getting overloaded and booting some of their connections.

Done that multiple times. No result.

 

[user_20240830]

RT-AX86U Pro with 3004.388.8_2 here as well and haven't seen any issues with Wireguard not working either in Wireguard server mode or as Wireguard client (to ProtonVPN Free).

What or which VPN provider you are using/connecting to?

In addition to the other suggestion made to contact your VPN provider, also check the logs (if you can) of any upstream broadband provider equipment the Asus router is connected to see if there is an indication of an issue.

Got never ending "TLS handshake error" with log like this:https://paste.debian.net/1335006/

 

[bennor]

Got never ending "TLS handshake error" with log like this:https://paste.debian.net/1335006/

@user_20240830, Are you using OpenVPN or WireGuard? This discussion is about WireGuard. It appears your log indicates OpenVPN. For example the very first line of the log you posted:
Oct 28 13:10:00 openvpn: Resetting VPN client 5 to default settings

PS: Just did a quick setup of the free ProtonVPN OpenVPN cert on a RT-AX86U Pro running 3004.388.8_2. Followed most of the steps in the ProtonVPN OpenVPN Asus-Merlin guide. Connection successfully made and network client can access internet through tunnel. One thing I did have to do was change Redirect Internet traffic through tunnel option to VPN Director (Policy Rules) and setup a VPN Director rule for my client to access the internet. Couldn't access the internet otherwise. The killswitch thing when I stop the OpenVPN tunnel is a bit goofy but that's a separate issue.

 

[user_20240830]

@user_20240830, Are you using OpenVPN or WireGuard? This discussion is about WireGuard. It appears your log indicates OpenVPN. For example the very first line of the log you posted:
Oct 28 13:10:00 openvpn: Resetting VPN client 5 to default settings

PS: Just did a quick setup of the free ProtonVPN OpenVPN cert on a RT-AX86U Pro running 3004.388.8_2. Followed most of the steps in the ProtonVPN OpenVPN Asus-Merlin guide. Connection successfully made and network client can access internet through tunnel. One thing I did have to do was change Redirect Internet traffic through tunnel option to VPN Director (Policy Rules) and setup a VPN Director rule for my client to access the internet. Couldn't access the internet otherwise. The killswitch thing when I stop the OpenVPN tunnel is a bit goofy but that's a separate issue.

Did both settings for OpenVPN and for WireGuard according to the same link. No result. Could only receive message from web-interface: " Error. Check configuration" .
My settings for WireGuard are:

Spoiler

VPN - WireGuard Client

Select client instance -> WG_US#180 - servname
...
Enable WireGuard -> Yes
Enable NAT -> Yes
Inbound Firewall -> Block
Killswitch -> No

Interface
Private Key -> KeyValue
MTU (Optional) ->
Address -> 10.2.0.2/32
DNS Server (Optional) -> 10.2.0.1

Peer
Server Public Key -> SPKValue
Preshared Key (Optional) ->
Allowed IPs -> 0.0.0.0/0
Endpoint Address ; Port -> 146.70.202.162 ; 51820
Persistent Keepalive -> 25

Whenever I hit "Apply" - got back "Stopped".

Same reply relates OpenVPN settings both UDP and TCP.
I did try to change "Redirect Internet traffic through tunnel" for OpenVPN with no success.
Tried to play with "Accept DNS Configuration" settings.
Got only "Error. Check configuration" message,
System log portion of these are given here:

Spoiler

Nov 10 15:31:06 ovpn-client2[8464]: OpenVPN 2.6.12 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Nov 10 15:31:06 ovpn-client2[8464]: library versions: OpenSSL 1.1.1w 11 Sep 2023, LZO 2.08
Nov 10 15:31:06 ovpn-client2[8465]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 10 15:31:06 ovpn-client2[8465]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.202.178:4569
Nov 10 15:31:06 ovpn-client2[8465]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Nov 10 15:31:06 ovpn-client2[8465]: UDPv4 link local: (not bound)
Nov 10 15:31:06 ovpn-client2[8465]: UDPv4 link remote: [AF_INET]146.70.202.178:4569
Nov 10 15:31:06 ovpn-client2[8465]: TLS: Initial packet from [AF_INET]146.70.202.178:4569, sid=[sidValue]
Nov 10 15:31:06 ovpn-client2[8465]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 10 15:32:06 ovpn-client2[8465]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 10 15:32:06 ovpn-client2[8465]: TLS Error: TLS handshake failed
Nov 10 15:32:06 ovpn-client2[8465]: SIGUSR1[soft,tls-error] received, process restarting
Nov 10 15:32:06 ovpn-client2[8465]: Restart pause, 1 second(s)
Nov 10 15:32:07 ovpn-client2[8465]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 10 15:32:07 ovpn-client2[8465]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.202.178:4569
Nov 10 15:32:07 ovpn-client2[8465]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Nov 10 15:32:07 ovpn-client2[8465]: UDPv4 link local: (not bound)
Nov 10 15:32:07 ovpn-client2[8465]: UDPv4 link remote: [AF_INET]146.70.202.178:4569
Nov 10 15:32:07 ovpn-client2[8465]: TLS: Initial packet from [AF_INET]146.70.202.178:4569, sid=[sidValue]
Nov 10 15:33:07 ovpn-client2[8465]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 10 15:33:07 ovpn-client2[8465]: TLS Error: TLS handshake failed
Nov 10 15:33:07 ovpn-client2[8465]: SIGUSR1[soft,tls-error] received, process restarting
Nov 10 15:33:07 ovpn-client2[8465]: Restart pause, 1 second(s)
Nov 10 15:33:08 ovpn-client2[8465]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 10 15:33:08 ovpn-client2[8465]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.202.178:4569
Nov 10 15:33:08 ovpn-client2[8465]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Nov 10 15:33:08 ovpn-client2[8465]: UDPv4 link local: (not bound)
Nov 10 15:33:08 ovpn-client2[8465]: UDPv4 link remote: [AF_INET]146.70.202.178:4569
Nov 10 15:33:08 ovpn-client2[8465]: TLS: Initial packet from [AF_INET]146.70.202.178:4569, sid=c83963e5 dfa866cf
Nov 10 15:34:08 ovpn-client2[8465]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 10 15:34:08 ovpn-client2[8465]: TLS Error: TLS handshake failed
Nov 10 15:34:08 ovpn-client2[8465]: SIGUSR1[soft,tls-error] received, process restarting
Nov 10 15:34:08 ovpn-client2[8465]: Restart pause, 1 second(s)
Nov 10 15:34:09 ovpn-client2[8465]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 10 15:34:09 ovpn-client2[8465]: TCP/UDP: Preserving recently used remote address: [AF_INET]146.70.202.178:4569
Nov 10 15:34:09 ovpn-client2[8465]: Socket Buffers: R=[524288->524288] S=[524288->524288]
Nov 10 15:34:09 ovpn-client2[8465]: UDPv4 link local: (not bound)
Nov 10 15:34:09 ovpn-client2[8465]: UDPv4 link remote: [AF_INET]146.70.202.178:4569
Nov 10 15:34:09 ovpn-client2[8465]: TLS: Initial packet from [AF_INET]146.70.202.178:4569, sid=[sidValue]
Nov 10 15:34:13 rc_service: httpds 1119:notify_rc stop_vpnclient2;start_vpnrouting2
Nov 10 15:34:13 ovpn-client2[8465]: event_wait : Interrupted system call (fd=-1,code=4)
Nov 10 15:34:13 ovpn-client2[8465]: SIGTERM[hard,] received, process exiting
Nov 10 15:34:13 openvpn-routing: Clearing routing table for VPN client 2
Nov 10 15:40:40 acsd: acs_set_chspec: 0x1008 (8) for reason APCS_CSTIMER
Nov 10 15:57:27 rc_service: httpds 1119:notify_rc restart_wgc
Nov 10 15:57:27 kernel: wireguard: WireGuard 1.0.20220627 loaded. See www.wireguard.com for information.
Nov 10 15:57:27 kernel: wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
Nov 10 15:57:27 WireGuard: Starting client 3.
Nov 10 15:57:27 dnsmasq[22986]: read /etc/hosts - 22 names
Nov 10 15:57:27 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:57:27 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:57:27 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:57:27 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:57:45 rc_service: httpds 1119:notify_rc restart_wgc
Nov 10 15:57:45 dnsmasq[22986]: read /etc/hosts - 22 names
Nov 10 15:57:45 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:57:45 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:57:45 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:57:45 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:57:45 lldpd[1183]: removal request for address of 10.2.0.2%29, but no knowledge of it
Nov 10 15:57:45 WireGuard: Stopping client 3.
Nov 10 15:57:46 WireGuard: Starting client 3.
Nov 10 15:57:46 dnsmasq[22986]: read /etc/hosts - 22 names
Nov 10 15:57:46 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:57:46 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:57:46 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:57:46 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:58:17 rc_service: httpds 1119:notify_rc restart_vpnrouting0
Nov 10 15:58:46 rc_service: httpds 1119:notify_rc restart_wgc
Nov 10 15:58:46 dnsmasq[22986]: read /etc/hosts - 22 names
Nov 10 15:58:46 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:58:46 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:58:46 dnsmasq[22986]: using nameserver [myISP_DNS]#53
Nov 10 15:58:46 dnsmasq[22986]: using nameserver 8.8.4.4#53
Nov 10 15:58:46 lldpd[1183]: removal request for address of 10.2.0.2%30, but no knowledge of it
Nov 10 15:58:46 WireGuard: Stopping client 3.
Nov 10 16:01:03 hostapd: eth6: STA e0:76:d0:50:18:13 WPA: group key handshake completed (RSN)
Nov 10 16:01:03 hostapd: eth5: STA d4:38:9c:01:6c:78 WPA: group key handshake completed (RSN)
Nov 10 16:01:03 hostapd: eth6: STA 3a:9f:d4:76:07:a1 WPA: group key handshake completed (RSN)
Nov 10 16:01:03 hostapd: eth6: STA 2c:d0:66:55:36:30 WPA: group key handshake completed (RSN)

 

[bennor]

@user_20240830, who is your ISP? Is it possible they may be interfering with VPN usage?
Can you use, or have you used, a computer based VPN program/software? If so does it connect without an error or issue?

 

[user_20240830]

@user_20240830, who is your ISP? Is it possible they may be interfering with VPN usage?
Can you use, or have you used, a computer based VPN program/software? If so does it connect without an error or issue?

That's who. It is not only possible but straight follows from their policy, against my contract rules, law and common sense. But neither me nor anybody else in this country can do shirt about it. Most surprising portion is Android based mobile and TV are connecting with no issue. But they use other type of connection protocol which is missing from ProtonVPN 'router' and 'Linux' versions. Proton support refers to my ISP and totally ignores my tickets and complains sending me to "future versions of ProtonVPN for Linux"...

 

[Old Fart]

Hang on. The OP has never indicated what router he is dealing with. Then @user_ chimed in indicating he has an AX68U. Now you guys with AX86U's are chiming in.
Let's compare apples with apples.
FYI: I am having the same issue with my GT-AX11000-PRO. It says that WireGuard is connected but I cannot go anywhere.

 

[user_20240830]

Hang on. The OP has never indicated what router he is dealing with. Then @user_ chimed in indicating he has an AX68U. Now you guys with AX86U's are chiming in.
Let's compare apples with apples.
FYI: I am having the same issue with my GT-AX11000-PRO. It says that WireGuard is connected but I cannot go anywhere.

Don't you think it is related to WireGuard or ISP issues and has nothing to do with hardware?

 

[bennor]

Hang on. The OP has never indicated what router he is dealing with. Then @user_ chimed in indicating he has an AX68U. Now you guys with AX86U's are chiming in.
Let's compare apples with apples.
FYI: I am having the same issue with my GT-AX11000-PRO. It says that WireGuard is connected but I cannot go anywhere.

Cannot compare apples to apples when people don't post their router when seeking help. The fact that you now post you are having issues on the GT-AX11000 PRO would seem to track with others who have different routers. That it likely isn't related to a specific router or hardware, rather an issue with either the WireGuard (or OpenVPN) settings on the router, or a problem with the VPN endpoint/provider, or a problem with the ISP. So more questions are asked. Datapoints indicating others, even using different routers, are not having issues with said VPN provider is useful.

 

[Old Fart]

After I bought the 11000-PRO I put Merlin on it and the Wireguard worked fine. Since then I have updated it with newer Merlin firmware and now it connects but access to the net fails. Draw your own conclusion.

 

[meruserasus]

If you haven't done so already, maybe try using different Proton VPN endpoint servers to see if that solves the issue. Could be the endpoint VPN servers are getting overloaded and booting some of their connections.

Tried, same issue, sadly, no idea why, just stiwched to openpvn

Hang on. The OP has never indicated what router he is dealing with. Then @user_ chimed in indicating he has an AX68U. Now you guys with AX86U's are chiming in.
Let's compare apples with apples.
FYI: I am having the same issue with my GT-AX11000-PRO. It says that WireGuard is connected but I cannot go anywhere.

I'm on RT-AX86U Pro

 

[bennor]

After I bought the 11000-PRO I put Merlin on it and the Wireguard worked fine. Since then I have updated it with newer Merlin firmware and now it connects but access to the net fails. Draw your own conclusion.

When using the latest or later Asus-Merlin firmware. Have you setup a VPN Director rule to route the client network traffic to the VPN?