Clients on split tunnel have connection problems between ~6:00pm-11:30pm on Merlin 384.19 AC68U

[alwaysCurious]

This problem is leaving me both intrigued and frustrated. I recently started with a new budget ISP. It seems to throttle/shape traffic during the evenings (approximately 6:00-11:30 daily). During this time, a 480p (sometimes even 360p) YouTube video buffers frequently, but with a VPN (NordVPN) connection, 1080p 2x speed plays flawlessly. I thought of setting up an OpenVPN connection on my router (AC68U running Merlin 384.19) as a single point of configuration to allow all devices to bypass the slowdown.

I have a split tunnel, with most devices directed through the VPN, but my gaming PC and media devices going through WAN. My VPN connection is fine in the morning and afternoon. In the evening, every 30-60 minutes, new connections (e.g., to load/reload a webpage) on VPN devices timeout. Pining VPN and DNS IP addresses from the VPN devices also timeout. WAN devices are not negatively affected at all. Interestinly, a video call on a VPN device continued uninterrupted, but I could not load any webpages. Despite this, the router reports that the VPN is connected, and the logs do not report any consistent issues. ("Recursive routing detected" entries only appeared before one occurrence.)

I have tried multiple VPN servers, TCP/UDP, ISP/VPN/Google/CloudFlare DNSes, and Yes/No for "Block routed clients if tunnel goes down". This is my first time setting up a VPN, so I am eager to learn why this isn't working. I would appreciate any suggestions or recommendations for general settings, policy rules, or custom configration options. TIA

UPDATE: I just noticed this in the logs.

Aug 21 10:52:53 dnsmasq[224]: using nameserver 208.67.222.220#53
Aug 21 10:52:53 dnsmasq[224]: using nameserver 206.248.154.22#53
Aug 21 10:52:53 dnsmasq[224]: using nameserver 8.8.8.8#53
Aug 21 10:52:53 dnsmasq[224]: using nameserver 1.1.1.1#53

The first two DNS server entries are from my last ISP configuration. They are not in the WebUI. I've tried editing /etc/resolv.conf and /tmp/resolv.conf and /tmp/resolv.dnsmasq, but they keep being overwritten. Short of a factory reset, how would I delete these entries? Are they related to my VPN issue?

 

[ColinTaylor]

What DNS settings do you have on the router's WAN page?

 

[alwaysCurious]

I have the Google and CloudFlare DNSes.

 

[ColinTaylor]

Maybe something got left over from before the upgrade. Try changing the DNS back to connecting automatically and checking the dnsmasq settings again.

Your log file isn't particularly useful as it doesn't contain much other than openvpn entries.

 

[alwaysCurious]

Thank you for the suggestion. After changing the DNS back to auto, the two old DNS entries are still there. I'm not really concerned about them, unless they are related to the VPN issue.

 

[ColinTaylor]

Thank you for the suggestion. After changing the DNS back to auto, the two old DNS entries are still there. I'm not really concerned about them, unless they are related to the VPN issue.

Well in your VPN configuration you have told it to not use NordVPN's DNS servers so it will ultimately use those set on the WAN page. I note that the first DNS entry is that of OpenDNS and the second is owned by TekSavvy and is not publicly reachable. So I'm just wondering whether the DNS issue is indicative of a larger problem. The VPN code was largely rewritten for 384.19. It's possible there are some bugs in it.

On the other hand is it simply an ISP issue? You say that during the time period you experience problems that you cannot stream 360p video. If your ISP's service is truly so bad that they have to throttle that much maybe they just can't provide a consistent connection to you?

 

[alwaysCurious]

I also had the problem with 384.16, so if it is a firmware bug, it is likely not a new one. If I have time over the weekend, I might just reset the router and reconfigure from scratch. Before that, I'd like to try other, less extreme possible solutions.

It could be an ISP issue. I'm at a loss as to what would cause a VPN device to timeout on new connections, but continue a video chat without a hiccup?

 

[alwaysCurious]

After resetting the router and re-entering all the necessary settings, I haven't (yet) experienced a drop. It was likely a conflict with a previous setting (perhaps the old DNS entries).

Update: Going through all the settings reminded me of how awesome Asuswrt-Merlin is. I just made my second donation to the project. If you are in the position to donate, please do so.