NordVPN Wireguard Config Issues - AsusMerlin 3006.102.5

ganjah

New Around Here
I'm having issues with the NordVPN WireGuard setup in Asus Merlin 3006.102.5 on my Asus GT-AX11000 Pro and I posted about it in the main FW thread, then was asked by @MDM and @bennor to make a new thread with settings since it's likely a config issue. Sorry it took so long to get back to you guys - I went on a two-week holiday right after my last post and just got back this week.

Summary - after a factory reset, I change six things from factory default - radio names/pw, admin login l/p, internal IP address (192.168.1.1), DNS servers (Cloudflare 1.1.1.1 and 1.0.0.1), create a VPN Director rule to allow WG for all devices, upload the Nord WG config file to my router, set the WireGuard client to kill switch and then click Enable WG Client. Every time, WG works great for some period of time (from minutes to as much as 24 hrs) and then dies and won't let me connect to the internet, not even after changing to OVPN, without a reboot. Rinse, repeat. OVPN works flawlessly by itself, though, but is limited to about 200 Mbps and I have 500/500 fiber, which is why I want to use WG.

This has been bothering me for weeks and I could use your help.

I've attached an example of one of my Nord server WG configs with private key redacted, a pic of the WG settings in the Merlin fw with private key redacted, and a recent log after performing the steps above and then rebooting and enabling WG until it dies. I'm not using DDNS and have only made the changes noted above from a fresh factory reset. I'm not the most savvy networking guy, but I can learn, so with a little patient help I can provide any details you need.

Thank you!
 


How did you make these VPNDirector rules? Could you provide a picture on the VPNDirector page?
For both OVPN or WG, on the web interface at 192.168.1.1:8443/Advanced_VPNDirector.asp, I click the Add new rule + symbol at the bottom and add a rule that looks like this for each interface and server:

[screenshot attachment: a single VPN Director rule]


Then I enable the client, click Apply at the bottom, and that's it. My current VPN Director page looks like this:

[screenshot attachment: the VPN Director page]


I've tried various combos of OVPN and WG rules with single IPs enabled and all IPs enabled (which is preferred), as well as setting up a single WG rule and no OVPN, but still have the same issue. I'm open to suggestions if there's a better way of doing the rules.
 
Perhaps give VPNMON-R3 a try? It might be able to help diagnose when these issues are happening, and perhaps give you some more feedback on what the problem might be? At least it will attempt to keep your connections going hopefully without the need for a reboot?
 
This may or may not be part of your issue, but I wouldn't recommend making blank rules like this, especially not in combination with the kill switch.

Set Local IP to your LAN subnet (192.168.50.0/24) at least. Right now your router itself is over the VPN, and if the VPN tunnel itself tries to go over the VPN it will fail, much like what you see.
Adding the kill switch may make this worse, rendering the router itself unable to do anything if the VPN fails, not even resolving a new endpoint IP, etc.

You should probably also create a rule to keep the router LAN IP (192.168.50.1/32) on WAN to ensure you always have access to the router GUI if the VPN fails.
 
Thanks, Viktor. I saw your suggestion in the release thread and I plan to do that immediately after getting a handle on my current setup and an expert's inspection of my logs to determine if there's a broader issue. VPNMON looks like a fairly steep learning curve, but, once I know there's nothing wrong with my hardware or setup and I'm not some weird outlier, I'll spend the time to install and implement it.

Set Local IP to your LAN subnet (192.168.50.0/24) at least. Right now your router itself is over the VPN, and if the VPN tunnel itself tries to go over the VPN it will fail, much like what you see.

I appreciate the suggestions. Before I attempt them, could you speculate why, in your hypothetical, this doesn't impact OVPN? It's unclear to me why one interface would be impacted by those rules and the other wouldn't. OVPN is 100% rock solid with these settings and I'm curious about your rationale for the recommendation.
 
Before I attempt them, could you speculate why, in your hypothetical, this doesn't impact OVPN?
OpenVPN and WireGuard are two different things. For example, the WireGuard endpoint could change during runtime. If this happens to you: the firmware has special routes to ensure traffic to the WG endpoint is kept over WAN, but if the endpoint changes, this will be switched to the VPN and your connection will fail.
Not sure how OpenVPN works in this regard.

I'm not saying this is your issue but it certainly makes your connection prone to fail during situations like this.
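As an added example (not code from anyone in this thread, and not part of Asuswrt-Merlin), here is a small POSIX sh check for the failure mode the two replies above describe: the route to the WireGuard peer endpoint has to leave via the WAN interface, and if it ends up pointing at the tunnel interface itself the handshake can never reach the peer. It pulls the endpoint host out of a wg-quick style config and classifies the egress device of an `ip route get` line. The interface names (eth0 for WAN, wgc1 for the first WireGuard client) and the sample config and route lines are assumptions constructed for the example; on a real router you would feed it your own config and the live `ip route get` output.

```shell
#!/bin/sh
# Added example for this thread; not code from the forum posts or from
# Asuswrt-Merlin. It checks the failure mode described above: the route to the
# WireGuard peer endpoint has to leave via the WAN interface. If the routing
# table sends it into the tunnel interface instead, handshakes can never reach
# the peer and the client stalls until something restores the WAN route.
# Assumptions: WAN interface eth0 and first WireGuard client interface wgc1
# (names differ per model; check with `ip route` on your router).

# Print the host part of the first "Endpoint = host:port" line read on stdin.
# The greedy match keeps bracketed IPv6 endpoints ("[2001:db8::1]") intact.
wg_endpoint_host() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*\(.*\):[0-9][0-9]*[[:space:]]*$/\1/p' | head -n 1
}

# Print the egress device named in one line of `ip route get <host>` output.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Classify where the endpoint route leaves:
#   prints "wan"    (exit 0) when the device is the WAN interface,
#   prints "tunnel" (exit 1) when it is the WireGuard interface, i.e. the loop,
#   prints "other"  (exit 2) for anything else.
# Arguments: <ip route get line> <wan ifname> <wg ifname>
endpoint_route_state() {
    _dev=$(route_dev "$1")
    if [ "$_dev" = "$2" ]; then
        echo wan; return 0
    elif [ "$_dev" = "$3" ]; then
        echo tunnel; return 1
    else
        echo other; return 2
    fi
}

# Constructed sample config (keys redacted, documentation-range addresses).
WG_CONF='[Interface]
PrivateKey = REDACTED
Address = 10.5.0.2/32

[Peer]
PublicKey = REDACTED
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25'

ENDPOINT=$(printf '%s\n' "$WG_CONF" | wg_endpoint_host)

# On the router the real input is:  ip route get "$ENDPOINT"
# Two constructed outputs stand in for a healthy table and a looped one.
ROUTE_OK="203.0.113.10 via 198.51.100.1 dev eth0 src 198.51.100.7 uid 0"
ROUTE_LOOP="203.0.113.10 dev wgc1 src 10.5.0.2 uid 0"

echo "endpoint: $ENDPOINT"
echo "healthy table -> $(endpoint_route_state "$ROUTE_OK" eth0 wgc1)"
echo "looped table  -> $(endpoint_route_state "$ROUTE_LOOP" eth0 wgc1)"
```

On the router itself you would run `ip route get "$(wg_endpoint_host < /path/to/your.conf)"` in the SSH shell while the tunnel is up and again after it has died; a result of "tunnel" at that point is the loop described above, and a changed endpoint address in the config versus the running tunnel is the other thing worth comparing before rebooting.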
 
