Wireguard errors (inconsistent)

[yochaigal]

Hello!

I've been using VPN Client for years with OpenVPN on my Pixel 7. Recently I switched over to Wireguard (connecting to a Ubiquiti UXG Lite firewall). It works just fine most of the time, but I experience the following behavior at random times:

• I'm at home, using home wifi (no VPN is in use)

• I go somewhere else (VPN connects to mobile network, works fine)

• I arrive at my destination (VPN disconnects from mobile network, VPN connects to wifi, stops working)

• I turn VPN off and on again (VPN works)

This happens at many different places, and I think even happens on mobile occasionally. The Log shows "write link error: Network is unreachable" over and over again until I turn the VPN off.

This never happened using my OpenVPN connection! Unfortunately it is unpredictable; I can't quite figure out what situation is triggering this behavior.

Here is my log:

Code: Select all

2025-01-22 15:58:04 VpnClientPro-google-api27-release-1.01.97 (30010197)
2025-01-22 15:58:04 Connecting request by auto connect (Mobile)
2025-01-22 15:58:07 OpenSSL 3.0.15 3 Sep 2024
2025-01-22 15:58:07 Add peer[MY IP]:51821
2025-01-22 15:58:07   -> 192.168.3.1/32
2025-01-22 15:58:07   -> 192.168.3.2/32
2025-01-22 15:58:07 Exclude nic wlan1 local subnet 10.42.1.0/24
2025-01-22 15:58:07 WARNING: nic v4-rmnet16 subnet 192.0.0.4/32 is not excluded because is not in RFC-1918
2025-01-22 15:58:07   -> 0.0.0.0/0
2025-01-22 15:58:07 Add peer [MY IP]:51821
2025-01-22 15:58:07   -> 192.168.3.1/32
2025-01-22 15:58:07   -> 192.168.3.2/32
2025-01-22 15:58:07   -> 0.0.0.0/0
2025-01-22 15:58:08 Send handshake (1) to [MY IP]
2025-01-22 15:58:08 Handshake with [MY IP] completed
2025-01-22 15:58:08 Connected
2025-01-22 16:04:42 Connectivity change detected: WiFi - RVCGuest
2025-01-22 16:04:42 write link error: Network is unreachable
2025-01-22 16:04:42 write link error: Network is unreachable
2025-01-22 16:04:47 write link error: Network is unreachable
2025-01-22 16:04:47 write link error: Network is unreachable
2025-01-22 16:04:47 write link error: Network is unreachable
2025-01-22 16:04:47 write link error: Network is unreachable
2025-01-22 16:04:47 write link error: Network is unreachable
2025-01-22 16:04:49 write link error: Network is unreachable

And here are the server logs:

Code: Select all

2025-01-22T13:51:52-05:00 UXGLite ubios-udapi-server[1743]: signal-out-notifier: Sending to mcad: EVT_VPN_ClientDisconnected Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.59.138.171:48735 (via wgsrv1 192.168.3.2/32) on /vp
n/wireguard/servers/1
2025-01-22T13:55:53-05:00 UXGLite ubios-udapi-server[1743]: wan-failover-monitor-icmp: Failed to read monitor status from /run/eth1-mon6-142.250.65.238-google.com.sock: Timed out.
2025-01-22T13:55:53-05:00 UXGLite ubios-udapi-server[1743]: wan-failover-monitor-icmp: wf-monitor-eth1-6-icmp (76.28.30.144->142.250.65.238) could not read status from '/run/eth1-mon6-142.250.65.238-google.com.sock'. Received
 data: 'eth1-mon6-142.250.65.238-googl'
2025-01-22T14:54:07-05:00 UXGLite ubios-udapi-server[1743]: wan-failover-monitor-icmp: Failed to read monitor status from /run/eth1-mon2-8.8.8.8-ping.ui.com.sock: Timed out.
2025-01-22T15:58:07-05:00 UXGLite ubios-udapi-server[1743]: wireguard: Server Wireguard Peer (#1) has got peer Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.56.195.179:14729 (via wgsrv1 192.168.3.2/32) (Pixel-7) connected
2025-01-22T15:58:07-05:00 UXGLite ubios-udapi-server[1743]: signal-out-notifier: Sending to mcad: EVT_VPN_ClientConnected Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.56.195.179:14729 (via wgsrv1 192.168.3.2/32) on /vpn/w
ireguard/servers/1
2025-01-22T16:05:30-05:00 UXGLite ubios-udapi-server[1743]: wireguard: Server Wireguard Peer (#1) has got peer Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.56.195.179:14729 (via wgsrv1 192.168.3.2/32) (Pixel-7) disconnect
ed
2025-01-22T16:05:30-05:00 UXGLite ubios-udapi-server[1743]: signal-out-notifier: Sending to mcad: EVT_VPN_ClientDisconnected Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.56.195.179:14729 (via wgsrv1 192.168.3.2/32) on /vp
n/wireguard/servers/1
2025-01-22T16:05:49-05:00 UXGLite ubios-udapi-server[1743]: wireguard: Server Wireguard Peer (#1) has got peer Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.56.195.179:14729 (via wgsrv1 192.168.3.2/32) (Pixel-7) connected
2025-01-22T16:05:49-05:00 UXGLite ubios-udapi-server[1743]: signal-out-notifier: Sending to mcad: EVT_VPN_ClientConnected Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.56.195.179:14729 (via wgsrv1 192.168.3.2/32) on /vpn/w
ireguard/servers/1
2025-01-22T16:47:22-05:00 UXGLite ubios-udapi-server[1743]: wireguard: Server Wireguard Peer (#1) has got peer Io/F9pbqFd13dzyKjn5Lo+TvE7KFCse5UuXdjCvxczQ= 172.58.244.161:58755 (via wgsrv1 192.168.3.2/32) (Pixel-7) disconnect
ed

And here are my settings!
Unfortunately the

Thanks for any help you might offer.

[admin]

Hello,

please try to follow these steps:

• start the app

• tap on top left icon

• tap on "Global options"

• tap on "VPN options"

• select "Restart WireGuard connection when connectivity change"

• save the changes

• restart the VPN

[yochaigal]

I will try that and get back to you. Thanks!

[yochaigal]

This worked! Forgot to update

[admin]

Thank you for the feedback.

[yochaigal]

This issue is happening again. It happens a few times a day, and it isn't triggered by anything. For example, I will leave my house (whitelisted SSID), the app will connect to LTE, take a walk for ~15 minutes or so, then suddenly I will notice that my Internet on the phone isn't working. Once I disconnect the VPN and then reconnect, everything starts working again. The global app settings are set to restart the VPN on disconnect as per the developer's advice earlier in this thread.

Here is my log from the situation I described above.

Code: Select all

2025-05-18 17:09:11 WARNING: nic v4-rmnet16 subnet 192.0.0.4/32 is not excluded because is not in RFC-1918
2025-05-18 17:09:11 VpnClientPro-google-api27-release-1.02.08 (30010208)
2025-05-18 17:09:11 Connecting request by auto connect (Mobile)
2025-05-18 17:09:11 OpenSSL 3.5.0 8 Apr 2025
2025-05-18 17:09:12 Add peer [My home domain]
2025-05-18 17:09:12   set preshared key
2025-05-18 17:09:12   -> 0.0.0.0/0
2025-05-18 17:09:12 Add peer [My home domain]:51820
2025-05-18 17:09:12   set preshared key
2025-05-18 17:09:12   -> 0.0.0.0/0
2025-05-18 17:09:12 Exclude nic wlan0 local subnet 10.0.0.0/24
2025-05-18 17:09:12 WARNING: nic v4-rmnet16 subnet 192.0.0.4/32 is not excluded because is not in RFC-1918
2025-05-18 17:09:13 Connectivity change detected: WiFi - Thinknot
2025-05-18 17:09:13 The connectivity is changed.
2025-05-18 17:09:13 Restarting...
2025-05-18 17:09:13 Add peer [My home domain]:51820
2025-05-18 17:09:13   set preshared key
2025-05-18 17:09:13   -> 0.0.0.0/0
2025-05-18 17:09:13 Exclude nic wlan0 local subnet 10.0.0.0/24
2025-05-18 17:09:13 WARNING: nic v4-rmnet16 subnet 192.0.0.4/32 is not excluded because is not in RFC-1918
2025-05-18 17:09:21 Send handshake (1) to 71.192.29.191:51820
2025-05-18 17:09:22 Handshake with 71.192.29.191:51820 completed
2025-05-18 17:09:22 Connected
2025-05-18 17:09:28 Connectivity change detected: Mobile
2025-05-18 17:09:28 The connectivity is changed.
2025-05-18 17:09:28 Restarting...
2025-05-18 17:09:28 Add peer [My home domain]
2025-05-18 17:09:28   set preshared key
2025-05-18 17:09:28   -> 0.0.0.0/0
2025-05-18 17:09:28 Add peer [My home domain]:51820
2025-05-18 17:09:28   set preshared key
2025-05-18 17:09:28   -> 0.0.0.0/0
2025-05-18 17:09:28 WARNING: nic v4-rmnet16 subnet 192.0.0.4/32 is not excluded because is not in RFC-1918
2025-05-18 17:09:29 Send handshake (1) to 2607:7700:0:b:0:2:47c0:1dbf:51820
2025-05-18 17:09:29 Handshake with 2607:7700:0:b:0:2:47c0:1dbf:51820 completed
2025-05-18 17:09:29 Connected
2025-05-18 17:09:38 Connectivity change detected: WiFi - Thinknot
2025-05-18 17:09:38 The connectivity is changed.
2025-05-18 17:09:38 Restarting...
2025-05-18 17:09:38 Add peer [My home domain]:51820
2025-05-18 17:09:38   set preshared key
2025-05-18 17:09:38   -> 0.0.0.0/0
2025-05-18 17:09:38 Exclude nic wlan0 local subnet 10.0.0.0/24
2025-05-18 17:09:38 WARNING: nic v4-rmnet16 subnet 192.0.0.4/32 is not excluded because is not in RFC-1918
2025-05-18 17:10:42 Send handshake (1) to 71.192.29.191:51820
2025-05-18 17:10:42 Handshake with 71.192.29.191:51820 completed
2025-05-18 17:10:42 Connected
2025-05-18 17:11:23 Connectivity change detected: Mobile
2025-05-18 17:11:23 The connectivity is changed.
2025-05-18 17:11:23 Restarting...
2025-05-18 17:11:28 Add peer[My home domain]
2025-05-18 17:11:28   set preshared key
2025-05-18 17:11:28   -> 0.0.0.0/0
2025-05-18 17:11:28 Add peer [My home domain]:51820
2025-05-18 17:11:28   set preshared key
2025-05-18 17:11:28   -> 0.0.0.0/0
2025-05-18 17:11:28 Exclude nic wlan0 local subnet 10.42.1.0/24
2025-05-18 17:11:28 WARNING: nic v4-rmnet16 subnet 192.0.0.4/32 is not excluded because is not in RFC-1918
2025-05-18 17:11:30 Send handshake (1) to 64:ff9b::47c0:1dbf:51820
2025-05-18 17:11:35 Peer 64:ff9b::47c0:1dbf:51820 handshake timeout
2025-05-18 17:11:35 Try next peer 71.192.29.191:51820
2025-05-18 17:11:35 Send handshake (1) to 71.192.29.191:51820
2025-05-18 17:11:40 Peer 71.192.29.191:51820 handshake timeout
2025-05-18 17:11:40 Try next peer 64:ff9b::47c0:1dbf:51820
2025-05-18 17:11:40 Send handshake (2) to 64:ff9b::47c0:1dbf:51820
2025-05-18 17:11:46 Peer 64:ff9b::47c0:1dbf:51820 handshake timeout
2025-05-18 17:11:46 Try next peer 71.192.29.191:51820
2025-05-18 17:11:46 Send handshake (2) to 71.192.29.191:51820
2025-05-18 17:11:51 Peer 71.192.29.191:51820 handshake timeout
2025-05-18 17:11:51 Try next peer 64:ff9b::47c0:1dbf:51820
2025-05-18 17:11:51 Send handshake (3) to 64:ff9b::47c0:1dbf:51820
2025-05-18 17:11:57 Peer 64:ff9b::47c0:1dbf:51820 handshake timeout
2025-05-18 17:11:57 Try next peer 71.192.29.191:51820
2025-05-18 17:11:57 Send handshake (3) to 71.192.29.191:51820
2025-05-18 17:12:02 Peer 71.192.29.191:51820 handshake timeout
2025-05-18 17:12:02 Try next peer 64:ff9b::47c0:1dbf:51820
2025-05-18 17:12:02 Send handshake (4) to 64:ff9b::47c0:1dbf:51820
2025-05-18 17:12:02 Handshake with 64:ff9b::47c0:1dbf:51820 completed
2025-05-18 17:12:02 Connected

[admin]

Hello,

based on the connection logs, the issue appears to stem from an incorrect NAT64 configuration by the mobile provider. The address 64:ff9b::47c0:1dbf is the NAT64 translation of 71.192.29.191, suggesting that the mobile provider might not be allowing direct use of the IPv4 address.

It also seems that the connection via the NAT64 address isn't stable, which would explain why the VPN isn't working reliably. Interestingly, previous connections show a native IPv6 address that is no longer being utilized, and this may also be related to the mobile provider's NAT64 setup.

Considering that the mobile provider should resolve this issue, perhaps the following configuration could be helpful:

• edit the VPN profile

• tap on "Peers"

• tap on the configured peer

• select "Resolve hostname berfore reconnecting"

• set the "Protocol" to UDP4

• save the changes

• tap on "+" button

• tap on "Copy peer"

• tap the previously configured peer

• set the "Protocol" to UDP6

• save the changes

• try the VPN

This approach involves the app attempting to resolve the hostname twice: once specifically requesting IPv4 addresses and again specifically requesting IPv6 addresses. The goal is that this method will allow the use of the native IPv6 address 2607:7700:0:b:0:2:47c0:1dbf.

[yochaigal]

That may be because of the way I did find and replace to obscure my domain name; I'll DM you the logs without being redacted.