Posted: Sat Oct 03, 2020 17:07 Post subject: wireguard client re-resolve endpoint
Hello all,
I have set up wireguard to work as a client in DD-WRT and it is working great. The only problem I have with it is that every once in a while the endpoint, which is a domain I own, will change its public IP. This means that the wireguard connection on DD-WRT will be left hanging, since the endpoint is resolved only at the beginning.
Is there a way for me to force a re-resolve? I thought of a script that checks if the current IP of the endpoint matches the one wireguard is connected to, and if it doesn't, then restart the WG process. But I don't know how to do that last part from a script. And I cannot find anything related to this for DD-WRT.
I know that there is a script to do just that for PC, but sadly it doesn't work on DD-WRT.
Has anyone stumbled across this problem with wireguard as a client on DD-WRT?
Normally, if you don't have a fixed IP for your domain to resolve to, you would use a service like https://account.dyn.com/ rather than buying a domain. You configure the router that the server is behind with your dyn or other credentials so it always keeps it pointing to the correct IP (if it's behind a DD-WRT router, it's configured here: https://wiki.dd-wrt.com/wiki/index.php/Dynamic_DNS).
There are lots of services offering this, some free, some paid. Myself, I have never come across a service or any scripts that does the same for a domain, but I'm interested to see if anyone else posts.
You may be referring to the fact that WG only resolves a URL at startup.
However, WG has built-in roaming for client and server, so actually a change of address should not be a problem; on handshake the new address should be handed over and updated.
From the WG manual:
Code:
Built-in Roaming
The client configuration contains an initial endpoint of its single peer (the server), so that it knows where to send encrypted data before it has received encrypted data. The server configuration doesn't have any initial endpoints of its peers (the clients). This is because the server discovers the endpoint of its peers by examining from where correctly authenticated data originates. If the server itself changes its own endpoint, and sends data to the clients, the clients will discover the new server endpoint and update the configuration just the same. Both client and server send encrypted data to the most recent IP endpoint for which they authentically decrypted data. Thus, there is full IP roaming on both ends.
One caveat: the tunnel must be kept open, so you must enable Keep alive (from both ends).
On DD-WRT you can set a watchdog, and if the router loses its internet connection it will reboot.
(One of these days I might write a script to only restart the WG client on connection loss, but I'm currently busy with OpenVPN 2.5.)
I am using freedns as DDNS on my "server"; the only problem was related to the rare occasions when the server's public IP changes and the client connection drops and appears to not reconnect until I restart the client. I was hoping for a way to restart only the WG interface.
Thank you for this info! I didn't know this part about wireguard. I thought that the keepalive setting is placed in the client conf file only. But now I have put that setting in the server conf file too.
I will perform some tests to see if it works!
Thank you for your help!
P.S.: Is a script that restarts the WG interface a better option for this problem, or is this solution preferable? I am asking because I know that on a PC there is a script that can be set up to verify if the endpoint has changed its IP and re-resolve the endpoint at regular intervals. So if the keepalive setting works, why isn't it sufficient on the PC too?
Good question. I can imagine a PC goes to sleep or the connection is disturbed for a longer period otherwise; in that case you have to resolve the URL again and thus restart WG. But as long as the connection is kept alive, roaming should not be a problem (according to the WG documentation).
This question has not come up until now; like I said, you can set the watchdog on the router so that it reboots.
When I have time I can make a small script to restart WG when the connection is lost, but at the moment I'm busy with OpenVPN 2.5 and weeding out some unnecessary firewall settings in OpenVPN.
Good stuff! I will try it this way and let you know how it works! I will be able to do it in about two days as I am swamped myself!
Good luck with OpenVPN 2.5! It would be great if you found some time to write the script for WG.
r40559 (maybe you were misguided by the out-of-date Router Database) had its very own problems.
I needed to manually up and down WG to reconnect after every disconnect.
Only alternative: keep-alive reboot.
A few releases after this, the problem is gone. Reconnecting does work.
BUT my router connects to a static IPv4, nothing dynamic...
Which release X on Device Y are you using in setup Z?
My router is TP-Link Archer C7v5, using the latest version I found to download: DD-WRT v3.0-r44483.
I will try what was mentioned above with the KeepAlive setting, and if it doesn't work I will activate the watchdog too. I am not concerned with too many reboots because the ISP where my server is connected only changes the public IP when the router is restarted. Other than that I can go months without an IP change. So I should be fine!
Thank you for your help!
So I have implemented the solution with the KeepAlive setting in both config files (server and client) and I can report that this does not solve the issue.
It happened that the server went down for an extended period of time (the ISP made some improvements and they had to cut the connection), and when I got the line back, the client (DD-WRT) did not reconnect.
So I believe that the ability to stop and start the wg interface again using a script is very important for this kind of scenario.
Rebooting the client router is a solution for the moment but it is not the most elegant.
Well, it so happens that OpenVPN 2.5 seems to be implemented successfully,
so I have some time to work on WireGuard.
Attached is a WireGuard watchdog script.
But I have not tested it, so chances are it is not working as intended (yet).
So your task is to try it and report; debug is set on, and the script reports in syslog.
Use this command:
Code:
grep -i wireguard /var/log/messages
to see what is going on.
Just start the script from the CLI; do not add it to Startup unless you are sure it works.
Test by just pulling your network cable.
Let me know what is (not) working.
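For anyone who wants the other approach discussed in this thread (the OP's "check whether the endpoint's DNS name still matches the IP WG is talking to" idea), here is an added example of such a check written for BusyBox sh on DD-WRT. It is not the watchdog script attached above and not part of this thread's original posts; the interface name (oet1), the hostname vpn.example.com and the port 51820 are placeholders, and it assumes `wg`, `nslookup` and `logger` are available on the router.

```shell
#!/bin/sh
# Added example (not the forum poster's attached script): re-resolve a WireGuard
# peer's DNS endpoint on a DD-WRT client and update it in place when it has changed.
# Assumes BusyBox sh/awk/nslookup and `wg`; interface, hostname and port are placeholders.
WG_IFACE="${WG_IFACE:-oet1}"               # assumption: first WG tunnel on DD-WRT is oet1
PEER_HOST="${PEER_HOST:-vpn.example.com}"  # placeholder: your DDNS / domain name
PEER_PORT="${PEER_PORT:-51820}"            # placeholder: server listen port

# Parse `wg show <iface> endpoints` output ("<pubkey>\t<ip>:<port>") from stdin.
# Returns the first peer's IP; "[][]" strips the brackets of an IPv6 endpoint.
current_endpoint_ip() {
    awk -F'\t' 'NR == 1 { sub(/:[0-9]+$/, "", $2); gsub(/[][]/, "", $2); print $2 }'
}

# Same input; returns the first peer's public key (needed for `wg set`).
peer_pubkey() {
    awk -F'\t' 'NR == 1 { print $1 }'
}

# Pick the first IPv4 answer out of BusyBox nslookup output (assumed format: answer
# lines follow the "Name:" line); reads stdin so it can be tested offline.
first_ipv4_answer() {
    awk '/^Name/ { answer = 1 }
         answer && /^Address/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit } }'
}
resolve_ip() { nslookup "$1" 2>/dev/null | first_ipv4_answer; }

# True (exit 0) only when DNS answered and the answer differs from the live endpoint;
# a failed lookup must never trigger a change, or a DNS outage would break the tunnel.
endpoint_changed() {  # $1 = current endpoint IP, $2 = freshly resolved IP
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# One check; `wg set ... endpoint` re-points the peer without tearing the tunnel down.
reresolve() {
    show="$(wg show "$WG_IFACE" endpoints)" || return 1
    cur="$(printf '%s\n' "$show" | current_endpoint_ip)"
    key="$(printf '%s\n' "$show" | peer_pubkey)"
    new="$(resolve_ip "$PEER_HOST")"
    if endpoint_changed "$cur" "$new"; then
        logger -t wireguard "endpoint $PEER_HOST moved from $cur to $new, updating $WG_IFACE"
        wg set "$WG_IFACE" peer "$key" endpoint "$new:$PEER_PORT"
    fi
}

# Run only with --run, e.g. from cron: */5 * * * * root /jffs/wg-reresolve.sh --run
if [ "${1:-}" = "--run" ]; then reresolve; fi
```

Because it logs with the "wireguard" tag, the same `grep -i wireguard /var/log/messages` shows when an endpoint update happened.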
Great! Thank you! I will get right on it with the testing and will report back this week, maybe. Pulling the network cable is going to be difficult because the DD-WRT router (the client) is in a remote location. What I can do, and I believe it is more relevant, is to reboot my router at home, which acts as the WireGuard server. This will lead to a public IP change, which normally breaks the WireGuard remote client.
Hopefully with your script this will not happen any longer!