Restart WireGuard client when fails


alisou

Occasional Visitor
Hello,

I'm using the WireGuard client on my RT-AX88U. Sometimes when I lose Internet, my WireGuard client doesn't reconnect automatically.
I do it manually by accessing VPN -> VPN Client -> WireGuard and clicking on Apply.

I need your help writing a script to test connectivity under the WireGuard VPN and restart the WireGuard client if, for example, a ping fails.
For example, I can't use ping under the WireGuard VPN using my VPN interface:
ping -I wgc1 google.com

Thank you.
 
Have you researched what is available already before you re-invent the wheel?

 
I'm testing the "Wireguard Client VPN Failover Script" link. But I need to wait more than 120 seconds for WireGuard to be restarted.
I need to reduce this time to 10 seconds. Check connectivity every 10 seconds.
 
> I'm testing the "Wireguard Client VPN Failover Script" link. But I need to wait more than 120 seconds for WireGuard to be restarted.
> I need to reduce this time to 10 seconds. Check connectivity every 10 seconds.

The script is probably based on crontab to run the check script every 2 min. The lowest time resolution for crontab is 1 min, so every 10 s is not going to work.
Or it uses the WireGuard latest-handshake timer, which should reset every 2-3 min.

You may need to write your own script that runs continuously and uses sleep 10 between checks.
But if it starts once and runs continuously, who checks the check-script? You may need to write a check-script checker.

I wrote the attached script a long time ago when we used pre-compiled entware kernel modules and script files to make Wireguard run on our routers, so it won't work for you, but perhaps you can use parts of it to make your own?
 

Attachments

  • wg-watchdog.txt
    2.5 KB · Views: 94
> For example, I can't use ping under the WireGuard VPN using my VPN interface:
> ping -I wgc1 google.com

Reverse path filtering is blocking this from working. Try:
Code:
echo 2 > /proc/sys/net/ipv4/conf/wgc1/rp_filter
Then it should work. This sets rp_filter for wgc1 to loose instead of strict.
 
> Reverse path filtering is blocking this from working. Try:
> Code:
> echo 2 > /proc/sys/net/ipv4/conf/wgc1/rp_filter
> Then it should work. This sets rp_filter for wgc1 to loose instead of strict.

@ZebMcKayhan, thank you very much. Now it is working with your solution.
I will now create a script to reboot the WireGuard client when the connection fails.
 
> @ZebMcKayhan, thank you very much. Now it is working with your solution.
> I will now create a script to reboot the WireGuard client when the connection fails.

Great, good luck! And please share your script when you are done.

I'm not sure the echo 2 > ... will persist after a reboot. You may need to re-apply it every time the wg client starts, i.e. in /jffs/scripts/wgclient-start.
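A worked example, added here and not the thread's wg-watchdog script nor anything from the linked repository: a continuous watchdog in the spirit of the "sleep 10 between checks" suggestion, which also re-applies the loose rp_filter setting from the post above each time it starts, so ping -I wgcX keeps working after a client restart. It answers the "who checks the check-script" question as well: a once-a-minute cru entry relaunches it, and a pidfile prevents duplicate copies. The interface, ping target and the restart command in RESTART_CMD are assumptions rather than anything the thread confirms; replace RESTART_CMD with whatever your firmware actually uses (the GUI Apply does the equivalent).

```shell
#!/bin/sh
# Added example watchdog for an Asus-Merlin WireGuard client (not the thread's script).
# Probes through wgcX every INTERVAL seconds and restarts the client after
# FAILS_BEFORE_RESTART consecutive failures. Every value below can be overridden
# from the environment; RESTART_CMD is an ASSUMED placeholder, replace it with the
# command your firmware actually uses.

WGIF="${WGIF:-wgc1}"                                  # client interface to watch
TARGET="${TARGET:-8.8.8.8}"                           # host to ping through the tunnel
INTERVAL="${INTERVAL:-10}"                            # seconds between probes
FAILS_BEFORE_RESTART="${FAILS_BEFORE_RESTART:-3}"     # tolerate a few lost probes
PIDFILE="${PIDFILE:-/tmp/wg-watchdog-$WGIF.pid}"
RPF_FILE="${RPF_FILE:-/proc/sys/net/ipv4/conf/$WGIF/rp_filter}"
RESTART_CMD="${RESTART_CMD:-service restart_wgc}"     # ASSUMPTION, see above
PING_CMD="${PING_CMD:-ping -I $WGIF -c 1 -W 3 $TARGET}"
FAILS=0                                               # consecutive failed probes

log() {
    echo "wg-watchdog: $*" >&2
    if command -v logger >/dev/null 2>&1; then logger -t wg-watchdog "$*"; fi
}

# Set reverse-path filtering on $WGIF to loose (2), the fix from earlier in the
# thread; done at every start because the setting may not survive a client
# restart. Prints the value now in effect; returns 1 if the file is not writable.
ensure_loose_rpf() {
    [ -w "$RPF_FILE" ] || return 1
    [ "$(cat "$RPF_FILE")" = "2" ] || echo 2 > "$RPF_FILE"
    cat "$RPF_FILE"
}

# Returns 0 if one probe through the tunnel is answered, 1 otherwise.
tunnel_up() {
    $PING_CMD >/dev/null 2>&1
}

# Run one probe and update FAILS. Returns 0 when a restart is due, 1 otherwise.
evaluate_probe() {
    if tunnel_up; then
        FAILS=0
        return 1
    fi
    FAILS=$((FAILS + 1))
    log "probe to $TARGET via $WGIF failed ($FAILS/$FAILS_BEFORE_RESTART)"
    [ "$FAILS" -ge "$FAILS_BEFORE_RESTART" ]
}

restart_client() {
    log "restarting WireGuard client $WGIF"
    $RESTART_CMD
    FAILS=0
    sleep 30                   # let the tunnel come up before probing again
}

# Main loop. Exits at once if another instance holds the pidfile, so the
# cron entry below can relaunch it every minute without stacking copies.
watchdog_loop() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        exit 0
    fi
    echo $$ > "$PIDFILE"
    trap 'rm -f "$PIDFILE"' EXIT
    ensure_loose_rpf >/dev/null || log "could not set rp_filter on $WGIF"
    while :; do
        if evaluate_probe; then
            restart_client
            ensure_loose_rpf >/dev/null   # the restart may have reset it
        fi
        sleep "$INTERVAL"
    done
}

# Start only when invoked as "wg-watchdog.sh run", e.g. from wgclient-start:
#   cru a WgWatchdog "* * * * * /jffs/scripts/wg-watchdog.sh run"
# and remove the entry in wgclient-stop with: cru d WgWatchdog
if [ "${1:-}" = "run" ]; then
    watchdog_loop
fi
```

The failure threshold is there so a single dropped probe does not bounce the tunnel; the cron entry runs every minute, but the pidfile check means only one loop ever runs, and a crashed loop is back within a minute.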
 
Hi Everyone,
I am actually having exactly the same issue as OP here and in this thread

@alisou , can you share your solution?

I need a simple script that will check whether wgc1 is still alive and operational and restart it if a test (e.g. ping) fails.
Thank you!
 
> I need a simple script that will check whether wgc1 is still alive and operational and restart it if a test (e.g. ping) fails.

I did put in a couple of minutes to convert my old watchdog script for merlin firmware wireguard use. You can find it here, along with some instructions:
https://github.com/ZebMcKayhan/Asus-merlin-Wireguard-Watchdog

But the instructions are not complete yet, I have not verified all aspects of the script and it lacks a lot of things, like checks on input data or even if the interface is started/enabled and such.
I don't know if it makes sense to check firewall rules or routing but it did when I wrote the script and I did not really change anything.

But it's perhaps a starting point? Feedback from anyone testing it is very welcome.

I will put some more work on it when I have time. My testing is limited due to my audio-visual internet-loss alarm that seems very easily triggered.
 
> I did put in a couple of minutes to convert my old watchdog script for merlin firmware wireguard use. You can find it here, along with some instructions:
> https://github.com/ZebMcKayhan/Asus-merlin-Wireguard-Watchdog

OK, when taken as-is, the NAT tables test is failing and it triggers a wgc restart every time I run the script.
This is probably because of the fact that NAT is disabled on my WGC client as I am using Wireguard Site-to-Site setup.

I have commented out everything in the script except the ping test for now (I guess it is sufficient for my needs) and it seems to work fine.
Will need to test longer (until wgc ping test will fail eventually)

As for the cron, I have added the
Code:
cru a WatchWgc1 "*/10 * * * * /jffs/scripts/wgc-watchdog 1"
to /jffs/scripts/services-start (instead of wgclient-start)

Thanks a million for the help with the script!
 
> OK, when taken as-is, the NAT tables test is failing and it triggers a wgc restart every time I run the script.
> This is probably because of the fact that NAT is disabled on my WGC client as I am using a Wireguard Site-to-Site setup.

Yep, that makes sense. The entire firewall and route checks are probably completely unnecessary, as the router firmware has this under control. My checks will only show the existence of the rules anyway. I will probably delete these and only keep the handshake and ping tests, which I believe are the most relevant tests.

> I have commented out everything in the script except the ping test for now (I guess it is sufficient for my needs) and it seems to work fine.
> Will need to test longer (until the wgc ping test fails eventually)

Great! Let me know if something is not working and I will look into it.
Meanwhile I will polish the script whenever I have time. First off will be to check that the Wireguard interface is enabled and exists, which will serve both as an input check and as a check whether it has been turned off in the GUI.
 
> Will need to test longer (until the wgc ping test fails eventually)

FYI, I did some updates to the script yesterday:
- Removed firewall and route tests
- Added check on input so it translates to a real wgcX interface and that this interface is set as "Enabled" in the GUI, otherwise it will abort with shell and syslog output.
- Added some basic shell output help text if the script input does not seem proper.
- Removed shell output from the checks and instead added some more relevant test status so it should give a better user experience when run manually.
- Updated user instruction on how to add the cron job to wgclient-start and wgclient-stop
- fixed install/download link which had been messed up somehow.

I still have a couple of ideas for improvement, among others adding a second user input in case the user needs to control which IP is pinged - useful for, i.e., site-to-site testing, as 8.8.8.8 may not be reachable over that interface.

https://github.com/ZebMcKayhan/Asus-merlin-Wireguard-Watchdog
 
Great stuff!
I wonder only WHY wireguard watchdog was not built-in in the firmware itself as it is done for OpenVPN...
It's really worth being added as a default fw feature.
 
> Great stuff!
> I wonder only WHY wireguard watchdog was not built-in in the firmware itself as it is done for OpenVPN...
> It's really worth being added as a default fw feature.

Maybe. But as WireGuard is connection-less, it is not really supposed to be needed. Nothing really changes when you restart it... well, one thing does happen - it will need to re-lookup the endpoint IP. So if your endpoint IP updates, then WireGuard will stop working and will need a restart in order to perform a new lookup. There are other ways to force a re-lookup of the endpoint that are perhaps less disruptive than a complete restart of WireGuard - if that is the only problem, but the fw does other things with the endpoint, like adding a specific route to it over WAN so you don't get nested tunnels.
This may not be such a big problem on commercial VPNs, or even on roaming devices where you use it an hour at a time or a couple of days on a PC. But on a router where it stays connected month after month you may run into this eventually.

I don't know if the firmware has some mechanism to re-lookup the endpoint IP already.
 
> Wireguard is connection-less it is not really supposed to be needed.

In my specific case it's well needed. I have static IPs on both ends, but once in 4-6 days my WireGuard connection just dies and a reconnect is not happening. I need to go to the webui and just confirm the client config page (clicking on Apply without changing anything) to re-initiate the connection.
I know this is probably not a wide issue, but apparently it happens not only to me, but to other users as well (based on this and some other threads).
Anyway, I am glad now we have a workaround, thanks for your help!
 
> I have static IPs on both ends, but once in 4-6 days my WireGuard connection just dies and a reconnect is not happening

That's interesting... does the handshake still happen? Sounds like something else is going on in the router, like something gets lost or over-prioritized by something else. WireGuard is still quite new to the firmware, so it's not impossible that something has been missed...

it would be interesting to go to the bottom of it and see what is really happening (wg- tool, interface, firewall, routes...), or have you done this already?
 
