
VPN does not auto connect after primary WAN disconnects and Secondary WAN becomes active. When primary WAN reconnects again then VPN auto reconnects


orudie

Occasional Visitor
VPN does not auto connect after primary WAN disconnects and secondary WAN becomes active. When primary WAN reconnects again then VPN auto reconnects

Wireguard VPN client is configured on WGC1 interface in VPN director.

Using the latest current Merlin firmware.

Suggestions?
 
Thank you for the suggestion with the watchdog script. I will look into it.

Do the others with DUAL WAN setup experience a similar issue with OpenVPN as well?

If OpenVPN is better in Dual WAN setup I would switch to OpenVPN instead.
 
Do the others with DUAL WAN setup experience a similar issue with OpenVPN as well?
I don't know, but there are more people experiencing this: https://www.snbforums.com/threads/restart-wireguard-client-when-fails.89606/post-901838
Not necessarily dual WAN, but related to various happenings on WAN and/or ISP.

Using the log files the script produces before and after restarting an interface may help pinpoint what is going on in your case. This may provide meaningful input on why it is failing to Asus and/or @RMerlin.

In your case I'm wondering if the explicit route to the endpoint that the fw puts in the main route tables is updated during the WAN interface switch that happens during the failover. And/or what happens to the same route in the policy tables, which may lead to the question of how your VPN Director rules are set up...
 
Last week I had a real scenario when the connection failed over from Primary to Secondary WAN and I noticed that after the failover the VPN connection was lost.

Today I started testing failover by simply plugging different cables out of my router and fiber optic terminals.
What I noticed is that when I plug the fiber optic cable from my primary WAN's terminal then the connection fails over to secondary and after the failover the VPN auto connects on the secondary WAN but stays connected only for about 1 minute and then the VPN connection drops but internet keeps working. Then after I plug in the fiber optic cable back to the primary WAN's terminal the connection fails over back to Primary WAN and the VPN reconnects and stays connected as it should. However, when I pull the CAT6 cable instead of the Fiber Optic cable from the router's primary WAN port, the VPN auto reconnects on the Secondary WAN and stays connected as it should. And after plugging the CAT6 cable back into the primary WAN's port the connection fails over back to primary WAN and VPN auto connects and also stays connected.

One more thing I noticed in the Merlin web UI during these tests was that when I pull the fiber optic cable, the web UI under the primary WAN says something like "your ISP dhcp server is not working properly", which is the same message I see during the real connection interruption with the ISP. And when I pull the CAT6 cable, the message that shows up under the primary WAN is "your primary wan cable is disconnected".

This is the difference in behavior I noticed when pulling the fiber optic cable vs pulling the CAT6 cable.

I can do more testing tomorrow, and I will also test with OpenVPN.

Any suggestions and all your replies are very helpful to me. I thought to let you know.

Regards.
 
I can do more testing tomorrow, and I will also test with OpenVPN.
If you do end up pursuing OpenVPN, give VPNMON-R3 a shot to help keep your VPN connected at all times. Over the last 2-3 or so years, the only time my VPN goes down is when my ISP goes down. ;)
 
when I plug the fiber optic cable from my primary WAN's terminal then the connection fails over to secondary and after the failover the VPN auto connects on the secondary WAN but stays connected only for about 1 minute and then the VPN connection drops but internet keeps working
It's indeed interesting information. So it works initially after the failover, but stops shortly after.

I don't think the fw does anything special 1min after the failover, but I don't know. The watchdog log files may show that.

WireGuard requires a handshake and new key exchange every 3 min maximum, but if data over the tunnel works there's no reason the handshake and key exchange wouldn't work.

I wonder if it boils down to sessions (nat tunnels, conntrack) which would close in that general time frame, but I can't seem to make it fit. But I have very limited knowledge about it.
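
Added example, not part of any post in this thread and not the watchdog script mentioned above: a small POSIX sh check that combines the two questions raised in the replies, whether the route to the WireGuard endpoint still leaves through the old WAN after failover, and whether the last handshake is older than the 3-minute figure quoted above. The interface names `eth0`/`eth5`, the key, the addresses and the timestamps are constructed sample values; on a router the inputs would come from `wg show wgc1 latest-handshakes` and `ip route get <endpoint>`.

```shell
#!/bin/sh
# Added example: classify a WireGuard client tunnel after a WAN failover.
# Inputs are passed as text so the logic runs offline on sample data.

STALE_AFTER=180   # seconds; the "3 min maximum" figure quoted in the thread

# handshake_age <latest-handshakes output> <now epoch>
# Prints the age in seconds of the newest handshake, or -1 if none is recorded
# (wg reports a timestamp of 0 for a peer that has never completed one).
handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        NF >= 2 && $2 > newest { newest = $2 }
        END { if (newest > 0) print now - newest; else print -1 }'
}

# route_dev <ip route get output>
# Prints the interface name that follows the "dev" keyword.
route_dev() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# tunnel_state <handshakes> <now> <route output> <active WAN interface>
tunnel_state() {
    age=$(handshake_age "$1" "$2")
    dev=$(route_dev "$3")
    if [ "$dev" != "$4" ]; then
        # Endpoint route still points at the WAN that went down.
        echo "endpoint-route-on-wrong-wan dev=$dev active=$4 age=$age"
    elif [ "$age" -lt 0 ] || [ "$age" -gt "$STALE_AFTER" ]; then
        echo "handshake-stale age=$age"
    else
        echo "ok age=$age"
    fi
}

# Constructed sample data (not taken from the thread).
SAMPLE_HS=$(printf '%s\t%s' 'CONSTRUCTED-PEER-KEY=' 1700000000)
SAMPLE_ROUTE='203.0.113.10 via 192.0.2.1 dev eth0 src 192.0.2.50'

# Secondary WAN (eth5) is active, but the endpoint route still uses eth0.
tunnel_state "$SAMPLE_HS" 1700000240 "$SAMPLE_ROUTE" eth5
```

Logging this result once per minute across a failover test would show which of the two conditions appears first when the tunnel drops.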
 
