Connection is lost when restarting router

I have a WireGuard server, it is private (not from the companies that offer this service).

The problem is that when I create the connection following this tutorial, it works perfectly. But when I restart the router, it does not reconnect.

The tutorial is:
https://www.ivpn.net/setup/router/openwrt-wireguard/

The connection is (I changed some data):

[Interface]
PrivateKey = wNa/P3Amdv4Aadalk440a66d5zjWod1VHdJ8uq4HY=
Address = 10.2.0.80/24
DNS = 192.168.92.1

[Peer]
PublicKey = ixrWCSy1Poddcxwe90waalskdjaAAB7WnqXNFfiQGjg=
PresharedKey = ckaiXOYJiVuJ7+++94aisAAERE449J3lB5Jht18w=
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 0
Endpoint = vpn.vpnprivatedomain.com:3344

My hypothesis is that what happens is that the VPN is unable to recognize the "Endpoint" domain because the firewall is prohibiting it from connecting.

Thanks.

You are welcome to replace keys in your infrastructure and never ever post them in a public forum.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall

I suspect that this is not the reason.

More than likely, the problem is related to time. In order for VPNs to function, the time must be correct. It is likely that the clock on the local device is not sync'd with NTP after the restart at the time that WG starts. The result is that WG cannot connect and there is no route to the NTP servers via the regular wan. It becomes a chicken or egg.

The solution is to hold WG back until NTP has sync'd. This is discussed in a bunch of threads... here's one:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "Qualcomm Atheros QCA956X ver 1 rev 0",
	"model": "TP-Link Archer C7 v5",
	"board_name": "tplink,archer-c7-v5",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23xxx-23xxxa2efa",
		"target": "ath79/generic",
		"description": "OpenWrt 23.05.3 r23xxx9-23xxxefa"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fxxx:cxxf:aaxx::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'xx:af:xx:xx:ea:xc'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

config interface 'ivpnXX'
	option proto 'wireguard'
	option private_key 'wNa/P3Amxxxxxxx5w66d5zjxxxxxxx4HY='
	list addresses '10.x.0.xx/24'
	list dns '192.168.97.1'
	option mtu '1412'

config wireguard_ivpnXX
	option description 'Imported peer configuration'
	option public_key 'ixrWCSyxxxxxxxcxB7WnqX7xxxxxxiQGjg='
	option preshared_key 'ckaiXOxxxxxxDjGmv9QU9+mxxxxxxxx18w='
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '::/0'
	option endpoint_host 'vpn.xxxxxxxx.com'
	option endpoint_port '3478'
	option route_allowed_ips '1'
	option persistent_keepalive '25'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'ivpn_fw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'ivpnXX'

config forwarding
	option src 'lan'
	option dest 'ivpn_fw'

Please change compromised keys. And attribute AI edit changes.

As mentioned already, the time on your client might be too inaccurate when WG is started. Either set up actual time earlier on your router (with custom patches, which I prefer to do) OR defer the start of WireGuard. There might be another problem, though: DNS not up soon enough. Which is an unpleasant consequence of the non-deterministic starts of services after boot, being in parallel, NOT sequential. Quite often a PITA, I have to note.
For verification, replace
vpn.vpnprivatedomain.com:3344
with
real.ip.ofvpnprivatedomain.com:3344

In very worst case, i.e. when using mobile connection only, this might also fail, because network not up soon enough.
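One way to implement the two pieces of advice above (hold WireGuard back until NTP has synced, and make sure the endpoint hostname resolves before bringing the tunnel up), as an added example that is not from the thread, from OpenWrt, or from ivpn. It is written as a sysntpd hotplug handler: busybox sysntpd runs the scripts in /etc/hotplug.d/ntp/ with ACTION=stratum once it has a synchronised time source. The install path, the `option auto '0'` setting on the interface, the `MIN_EPOCH` sanity floor and the sample nslookup output are assumptions or constructed values; `ivpnXX` and the placeholder endpoint name are taken from the posted config.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenWrt or ivpn.
# Assumed install path: /etc/hotplug.d/ntp/50-wg-after-ntp
# Assumes the WireGuard interface has `option auto '0'` in /etc/config/network,
# so netifd does not start it at boot; this handler starts it after NTP sync.

WG_IFACE="${WG_IFACE:-ivpnXX}"                                # interface name from the posted config
ENDPOINT_HOST="${ENDPOINT_HOST:-vpn.vpnprivatedomain.com}"   # placeholder name from the thread
MIN_EPOCH=1700000000   # constructed sanity floor: a clock before this cannot be NTP-synced

# Constructed sample nslookup output (busybox format) used for offline checks.
SAMPLE_NSLOOKUP_OK='Server:		127.0.0.1
Address:	127.0.0.1:53

Name:	vpn.vpnprivatedomain.com
Address: 203.0.113.10'

SAMPLE_NSLOOKUP_FAIL='Server:		127.0.0.1
Address:	127.0.0.1:53

nslookup: can'"'"'t resolve '"'"'vpn.vpnprivatedomain.com'"'"': Name does not resolve'

# Pure decision logic, kept free of side effects so it can be tested off-router.
# $1 = hotplug ACTION, $2 = current epoch seconds, $3 = 1 if the interface is already up.
# Returns 0 only when NTP reports a stratum, the clock is plausible and the tunnel is down.
wg_should_start() {
    action="$1"; now_epoch="$2"; iface_up="$3"
    [ "$action" = "stratum" ] || return 1
    [ "$now_epoch" -ge "$MIN_EPOCH" ] || return 1
    [ "$iface_up" != "1" ]
}

# $1 = nslookup output. Succeeds when at least one "Address:" line remains after
# discarding the resolver's own address (the "Address:" line following "Server:").
endpoint_resolved() {
    printf '%s\n' "$1" | awk '
        /^Server:/            { srv = 1; next }
        /^Address:/ && srv    { srv = 0; next }   # skip the DNS server address
        /^Address:/           { found = 1 }
        END                   { exit found ? 0 : 1 }'
}

# Retry the lookup for up to $1 seconds: DNS may come up later than ntpd after boot.
wait_for_endpoint() {
    deadline=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        endpoint_resolved "$(nslookup "$ENDPOINT_HOST" 2>&1)" && return 0
        sleep 5
    done
    return 1
}

# netifd reports interface state as JSON; "up": true means it is already running.
iface_is_up() {
    if ifstatus "$WG_IFACE" 2>/dev/null | grep -q '"up": true'; then echo 1; else echo 0; fi
}

main() {
    if wg_should_start "${ACTION:-}" "$(date +%s)" "$(iface_is_up)"; then
        logger -t wg-after-ntp "clock synced; waiting for $ENDPOINT_HOST to resolve"
        wait_for_endpoint 120 || logger -t wg-after-ntp "DNS still failing after 120s, trying ifup anyway"
        ifup "$WG_IFACE"
    fi
}

# Only act when invoked by hotplug (ACTION is set); sourcing the file just defines functions.
if [ -n "${ACTION:-}" ]; then main; fi
```

With `ACTION=unsync` sysntpd also calls the handler when it loses its source; `wg_should_start` ignores that case rather than tearing the tunnel down, since a running tunnel does not need the clock to be re-synced to keep working.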

For example?

Ones in your initial post.

Have you tried them? I changed the data. Thanks for the concern, but I never uploaded the real data.
