I am configuring OpenWRT as a VPN client to be run in an unfriendly environment. Think of "behind some great firewall".
I'm running my own VPN server based on Debian. It offers OpenVPN and Wireguard as well as OSPF and a DNS server.
The OpenWRT client uses its WAN port to connect to a local LAN and learn its IP, default gateway and DNS server from there.
It then connects to the OpenVPN server (using the server name) as well as the Wireguard server (using the servers IP address). This makes me independent from DNS resolution to connect to the VPN server.
On top of the OpenVPN and Wireguard tunnels runs bird 2.0 using OSPF. It connects to bird on the VPN server, chooses from all running VPN tunnels the one with the lowest cost and establishes routes to 0.0.0.0/1 and 22.214.171.124/1 through this tunnel. As soon as one of tunnels comes up, this in effect switches the default route from the local network to the VPN tunnel.
On the LAN interface I have a DHCP server running. Also the wireless network is running and connected to LAN. In effect: if someone connects to one of the LAN ports or WiFi, he gets an IP, default gateway (OpenWRT) and DNS server (dnsmasq on OpenWRT) from me. When he uses this connection, traffic flows through one of the VPN tunnels to my VPN server.
What you can do now (after some subtleties regarding forwarding/masquerading, double NAT): connect the OpenWRT router to your unfriendly ISP router, then connect your devices to the OpenWRT router through LAN or WiFi and the internet will see your devices with the source IP of my VPN server. Welcome to the free world.
There remains one problem: dnsmasq still uses the DNS server we learned from the local network, effectively leaking DNS requests to the unfriendly environment.
I know how to run a script from the OpenVPN client when the tunnel comes up or goes down. With this scrip I can manipulate dnsmasq.resolvfile to use the DNS server behind the OpenVPN tunnel.
What I am missing is a way to run a script when the Wireguard tunnel comes up or goes down. From what I have seen it does not trigger anything in hotplug when the tunnel comes up. Beware: I am not interested in doing something when the interface comes up: the wg0 interface exists long before the tunnel comes up and it does not change to UP or DOWN following the tunnel state.
Has someone got an idea how to trigger something when an Wireguard tunnel comes up / goes down?