How to keep Wireguard (WG) server active on OpenWrt, or Wake on Incoming Connection?

I've found that my WG server interface wg0 drops out quite quickly if not kept alive by a Peer.

I'm hoping to have WG on my OpenWrt Router permanently available for Road-Warrior devices to connect to my LAN for resources.

So far during setup & testing of WG on OpenWrt, I've manually restarted wg0 using

ifup wg0

or just

wg

for checking status.

How can I improve on this?

Thanks!

WireGuard is not a chatty protocol; that is normal behavior, but it should not prevent a reconnection unless there is something wrong with your settings.

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show
wg show

OK, hope this helps...

ubus call system board ---

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R4S",
        "board_name": "friendlyarm,nanopi-r4s",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

cat /etc/config/network ----

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbe:1c56:5a7f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr '****:da:d7'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr '*****da:d7'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'
        option metric '1024'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'wg0'
        option proto 'wireguard'
        option private_key 'MESUUB*****='
        list addresses '192.168.9.1/24'
        option listen_port '38165'

config wireguard_wg0
        option description 'RAH.BV9300'
        option public_key 'V0w3Oyo3XWIyRjHNEIO6ZQzUAoaOABt76wTB/bXXclI='
        option private_key 'kLAhHqSxQ********='
        option preshared_key 'kAtd4Gsii0*********='
        option persistent_keepalive '15'
        option endpoint_port '38165'
        list allowed_ips '192.168.9.2/32'

cat /etc/config/dhcp ------

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wg0'
        option interface 'wg0'
        option ignore '1'

cat /etc/config/firewall ------

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone 'lan'
        option name 'lan'
        list network 'lan'
        list network 'wg0'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone 'wan'
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule 'wg'
        option name 'Allow-WireGuard'
        option src 'wan'
        option dest_port '38165'
        option proto 'udp'
        option target 'ACCEPT'

ip route show ------

root@OpenWrt:~# ip route show
default via 77.119.***.*** dev eth0  src 77.119.***.***  metric 1024
77.119.***.***/30 dev eth0 scope link  metric 1024
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1

wg show --------

root@OpenWrt:~# wg show
root@OpenWrt:~#
root@OpenWrt:~#

You can remove this:

Upgrade to version 23.05.3

The WG server listens on its interface, it is up to the client to keep a connection open or open it again.
Usually you keep it open by setting a keep alive on the client.

Otherwise it looks fine :slight_smile:


Remove the endpoint port from the peer config:


OK tnx, done that.

I am having continuing problems. It seems partly to do with my Blackview phone not running the WG client well enough in the background. If I run the WG client in the foreground continually, the WG session handshakes every 2 minutes, which confuses me because I have a 15 second keepalive.

I've also looked at Wireguard notes/forum elsewhere. Others are also having Keepalive issues, seems to do with NATing.... NAT entries need to be kept alive. My OpenWrt is behind NAT + Forwarded Router, but my Phone is behind nothing, on 4G.

I'm gonna post more once I've done more testing & have clearer questions.

That is the key renewal; depending on traffic it is between approx. 1 and 4 minutes.
Keepalive is not involved other than keeping the connection up.
If the connection is down there is no handshake, but as soon as your client has traffic it should open the tunnel again unless your endpoint has changed.

OK, from what I've tried on my side... the wg0 interface IS falling over.

Either the handshake from the client/device renews at around 2 min, or if it does NOT manage to renew at around 2 min, wg0 has definitely fallen over.

A quick "wg" shows NO device/daemon sitting/listening.
"ifconfig" shows the interfaces WITHOUT wg0.

WireGuard could still be running on the phone (counting time since last handshake)... If I restart wg0 with "ifup wg0", suddenly the full WG connection springs into life, and WireGuard on the phone tells me that a handshake has just happened. I'll post a few screenshots here to show you the same story.

I may have to come up with a cron job to kickstart wg0 every 30 secs to 1 min.

Screenshots (captions only; the images are not included): Active WG Conn; WG.Peer.ShowsActive; Entire wg0 Interface Down; wg0 Interface Live; WG Peer Connection Lost; WG Peer Fresh Conn/Session.

Does this have anything to do with my problems??

root@OpenWrt:~# crontab -l
*/10 * * * *    /usr/share/wginstaller/wg.sh cleanup_wginterfaces

That smells like a fundamental problem with your build.
My advice:
Upgrade to 23.05.3 and rebuild from scratch.

An interface should not disappear on its own.

Why would you do such nonsense?


Yes, get rid of that cron process.

The wg interface should never destroy itself even if all the peers go away. wg would still show the peers with their last handshake, though it may be hours or days ago.

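Two separate things are being mixed up in this thread: the wg0 interface disappearing (which the `*/10` cron job above explains), and the handshake every ~2 minutes on the phone (which is WireGuard's normal re-keying, as the reply about key renewal says). The following shell script is an added example, not code from the thread, from OpenWrt or from wginstaller; it shows how to tell the two cases apart from exactly the outputs requested earlier in the thread. It assumes only the `wg` and `crontab` commands; the sample outputs are constructed with placeholder keys and addresses, and the 120 s / 180 s timers are WireGuard's own REKEY_AFTER_TIME and REJECT_AFTER_TIME protocol constants.

```shell
#!/bin/sh
# Added diagnostic helpers for the situation in this thread. Not part of
# OpenWrt or wginstaller; the sample outputs below are constructed to resemble
# the router output posted above, with keys replaced by placeholders.

# WireGuard protocol timers in seconds: the initiator re-keys after 120 s and
# a session is refused entirely after 180 s without a fresh handshake, which is
# why a healthy, active peer handshakes roughly every 2 minutes.
REKEY_AFTER_TIME=120
REJECT_AFTER_TIME=180

# Constructed `crontab -l` listing containing the cleanup job found in the thread.
SAMPLE_CRONTAB='*/10 * * * *    /usr/share/wginstaller/wg.sh cleanup_wginterfaces
0 4 * * *    /sbin/logrotate /etc/logrotate.conf'

# Constructed `wg show` output for a router whose wg0 is up (keys redacted).
SAMPLE_WG_SHOW='interface: wg0
  public key: (hidden)
  listening port: 38165

peer: (hidden)
  preshared key: (hidden)
  endpoint: 203.0.113.10:51820
  allowed ips: 192.168.9.2/32
  latest handshake: 4 minutes, 10 seconds ago
  transfer: 1.23 MiB received, 4.56 MiB sent
  persistent keepalive: every 15 seconds'

# Constructed `wg show wg0 latest-handshakes` output: "<peer public key><TAB><epoch>".
SAMPLE_HANDSHAKES=$(printf 'PEER_PUBLIC_KEY_PLACEHOLDER=\t1700000000')

# Print crontab lines that tear WireGuard interfaces down; prints nothing if none.
find_wg_cleanup_cron() {
    printf '%s\n' "$1" | grep -E 'wg\.sh[[:space:]]+cleanup_wginterfaces' || :
}

# Succeed if `wg show` output ($2) lists interface $1. An empty `wg show`,
# as posted in the thread, means the kernel interface itself is gone.
wg_interface_present() {
    printf '%s\n' "$2" | grep -q "^interface: $1\$"
}

# Age in seconds of the newest handshake, from `latest-handshakes` output ($1)
# and the current epoch time ($2). Prints -1 if no peer has ever handshaked.
newest_handshake_age() {
    printf '%s\n' "$1" | awk -v now="$2" '
        $2 > 0 { age = now - $2; if (best == "" || age < best) best = age }
        END { print (best == "" ? -1 : best) }'
}

# Map a handshake age to what the server side can conclude about the peer.
classify_handshake() {
    if [ "$1" -lt 0 ]; then
        echo never-handshaked    # peer configured, client has never connected
    elif [ "$1" -le "$REJECT_AFTER_TIME" ]; then
        echo session-fresh       # within the 180 s window, tunnel is usable
    else
        echo session-expired     # only the client can re-initiate from here
    fi
}

# One-word diagnosis. Arguments: `wg show` output, `crontab -l` output,
# `wg show wg0 latest-handshakes` output, current epoch seconds.
diagnose() {
    if ! wg_interface_present wg0 "$1"; then
        if [ -n "$(find_wg_cleanup_cron "$2")" ]; then
            echo interface-removed-by-cron
        else
            echo interface-missing
        fi
        return 0
    fi
    classify_handshake "$(newest_handshake_age "$3" "$4")"
}

# Offline demonstration on the constructed samples:
diagnose "" "$SAMPLE_CRONTAB" "" 1700000250                                    # interface-removed-by-cron
diagnose "$SAMPLE_WG_SHOW" "$SAMPLE_CRONTAB" "$SAMPLE_HANDSHAKES" 1700000250   # session-expired
# On the router itself (BusyBox ash), feed it live output instead:
# diagnose "$(wg show)" "$(crontab -l 2>/dev/null)" \
#          "$(wg show wg0 latest-handshakes 2>/dev/null)" "$(date +%s)"
```

The distinction matters for the fix: `interface-removed-by-cron` and `interface-missing` are router-side problems (the cron job, or a broken build, as the replies suggest), whereas `session-expired` with wg0 still present is the normal state after a road-warrior client goes quiet and is only resolved by the client sending traffic or running its keepalive.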

That cron job is obviously not me. I'm not that crazy. Somehow some installation did that, or I have a compromised OpenWrt.

Already deleted... very weird.

I need to sleep before early rise/work tomorrow.

I really appreciate you gentlemen assisting my efforts at the screen this evening.
It's probably afternoon/morning where you are. Tomorrow I'll try WG again, in light of the deleted cron job.

Also need to get my head around how to upgrade the firmware.....
