Possible Wireguard connection bug?

roschelle63 · March 3, 2026, 3:01pm

Want to know if I should report this.

Formerly, a site-to-site wireguard link would stop and require a reboot ever 1-3 days. I changed from DuckDNS (which is flakey to my location) to Cloudflare (which is solid) for Dynamic DNS. Now my site-to-site wireguard link does not go down. No other change.

I am wondering if there is possibly a bug somewhere in the wireguard implementation. It would be something like “if DNS is needed to reconnect to an endpoint, and its not available, then .”

Worthwhile to submit or too weird?

jeremy

brada4 · March 3, 2026, 3:05pm

Without logs no idea.

_bernd · March 3, 2026, 3:17pm

Endpoint name resolution happens only once so you need to restart the connection on a regular basis.

However. If you have at least one site with a static IP then just use that on the other endpoint config.
The site with a static IP then uses no endpoint config.

egc · March 3, 2026, 3:34pm

There is also a WireGuard watchdog script which re-resolves the endpoint address again on link down

Or a script which does a full restart:

But no it is not a bug.

Normally the other side should notify of the change do you have keep alive set?
In practice this does not always happen hence the script which is from WireGuard and comes standard with the WireGuard tools

frollic · March 3, 2026, 3:34pm

if DNS is not available, how is it an openwrt issue ?

roschelle63 · March 3, 2026, 4:37pm

DNS is temporarily not available, but the failure to reconnect persists even when DNS comes back.

roschelle63 · March 3, 2026, 4:37pm

yes, keep alive is set.

roschelle63 · March 3, 2026, 4:39pm

yes, I was using Watchcat. That worked fine; it rebooted the router.

But I am noticing that since changing where DDNS resolved from Duck to Cloudflare, Watchcat is no longer needed.

was asking whether wireguard getting “stuck” after n days is considered normal, or a bug. And suggesting that the trigger for getting stuck seems to be flakey DNS for the DDNS.

jeremy

egc · March 3, 2026, 4:50pm

Sure it can be a DDNS problem but as already said only on start will WireGuard resolve the DNS so if that is changed WireGuard can use the wrong address until you resolve the endpoint again to get the new address.
Therefore there is this standard script included to resolve the endpoint again if the endpoint is no longer reachable.

So if you experience this kind of problems after an IP change of the other side then use the script.

systemcrash · March 3, 2026, 5:09pm

As long as both ends use keepalive, there’s no problem. WireGuard has ‘roaming’ built in by virtue of tracking the connection via the key, so both sides can change their IPs, as long as they don’t both do it at the same time.

lleachii · March 3, 2026, 5:10pm

You can use the Wireguard watchdog to have WG update itself every so often. You can place this in your scheduled tasks.

/usr/bin/wireguard_watchdog

roschelle63 · March 4, 2026, 6:39pm

Thank you all. What I learned is:

use keep alive on both ends
use watchcat/watchdog to restart or reboot wireguard when necessary

And I also think that using duckdns for DDNS was causing problems for me; happier with Cloudflare ddns.

jeremy