"wg set" not working

Wireguard VPN is set up on OpenWrt and works perfectly.

However, when I run this command to change the endpoint:

wg set wg0 peer $publickey endpoint $ip:$port

All the variables are correct of course. But I don't see any change. It's still using the old endpoint. I wish to change the endpoint without interrupting the connection by restarting the interface.

Happy about any hints.

How's that supposed to work?

I thought it was possible. I thought it was what wireguard_watchdog is doing here:

# re-resolve endpoint hostname if not responding for too long
last_handshake=$(wg show "${iface}" latest-handshakes | grep "${public_key}" | awk '{print $2}')
[ -z "${last_handshake}" ] && return 0
idle_seconds=$(($(date +%s)-${last_handshake}))
[ "${idle_seconds}" -lt 150 ] && return 0
logger -t "wireguard_monitor" "${iface} endpoint ${endpoint_host}:${endpoint_port} is not responding for ${idle_seconds} seconds, trying to re-resolve hostname"
wg set "${iface}" peer "${public_key}" endpoint "${endpoint_host}:${endpoint_port}"

I mean, what is wg set even doing, if it doesn't have any effect?

The problem isn't (re)connecting; if it happens below the timeout value for whatever application is using the tunnel, no one will (probably) notice, assuming you get the same IP back on the other end.

But if you change the endpoint, the IP where the WG tunnel ends (on the internet?) will change, right?

So what's the fastest way to change the wg endpoint then?

I tried ifdown wg0 && ifup wg0 and it works, but streaming applications fail during the restart this way. Or is there no way around this?

What about wg-quick down wg0 && wg-quick up wg0? (wg-quick isn't included in wireguard-tools though, for some reason)

There isn't, AFAIK.


Okay, too bad. My reason for this is that a specific VPN server might become busy and slow, requiring a change to another, less busy server.

Just curious. Is there a reason you don't try setting this up via the OpenWrt configuration?

Perhaps have 2 configs, test disabling one, etc.

Maybe not what you are looking for but I use a script with which I can toggle WG tunnels on/off via the command line.
Basically I use my phone with an SSH client to switch tunnels:


I'm not sure what you mean? Can you elaborate?


Network configs for OpenWrt are made:

  • at /etc/config/network
  • through the command line using uci commands
  • or on the LuCI web GUI - by browsing to Network > Interfaces > Add (you just need to install luci-proto-wireguard and dependencies)

I'm merely asking why you haven't mentioned making Wireguard interface configurations via one of these standard methods.


Sorry, I thought it was given that I already have such an interface configured, if my question is how to change the endpoint of it?

Can you show this Wireguard configuration in /etc/config/network?

Redact the keys, and you can use example addresses for the endpoints.

I'm more versed in editing the file, but another user could provide the UCI commands for you to change the endpoint and reload the interface.

To be clear, in general, your streaming will stop if your TCP/IP connection parameters change (e.g. the IP of the VPN SRC traffic) - but usually that's seamless if there's a buffer on the player.

I already know how to do it with restarting the interface:

uci set network.@wireguard_"$iface"[0].endpoint_host="$new_ip"
uci commit network
ifdown "$iface" && ifup "$iface"

Question remains how to get it working without the restart, but by using wg set instead.

/etc/config/network:

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd22:cf41:ae7a::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr '94:83:c4:a5:00:d5'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a5:00:d5'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a5:00:d5'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a5:00:d5'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a5:00:d5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr '94:83:c4:a5:00:d3'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option defaultroute '0'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

config interface 'wwan'
	option proto 'dhcp'

config interface 'AirVpn'
	option proto 'wireguard'
	option private_key 'xxxxxx'
	list addresses 'xxxxxx/32'
	list addresses 'xxxxxx/128'
	list dns 'xxxxxx'
	list dns 'xxxxxx::1'

config wireguard_AirVpn
	option description 'Imported peer configuration'
	option public_key 'xxxxxx'
	option preshared_key 'xxxxxx'
	option persistent_keepalive '25'
	option endpoint_host 'xxxxxx'
	option endpoint_port '1637'
	option route_allowed_ips '1'
	list allowed_ips '0.0.0.0/0'
	list allowed_ips '8000::/1'
	list allowed_ips '::/1'

Wow, gotcha. You may have to script this yourself - and if you need OpenWrt's firewall, etc., add the interface to the config as unmanaged protocol 'none'.

It's not clear why you use the UCI to configure the interface, but then wish to use underlying commands to alter it (BTW, not supported in OpenWrt).

Just curious, is there a reason for that in your use case?

Also, would you need to revert to the configuration in the UCI after altering it via the wg command?

I created the interface using luci.

My intention is simply to change the endpoint of the VPN to another server whenever the previous server becomes too loaded and thus, slow.

Using wg set however doesn't seem to do anything. A Reddit user has an idea why that may be (all VPN servers use the same public key):

Are both servers using the same public key? Otherwise you need to update allowed IPs as well. Are you aware of the fact that the endpoint address will be changed when you receive (authenticated) traffic from the endpoint (i.e. identified by the public key), which means it will be reverted back to the old address if the two servers use the same public key and you receive traffic from the old server. Something you can try is to drop the old connection with conntrack, and add a firewall rule which denies traffic from the old server (in case your firewall would allow it otherwise).

The reason I use uci to change the endpoint is because it works, at least after a restart of the vpn interface. So that works. The problem with that approach is that streaming services exit the player when doing so. The video is not just paused for a second.

So I wonder whether there is a more 'graceful' approach.
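An added example, not code from this thread, from OpenWrt or from wireguard_watchdog. It pulls together the three pieces discussed so far: the idle-time check quoted from the watchdog, the uci update that was already used together with ifup, and the observation in the quoted Reddit comment that WireGuard moves a peer's endpoint to wherever authenticated traffic for that public key last came from, so a `wg set` can be undone by the old server if both servers use the same key. Rather than assume the live switch took, the script asks the kernel afterwards what endpoint it actually has. The interface name, UCI section, peer key and server address are placeholders passed as arguments; the parsing helpers read captured `wg show` output on stdin so they can be tried without a live tunnel.

```shell
#!/bin/sh
# Added example for this thread (not from OpenWrt or wireguard_watchdog).
# Assumes busybox ash on OpenWrt with wg, uci, date and logger installed.
# All names below (interface, UCI section, key, server) are placeholders.

# Seconds since the peer's last handshake, read from
# `wg show <iface> latest-handshakes` on stdin. A peer that never
# completed a handshake is reported by wg as 0, so it comes out as
# "now" and counts as stale, exactly as in wireguard_watchdog.
# Prints -1 if the public key is not in the output at all.
peer_idle_seconds() {
    pubkey="$1"; now="$2"
    last=$(awk -v k="$pubkey" '$1 == k { print $2 }')
    if [ -z "$last" ]; then
        printf '%s\n' -1
    else
        printf '%s\n' $((now - last))
    fi
}

# Endpoint the kernel currently holds for the peer, read from
# `wg show <iface> endpoints` on stdin; "(none)" if unset or unknown.
peer_endpoint() {
    pubkey="$1"
    awk -v k="$pubkey" '$1 == k { print $2; found = 1 }
                        END { if (!found) print "(none)" }'
}

# Same 150 s threshold the watchdog uses; -1 (unknown peer) is not stale.
peer_is_stale() {
    [ "$1" -ge 150 ]
}

# Live switch followed by a check of what actually happened:
#  1. change the running peer without touching the interface,
#  2. persist the new server in UCI so a later ifup does not revert it,
#  3. read the endpoint back; if the old server (same key) is still
#     sending traffic, WireGuard roams back to it and this reports it.
# IPv6 hosts must be passed in brackets, e.g. '[2001:db8::1]'.
switch_endpoint() {
    iface="$1"; section="$2"; pubkey="$3"; host="$4"; port="$5"
    wg set "$iface" peer "$pubkey" endpoint "$host:$port" || return 1
    uci set "network.$section.endpoint_host=$host"
    uci set "network.$section.endpoint_port=$port"
    uci commit network
    sleep 5
    now_ep=$(wg show "$iface" endpoints | peer_endpoint "$pubkey")
    if [ "$now_ep" != "$host:$port" ]; then
        logger -t wg_switch "$iface: asked for $host:$port, kernel now has $now_ep"
        return 2
    fi
    logger -t wg_switch "$iface: endpoint is now $host:$port"
}

# Usage (placeholders):
#   wg_switch.sh AirVpn '@wireguard_AirVpn[0]' '<peer pubkey>' 203.0.113.10 1637
if [ "$#" -eq 5 ]; then
    switch_endpoint "$@"
fi
```

If `switch_endpoint` returns 2, the kernel did not keep the endpoint you asked for, which is the symptom described in this thread; the return value is the signal to fall back to `ifup` rather than assume the stream is now going through the new server.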

I barely followed that pseudo concept you quoted.

There would be no traffic from the old IP...unless this is another value being altered and wasn't mentioned.

Just to be clear of your use case. Are you merely switching e.g. geographical servers from the same VPN service, or something else?

Basically as the quote asked, do both endpoints have your public key and allowed IP listed, correct?

Edit:

Or are you saying you have some "out-of-band" knowledge that the remote endpoint changed its IP - and that that new IP can't simply update by sending new packets?

Are you merely switching e.g. geographical servers from the same VPN service, or something else?

This. It's a very simple thing really. The only parameter that changes from server to server is the endpoint. All other things stay the same (public key, private key, allowed IPs, etc.)

Doesn't change anything, but I noticed that ifdown is unnecessary. ifup = reset