WireGuard client - restore WAN connectivity in failure case

I have completed setup of WireGuard client on my router based on this tutorial.

Now I'm searching for solutions for this task:
restore WAN connectivity in failure case

I have found Dynamic connection that is adding metric to WAN interface.
My questions for this implementation:

  • Why is no metric for wireguard interface set?
  • Is this correct: the lower the metric, the higher the priority of the relevant interface?
  • Is this correct: Dynamic connection will address the issue if wireguard interface is down?

However there's another issue: wireguard interface is up, but there's a network failure, e.g. VPN endpoint not responding, VPN DNS not responding.

Actually I would need a wireguard watchdog that pings VPN DNS, and in case there's no response restores WAN connectivity.

Mullvad is sharing a watchdog script here, but this reboots the router.

Any advise is highly appreciated.

My understanding is that this:

will automatically result in failover to 'wan' if WireGuard peer is down. Admittedly I have not been able to test this because my peer is so reliable, but if I just manually stop the WireGuard interface then traffic gets rerouted through 'wan'.

Can anyone please confirm?

I have verified Dynamic connection by taking WireGuard interface down (ifdown wg0).
The default route switches from (with wg0 up)

root@eddie:~# ip r
default dev wg0 proto static scope link 
default via dev wan proto static src metric 100 via dev wan proto static metric 100 dev wan proto static scope link metric 100 

to (with wg0 down)

root@eddie:~# ip r
default via dev wan proto static src metric 100 via dev wan proto static metric 100 dev wan proto static scope link metric 100 

In my opinion this works as expected.

Right but as for the netifd failover described above does this mean connectivity will be restored if WireGuard peer stops responding? Since taking interface down is a bit synetic isn't it? Or does it take itself down if peer stops responding? E.g. failed handshake or something?

this should help you

you can also import your WireGuard VPN settings into OpenWrt to avoid the settings and then just route your router

Or use a watchdog restart interface after fails

opkg install watchcat

Actually I'm not looking for a solution that seperates networks (or network interfaces) logically to either use a VPN connection or ISP connection for internet traffic.
Instead I want the VPN connection to be used by any subnet provided by the router.
Only in case the VPN connection has a failure WAN should be used.

As written before, for the scenario that WireGuard interface is down, Dynamic connection works as expected.

Now I added a wg-watchdog script that checks if DNS servers, that are only reachable via VPN tunnel, respond. In case there's no response WireGuard interface will be stopped.
Here's the current version of wg-watchdog.sh script:


## Ping IVPN DNS that can only be reached via the VPN tunnel.
## If no contact, put wg interface down.


while [[ $tries -lt $repeat ]]; do
	if /bin/ping -c 1 $dns1; then
		logger -t "wg0" IVPNdns1 is reachable
		exit 0
        elif /bin/ping -c 1 $dns2; then
		logger -t "wg0" IVPNdns2 is reachable
		exit 0
	elif /bin/ping -c 1 $dns3; then
		logger -t "wg0" IVPNdns3 is reachable
		exit 0
	logger -t "wg0" WireGuard failure

logger -t "wg0" WireGuard failed, putting wg interface down
ifdown $wgInterface

Network > your interface WIREGUARD CONFIG > peers > edit (peers) > Route Allowed IPs (check option) and SAVE

WireGuard will route all traffic to it

I know this already.
But this is not the topic of this discussion.

In my opinion there's an issue with function restart interface.
In case the DNS servers offered by VPN provider, that are only reachable via VPN tunnel, are not reachable, it would not help to restart the interface because there's potentially a root cause on VPN provider side for this issue.
In exactly this scenario I need to ensure that any internet connection uses WAN, means I need to take WireGuard interface down.

tried this on your firewall, put the wan interface on all the others you always want the internet to work

  • prontonvpn (my wireguard)
  • vpn (my interface default vpn)

Firewall > YOUR WIREGUARD INTERFACE > edit > Allow forward from (add the interface and you want to always have the wan interface)


don't forget to check your wireguard interface (MASQUERADE and MSS clamping)

I don't understand this setup.
Why do you configure a vpn interface with forward from wan and protonvpn?
What is the use-case for this?

I don't route all my traffic to WireGuard, I just route one interface, called "vpn"

In this interface that you see, it uses WIreGuard by default on the connection, but if the connection drops it will use WAN by default

Also, this configuration is used to use the package (vpn-policy-routing) to route a device through wg0 or wan

I understood that interface vpn is like a "consolidation interface" for any outbound traffic.
This means there could be multiple WireGuard, OpenVPN, etc. interfaces.

However I don't understand how this works if WireGuard connection drops that WAN will take over?
Could you please share the relevant network configuration?

You seem to have correctly latched onto the concern I had, namely that just because traffic is redirected when interface goes down, this doesn't necessarily mean connectivity is restored if a peer stops responding.

The netifd solution indeed seems appropriate for setting up VPN as default with 'wan' as a failover, but I'm just not sure what happens when a peer stops responding.

If WireGuard peer stops responding won't the interface go down automatically anyway?

Else the title in:

is rather misleading, right?

I guess this could be the solution I'm looking for.

However, the "big" unknown is:
How does it recognize that VPN is down or not working?

I'm not sure if WireGuard interface goes down if peer stops responding.
But I can verify this because my VPN account validity ends on Saturday. After this date I cannot connect to VPN endpoint anymore.

whats VPN provider?

So "Route LAN to VPN with failover to WAN" is the next test.
If you want to test this implementation prior to the end of your account validity anniversary; you could force the issue by changing your account credentials from/on a mobile device, thus making the routers credentials obsolete. This would kill the peer, and the next logic would be the failover to WAN.

That's a hard turn to test but an idea non-the-less.

1 Like

Is my understanding correct that these settings (with route and rule) are not required?