Wireguard connection hook/trigger (for automations)

Hi,

I have installed Wireguard on OpenWRT.
Now I want to initiate a trigger (e.g. call to an API) when a connection is made.
Is there a hook I can configure for this type of automation?

Research hotplug: https://openwrt.org/docs/guide-user/base-system/hotplug

An example of one of my hotplug scripts, which changes the DNS server on ifup of the WG interface:


Thanks, I will have a look into this and your script.
to call the API, you would add to your script something like this?:
wget -O- --post-data='{"data from the hook..."}'
And how would I get the device name connected?

Not sure what you want; hotplug is for actions triggered by, e.g., the interface.

If your goal is to setup or change an interface you need the uci system:
https://openwrt.org/docs/guide-user/base-system/uci

I don't think the suggested idea will work. The interface doesn't change when a second client connects, and I am not even sure it happens when the first one connects, if the service is already running.

The link state doesn't change when a new client connects. You would only see new traffic in the interface from a new IP. But other than that, no.
It would have to be a feature built into wireguard itself to call some script or best case call ubus with something you can listen to.


I read this as: When a remote device connects to the OpenWrt WG interface, I want to trigger a hook, right? (And not, when the wg-interface comes up...)

If that's so, that's not gonna fly, because wireguard is stateless.
I get neither from wireguard nor from iproute2/ip monitor any indication that a peer just connected aka sends you data.

What do you want to do?

Edit: Besides that, a friend of mine came up with a pretty stupid solution...
The "server" blocks all traffic from a client, except a single IP, where a web server is running. The remote user needs to visit that site and use 2FA; this then triggers a script which reloads/sets the firewall rules for the user and can exec various other scripts...

[quote="_bernd, post:6, topic:221709"]
I read this as: When a remote device connects to the OpenWrt WG interface, I want to trigger a hook, right? (And not, when the wg-interface comes up…)
[/quote]

Yes, this is correct.

[quote="_bernd, post:6, topic:221709"]
What do you want to do?
[/quote]

One idea I had, was, that upon connection, I get notified on e.g. telegram that xxx has joined the VPN
Next step would be to send this information to HomeAssistant for logging…

As for your friend's idea, there may be a trick like that for what I am trying to achieve, combined with a cron job…

[quote="_bernd, post:6, topic:221709"]
wireguard is stateless
[/quote]

But LuCI knows/displays that a connection is made, correct? (I am not sure about that.)

I only know about what wg / wg show can give you:

root@cpe:~# wg
interface: wg0
  public key: AAA
  private key: (hidden)
  listening port: 16384

peer: XXX
  endpoint: X:37861
  allowed ips: 192.168.240.2/32, fde6:a09a:b373:f0::2/128
  latest handshake: 18 minutes, 36 seconds ago
  transfer: 235.20 MiB received, 2.46 GiB sent

peer: YYY
  endpoint: Y:54713
  allowed ips: 192.168.240.4/32, fde6:a09a:b373:f0::4/128, fe80::/10
  latest handshake: 11 hours, 46 minutes, 57 seconds ago
  transfer: 149.36 MiB received, 8.66 GiB sent

peer: ZZZ
  allowed ips: 192.168.240.3/32, fde6:a09a:b373:f0::3/128

You see, you cannot determine if a peer just connected, is connected, is still connected, or lost/terminated the connection.
The UDP packet hits the socket/interface, and it gets processed.


Thanks. Even this is very useful.
I can have a cron job that checks the latest handshake from each client.
I believe this could work, right?

Or, I can make it even more intelligent, and compare it (except the transferred data) with the previous version and, if different, notify me.

If once per minute is enough for you, then sure.
Regarding the handshake; I would set the keepalive to like 30.

Yeah, that would also be my idea. Please share the results when finished. Because I also thought that it would be helpful to know when someone connects to the VPN.

And I mean "seen recently" is good enough.

Sure, I will share here.
For the moment I am refreshing my sed skills to grab just the useful text.
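Added example for the cron-polling approach the last few posts settle on (this is not code from the thread, nor from the OpenWrt or WireGuard projects): it reads the output of the real `wg show wg0 latest-handshakes` command, keeps the previous snapshot in a state file, and prints which peers became active or went quiet since the last run, plus a JSON payload you could POST to a webhook. The sample handshake lines, the 180-second threshold, the state-file path, the `WG_DEMO` switch and the payload layout are assumptions made for the example; everything is POSIX sh so it runs under BusyBox ash on the router.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-driven check of
# `wg show <iface> latest-handshakes` that reports which peers became active
# or went quiet since the previous run. POSIX sh / BusyBox ash, no bashisms.
#
# On the router the input is the real command output:
#     wg show wg0 latest-handshakes
# which prints one "<peer-public-key><TAB><epoch-seconds>" line per peer
# (0 = never handshaked). The sample below is constructed so this runs
# offline; the keys, timestamps and threshold are illustrative assumptions.

LC_ALL=C
export LC_ALL

STALE_AFTER=180   # seconds without a handshake before a peer counts as quiet
                  # (assumes PersistentKeepalive ~30 s so idle peers still rekey)
STATE_FILE="${STATE_FILE:-/tmp/wg-peer-state}"   # assumed location
WG_IFACE="${WG_IFACE:-wg0}"

# classify_peers NOW HANDSHAKES
#   Turns latest-handshakes output into sorted "<pubkey> active|quiet" lines.
classify_peers() {
    printf '%s\n' "$2" | awk -F '\t' -v now="$1" -v stale="$STALE_AFTER" '
        NF == 2 {
            state = ($2 > 0 && now - $2 <= stale) ? "active" : "quiet"
            print $1, state
        }' | sort
}

# peer_changes OLD NEW
#   Prints "joined <pubkey>" / "left <pubkey>" for peers whose active state
#   differs between two classify_peers snapshots.
peer_changes() {
    old=" $(printf '%s\n' "$1" | awk '$2 == "active" { print $1 }' | tr '\n' ' ') "
    new=" $(printf '%s\n' "$2" | awk '$2 == "active" { print $1 }' | tr '\n' ' ') "
    for k in $new; do
        case "$old" in *" $k "*) ;; *) echo "joined $k" ;; esac
    done
    for k in $old; do
        case "$new" in *" $k "*) ;; *) echo "left $k" ;; esac
    done
}

# check_once NOW HANDSHAKES
#   One cron tick: diff against the saved snapshot, persist the new one,
#   and print the changes (empty output means nothing to notify).
check_once() {
    previous=""
    [ -r "$STATE_FILE" ] && previous="$(cat "$STATE_FILE")"
    current="$(classify_peers "$1" "$2")"
    printf '%s\n' "$current" > "$STATE_FILE"
    peer_changes "$previous" "$current"
}

# notify_payload EVENT PUBKEY
#   JSON body for the HTTP hook (assumed layout). Send it with e.g.
#   wget -O- --header='Content-Type: application/json' --post-data="$body" "$HOOK_URL"
#   where HOOK_URL is your Telegram bridge / Home Assistant webhook.
notify_payload() {
    printf '{"interface":"%s","event":"%s","peer":"%s"}' "$WG_IFACE" "$1" "$2"
}

# --- demo: constructed data by default, live `wg show` when WG_DEMO=0 ---
SAMPLE_NOW=1700000000
# AAA= shook hands 60 s ago, YYY= about 12 h ago, ZZZ= never
SAMPLE_HANDSHAKES="$(printf 'AAA=\t1699999940\nYYY=\t1699957600\nZZZ=\t0')"

if [ "${WG_DEMO:-1}" = 1 ]; then
    now="$SAMPLE_NOW"; handshakes="$SAMPLE_HANDSHAKES"
else
    now="$(date +%s)"; handshakes="$(wg show "$WG_IFACE" latest-handshakes)"
fi
check_once "$now" "$handshakes" | while read -r event peer; do
    notify_payload "$event" "$peer"; echo     # replace with the wget call above
done
```

On the router, save it as e.g. /etc/wg-peer-check.sh, make it executable, add `* * * * * WG_DEMO=0 /etc/wg-peer-check.sh` to /etc/crontabs/root and run `/etc/init.d/cron restart`. Keep the caveat from earlier in the thread in mind: a fresh handshake only means the peer rekeyed, which it does roughly every two minutes while it sends traffic (keepalives count), so "joined" here means "seen recently", not "session started", and a peer that goes silent is only reported once `STALE_AFTER` has elapsed.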
