I'm running a openvpn server and a wireguard server on my router since a few years.
I upgraded my x86-64 router from 23.05 to 24.10 and copied the config files from the old to the new installation.
Everything seems to work, except the wireguard installation.
After a reboot, the wireguard interface vpnwg0 comes up. I can connect to the router and everything seems to work.
However, after a few minutes, the interface goes down and I cannot connect to the router anymore.
I configured the logging of hotplug and netifd to be more verbose. It seems that the hotplug daemon is trying to bring the interface down after a few minutes, but I cannot find out why.
from logread
Sun Jun 15 20:58:43 2025 daemon.notice netifd: Interface 'vpnwg0' is now up
Sun Jun 15 20:58:43 2025 daemon.err netifd[1943]: system_device_update_state(721): vpnwg0: set present=1
Sun Jun 15 20:58:43 2025 daemon.notice netifd: Network device 'vpnwg0' link is up
Sun Jun 15 20:58:43 2025 daemon.err netifd[1943]: device_set_link(994): vpnwg0: event (link_up)
Sun Jun 15 20:58:44 2025 daemon.notice netifd: Interface 'vpn0' is enabled
Sun Jun 15 20:58:44 2025 daemon.notice netifd: Interface 'vpn0' has link connectivity
Sun Jun 15 20:58:44 2025 daemon.notice netifd: Interface 'vpn0' is setting up now
Sun Jun 15 20:58:44 2025 daemon.err netifd[1943]: interface_set_available(492): Interface 'vpn0', available=1
Sun Jun 15 20:58:44 2025 daemon.err netifd[1943]: interface_queue_event(124): Queue hotplug handler for interface 'vpn0', event 'ifup'
Sun Jun 15 20:58:44 2025 daemon.notice netifd: Interface 'vpn0' is now up
Sun Jun 15 20:58:44 2025 daemon.err netifd[1943]: call_hotplug(100): Call hotplug handler for interface 'vpnwg0', event 'ifup' (vpnwg0)
Sun Jun 15 20:58:44 2025 user.notice hotplug-iface: USER=root ACTION=ifup SHLVL=1 HOME=/ HOTPLUG_TYPE=iface LOGNAME=root DEVICENAME= TERM=linux BOOT_IMAGE=/boot/vmlinuz PATH=/usr/sbin:/usr/bin:/sbin:/bin LD_PRELOAD=/lib/libsetlbf.so INTERFACE=vpnwg0 PWD=/ DEVICE=vpnwg0
Sun Jun 15 20:58:44 2025 user.notice firewall: Reloading firewall due to ifup of vpnwg0 (vpnwg0)
Sun Jun 15 20:58:44 2025 daemon.err netifd[1943]: task_complete(109): Complete hotplug handler for interface 'vpnwg0'
Sun Jun 15 20:58:44 2025 daemon.err netifd[1943]: call_hotplug(100): Call hotplug handler for interface 'vpn0', event 'ifup' (tun0)
Sun Jun 15 20:58:44 2025 user.notice hotplug-iface: USER=root ACTION=ifup SHLVL=1 HOME=/ HOTPLUG_TYPE=iface LOGNAME=root DEVICENAME= TERM=linux BOOT_IMAGE=/boot/vmlinuz PATH=/usr/sbin:/usr/bin:/sbin:/bin LD_PRELOAD=/lib/libsetlbf.so INTERFACE=vpn0 PWD=/ DEVICE=tun0
Sun Jun 15 20:58:44 2025 user.notice firewall: Reloading firewall due to ifup of vpn0 (tun0)
Sun Jun 15 20:58:44 2025 daemon.err netifd[1943]: task_complete(109): Complete hotplug handler for interface 'vpn0'
Sun Jun 15 21:00:00 2025 daemon.notice netifd: Network device 'vpnwg0' link is down
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: system_device_update_state(721): vpnwg0: set present=1
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: device_set_link(994): vpnwg0: event (link_down)
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: device_hotplug_event(1466): vpnwg0: set present=0
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: _device_set_present(974): Network device 'vpnwg0' is no longer present
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: __device_set_present(923): vpnwg0: event (remove)
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: device_release(757): Release Network device vpnwg0, new active count: 0
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: device_release(763): vpnwg0: event (teardown)
Sun Jun 15 21:00:00 2025 user.notice hotplug-net: USER=root ACTION=remove SHLVL=1 HOME=/ SEQNUM=1455 IFINDEX=5 HOTPLUG_TYPE=net DEVPATH=/devices/virtual/net/vpnwg0 LOGNAME=root DEVICENAME=vpnwg0 TERM=linux SUBSYSTEM=net BOOT_IMAGE=/boot/vmlinuz PATH=/usr/sbin:/usr/bin:/sbin:/bin INTERFACE=vpnwg0 PWD=/ DEVTYPE=wireguard
Sun Jun 15 21:00:00 2025 daemon.err netifd[1943]: device_release(769): vpnwg0: event (down)
My network config:
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd96:2f48:4579::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.144.2'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth1'
option proto 'static'
option ipaddr '192.168.178.21'
option netmask '255.255.255.0'
list dns '192.168.144.3'
option gateway '192.168.178.1'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
option reqaddress 'try'
option ip6assign '60'
option reqprefix '60'
option ip6hint '60'
option peerdns '0'
list dns 'fd96:2f48:4579::3'
option norelease '1'
config interface 'vpn0'
option proto 'none'
option device 'tun0'
config route
option interface 'lan'
option target '192.168.146.0'
option netmask '255.255.255.0'
option gateway '192.168.144.254'
config route
option interface 'lan'
option target '192.168.147.0'
option netmask '255.255.255.0'
option gateway '192.168.144.31'
config route
option interface 'lan'
option target '192.168.150.0/24'
option gateway '192.168.144.230'
config interface 'vpnwg0'
option proto 'wireguard'
option private_key 'HIDDENKEY'
option listen_port '51822'
list addresses '192.168.148.1/24'
list addresses 'fd00:94::1/64'
config wireguard_vpnwg0
option description 'mbn23'
option public_key 'HIDDENKEY'
option private_key 'HIDDENKEY'
option preshared_key 'HIDDENKEY'
option route_allowed_ips '1'
option persistent_keepalive '25'
list allowed_ips '192.168.148.4/32'
list allowed_ips 'fd00:94::4/128'
My firewall config:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vpn0'
list network 'vpnwg0'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-All-From-MBN-LAP-01-Inbound'
option src 'wan'
list src_ip '192.168.178.41'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-All-From-MBN-LAP-01'
option src 'wan'
list src_ip '192.168.178.41'
option dest 'lan'
option target 'ACCEPT'
option family 'ipv4'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option name 'Allow-SSH'
config rule
option name 'Allow-OpenVPN-443-UDP-Inbound'
list proto 'udp'
option src 'wan'
option dest_port '443'
option target 'ACCEPT'
config rule
option name 'Allow-OpenVPN-1194-Inbound'
option src 'wan'
option target 'ACCEPT'
option dest_port '1194'
config rule 'wg'
option name 'Allow-WireGuard0'
option src 'wan'
option dest_port '51822'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Allow-Wireguard-53'
list proto 'udp'
option dest_port '53'
option target 'ACCEPT'
option src 'wan'
config rule
option name 'Disable 8.8.8.8'
option dest 'wan'
list dest_ip '8.8.8.8'
option target 'DROP'
option src 'lan'
config rule
option name 'Disable 8.8.4.4'
option src 'lan'
option dest 'wan'
list dest_ip '8.8.4.4'
option target 'DROP'
config redirect
option dest 'lan'
option target 'DNAT'
option name '53 UDP to Wireguard'
option family 'ipv4'
option src 'wan'
option src_dport '53'
option dest_port '51822'
option dest_ip '192.168.144.2'
list proto 'udp'
config redirect
option dest 'lan'
option target 'DNAT'
option name '443 UDP to OpenVPN'
list proto 'udp'
option src 'wan'
option src_dport '443'
option dest_ip '192.168.144.2'
option dest_port '1194'
wg show
root@wrt-router:~# wg show
interface: vpnwg0
public key: (hidden)
private key: (hidden)
listening port: 51822
peer: HIDDENKEY
preshared key: (hidden)
allowed ips: 192.168.148.4/32, fd00:94::4/128
persistent keepalive: every 25 seconds
Thank you for helping me.
BR Marc