Wireguard interface not working properly after reboot

I have wireguard successfully setup and working on my device in a "full vpn" style mode (allowed ips 0.0.0.0/0, and route allowed ips checked). Everything works until a reboot (which unfortunately happens often with power outages in my area).

After reboot, the wg interface is up yet the RX always shows 0 bytes. I can ping the wg endpoint directly, so the internet is working.

I've also tried restarting the network (via /etc/init.d/network) and bringing the wg iface down/up with luci and ip. No luck.

The "fix" is to connect to a different wireguard endpoint. I do this by entering a different endpoint and public key in luci, then save the iface. After doing this traffic flows through the tunnel as expected. Finally, I change back to my preferred endpoint (the one that was configured on boot) and it continues to work as expected.

I find this mighty strange :\ What's the deal here?

Assuming the problem is not on the other end, it sounds like the wireguard module does not properly initialize the connection, whereas the script run on changed settings does.

Might be worth contacting the developers.

LP,
Jure

Is your firewall open for the UDP port that you used for the wg instance?

If the port is closed, the remote endpoint cannot deliver the encrypted UDP data to the router.

@lleachii The firewall isn't the issue, refer to my original post where I said that the wg interface works fine after I edit/change the settings. If the firewall was the issue, then merely changing the wireguard peer endpoint wouldn't make it subsequently work. Or am I mistaken here?

@dustwolf Hm, this is what I suspected. I will do so.

Could you please post the output of cat /etc/config/network and cat /etc/config/firewall? Please make sure you obscure important information in that output, such as the private and public key in the network configuration file.

Unless I'm missing something, changing endpoints could temporarily fix your issue.

Why? Because you are setting a new endpoint...and likely testing the connection. You wouldn't need the firewall to be open until the initial connection state timed out; then your firewall would be closed.

Setting a keepalive might work, if you prefer to keep your firewall closed.

Also, be sure the wg packages are up to date. They were not included in a firmware (unless it's custom), so would be safe in this instance.

This might be a DNS issue. I remember reading somewhere about wireguard being time sensitive.
I also run into this problem if my router reboots, and if I set the DNS on my wan interface to something like 8.8.8.8 (Google DNS) I get no problems on router reboot...
Problem is, I'm not sure how to allow only NTP to use the Google DNS and have all other traffic forwarded to the VPN server running wireguard..

Same issue, but I solved it now:
This issue is caused by the incorrect system time on the router after reboot; maybe the router can't connect to an NTP server before wireguard is connected. So the time info in the handshake packet which the router sends to the wireguard server is earlier than the time info in the previous handshake packets, so the wireguard server refuses the connection.

To solve it, just change the NTP server config to a server which the router can connect to before wireguard is connected.

Could you please elaborate a little bit more?

Just make sure the system time on your router is correct, or the Wireguard server will refuse to let you connect again.

The router usually doesn't have an RTC, so the system time will be incorrect if you unplug the power for the router. Usually openwrt connects to an NTP server after boot to sync the time, and then the time will be correct. But if wireguard proxies all the traffic, the router can't reach the NTP server before the wireguard interface is connected, yet wireguard needs a correct time to connect, so it is a dead loop.

To solve this, one solution is to only let Wireguard proxy all ipv4 traffic, and find and set an NTP server with ipv6 support on the router (in luci System/Time Synchronization).
Or you could apply a delayed boot for the wireguard interface, giving the router some time to finish the time synchronization before trying to connect to the WireGuard server.
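One way to do the "delayed boot" idea above, as an added example that is not from any poster in this thread: a small script that holds the WireGuard interface down until the clock reads a plausible time (on a router with no RTC that only happens once NTP has synced), then brings it up. Assumed, not from the thread: the interface is named wg0 with `option auto '0'` so netifd leaves it down at boot, the script is called with `--run` from /etc/rc.local, and CLOCK_SANE_AFTER is a placeholder for your firmware's build date.

```sh
#!/bin/sh
# Delay bringing up WireGuard until the system clock is plausibly correct.
# Added example, not part of the thread or of OpenWrt itself.
# Why: a router without an RTC boots with a bogus early time, and the peer
# rejects handshakes whose timestamp is older than the last one it accepted,
# so the tunnel cannot come up until NTP has fixed the clock.
# Assumptions: wg0 is configured with `option auto '0'` in /etc/config/network,
# and CLOCK_SANE_AFTER is a placeholder for the firmware build date.

# Epoch seconds for 2019-10-01 00:00:00 UTC (placeholder: use your build date).
CLOCK_SANE_AFTER=1569888000

# clock_is_sane NOW [THRESHOLD]: succeed if NOW (epoch seconds) is at or after
# THRESHOLD. A clock earlier than the build date cannot be real.
clock_is_sane() {
    [ "$1" -ge "${2:-$CLOCK_SANE_AFTER}" ]
}

# wait_for_clock MAX_TRIES SLEEP_SECS [TIME_CMD]: poll TIME_CMD (default: date +%s)
# until clock_is_sane succeeds; fail after MAX_TRIES polls.
# TIME_CMD is injectable so the logic can be tested without touching the clock.
wait_for_clock() {
    max="$1"; delay="$2"; time_cmd="${3:-date +%s}"
    i=0
    while [ "$i" -lt "$max" ]; do
        if clock_is_sane "$($time_cmd)"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done
    return 1
}

# Entry point, only when invoked as "script --run" (e.g. from /etc/rc.local),
# so that sourcing the file for tests runs nothing.
if [ "${1:-}" = "--run" ]; then
    # Up to 60 polls, 5 s apart: give NTP about five minutes.
    if wait_for_clock 60 5; then
        logger -t wg-delay "clock looks synced, bringing up wg0"
    else
        # Do not stay down forever: a stale clock is recoverable later,
        # a tunnel that is never started is not.
        logger -t wg-delay "clock never looked sane, bringing up wg0 anyway"
    fi
    ifup wg0
fi
```

Because wg0 stays down during the wait, the default route is still the plain WAN, so NTP (and the DNS lookup for its server name) can succeed before the tunnel captures all traffic.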

Could you please specify how to add a delay for the wireguard boot up? Thanks.

I had the same trouble. Wu23333 is right, the router can't find the NTP servers by domain name because DNS is routed by wireguard too... So changing the NTP server names to IPs (I used the first link in google: ip ntp) helped me.