Wireguard interfaces sometimes do not come up automatically in 21.02

I have a wireguard interface defined using uci. The router reboots every night. Roughly 5% of the time the interface does not come up properly, and the command wg produces no output. This happens only on 21.02.

What can I run on the command line to simulate OpenWRT bringing up the wireguard interface on boot? I would like to be able to see what is happening and debug how it is breaking in 21.02. /etc/init.d/network reload does not manage to bring up the interface.

Sounds like there might be a race condition? Maybe try scripting the setup with logging along with each step?

1 Like

I have encountered the same problem with one of my routers. Try the time sync/race condition fix as suggested by @Borromini.

See this recent post:
https://forum.openwrt.org/t/no-wireguard-handshake-double-router-configs-included/105500/2

1 Like

Try to explicitly specify the tunlink option, it can affect the route to the endpoint.

1 Like

What does binding the tunnel to an interface achieve?

Not sure if it's relevant but try using an IP address instead of a host name in the Endpoint Host field of peers configuration since these are resolved prior to bringing up the interface and if you're tunneling all your data through wireguard that could prevent DNS resolution.
Also use some IP address for NTP server candidates, since if DNS doesn't work, time isn't synced and wireguard will fail to connect since it's time sensitive.
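
The check suggested in the post above, as an added example that is not part of the thread or any poster's code: it scans UCI config text for WireGuard peer `endpoint_host` values and NTP `timeserver` entries that are names rather than IP literals, the entries that depend on DNS at boot. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Reads UCI config text on stdin and prints
# "<section-type> <option> <value>" for each WireGuard peer endpoint_host or
# NTP timeserver entry that is a name, i.e. one that needs working DNS at boot.
# On a router: cat /etc/config/network /etc/config/system | find_dns_dependent

find_dns_dependent() {
    awk -v sq="'" '
    # Strip one leading and one trailing quote character from a UCI value.
    function unquote(s) {
        sub("^[" sq "\"]", "", s); sub("[" sq "\"]$", "", s); return s
    }
    # Loose literal check: dotted quad, or hex/colon text containing ":".
    function is_ip(v) {
        if (v ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 1
        return (v ~ /:/ && v ~ /^[0-9A-Fa-f:.]+$/)
    }
    function report(v) { v = unquote(v); if (!is_ip(v)) print type, $2, v }
    # Remember the type of the section the following options belong to.
    $1 == "config" { type = unquote($2); next }
    $1 == "option" && $2 == "endpoint_host" && type ~ /^wireguard_/ { report($3) }
    $1 == "list" && $2 == "server" && type == "timeserver" { report($3) }
    '
}

# Constructed sample in the format of /etc/config/network and /etc/config/system.
sample_config() {
    cat <<'EOF'
config interface 'wg0'
    option proto 'wireguard'

config wireguard_wg0
    option endpoint_host 'vpn.example.org'
    option endpoint_port '51820'

config wireguard_wg0
    option endpoint_host '192.0.2.10'

config timeserver 'ntp'
    list server '0.openwrt.pool.ntp.org'
    list server '192.0.2.123'
EOF
}

sample_config | find_dns_dependent
```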

Just had it happen again, with wg0 not defined after reboot. In my logging I can see that DNS lookups were working fine before the attempt to bring up the Wireguard interface. So that does not seem to be the problem in this case.

  • What protocol is the upstream interface configured with?
  • Do you have more than one upstream interface or IPv6?
  • Have you configured PBR or any custom rules/tables/routes?

The upstream is only ipv4. There are no LAN clients for the router.

The tunnel can in theory send ipv6, and within wg there is an ipv6 address associated with wg0.

I do have one PBR rule in place, directing all traffic originating from the LAN to wg0. But as I mentioned there are no hosts on the LAN.

1 Like

What is the make/model of your openwrt router?

1 Like

Then it could be a race condition related to the PBR implementation.

This is a tp link wr841n-v13. It is running OpenWrt 21.02.0-rc3

You should certainly upgrade to the latest stable release.

Would love to but I have no physical access to the router right now.

1 Like

In case it is useful to anyone else, I found a decent way to restart wireguard from the command line:

# ubus call network.interface.wg0 down
# ubus call network.interface.wg0 up

What is the command to restart WAN6? - #2 by vgaetera

3 Likes

One of my 21.02 final-release routers had the problem overnight. The networking config has not changed, and it has been rebooting nightly without problem for the past week.

Trying the following did not bring up wg:

ubus call network.interface.wg0 down
ubus call network.interface.wg0 up
ifdown wg0
ifup wg0

If I fully rebooted, it would likely resolve the issue. But for now I will leave it and try to diagnose...

Why do you have the router rebooting nightly? This is usually not necessary. If you have a problem that requires periodic rebooting, it is best to try to solve that issue at the root rather than masking it by rebooting on a schedule.

The respective down and up commands do the same thing... If one of them doesn't work, the other won't, either. You only need to use one (I prefer the simpler ifdown and ifup commands).

Did you check the router's time? Did you check the system log? Did you check to see that the remote peer was up and running properly and accepting connections?

1 Like

So far I have only seen this problem immediately after a reboot. A daily reboot allows me to make the problem (sometimes) happen, hence I force them to reboot daily. I look forward to eventually being able to cause the problem from the command line!

The router's time is always off by about 24h immediately after reboot, and then ntp quickly synchronizes it. The time is now good and the ifup wg0 does not get me back wireguard. The other end of the connection is up and waiting.

Check when the issue happens:

ifup wg0; sleep 30; wg show; ip route get 1; nslookup example.org; \
head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

1 Like