Wireguard not re-establishing connection

mkhan · March 6, 2021, 11:30pm

Hi My Wireguard connection drops every couple of days which I think is either due to VPN changing ip address or connection just dropping for unknown reason. When this happens it doesn't re-establish the Wireguard VPN connection again unless I delete the Wireguard interface and setup the connection from scratch. Even restarting the router doesn't fix the issue.

Is there a way I can get it to re-establish the VPN connection without having to set it up again?

Thanks in advance.

iplaywithtoys · March 6, 2021, 11:33pm

Are you using WireGuard on OpenWRT, or on another system?

mkhan · March 6, 2021, 11:36pm

I have a router running Openwrt 19.07.6

vgaetera · March 7, 2021, 4:06am

Apply these workarounds:

If the problem persists, then also apply this and reboot:

https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#race_conditions

mkhan · March 7, 2021, 3:28pm

Thanks, will give that a go and see what happens. The problem usually happens every 5-7 days therefore I won't know immediately if it helps but will monitor over the week.

mkhan · March 13, 2021, 10:44pm

The issue still seems to be happening after applying the workarounds. The VPN connection is not dropping but I lose connection on the device that is connected to the router via ethernet cable. This seems to happen about every 5-7 days or so. If I delete the VPN interface in network and set it up again then I'm ok for another 5-7 days.

This issue is doing my head in and I tried searching the forum and can't seem to find a solution. Can you advise?

Thanks.

vgaetera · March 13, 2021, 10:52pm

When the issue happens, collect the diagnostics from both server and client and post it to pastebin.com redacting the private parts:

ubus call system board; uci show network; uci show firewall; crontab -l; \
wg show; ip address show; ip route show table all; ip rule show; iptables-save

mkhan · March 13, 2021, 11:21pm

I have removed the private keys and ip addresses for VPN.

Thanks.

vgaetera · March 14, 2021, 12:02am

uci -q delete network.VPNUnlimited.listen_port
uci -q delete network.@wireguard_VPNUnlimited[0].allowed_ips
uci add_list network.@wireguard_VPNUnlimited[0].allowed_ips="0.0.0.0/0"
uci commit network
/etc/init.d/network restart
sleep 10
/etc/init.d/vpn-policy-routing restart

mkhan · March 14, 2021, 12:22am

I have tried the above and it's still not working. I don't think the allowed ips was the issue as it still was dropping connection to wired device when set to 0.0.0.0/0.

It is very strange that it's effecting wired connections and not when using wireless. It intially works for almost a week then drops for no reason like it don't like anything plugged into the router.

vgaetera · March 14, 2021, 12:35am

Remove the listen port from the WG interface.
Try restarting the VPN-PBR service.

mkhan · March 14, 2021, 12:09pm

I have removed listen port and restarted VPN PBR and it did not make any difference. I was thinking is there a way to add device via MAC address in VPN And PBR instead of ip and would this work?

vgaetera · March 14, 2021, 12:20pm

It is more reliable to set up static DHCP leases:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#static_leases

caxito · August 10, 2021, 9:06am

I have the same problem as topic-starter. As soon as my internet-provider drops the connection due to account arrears or ISP-router reboots, it is not possible to connect to VPN. Restarting of WG-interface, rebooting openwrt-router, etc result to nothing.

screen_2021.08.07_1

So I try to apply mentioned advises. But

screen_2021.08.10

Initially I set up my router according to this manual.

Silmilar topics:
WireGuard only TX no RX traffic
Wireguard interface not working properly after reboot
Wireguard connection not being restored

vgaetera · August 10, 2021, 12:26pm

Increasing metric on the WAN interface should be enough.

caxito · August 10, 2021, 1:27pm

I applied dynamic_connection, dynamic_address, race_conditions tweaks, but unfortunately it didn`t help. Please, take a look on the settings.
pastebin

vgaetera · August 10, 2021, 1:50pm

What is the reason for adding that static route and using the custom routing table?

caxito · August 10, 2021, 2:08pm

In order to bypass wireguard-VPN for some sites. Found the solution here.
I must admit, that everything works fine with these options, until internet connection, provided by ISP router, drops down. Or power failure. Then it is impossible to connect to VPN-server without creating new interface etc.

vgaetera · August 10, 2021, 2:21pm

Better use this:

uci -q delete network.@route[0]
for IPV in 4 6
do
uci set network.lan.ip${IPV}table="1"
uci set network.wan${IPV%4}.ip${IPV}table="2"
uci -q delete network.lan_wan${IPV%4}
uci set network.lan_wan${IPV%4}="rule${IPV%4}"
uci set network.lan_wan${IPV%4}.in="lan"
uci set network.lan_wan${IPV%4}.mark="1"
uci set network.lan_wan${IPV%4}.lookup="2"
uci set network.lan_wan${IPV%4}.priority="30000"
done
uci commit network
/etc/init.d/network restart

If the issue persists, also enable this:
https://openwrt.org/docs/guide-user/advanced/hotplug_extras

mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/00-vpn-reconnect
if [ "${INTERFACE}" != "VPNUnlimited" ]
then ifup VPNUnlimited
fi
EOF

caxito · August 11, 2021, 7:32am

Should I delete any existing options, when apply this?