[Wireguard] VPN Site-to-Site can't handshake randomly

Good morning!!

For the past few months, I have had a site-to-site VPN configured between two R3G routers running OpenWrt 23.05.5 and WireGuard 5.15.167. I know there are newer versions, but since it works fine, I follow the first rule of IT: If it ain’t broke, don’t fix it.

For work reasons, I need all traffic to always exit through the IP of the server router (which, in turn, connects to the ISP router), regardless of where I am working from.

Currently, my setup looks like this:

Site A (server) – ISP router – Internet – ISP router – Site B (client)

Site A is configured with a ddns.net domain.
In 99.99% of cases, Site B is (or will be) behind an ISP router.

My current configuration works perfectly until one day, out of nowhere, the handshake fails. When that happens, even restarting the interface does not reconnect it, and sometimes—only sometimes—restarting the router or leaving it for a while fixes the issue and it reconnects.

I’ve read in several posts that this might be caused by a time difference between the clocks on each side of the VPN, but I also wouldn’t be surprised if I have a misconfiguration somewhere.

In what I believe is a somewhat crude approach, I configured all traffic from Site B to go through the VPN, which is the only connection with access to the WAN. This setup is probably improvable.

A few minutes ago, I made some modifications, and immediately after, the handshake worked again. I’m sharing them here in case they were the missing configuration or if there’s another possible solution.

In the Firewall zones, I modified “lan” so that in “Advanced settings” → “Covered devices” → “radio0.network1”, which I understand makes ONLY WiFi devices use this rule.

At the same time, I created a new zone called “lan2” with the same configuration, except that this one does have access to the “wan” zone. In “Covered devices”, I selected “br-lan”, which I understand redirects the traffic of the entire network to that rule, except for what was previously mentioned in the “lan” rule.

Does this setup make sense? Could this change fix the issue with reconnections and handshakes from now on? How can I improve it?

Really thanks in advance <3

I’m attaching some configuration details that I often see being requested; these settings are from Site B:

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru
{
        "kernel": "5.15.167",
        "hostname": "WG_MAD",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 3G",
        "board_name": "xiaomi,mi-router-3g",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:e4eb:bc35::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'WG_MAD'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '10.10.10.2/24'
        list dns '8.8.8.8'
        option mtu '1280'

config wireguard_WG_MAD
        option description 'WG_CEB'
        option public_key ''
        option route_allowed_ips '1'
        option endpoint_host 'myhost.ddns.net'
        option endpoint_port '51820'
        list allowed_ips '0.0.0.0/0'
        option persistent_keepalive '0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'radio0.network1'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG_MAD'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'WG'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.2/32'
        option dest_port '51820'

config rule
        option name 'Allow-LuCI-WAN'
        list proto 'tcp'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'Allow-SSH-WAN'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'

config zone
        option name 'lan2'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list device 'br-lan'

config forwarding
        option src 'lan2'
        option dest 'wan'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.151/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.3.1/24 brd 192.168.3.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: WG_MAD: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.10.10.2/24 brd 10.10.10.255 scope global WG_MAD
       valid_lft forever preferred_lft forever
default dev WG_MAD scope link
10.10.10.0/24 dev WG_MAD scope link  src 10.10.10.2
*.*.*.108 via 192.168.1.1 dev wan
192.168.1.0/24 dev wan scope link  src 192.168.1.151
192.168.3.0/24 dev br-lan scope link  src 192.168.3.1
local 10.10.10.2 dev WG_MAD table local scope host  src 10.10.10.2
broadcast 10.10.10.255 dev WG_MAD table local scope link  src 10.10.10.2
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.151 dev wan table local scope host  src 192.168.1.151
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.151
local 192.168.3.1 dev br-lan table local scope host  src 192.168.3.1
broadcast 192.168.3.255 dev br-lan table local scope link  src 192.168.3.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

Note: "*.*.*.108" was the public IP of the Site A (server).

The maximum allowed time difference between peers is typically set to 60 seconds. If the time difference exceeds this threshold, the connection may fail to establish or may not function correctly. It's essential for both peers to have their system clocks synchronized, ideally using a time synchronization service like NTP.

Also, I would advise using time.cloudflare.com on both ends and testing that for a while.

Not to me.

Do you want e.g. your wifi clients to use the WAN and other clients use the VPN?

Got it. Thank you very much.

The problem is that with this configuration, I don't think there's any internet connection from Site B except to establish the handshake.

Some more observations: as this is a roaming client, meaning you do not connect from the server to this router but this router always makes the connection, I would remove the listen_port; this default port might be blocked or there might be another server using this port.

In which case you can also remove:

Note: If this was intended to open the port it is actually overcomplicated

Add MSS clamping (mtu_fix) to the zone. Furthermore, you do not masquerade, which is fine; I assume you have 192.168.3.0/24 as Allowed IPs on the server side and have Route Allowed IPs enabled for the return traffic?

You could use a hardware device for that. I read about it, but never tried it myself:
https://openwrt.org/docs/guide-user/services/ntp/gps

1 Like

Thanks for your answer!

No, I want Wi-Fi clients to only use VPN (and Site A is the one providing internet access); the rest of the traffic can go out to the WAN through any site (Site B internet or VPN, regardless).

What's more, I only have three devices that I need to use VPN, but one of them has a fake MAC address (one of those that keeps changing) and I can't configure a VPN client on them due to operating system policies...

Thanks, I'll check out your advice.

This is the configuration for Site A (server).

{
        "kernel": "5.15.167",
        "hostname": "WG_CEB",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Xiaomi Mi Router 3G",
        "board_name": "xiaomi,mi-router-3g",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd4d:c889:1f68::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config device
        option name 'Wireguard'

config interface 'WG_CEB'
        option proto 'wireguard'
        option private_key ''
        option listen_port '51820'
        list addresses '10.10.10.1/24'
        option mtu '1280'

config wireguard_WG_CEB
        option description 'WG_MAD'
        option public_key ''
        list allowed_ips '10.10.10.2/32'
        list allowed_ips '192.168.3.0/24'
        option route_allowed_ips '1'

config wireguard_WG_CEB
        option description 'MiMix2'
        option public_key ''
        option private_key ''
        list allowed_ips '10.10.10.3/32'
        option route_allowed_ips '1'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'WG_CEB'

config forwarding
        option src 'lan'
        option dest 'vpn'

config forwarding
        option src 'vpn'
        option dest 'wan'

config redirect
        option dest 'vpn'
        option target 'DNAT'
        option name 'wg'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.1/32'
        option dest_port '51820'

config rule
        option name 'Allow-LuCI-WAN'
        list proto 'tcp'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'

config rule
        option name 'Allow-SSH-WAN'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'
        list proto 'tcp'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.130/24 brd 192.168.1.255 scope global wan
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: WG_CEB: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1280 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.10.10.1/24 brd 10.10.10.255 scope global WG_CEB
       valid_lft forever preferred_lft forever
default via 192.168.1.1 dev wan  src 192.168.1.130
10.10.10.0/24 dev WG_CEB scope link  src 10.10.10.1
10.10.10.2 dev WG_CEB scope link
10.10.10.3 dev WG_CEB scope link
192.168.1.0/24 dev wan scope link  src 192.168.1.130
192.168.2.0/24 dev br-lan scope link  src 192.168.2.1
192.168.3.0/24 dev WG_CEB scope link
local 10.10.10.1 dev WG_CEB table local scope host  src 10.10.10.1
broadcast 10.10.10.255 dev WG_CEB table local scope link  src 10.10.10.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
local 192.168.1.130 dev wan table local scope host  src 192.168.1.130
broadcast 192.168.1.255 dev wan table local scope link  src 192.168.1.130
local 192.168.2.1 dev br-lan table local scope host  src 192.168.2.1
broadcast 192.168.2.255 dev br-lan table local scope link  src 192.168.2.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

You cannot get a handshake without an internet connection.

It is possible that WireGuard kicks in too soon before time is established.
So disable WireGuard, check that the time is correct, and then enable WireGuard. If this is the problem, you can script this.

A firewall can only block traffic; for routing your clients either to WAN or VPN you need Policy Based Routing (PBR).

Your current firewall does not look OK:

The radios are attached to a network in the wireless settings.
A network can only be in one zone; adding the network and the device is not necessary.

1 Like

Yeah, I agree with this.

I meant that it's possible that by blocking traffic from going out only through "vpn," it can't sync the time until the handshake is established, and therefore, it already has an internet connection. I've occasionally seen "last handshake -45 seconds ago" or similar.

At the same time, this goes against what I'm saying because if there's no internet access, the handshake can never be performed, as you rightly say.

I'm a bit confused about this.

For me to understand the flow correctly: with the "lan" firewall rule, what I'm doing is blocking all traffic from the "lan" network from going anywhere other than "vpn". But the router's own traffic (R3G) wouldn't be included in this rule, right? In other words, the R3G will always have access to the WAN for its tasks (handshake, time sync, etc.) regardless of the firewall rules.

Regarding time synchronization, it usually stops working and doesn't re-handshake (sometimes) when the connection isn't in use for a while.
For example, it had been working since Monday until this morning. The router had a 7-day uptime, and the interface had 4 (I restarted the interface on Monday because it wasn't able to establish the handshake like today).
This is what I want to fix by configuring it correctly, aside from having the option to add "Persistent Keep Alive" to force the connection to stay open (which, from what I've read, is not the proper approach).

As for PBR, I had that in mind, and now I'm clear that what I was trying to do with the firewall wasn't correct, but I think PBR is a separate topic.

Fixed, thanks! This is the change I made this morning and thought it was the solution, I see it's a mistake.

I really want to thank you for taking the time to read my comments and try to help me, really really thanks!! :smiley::smiley::smiley:

That is correct. For a kill switch (disabling WAN access for your LAN clients) you only allow FORWARD from lan to vpn and not from lan to wan, but the router uses the OUTPUT chain, so it will have access to the internet anyway.

But the router will also use the default route, and if WireGuard kicks in and makes a default route and that default route is not working, then the router is also dead in the water.
So if you reboot and you have no connection, check the time on the router, and if the time is off, disable WireGuard and either reboot or do service network restart to get the default route via the WAN back.
If that helps, you know it is a time problem because WireGuard is kicking in too soon.

Persistent keep alive is a good way to keep a connection.

If your connection is gone after a period of time, then check if your server's IP address has changed. I assume you are using DDNS, but WireGuard only resolves the server's URL at startup; if this is the problem, then run the WireGuard watchdog script:
https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras#dynamic_address

If you are satisfied and your problem is solved for now, then please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:
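
The checks suggested in the reply above (router clock, endpoint address versus the current DDNS record, handshake age), combined into one triage script as an added example; it is not code from the thread or the linked OpenWrt watchdog. The interface and host names come from the Site B config; the thresholds, the `wg-triage` log tag and the availability of the `resolveip` package are assumptions. With `persistent_keepalive '0'`, as in the posted config, an idle tunnel also shows an old handshake, so `stale` only indicates a fault when traffic or keepalives should be flowing.

```shell
#!/bin/sh
# Added example: classify why a WireGuard peer on OpenWrt stopped handshaking.
# IFACE / ENDPOINT_* mirror the Site B config in this thread; adjust as needed.
IFACE="${IFACE:-WG_MAD}"
ENDPOINT_HOST="${ENDPOINT_HOST:-myhost.ddns.net}"
ENDPOINT_PORT="${ENDPOINT_PORT:-51820}"
STALE_AFTER=180          # assumption: seconds without a handshake before we worry
CLOCK_FLOOR=1700000000   # assumption: any clock earlier than Nov 2023 is unset

# stdin: output of `wg show IFACE latest-handshakes` ("<pubkey>\t<epoch>").
# Prints the epoch of the first peer (Site B has exactly one peer).
parse_handshake() {
    awk 'NR == 1 { print $2 }'
}

# stdin: output of `wg show IFACE endpoints` ("<pubkey>\t<ip>:<port>").
# Prints the IPv4 address of the first peer with the port stripped.
parse_endpoint_ip() {
    awk 'NR == 1 { sub(/:[0-9]+$/, "", $2); print $2 }'
}

# classify NOW LAST_HANDSHAKE CURRENT_ENDPOINT_IP RESOLVED_DDNS_IP
# Prints one of: clock-unset, clock-went-backwards, ok, endpoint-changed, stale
classify() {
    now=$1; last=$2; cur=$3; dns=$4
    if [ "$now" -lt "$CLOCK_FLOOR" ]; then
        echo clock-unset; return
    fi
    # A handshake stamped in the future ("-45 seconds ago") means the wall
    # clock was stepped back after the handshake completed.
    if [ "$last" -gt "$now" ]; then
        echo clock-went-backwards; return
    fi
    age=$((now - last))
    if [ "$last" -ne 0 ] && [ "$age" -le "$STALE_AFTER" ]; then
        echo ok; return
    fi
    # WireGuard resolves the endpoint hostname only when it is configured, so
    # a changed DDNS record leaves the peer pointing at the old address.
    # An empty $dns means resolution failed; do not guess in that case.
    if [ -n "$dns" ] && [ "$cur" != "$dns" ]; then
        echo endpoint-changed; return
    fi
    echo stale
}

# Gather live values, log the verdict, and re-point the peer if DDNS moved.
check_once() {
    now=$(date +%s)
    last=$(wg show "$IFACE" latest-handshakes | parse_handshake)
    cur=$(wg show "$IFACE" endpoints | parse_endpoint_ip)
    pub=$(wg show "$IFACE" peers | head -n 1)
    # resolveip is an optional OpenWrt package (assumed installed here).
    dns=$(resolveip -4 -t 5 "$ENDPOINT_HOST" 2>/dev/null | head -n 1)
    state=$(classify "$now" "${last:-0}" "$cur" "$dns")
    logger -t wg-triage "$IFACE: $state last=$last endpoint=$cur dns=$dns"
    case "$state" in
        endpoint-changed)
            wg set "$IFACE" peer "$pub" endpoint "$dns:$ENDPOINT_PORT" ;;
        clock-unset|clock-went-backwards)
            # Only reported: fixing the clock needs a working route to an
            # NTP server, which the dead tunnel's default route may block.
            : ;;
    esac
}

# Run from cron as: /path/to/this-script run
if [ "${1:-}" = "run" ]; then
    check_once
fi
```
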

Okay! Thanks for the advice. In case WireGuard kicks in too soon, I will check the script to delay the start.

When the connection is lost, the server IP hasn't changed; it's been the same for several days (how about 15-20 days?), which is why it's confusing me.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.