Wireguard_watchdog not working

Hello,
I have installed Wireguard under OpenWRT and it works so far. Unfortunately it stops working as soon as the DDNS of the endpoint changes. I have added wireguard_watchdog in the scheduled tasks for this.

According to the system log wireguard_watchdog is triggered. Unfortunately it does not work. These messages repeat again and again:

Tue May  2 11:20:00 2023 user.notice wireguard_monitor: vpn endpoint example.ddns.com:1234 is not responding for 8688 seconds, trying to re-resolve hostname
Tue May  2 11:21:00 2023 cron.err crond[1635]: user root: process already running: /usr/bin/wireguard_watchdog
Tue May  2 11:22:00 2023 cron.err crond[1635]: user root: process already running: /usr/bin/wireguard_watchdog
Tue May  2 11:23:00 2023 cron.err crond[1635]: USER root pid 11073 cmd /usr/bin/wireguard_watchdog
Tue May  2 11:23:00 2023 user.notice wireguard_monitor: vpn endpoint example.ddns.com:1234 is not responding for 8868 seconds, trying to re-resolve hostname
Tue May  2 11:23:12 2023 daemon.warn odhcpd[1519]: A default route is present but there is no public prefix on lan thus we don't announce a default route!
Tue May  2 11:24:00 2023 cron.err crond[1635]: user root: process already running: /usr/bin/wireguard_watchdog
Tue May  2 11:25:00 2023 cron.err crond[1635]: user root: process already running: /usr/bin/wireguard_watchdog
Tue May  2 11:26:00 2023 cron.err crond[1635]: USER root pid 11332 cmd /usr/bin/wireguard_watchdog
Tue May  2 11:26:00 2023 user.notice wireguard_monitor: vpn endpoint example.ddns.com:1234 is not responding for 9048 seconds, trying to re-resolve hostname

Restarting the wireguard interface does not help either. It only works again when I restart the router.

I have a guess for the cause of the problem, but I can't solve it:

To prevent a DNS leak, I have set a custom DNS server: it should always use the DNS server of my Wireguard server, 10.10.10.1. Of course this only works if the Wireguard connection to example.ddns.com is established. Therefore I defined a DNS forwarding for example.ddns.com, so that, as an exception, the DNS server 8.8.8.8 is used for example.ddns.com.

When the problem occurs, is OpenWrt able to resolve the correct IP of the endpoint?
nslookup example.ddns.com 8.8.8.8
Are you routing traffic towards 8.8.8.8 via wan interface or is it trying to route via wireguard, which is not working?


Resolving the endpoint doesn't work:

;; connection timed out; no servers could be reached

Strangely enough, other hostnames can be resolved.

Server:		127.0.0.1
Address:	127.0.0.1:53

Non-authoritative answer:
Name:	nike.com
Address: 52.222.191.66
Name:	nike.com
Address: 52.222.191.19
Name:	nike.com
Address: 52.222.191.113
Name:	nike.com
Address: 52.222.191.40

Non-authoritative answer:

How can I check this?

I hope I have set it right, but my idea is that all traffic should flow through the tunnel. And when the tunnel is down, no traffic should be able to flow. (Killswitch)

Might as well be a cached response.

ip route get 8.8.8.8

If you kill all traffic, how is it going to resolve the new IP of the tunnel endpoint?

Let's have a look how it is configured:

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; \
uci export dhcp; uci export firewall; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*

@trendy:
I want to prevent all traffic and especially DNS requests that do not go through the tunnel.

For this purpose, I have changed my OpenVPN firewall rule to Wireguard. The resolution of the IP of the endpoint should always work, because I have defined DNS forwarding for this purpose.

Here I have executed the commands:

root@OpenWrt:~# ip route get 8.8.8.8
8.8.8.8 dev vpn  src 10.10.10.203
root@OpenWrt:~# ubus call system board; \
> uci export network; \
> uci export dhcp; uci export firewall; \
> ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "xRX200 rev 1.2",
        "model": "AVM FRITZ!Box 7362 SL",
        "board_name": "avm,fritz7362sl",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.4",
                "revision": "r20123-38ccc47687",
                "target": "lantiq/xrx200",
                "description": "OpenWrt 22.03.4 r20123-38ccc47687"
        }
}
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxxx/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '08xxx'

config device
        option name 'lan2'
        option macaddr '08xxx'

config device
        option name 'lan3'
        option macaddr '08xxx'

config device
        option name 'lan4'
        option macaddr '08xxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.179.1'

config device
        option name 'dsl0'
        option macaddr '08yyy'

config interface 'wan'
        option proto 'dhcp'
        option device 'lan1'
        option peerdns '0'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'zzz'
        list addresses '10.10.10.203/24'
        list dns '10.10.10.1'

config wireguard_vpn 'wgserver'
        option public_key 'aaa'
        option preshared_key 'bbb'
        option endpoint_host 'example.ddns.com'
        option endpoint_port '123'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

package dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/ddns.com/8.8.8.8'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow-Admin'
        option src 'wan'
        option proto 'tcp'
        option dest_port '22 80 443'
        option target 'ACCEPT'

config zone
        option name 'OpenVPN_FW'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'vpn'

config forwarding
        option src 'lan'
        option dest 'OpenVPN_FW'

lrwxrwxrwx    1 root     root            16 Apr  9 14:27 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            47 May  3 15:02 /tmp/resolv.conf
-rw-r--r--    1 root     root           117 May  3 15:02 /tmp/resolv.conf.d/resolv.conf.auto

/tmp/resolv.conf.d:
-rw-r--r--    1 root     root           117 May  3 15:02 resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1
nameserver ::1

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface vpn
nameserver 10.10.10.1
# Interface wan
# Interface wan6
nameserver fe80::1%lan1
search speedport.ip

That won't work because GoogleDNS is reachable via vpn and as long as the wireguard tunnel is up it will try to use only that and not failover to wan. Add a static route for 8.8.8.8 via wan interface


How can googleDNS be accessible although the wireguard tunnel is broken?

Is that static route right? I don't know the value for the gateway.

config route 'route_example_1'
        option interface 'wan'
        option target '8.8.8.8'
        option netmask '255.255.255.0'
        option gateway '192.168.179.1'

By using the static route.

You can omit both netmask and gateway. The host netmask will be assumed and the gateway of the parent interface will be inherited. Confirm with ip route get 8.8.8.8

Dunno if the OP is aware of it, but with this static route the dns requests are going through wan and not the vpn-interface.

Thank you @_bernd: This is not what I want.

Yeah @_bernd feel free to suggest how the dns requests will get through when the VPN is down if they are not routed via wan.

There's a possible solution:

  • Set up PBR to route traffic from LAN clients to VPN, and traffic from the router to WAN.
  • Replace local DNS with VPN routed DNS on the clients.
uci set network.lan.ip4table="1"
uci set network.lan.ip6table="1"
uci set network.vpn.ip4table="2"
uci set network.vpn.ip6table="2"
uci -q delete network.vpn.dns
uci -q delete network.wan.peerdns
uci -q delete network.lan_vpn
uci set network.lan_vpn="rule"
uci set network.lan_vpn.in="lan"
uci set network.lan_vpn.lookup="2"
uci set network.lan_vpn.priority="30000"
uci -q delete network.lan_vpn6
uci set network.lan_vpn6="rule6"
uci set network.lan_vpn6.in="lan"
uci set network.lan_vpn6.lookup="2"
uci set network.lan_vpn6.priority="30000"
uci commit network
/etc/init.d/network restart
uci -q delete dhcp.lan.dhcp_option
uci add_list dhcp.lan.dhcp_option="6,10.10.10.1"
uci commit dhcp
/etc/init.d/dnsmasq restart
uci -q delete dhcp.lan.dns
uci set dhcp.lan.dns_service="0"
uci set dhcp.lan.ra_dns="0"
uci commit dhcp
/etc/init.d/odhcpd restart

@trendy:
I added the static route, but it still doesn't work :frowning:

@vgaetera:
Your last suggestion is no option for me, because I want to force clients to use my Wireguard server's DNS. Your first suggestion might be a solution. Can you please give me the exact commands, like @trendy did?

ip route get 8.8.8.8 ?

@trendy:
Still the same output:

root@OpenWrt:~# ip route get 8.8.8.8
8.8.8.8 dev vpn  src 10.10.10.203

I configured the static route via Luci:

@vgaetera:
Thank you. I didn't execute the commands since I want to figure out why @trendy's suggestion doesn't work.

What is the output of
uci export network; ip -4 addr; ip -4 ro list table all ; ip -4 ru
?


You likely need to specify the gateway, as fetching it automatically seems broken.


In my last post I forgot to redact the IP in the output. I have now corrected this.

Here comes the output of @trendy 's new command:

root@OpenWrt:~# uci export network; ip -4 addr; ip -4 ro list table all ; ip -4 ru
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdxxx/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'b'
        option tone 'av'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr '08xxx'

config device
        option name 'lan2'
        option macaddr '08xxx'

config device
        option name 'lan3'
        option macaddr '08xxx'

config device
        option name 'lan4'
        option macaddr '08xxx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.179.1'

config device
        option name 'dsl0'
        option macaddr '08yyy'

config interface 'wan'
        option proto 'dhcp'
        option device 'lan1'
        option peerdns '0'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

config interface 'OpenVPN'
        option proto 'none'
        option device 'tun0'

config interface 'vpn'
        option proto 'wireguard'
        option private_key 'zzz'
        list addresses '10.10.10.203/24'
        list dns '10.10.10.1'

config wireguard_vpn 'wgserver'
        option public_key 'aaa'
        option preshared_key 'bbb'
        option endpoint_host 'example.ddns.com'
        option endpoint_port '123'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'

config route
        option interface 'wan'
        option target '8.8.8.8/24'

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
6: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.2.165/24 brd 192.168.2.255 scope global lan1
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.179.1/24 brd 192.168.179.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: vpn: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN qlen 1000
    inet 10.10.10.203/24 brd 10.10.10.255 scope global vpn
       valid_lft forever preferred_lft forever
default dev vpn scope link
10.10.10.0/24 dev vpn scope link  src 10.10.10.203
87.169.40.159 via 192.168.2.1 dev lan1
192.168.2.0/24 dev lan1 scope link  src 192.168.2.165
192.168.179.0/24 dev br-lan scope link  src 192.168.179.1
broadcast 10.10.10.0 dev vpn table local scope link  src 10.10.10.203
local 10.10.10.203 dev vpn table local scope host  src 10.10.10.203
broadcast 10.10.10.255 dev vpn table local scope link  src 10.10.10.203
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.2.0 dev lan1 table local scope link  src 192.168.2.165
local 192.168.2.165 dev lan1 table local scope host  src 192.168.2.165
broadcast 192.168.2.255 dev lan1 table local scope link  src 192.168.2.165
broadcast 192.168.179.0 dev br-lan table local scope link  src 192.168.179.1
local 192.168.179.1 dev br-lan table local scope host  src 192.168.179.1
broadcast 192.168.179.255 dev br-lan table local scope link  src 192.168.179.1
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

@vgaetera : Is 192.168.179.1 correct as the gateway? I'll give it a try!

Might be interesting:

root@OpenWrt:~# ip route
default dev vpn scope link
10.10.10.0/24 dev vpn scope link  src 10.10.10.203
93.234.111.165 via 192.168.2.1 dev lan1
192.168.2.0/24 dev lan1 scope link  src 192.168.2.165
192.168.179.0/24 dev br-lan scope link  src 192.168.179.1

Change it into:

config route
        option interface 'wan'
        option target '8.8.8.8'
        option gateway '192.168.2.1'
        option netmask '255.255.255.255'
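As an added example that is not part of the thread and not any participant's code, the following POSIX shell script encodes the check @trendy asks the OP to confirm with `ip route get 8.8.8.8`: whether the resolver that must re-resolve the DDNS endpoint leaves through wan rather than through the tunnel, and whether the main routing table actually carries a host route for it (the first attempt with a `/24` target produced none). The interface name `vpn`, the gateway `192.168.2.1` and the resolver `8.8.8.8` are taken from the thread; the sample command outputs are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: check whether the resolver used for the
# DDNS endpoint's domain is itself routed into the WireGuard tunnel. If it is,
# wireguard_watchdog cannot re-resolve the endpoint once the tunnel is down.
# The functions parse `ip route get` and `ip route` output; the sample lines
# at the bottom are constructed so the script runs offline.

VPN_DEV="vpn"        # WireGuard interface name used in the thread
RESOLVER="8.8.8.8"   # upstream resolver configured for the endpoint's domain

# Output device of one `ip route get` line, e.g.
#   "8.8.8.8 dev vpn  src 10.10.10.203"                         -> vpn
#   "8.8.8.8 via 192.168.2.1 dev lan1 src 192.168.2.165 uid 0"  -> lan1
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Succeeds (0) when the resolver leaves through a device other than the VPN;
# fails (1) when it would be sent into the tunnel.
# Live use on the router: resolver_bypasses_vpn "$(ip route get 8.8.8.8 | head -n1)" vpn
resolver_bypasses_vpn() {
    # $1: `ip route get RESOLVER` line, $2: VPN device name
    dev=$(route_dev "$1")
    [ -n "$dev" ] || return 1
    [ "$dev" != "$2" ]
}

# Succeeds when the main table (as printed by `ip route`) carries a host route
# for the resolver via a device other than the VPN. A /24 target, as first
# attempted in the thread, never matches because it is not a host route.
has_host_route() {
    # $1: `ip route` output, $2: resolver IP, $3: VPN device name
    ip_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    printf '%s\n' "$1" | grep -E "^${ip_re}(/32)? " | grep -qv " dev $3"
}

# Constructed sample outputs. The first `ip route get` line and the broken
# table mirror what the thread shows; the fixed ones assume the host route
# suggested at the end of the thread has been applied.
ROUTE_GET_BROKEN="8.8.8.8 dev vpn  src 10.10.10.203"
ROUTE_GET_FIXED="8.8.8.8 via 192.168.2.1 dev lan1 src 192.168.2.165 uid 0"
MAIN_TABLE_BROKEN="default dev vpn scope link
10.10.10.0/24 dev vpn scope link  src 10.10.10.203
192.168.2.0/24 dev lan1 scope link  src 192.168.2.165"
MAIN_TABLE_FIXED="default dev vpn scope link
8.8.8.8 via 192.168.2.1 dev lan1
10.10.10.0/24 dev vpn scope link  src 10.10.10.203
192.168.2.0/24 dev lan1 scope link  src 192.168.2.165"

# Report both samples the way a pre-flight check for the watchdog would.
for sample in "$ROUTE_GET_BROKEN" "$ROUTE_GET_FIXED"; do
    if resolver_bypasses_vpn "$sample" "$VPN_DEV"; then
        echo "OK:   $RESOLVER is reached outside $VPN_DEV  ($sample)"
    else
        echo "FAIL: $RESOLVER would enter $VPN_DEV; watchdog cannot re-resolve  ($sample)"
    fi
done
```

The point of the second check is the mistake visible in the thread: a route whose target is `8.8.8.8/24` is not a host route, so `ip route` shows nothing for the resolver and `ip route get 8.8.8.8` keeps answering `dev vpn`; only a `/32` target (or `target '8.8.8.8'` with netmask `255.255.255.255`) via the wan gateway changes that answer.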