Wireguard_watchdog not working

I don't know why you chose that gateway, but I executed the commands:

uci add network route
uci set network.@route[-1].interface=wan
uci set network.@route[-1].target=8.8.8.8
uci set network.@route[-1].gateway=192.168.2.1
uci set network.@route[-1].netmask=255.255.255.255
uci commit network
/etc/init.d/network reload

Now the route does show up:

root@OpenWrt:~# ip route
default dev vpn scope link
8.8.8.8 via 192.168.2.1 dev lan1
10.10.10.0/24 dev vpn scope link  src 10.10.10.203
93.234.111.165 via 192.168.2.1 dev lan1
192.168.2.0/24 dev lan1 scope link  src 192.168.2.165
192.168.179.0/24 dev br-lan scope link  src 192.168.179.1

But it still doesn't work. I think it was easier to go back to openvpn :frowning:

Because it is the wan interface gateway.
Do a traceroute to 8.8.8.8 to verify it uses the ISP uplink and not VPN.


Here is the output of the traceroute:

traceroute to 8.8.8.8 (8.8.8.8), 20 hops max, 46 byte packets
 1  192.168.2.1  0.666 ms
 2  62.155.241.54  6.926 ms
 3  217.5.86.238  11.511 ms
 4  72.14.202.10  11.367 ms
 5  *
 6  8.8.8.8  11.349 ms

So I think the traceroute does work. But I still don't have access to the internet and the wireguard tunnel seems to be broken. The log still shows:

Fri May  5 11:08:00 2023 user.notice wireguard_monitor: vpn endpoint example.ddns:123 is not responding for 42082 seconds, trying to re-resolve hostname
Fri May  5 11:09:00 2023 cron.err crond[1635]: USER root pid 11578 cmd /usr/bin/wireguard_watchdog
Fri May  5 11:09:00 2023 user.notice wireguard_monitor: vpn endpoint example.ddns:123 is not responding for 42142 seconds, trying to re-resolve hostname

In fact, I see another problem with this solution: The gateway 192.168.2.1 is correct for the network I'm connected to right now. But I want to use the router for traveling. So the gateway's IP might change when I'm connected to another network.

Does wg show show the updated endpoint? Regarding the gateway it's noted, let's tackle one problem at a time.

wg show does show the updated IP of the endpoint. That's strange! When I manually restart the WG Interface it works :-/

Is there an updated route for the new endpoint in the routing table?
Something like this:


Yes, it is.

After reading this https://openwrt.org/docs/guide-user/services/vpn/wireguard/extras documentation this morning I added:

uci set network.wan.metric="1024"

Here are the routes:

root@OpenWrt:~# ip route
default dev vpn scope link
default via 192.168.2.1 dev lan1  src 192.168.2.165  metric 1024
8.8.8.8 via 192.168.2.1 dev lan1  metric 1024
10.10.10.0/24 dev vpn scope link  src 10.10.10.203
NEW ENDPOINT'S IP via 192.168.2.1 dev lan1  metric 1024
79.230.95.162 via 192.168.2.1 dev lan1  metric 1024
192.168.2.0/24 dev lan1 scope link  metric 1024
192.168.179.0/24 dev br-lan scope link  src 192.168.179.1

And if you traceroute to this new IP do you get there via the ISP uplink?
Do you see the packets going out the wan interface to the new endpoint?
tcpdump -i lan1 -vn udp port 123

What do you mean by "ISP uplink"? Traceroute says I get to the endpoint's new IP via 192.168.2.1.

The tcpdump command shows packets between the endpoint's IP and my WAN's IP.

That's correct then.
Doesn't the wg server receive the packets from the OpenWrt wg client?

I suppose so. But I can't test it now because I'm back home - on my wireguard server's network.

The last time it looked to me as if the problem was that the Wireguard interface was not restarting. I'm not a coding expert, but I can't see a restart of the WG interface in the Wireguard Watchdog script either.

It's my understanding that the endpoint update occurs on the fly. As long as there is a static route then the packets should be sent to the WG server via the wan.
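The two conditions described above (a host route for the endpoint that leaves via the physical uplink, and a tunnel default route that wins over the uplink's default) can be checked against an `ip route` listing like the one posted earlier. The script below is an added example, not code from the thread or from the wireguard_watchdog script; the route listing is a constructed sample modelled on the posted output, the endpoint address 203.0.113.25 is a documentation placeholder, and the interface names `vpn` and `lan1` are assumed from the listing.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check an `ip route` listing for
# the routing the WireGuard-over-wan setup depends on.
# Assumptions: tunnel interface "vpn", uplink interface "lan1"; the endpoint
# address 203.0.113.25 and SAMPLE_ROUTES are constructed for this example.

VPN_IF="vpn"
WAN_IF="lan1"

# Constructed sample, modelled on the listing posted in the thread.
SAMPLE_ROUTES='default dev vpn scope link
default via 192.168.2.1 dev lan1  src 192.168.2.165  metric 1024
8.8.8.8 via 192.168.2.1 dev lan1  metric 1024
10.10.10.0/24 dev vpn scope link  src 10.10.10.203
203.0.113.25 via 192.168.2.1 dev lan1  metric 1024
192.168.2.0/24 dev lan1 scope link  metric 1024
192.168.179.0/24 dev br-lan scope link  src 192.168.179.1'

# Print the device used by the host route for address $2 in listing $1
# (empty output when there is no such /32 route).
host_route_dev() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == ip { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Succeeds only if the endpoint's host route leaves via the uplink, not the tunnel.
endpoint_route_ok() {
    dev=$(host_route_dev "$1" "$2")
    [ "$dev" = "$WAN_IF" ]
}

# Print the metric of the default route on device $2 in listing $1
# (0 when no metric is shown, empty output when there is no such default).
default_metric() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "default" {
            m = 0; d = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "dev") d = $(i + 1)
                if ($i == "metric") m = $(i + 1)
            }
            if (d == dev) print m
        }'
}

# Succeeds only if both defaults exist and the tunnel's metric is strictly lower,
# i.e. ordinary traffic goes through the tunnel and the uplink is the fallback.
vpn_default_preferred() {
    vm=$(default_metric "$1" "$VPN_IF")
    wm=$(default_metric "$1" "$WAN_IF")
    [ -n "$vm" ] && [ -n "$wm" ] && [ "$vm" -lt "$wm" ]
}

# Run against the constructed sample; on the router use "$(ip route)" instead.
if endpoint_route_ok "$SAMPLE_ROUTES" 203.0.113.25 && vpn_default_preferred "$SAMPLE_ROUTES"; then
    echo "routing looks consistent for endpoint 203.0.113.25"
else
    echo "routing problem: check the endpoint host route and the default metrics" >&2
fi
```

When the endpoint's address changes, the check must be re-run with the new address, because a /32 route for the old address says nothing about where packets to the new one will go.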


But that doesn't work. The traffic only flows and the endpoint update only works when I restart the interface.

Do a tcpdump on the wan interface with the udp port you are using when the problem occurs. Does it still send to the old address or the new?
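The comparison asked for here (is the router still sending to the old address, or to the one `wg show` now reports?) can be automated by parsing both outputs. The script below is an added example, not from the thread; the `wg show` and `tcpdump -vn` outputs are constructed samples, the addresses 198.51.100.7 (current endpoint) and 203.0.113.25 (stale endpoint) are documentation placeholders, and the router's uplink address 192.168.2.165 is assumed from the thread's route listing.

```shell
#!/bin/sh
# Added example (not from the thread): flag outgoing WireGuard packets whose
# destination differs from the endpoint `wg show` currently reports.
# All sample output below is constructed; addresses are placeholders.

# Constructed `wg show` output; keys replaced by a placeholder.
SAMPLE_WG='interface: vpn
  public key: (placeholder)
  listening port: 51820

peer: (placeholder)
  endpoint: 198.51.100.7:123
  allowed ips: 0.0.0.0/0
  latest handshake: 12 hours ago
  transfer: 1.20 MiB received, 3.40 MiB sent'

# Constructed `tcpdump -i lan1 -vn udp port 123` output (two lines per packet).
SAMPLE_DUMP='11:09:00.100000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 176)
    192.168.2.165.51820 > 203.0.113.25.123: UDP, length 148
11:09:05.100000 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 176)
    192.168.2.165.51820 > 203.0.113.25.123: UDP, length 148'

WAN_IP="192.168.2.165"

# Print the IP part of the first "endpoint:" line in `wg show` output $1.
current_endpoint_ip() {
    printf '%s\n' "$1" | awk '$1 == "endpoint:" { split($2, a, ":"); print a[1]; exit }'
}

# Print the distinct destination IPs of packets sent from $2 in tcpdump output $1.
# tcpdump prints "src.port > dst.port:"; the trailing colon and port are stripped.
sent_destinations() {
    printf '%s\n' "$1" | awk -v src="$2." '
        index($1, src) == 1 && $2 == ">" {
            d = $3; sub(/:$/, "", d); sub(/\.[0-9]+$/, "", d); print d
        }' | sort -u
}

# Print destinations that do not match the current endpoint (empty when all is well).
stale_destinations() {
    ep=$(current_endpoint_ip "$2")
    sent_destinations "$1" "$3" | grep -vx -- "$ep" || true
}

# Run against the constructed samples; on the router feed in the live outputs,
# e.g. "$(wg show)" and "$(timeout 30 tcpdump -i lan1 -vn udp port 123 2>/dev/null)".
stale=$(stale_destinations "$SAMPLE_DUMP" "$SAMPLE_WG" "$WAN_IP")
if [ -n "$stale" ]; then
    echo "still sending to stale endpoint(s): $stale (wg show says $(current_endpoint_ip "$SAMPLE_WG"))" >&2
else
    echo "all outgoing packets go to the current endpoint"
fi
```

A non-empty result means the peer's endpoint in `wg show` has been updated but the packets on the wire have not followed it, which is the situation described later in the thread.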

Hi

I have a similar problem on Mikrotik ROS v7.x.
As I saw in connection tracking, there are still open connections to the old address.
The WG interface will not work until I delete these stale connections from firewall/tracking manually.

Yes, it is ROS, but maybe something similar is going on here?
Only an idea...

@trendy:
I can't test it because I'm back home - on my wireguard server's network.

@NPeca75:
Yes, that sounds similar.

Use mobile phone with mobile data, make a hotspot if needed.

Now some time has passed. But today I finally got around to trying out a tcpdump.

The tcpdump points to the old IP address :frowning: