It might sound like a VPN issue, but my workaround seems more like a question for this forum.
Short description: I am using 3 wireguard instances, one of which is for a VPN provider I use, and I have also set up a GW which is used by specific clients in my network. All good. Works great.
However, today my network showed that this GW was offline (red status dot). My fix was to disable and then enable this wg2 instance. Aaaand, it became green again.
So here is my question: how do I automate the restart of the wg2 instance, if the gateway (of the interface assigned to wg2) goes down?
Before using Wireguard to connect to my VPN provider, I used OpenVPN and for some reason the openvpn connection and the gateway always recovered by themselves. But the Wireguard GW does not recover on its own. Strange, because wireguard is actually great at becoming automatically online again after issues with an endpoint.
I suspect it is rather complicated to find out why the gateway does not recover or why the Wireguard instance seems to be in a wonky state. (Should it happen again, I will collect as much info as possible. Maybe opening a topic in the VPN forum is then warranted.)
Anyhoo, restarting the wg2 instance is an easy fix, but it has to happen automatically. I just do not know how. Any ideas, pointers, black magic rituals?
There is a cron job "Restart Wireguard on stale connections" that you can enable.
Thanks for the reply.
I checked the cron jobs before posting and the ones related to wg are:
- Renew DNS for Wireguard on stale connections
- Restart Wireguard
Both of which are not what I want. Restarting all my wireguard connections unconditionally is rather interrupting and I won't do that.
And renewing the DNS won't help, if wireguard is wonky in the first place.
But let's say there was a "Restart Wireguard instance on stale connections", how often would I run that? Every minute?
I need some other trigger, e.g. a hook to run a script when a gw goes down, or something like that. But then I still need to know how to restart a specific wireguard instance on FreeBSD and/or OPNsense. I am great on Linux but rather inexperienced with FreeBSD.
Is there an action for gateway fail in opnsense gui?
If so, you can invoke a script to bounce wg2?
Using dpinger to Invoke a Script on Monitoring Failures
Overview of dpinger
dpinger is a daemon used in pfSense and OPNsense for monitoring gateway status. It sends ICMP echo requests (pings) to specified IP addresses to determine if a gateway is online or offline. If a gateway fails to respond, dpinger can trigger actions based on its configuration.
Setting Up Script Invocation
To invoke a script when monitoring fails, follow these steps:
Create Your Script
Write a shell script that performs the desired actions when a gateway goes down. Ensure it has executable permissions.
Example script (/usr/local/bin/gateway_fail.sh):
```bash
#!/bin/sh
echo "Gateway is down!" >> /var/log/gateway_monitor.log
# Add additional commands here
```
Configure dpinger
Access the pfSense or OPNsense web interface.
Navigate to System > Routing > Gateways.
Edit the gateway you want to monitor.
Set Up the Script Trigger
In the gateway settings, look for the Advanced section.
Find the option for "Execute command on gateway failure".
Enter the path to your script (e.g., /usr/local/bin/gateway_fail.sh).
Testing the Configuration
Simulate a gateway failure by disconnecting the network or changing the monitored IP.
Check the log file (/var/log/gateway_monitor.log) to confirm that the script executed successfully.
Additional Considerations
Permissions: Ensure that the script has the correct permissions to execute and that the user running dpinger has permission to execute the script.
Logging: Implement logging within your script to track its execution and any errors that may occur.
Recovery Actions: You can also create a script for when the gateway comes back online by using the "Execute command on gateway recovery" option in the same settings.
By following these steps, you can effectively use dpinger to invoke a script when monitoring fails, allowing for automated responses to gateway issues.
Unfortunately there is no "Execute command on gateway failure" in my advanced section for gateways. I am using OPNsense 25.7.6-amd64.
These are the ones available after I slide the advanced button (image available for 7 days):
(https://evermeet.cx/paste/screenshot_20251024_1948.PChp.png)
This would have been exactly what I was looking for. Well, and how to actually restart a wg2 instance on OPNsense via the command line. I certainly can't do a: systemctl restart wg-quick@wg2
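An added example, not code from the thread or from OPNsense: a cron-driven variant of the "script on gateway failure" idea above, for the case where the gateway-failure hook is not offered in the GUI. It restarts the instance only when its gateway is reported down and enforces a cooldown so a flapping link cannot turn into a restart loop; the status-line format, the state/log paths and the WG_STATUS_CMD / WG_RESTART_CMD commands are assumptions (placeholders) to replace with whatever your OPNsense version provides.

```sh
#!/bin/sh
# Added example, not code from the thread. Cron-driven check that restarts
# wg2 only when its gateway is reported down, with a cooldown so a flapping
# link does not become a restart loop. ASSUMPTIONS: the status-line format
# "NAME MONITOR_IP STATUS" is constructed, and WG_STATUS_CMD/WG_RESTART_CMD
# are placeholders for the real OPNsense commands on your version.
GW_NAME="${GW_NAME:-WG2_GW}"
STATE_FILE="${STATE_FILE:-/var/db/wg2_restart.stamp}"
LOG_FILE="${LOG_FILE:-/var/log/wg2_monitor.log}"
COOLDOWN="${COOLDOWN:-300}"   # seconds that must pass between two restarts
WG_STATUS_CMD="${WG_STATUS_CMD:-echo PLACEHOLDER-print-gateway-status}"
WG_RESTART_CMD="${WG_RESTART_CMD:-echo PLACEHOLDER-restart-wg2-instance}"

# 0 when the line for GW_NAME ends in "down"; non-zero otherwise (incl. missing).
gateway_is_down() {
    printf '%s\n' "$1" | awk -v gw="$GW_NAME" \
        '$1 == gw && $NF == "down" { hit = 1 } END { exit !hit }'
}

# 0 when no restart was recorded within the last COOLDOWN seconds.
cooldown_expired() {
    now=$(date +%s)
    last=0
    [ -r "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
    [ $((now - last)) -ge "$COOLDOWN" ]
}

# Returns 1 = gateway up (nothing done), 2 = down but suppressed by cooldown,
# otherwise the exit status of the restart command.
check_and_restart() {
    if ! gateway_is_down "$1"; then
        return 1
    fi
    if ! cooldown_expired; then
        echo "$(date) $GW_NAME down, restart suppressed by cooldown" >> "$LOG_FILE"
        return 2
    fi
    echo "$(date) $GW_NAME down, restarting wg2" >> "$LOG_FILE"
    date +%s > "$STATE_FILE"
    sh -c "$WG_RESTART_CMD" >> "$LOG_FILE" 2>&1
}

# Cron entry (e.g. every minute): sh /usr/local/bin/wg2_watch.sh run
if [ "${1-}" = "run" ]; then
    check_and_restart "$(sh -c "$WG_STATUS_CMD")"
fi
```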