Restart Wireguard after WAN Interface gets ready

Started by sashxp, July 20, 2023, 12:19:19 PM

July 20, 2023, 12:19:19 PM Last Edit: July 20, 2023, 03:51:07 PM by sashxp
Hi guys,

I'm having the same situation as the one mentioned here: https://forum.opnsense.org/index.php?topic=18956.0

If I restart my OPNsense, my WAN interface only gets its IP address after a couple of minutes; this can be 1 minute or 10 minutes. That's a problem, because WG is not able to connect these tunnels. After the WAN interface gets its IP address, the WG interfaces are still down until I restart WG.

Is it still not possible to do a restart after the WAN interface gets its IP address?
For the reboot thing, it could be possible to use a simple crontab entry with:

@reboot sleep 600 && /usr/local/etc/rc.d/wireguard restart

How do you handle this?

sash
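The fixed "sleep 600" in the crontab line above either waits too long or not long enough, depending on when DHCP actually answers. The following is an added example (not from this thread or from OPNsense) that instead polls the WAN interface until it carries a non-link-local IPv4 address and only then restarts WireGuard once; the interface name igc0, the 15-minute timeout and the script path are assumptions, and the parser expects FreeBSD-style ifconfig(8) output.

```sh
#!/bin/sh
# Added example: wait for the WAN interface to obtain an IPv4 address,
# then restart WireGuard via configctl (same command as the crontab idea).
# WAN_IF, TIMEOUT and the script location are assumptions; adjust to taste.

WAN_IF="${WAN_IF:-igc0}"     # assumed WAN device name
TIMEOUT="${TIMEOUT:-900}"    # give up after 15 minutes
INTERVAL=5                   # seconds between checks

# wan_has_ipv4 IFCONFIG_OUTPUT
# Returns 0 if the output contains a usable IPv4 address, i.e. an "inet"
# line whose address is neither 0.0.0.0 nor APIPA/link-local 169.254.0.0/16.
wan_has_ipv4() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && $2 != "0.0.0.0" && $2 !~ /^169\.254\./ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Polls ifconfig for WAN_IF until wan_has_ipv4 succeeds or TIMEOUT elapses.
# Leaves the elapsed time in $waited for logging.
wait_for_wan() {
    waited=0
    while [ "$waited" -lt "$TIMEOUT" ]; do
        if wan_has_ipv4 "$(ifconfig "$WAN_IF" 2>/dev/null)"; then
            return 0
        fi
        sleep "$INTERVAL"
        waited=$((waited + INTERVAL))
    done
    return 1
}

main() {
    if wait_for_wan; then
        logger -t wg-wait "WAN $WAN_IF has an address after ${waited}s, restarting WireGuard"
        /usr/local/sbin/configctl -dq wireguard restart
    else
        logger -t wg-wait "WAN $WAN_IF still has no address after ${TIMEOUT}s, giving up"
        exit 1
    fi
}

# main only runs when invoked with the argument "run", so the functions
# can also be sourced on their own.
case "${1:-}" in
    run) main ;;
esac
```

Install it as, for example, /usr/local/bin/wg-wait.sh (assumed path) and replace the crontab line with `@reboot /usr/local/bin/wg-wait.sh run`.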

I found this thread when searching for a solution for the exact same issue.

Based on the newwanip hint in the thread you linked, I cowboyed this solution together by adding the following 2 functions to /usr/local/etc/inc/plugins.inc.d/wireguard.inc.

It seems to work.

// Register a plugin hook so OPNsense calls wireguard_configure_do()
// whenever an interface receives a new IP address (rc.newwanip).
function wireguard_configure()
{
    return [
        'newwanip' => ['wireguard_configure_do'],
    ];
}

// Restart all WireGuard instances through configd.
function wireguard_configure_do()
{
    mwexec("/usr/local/sbin/configctl -dq wireguard restart");
}


On WAN interface DHCP renew -

2023-08-28T14:11:22   Notice   kernel   <6>wg2: link state changed to UP   
2023-08-28T14:11:19   Notice   kernel   <6>wg1: link state changed to UP   
2023-08-28T14:11:19   Notice   kernel   <6>wg0: changing name to 'wg1'   
2023-08-28T14:11:19   Notice   kernel   <6>wg2: link state changed to DOWN   
2023-08-28T14:11:19   Notice   kernel   <6>wg1: link state changed to DOWN   
2023-08-28T14:11:19   Notice   opnsense   /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_configure_do())

Thanks for helping me find the original thread! I hope this helps you.

The 'vpn' hook would be more appropriate. I still have this on my list.


Cheers,
Franco

/usr/local/sbin/configctl -dq wireguard stop

does not stop my wireguard service

/usr/local/sbin/configctl -dq wireguard restart

does not restart

I also don't get any error message?

I monitor WireGuard now via monit, works fine for me

waiting for "vpn hook" ;-)

thx


Quote from: malac on September 09, 2023, 01:46:07 PM
I monitor WireGuard now via monit, works fine for me

Would you mind posting your Monit settings? I'm struggling setting it up correctly. Thanks in advance.

For FQDN based endpoints there will be another fix for 23.7.8. WireGuard is plug and play like that :D


Cheers,
Franco

Quote from: franco on November 06, 2023, 03:17:01 PM
For FQDN based endpoints there will be another fix for 23.7.8. WireGuard is plug and play like that :D

Nice! What about the business edition? I have the feeling that I didn't have this issue before switching to the business edition but currently don't have a quick way to verify.

I downgraded from OPNsense 23.10_2 (business) to 23.7.7_3 (community). Now the WireGuard tunnels come up automatically again on reboot.

If I can help with finding the underlying issue, let me know how.

There exists a cron job that notices when a WG connection goes stale and restarts it - this can also happen when the other side changes its IP, for example. It should also take care of restarting the connection when WAN gets ready again.

The cron job isn't sufficient for this. setconf fails if the config file contains an FQDN and that in turn prevents adding even the pub/priv keys to the instance. Fixing the endpoint with the refresh doesn't configure it. Only a syncconf will fix it without disrupting peers of other instances already connected.

We will have to issue a new business edition stable release for this (23.10.1) but we are not there yet.


Cheers,
Franco