[SOLVED] How can I automatically restart wg instance, if gw down?

Started by tessus, October 24, 2025, 01:01:32 AM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
Today at 08:36:11 AM #15
Unfortunately none of the solutions here worked. The Renew DNS for Wireguard on stale connections cronjob doesn't work in my case, because wg reports the connection as active (not stale) even though the gateway is down. So the action that should be triggered to restart the wg service is not triggered.

My current workaround is rather hacky (hardcoded wg service id), but it works. I will look into the script that is triggered in the previous mentioned cronjob. When I first looked into it I saw that it determined the id automatically.

Without further ado...

Use pluginctl -S wireguard to find the id of the wireguard connection. Make a note of that id.
Check which sockets are in use for your GW monitoring: ls -la /var/run/dpinger_*.sock (Make a note of the one you want to monitor. e.g. /var/run/dpinger_INTERFACE_NAME.sock)

Create a file, e.g. /root/bin/check-wg.sh (permissions 0750) and replace the values for SOCKET and WIREGUARD_ID

Code Select
#!/bin/sh

SOCKET=/var/run/dpinger_INTERFACE_NAME.sock
WIREGUARD_ID=ad78e2ad-7ed9-422d-a0b9-ee7ed2795a3

RES=$(cat $SOCKET |cut -d ' ' -f2-)
DT=$(date +"%Y-%m-%d %H:%M:%S %z")

if [[ "$RES" == "0 0 100" ]]; then
    echo -n "[$DT] "
    /usr/local/sbin/pluginctl -s wireguard restart $WIREGUARD_ID

    # If you don't use or want gotify notifications delete the following lines (except the fi)
    TOKEN="$(cat ~/.config/gotify/cli.json |jq -r .token)"
    URL="$(cat ~/.config/gotify/cli.json |jq -r .url)"
    TITLE="check-wg ($(hostname -s))"
    TEXT="Wireguard restarted"
    curl -m 10 -so /dev/null -X POST "${URL}/message?token=$TOKEN" -F "title=$TITLE" -F "message=$TEXT"
fi

Unfortunately you can't add a cronjob by using crontab -e, because any manually added entries will be removed (either after a reboot or firmware update - I didn't check which, but my entry wasn't persisted).

Thus create another file: /etc/cron.d/check-wg

Code Select
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REQUESTS_CA_BUNDLE=/usr/local/etc/ssl/cert.pem

*/5 * * * * root /root/bin/check-wg.sh >>/var/log/check-wg.log

That's it.
Today at 09:55:48 AM #16
Your assessment:

Quote from: tessus on Today at 08:36:11 AMUnfortunately none of the solutions here worked. The Renew DNS for Wireguard on stale connections cronjob doesn't work in my case, because wg reports the connection as active (not stale) even though the gateway is down. So the action that should be triggered to restart the wg service is not triggered.

is almost surely wrong. The way the cron script detects if a wireguard connection is stale is by looking at the last handshake age and see if it is too old (> 135s). That way, you can be sure that there is still an ongoing wireguard connection. It is beyond me how that handshake should occur with the gateway down.

You can check this yourself:

https://github.com/opnsense/core/blob/ade7e9e9c7887978abf3f425c57def324ebcac03/src/opnsense/scripts/wireguard/reresolve-dns.py

The command for testing is "/usr/bin/wg show all latest-handshakes" and the last column is compared against "date +%s". If the difference is > 135, the connection is restarted. Of course, this can take up to ~2 minutes and also, if the drop is caused by the remore side changing its IP and DNS caching gets in the way, for an even longer time, because multiple tries must be taken until the connection gets up again.

If I am wrong, please create a bug report on github.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
Print
Go Up Pages 1 2
User actions