restart wireguard service

Started by FredFresh, April 17, 2026, 07:58:19 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 17, 2026, 07:58:19 PM Last Edit: April 20, 2026, 02:02:37 PM by FredFresh Reason: Update on tests
In case of restart of wireguard service using the already available cronjob, are all the calculated keys / indexes calculated again?

I am facing a peculiar situation with the vpn provider and need to understand what he is using to keeping the ban on my request of connection. Keeping active the peer (and it costantly try to connect), the ban is never removed. If i change my ip or disable the peer for a long time, the ban is removed.

Trying also to add a second question: wireguard module used in OPNSENSE is developed by OPNSENSE team or it from FREEBSD team?

Thanks

Edit:
From my test, that can alway be relicated, after the wireguard is dropped (seems at at server/peer level because if does not reply anymore), if i disable the peer for a certain time (one hour but probably less), I re-enable that peer and restart the wireguard service, than the connection return online.

The strange things are that:
- if I do not restart the wireguard (so only working on disable/enable the peer) it si not enough;
-  if during the apparent ban time, I use the wireguard app on Windows with the same settings (ip, keys, etc...) the connection happens without problems.

Parsing the different situations, the only chaning things are the calculated keys....therefore it seems there is some key that is not properly renewed by the OPNSENSE.

April 21, 2026, 11:26:56 AM #1
Today I verified that it is enought to stop the peer for 10 minutes. Once it is enabled again, the connection is properly restored....therefore I think no more it is a ban from the vpn provider, but an issue related to the renewal of one (or more) of the key that is created with a new connection.
April 21, 2026, 01:28:30 PM #2
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
April 21, 2026, 03:59:26 PM #3
I have seen something similar in the past, here a few questions:
- what is the top priority gateway (wan or wireguard gateway?;
- dynamic gateway option is enabled?
- when you say it does not start, you referring to the wireguard peer or to the wireguard gateway monitoring?

Today at 01:02:57 PM #4
Hello,

I am not netirely sure about the root cause behind this but, I connecto to an external VPN provide and sometime the connections is dropped.

The best solution I found is to stop for at least 5 minutes that specific instance (I think I shall stop to query the server for some time) and after to enable again the instance.

The only way I found is to create script to be used through Cron, everything seems to work fine but the problem is to find a command that does not need the Administrator rights, anyone can help me on this?

Here below the script: it checks if the handhshake is older than 5 minutes and in that case it disable the interface for the needed time.


Code Select
#!/usr/local/bin/bash

# --- PARAMETERS ---
INTERFACE="wg1"             
PEER_IP="10.4.0.1"           
THRESHOLD=300               
DOWNTIME=360                
WAIT_AFTER_UP=60             

LATEST_HANDSHAKE=$(wg show "$INTERFACE" latest-handshakes | awk '{print $2}')


CURRENT_TIME=$(date +%s)
ELAPSED=$((CURRENT_TIME - LATEST_HANDSHAKE))


if [ "$ELAPSED" -gt "$THRESHOLD" ]; then
   

    ifconfig "$INTERFACE" down
   
    sleep "$DOWNTIME"
   
    ifconfig "$INTERFACE" up
   
    sleep "$WAIT_AFTER_UP"

    traceroute -n "$PEER_IP"

else

    exit 0
fi
Today at 04:59:33 PM #5
There is an existing cron job for doing exactly that, it is called "Renew DNS on stale Wireguard connections", you only have to enable it.

Matter-of-fact you need it because Wireguard does retries, but never resolves a given DNS name after it was started.

Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+
Today at 05:16:42 PM #6
Hi thanks, for the reply. Unfortunately renew dns does not work, already tried that (without specifying parameters)

Also tried restart wireguard, both trying with the UUID or "-a".
Also tried to manually disable and re- enable immediately the wireguard whole service.

The only two things working are: changing the public ip seen on Wan or to stop the retries for 5 minutes.

I am connecting to Proton Vpn, so I am connecting to the IP of their entry point.
Today at 05:29:59 PM #7
Have this cron job for DNS-resolution for stale WG tunnels for years, working fine in general. But not in this case. Only wa to resolve after reboot: Obtain a fresh WAN IP (DHCP) by changing MAC of WAN interface. Otherwise this one specific tunnel won't come back after reboot. Very, very, very annoying. Had been doing fine for years.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Print
Go Up Pages1
User actions