Wireguard forgets tunnel endpoint

Hi, I have configured a wireguard tunnel to some IPv6 endpoint:

@r1# show interfaces wireguard wg212895 | strip-private
 address xxxx:xxxx:f00:b8::2/64
 peer peer {
     address xxxx:xxxx:4::1
     allowed-ips ::/0
     persistent-keepalive 30
     port 44393
     public-key lgxXREeixNDJ0zdTTSvTgKI1hZuTAxyGvM0NVAad5TI=
 }
 private-key xxxxxx

Suddenly my tunnel was gone, and taking a look by running sudo wg showed that wireguard was trying to contact endpoint [xxxx:xxxx:a::4]:44393, which is not configured anywhere.

Running

r1:~$ reset wireguard interface wg212895
Resetting wg212895 peer lgxXREeixNDJ0zdTTSvTgKI1hZuTAxyGvM0NVAad5TI= from [xxxx:xxxx:a::4]:44393 endpoint to xxxx:xxxx:4::1:44393 ... done

solved the issue.

I’ve now had this issue multiple times on different VyOS installs. I don’t find a command to show wireguard logs, how can I investigate further?

set system option kernel debug wireguard

Thank you, I have now set that and will report with logs when it happens again.

Can you also check if this service is running or not: systemctl status vyos-domain-resolver

○ vyos-domain-resolver.service - VyOS firewall domain resolver
     Loaded: loaded (/lib/systemd/system/vyos-domain-resolver.service; disabled; preset: enabled)
     Active: inactive (dead)

Mar 07 13:12:29 r1 systemd[1]: vyos-domain-resolver.service - VyOS firewall domain resolver was skipped because of an unmet condition check (ConditionPathExistsGlob=/run/use-vyos-domain-resolver*).
Mar 07 13:12:31 r1 systemd[1]: vyos-domain-resolver.service - VyOS firewall domain resolver was skipped because of an unmet condition check (ConditionPathExistsGlob=/run/use-vyos-domain-resolver*).
Mar 07 13:12:32 r1 systemd[1]: vyos-domain-resolver.service - VyOS firewall domain resolver was skipped because of an unmet condition check (ConditionPathExistsGlob=/run/use-vyos-domain-resolver*).
Mar 07 13:12:33 r1 systemd[1]: vyos-domain-resolver.service - VyOS firewall domain resolver was skipped because of an unmet condition check (ConditionPathExistsGlob=/run/use-vyos-domain-resolver*).
Mar 14 21:21:29 r1 systemd[1]: vyos-domain-resolver.service - VyOS firewall domain resolver was skipped because of an unmet condition check (ConditionPathExistsGlob=/run/use-vyos-domain-resolver*).
Mar 14 21:23:59 r1 systemd[1]: vyos-domain-resolver.service - VyOS firewall domain resolver was skipped because of an unmet condition check (ConditionPathExistsGlob=/run/use-vyos-domain-resolver*).

It’s not running, what does this service do?

Its main purpose is to resolve FQDNs in the background for domain name firewall rules or dynamic WireGuard endpoints.

Do you have more than one WireGuard peer or only this one? How long does it take to disappear?

Also, what's your VyOS version?

I have multiple Wireguard Tunnels. So far it always happened only to wg212895 on every install.

 wireguard wg02 {
     peer peer {
         address xxx.xxx.118.205
         allowed-ips ::/0
         port 50001
         public-key m83+9yvI33jplsXaF4GE/BH4LbwlRXQQTrTnRb8QaUE=
     }
     port 50002
     private-key xxxxxx
 }
 wireguard wg209533 {
     address xxxx:xxxx:a005::2f2/126
     peer peer {
         address xxx.xxx.85.10
         allowed-ips ::/0
         persistent-keepalive 60
         port 51900
         public-key W0pI832mL5u7JzJjiE68dyS95mIGBDqGgSxSZromEGY=
     }
     private-key xxxxxx
 }
 wireguard wg212895 {
     address xxxx:xxxx:f00:b8::2/64
     peer peer {
         address xxxx:xxxx:4::1
         allowed-ips ::/0
         persistent-keepalive 30
         port 44393
         public-key lgxXREeixNDJ0zdTTSvTgKI1hZuTAxyGvM0NVAad5TI=
     }
     private-key xxxxxx
 }
 wireguard wg213408 {
     address xxxx:xxxx:b7a::c1:2/127
     peer peer {
         address xxxx:xxxx:1c1b:f904::1
         allowed-ips ::/0
         persistent-keepalive 30
         port 60002
         public-key i6J7Cu3nUFQrpJVkchrY270hMExjO7kTjyIvVbXayUY=
     }
     port 60001
     private-key xxxxxx
 }
 wireguard wg213416 {
     address xxxx:xxxx:b7a::c1:0/127
     peer peer {
         address xxxx:xxxx:221:3401::100
         allowed-ips ::/0
         persistent-keepalive 30
         port 60000
         public-key tBisp7mr50xOpdaIO9PoYoYpU+HaRaWF2b8o0+BrmCs=
     }
     port 60000
     private-key xxxxxx
 }

Last time it took 9 days to act up. I do not recall how long it took before, but it should be similar.

Version:

@r1:~$ show version
Version:          VyOS 1.5-rolling-202503030030
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Mon 03 Mar 2025 00:30 UTC
Build UUID:       eaf46be4-549d-4701-b07e-e935b2b2ad2d
Build commit ID:  c54fba1fd7422e

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest
Secure Boot:      disabled

Hardware vendor:  Hetzner
Hardware model:   vServer
Hardware S/N:     60922795
Hardware UUID:    8978fc69-4826-4821-b8b8-e6cde87c408b

Copyright:        VyOS maintainers and contributors
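
Added example, not part of the thread and not VyOS code: a small check that compares the live endpoints printed by `wg show all endpoints` (tab-separated interface, public key, endpoint) with the endpoints you configured, so that the drift described above is noticed when it happens rather than when the tunnel is already down. The addresses are constructed documentation-range placeholders for the redacted ones, and the names `parse_endpoint`, `find_drift`, `EXPECTED` and `SAMPLE` are hypothetical.

```python
import ipaddress


def parse_endpoint(text):
    """Parse 'host:port' or '[v6]:port' as printed by wg; None for '(none)'."""
    if text == "(none)":
        return None
    host, _, port = text.rpartition(":")
    # ip_address() normalises the textual form, so 2001:db8:0:0::1 == 2001:db8::1
    return ipaddress.ip_address(host.strip("[]")), int(port)


def find_drift(expected, wg_output):
    """Return (iface, pubkey, configured, live) for peers whose endpoint moved."""
    drift = []
    for line in wg_output.strip().splitlines():
        iface, pubkey, live = line.split("\t")
        want = expected.get((iface, pubkey))
        if want is None:
            continue  # no pinned endpoint for this peer, nothing to compare
        if parse_endpoint(live) != parse_endpoint(want):
            drift.append((iface, pubkey, want, live))
    return drift


# Constructed sample data: the public keys are the ones shown in the thread,
# the addresses are RFC 3849 / RFC 5737 documentation placeholders.
KEY_A = "lgxXREeixNDJ0zdTTSvTgKI1hZuTAxyGvM0NVAad5TI="
KEY_B = "W0pI832mL5u7JzJjiE68dyS95mIGBDqGgSxSZromEGY="
EXPECTED = {
    ("wg212895", KEY_A): "[2001:db8:4::1]:44393",
    ("wg209533", KEY_B): "192.0.2.10:51900",
}
# Shape of `sudo wg show all endpoints` output, with the first peer drifted.
SAMPLE = (
    f"wg212895\t{KEY_A}\t[2001:db8:a::4]:44393\n"
    f"wg209533\t{KEY_B}\t192.0.2.10:51900\n"
)

if __name__ == "__main__":
    for iface, key, want, live in find_drift(EXPECTED, SAMPLE):
        print(f"{iface} peer {key}: configured {want}, live {live}")
```

Run periodically against real `sudo wg show all endpoints` output and log each hit with a timestamp, which gives a point in time to line up with the kernel debug messages enabled earlier in the thread.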