Wireguard interface can't connect back without rebooting the router

In some cases, when the router is used as a gateway router for WireGuard and the upstream WireGuard server goes down for a while, it can’t reconnect even after the upstream WireGuard server comes back up — even with persistent-keepalive set — and there’s no way to restart the WireGuard interface.

When the upstream WireGuard server goes down, the interface status becomes inactive and there’s no way to bring it back to active unless the router is restarted.

I’m currently running a self-built VyOS image:

Version:          VyOS 1.4-rolling-202104240328
Release Train:    sagitta

Built by:         vyos-buildhub-drone@raphielgang.org
Built on:         Sat 24 Apr 2021 03:28 UTC
Build UUID:       b21929ce-3e35-4b2a-acd2-7f45fe126109
Build Commit ID:  9e58ff67b5f330

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Default string
Hardware model:   Default string
Hardware S/N:     Default string
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors

And here’s my configuration (keys and public addresses redacted):

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    options {
        interface wg1 {
            adjust-mss 1280
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
interfaces {
    wireguard wg1 {
        address 172.15.0.3/24
        description DO
        mtu 1280
        peer TO-DO {
            address XX.XX.XX.124
            allowed-ips 0.0.0.0/0
            persistent-keepalive 25
            port 51820
            pubkey ****************
        }
        private-key ****************
    }

load-balancing {
    wan {
        flush-connections
        interface-health eth2.99 {
            failure-count 1
            nexthop XX.XX.XX.1
            success-count 1
        }
        interface-health wg1 {
            failure-count 1
            nexthop XX.XX.XX.1
            success-count 1
        }
        rule 1 {
            failover
            inbound-interface eth2.20
            interface eth2.99 {
                weight 1
            }
            interface wg1 {
                weight 2
            }
            protocol all
        }
        rule 2 {
            failover
            inbound-interface eth2.15
            interface eth2.99 {
                weight 1
            }
            interface wg1 {
                weight 2
            }
            protocol all
        }
    }
}
nat {
    source {
        rule 1 {
            outbound-interface eth2.99
            translation {
                address masquerade
            }
        }
        rule 2 {
            description WG-DO
            outbound-interface wg1
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop XX.XX.XX.1 {
                interface eth2.99
            }
        }
        route XX.XX.XX.7/32 {
            next-hop XX.XX.XX.1 {
                interface eth2.99
            }
        }
        route XX.XX.XX.124/32 {
            next-hop XX.XX.XX.1 {
                interface eth2.99
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name INT {
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                range 0 {
                    start 192.168.2.10
                    stop 192.168.2.254
                }
            }
        }
        shared-network-name LAN {
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                range 0 {
                    start 192.168.1.2
                    stop 192.168.1.254
                }
            }
        }
        shared-network-name WLAN {
            subnet 10.0.0.0/24 {
                default-router 10.0.0.1
                dns-server 10.0.0.1
                range 0 {
                    start 10.0.0.5
                    stop 10.0.0.254
                }
            }
        }
    }
    lldp {
        interface eth2.5 {
        }
        management-address 192.168.2.1
    }
    mdns {
        repeater {
            interface eth2.20
            interface eth2.15
        }
    }
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 100
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name core
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    name-server 1.1.1.1
    name-server 1.0.0.1
    ntp {
        server 0.pool.ntp.org {
        }
        server 1.pool.ntp.org {
        }
        server 2.pool.ntp.org {
        }
    }
    option {
        reboot-on-panic
        startup-beep
    }
    sysctl {
        custom net.ipv4.tcp_congestion_control {
            value bbr
        }
        custom net.ipv4.tcp_slow_start_after_idle {
            value 0
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}

One other option you can use:

set interfaces wireguard wg1 disable
commit
del interfaces wireguard wg1 disable
commit

I think the same behavior can also occur with OpenVPN.

I just tried that, and it couldn’t bring the WireGuard interface back to active; I had to reboot again.

Can we have a command for restarting the WireGuard interface? Something like `restart interface wireguard wgX`, or `disconnect interface wireguard wgX` followed by `connect interface wireguard wgX`, as a workaround until the keepalive issue is fixed?

I ran into the same issue. Even when I tried to change the connection port, it still connects on the old port.