A way to restart wireguard tunnels
-
@michmoor Wireguard is stateless. Do you mean the tunnel is not enabled after a restart? Or just that the peer is not shown as active?
I'm only using Wireguard for mobile connections and haven't used it for site to site.
-
@michmoor That would be a good thing, some watchdog that can "restart" tunnels.
But also there is a gateway external monitoring bug, at least for me with one gateway.
So with your problematic tunnels, are they monitored internally or externally? -
@Bob-Dig
Im using dpinger to do the monitoringFirewall: NetGate,Palo Alto-VM,Juniper SRX
Routing: Juniper, Arista, Cisco
Switching: Juniper, Arista, Cisco
Wireless: Unifi, Aruba IAP
JNCIP,CCNP Enterprise -
@michmoor Are you sure you have the WAN ports open? That got me once, has the wrong port open and the tunnel wouldn't come back up.
As for restarting, do you mean automatically or just looking for an easy way?
Should be able to just disable and enable the tunnel itself but I just bounce the interface since all my tunnels are assigned -
@Jarhead
This is a working deployment with WAN ports open.I just rebooted the firewall again for good measure.
In the other *.sense there is the ability to restart a single tunnel out of a bunch. I am hoping there some cli way to do it on pfsense at least.
-
@michmoor Are you sure the config is correct? Can't understand why bouncing the interface doesn't restart it. Like I said, it works for me, but I didn't do it often since mine didn't go down unless I do something I'm not supposed to and screw one of them up.
And I've never heard of anyone else having this problem, not that that means anything, but I would look for an error in the config before anything else.
Maybe using the same port for something else? -
@michmoor said in A way to restart wireguard tunnels:
Im using dpinger to do the monitoring
I am talking about the Monitor IP. With an "external" IP I have one tunnel not "coming up", where in fact it is up and running. Only the "external" monitoring has a bug there.
But especially for Privacy VPNs it would be great to let those tunnels restart automatically when there are problems. I use OpenWRT for all my Privacy VPN Tunnels because they have that.
-
@michmoor Hade you done any packet capture on the wireguard connection? It could be useful trying to understand what is going with the connection not coming up. Capture on WAN for the WG peer IP/PORT and Wireshark should show some useful data wrt WG handshaking. There is also a WG configuration option on peer to send keep-alive messages, disabled by default, but I have it set to 30s, doesn't harm having it configured I guessed.
-
@Bob-Dig said in A way to restart wireguard tunnels:
I am talking about the Monitor IP. With an "external" IP I have one tunnel not "coming up", where in fact it is up and running. Only the "external" monitoring has a bug there.
Ahh I have no external monitor IP assigned. Just uses the nexthop by default.
Its not typically a problem just when doing reboots it fails to come back online at times.@Bob-Dig said in A way to restart wireguard tunnels:
But especially for Privacy VPNs it would be great to let those tunnels restart automatically when there are problems. I use OpenWRT for all my Privacy VPN Tunnels because they have that.
Yes for sure. I thought about putting in a redmine for FR for it.
-
@pst no pcaps done. next time it happens i will take one off the firewall.
