A way to restart wireguard tunnels

michmoor

I have 4x always on wireguard peers but i noticed that when i have to reboot the firewall or otherwise bring it down for some kind of maintenance, 2 out of the 4 tunnels will not reestablish.
Tunnel1 - Linode instance. Stays up after reboot
Tunnel2 -Linode instance. Stays up after reboot
Tunnel3 - site2site. Doesnt come back up. Will need to restart the WG service on the remote end.
Tunnel4 - privacyVPN with Proton. There is no way that i know of to restart this. I have tried to bounce the interface (tun_wg3) but that makes no difference.

Is there a way to restart a specific tunnel?

This was always a problem on 23.09 and still on 24.03

ahking19

@michmoor Wireguard is stateless. Do you mean the tunnel is not enabled after a restart? Or just that the peer is not shown as active?

I'm only using Wireguard for mobile connections and haven't used it for site to site.

Bob.Dig

@michmoor That would be a good thing, some watchdog that can "restart" tunnels.

But also there is a gateway external monitoring bug, at least for me with one gateway.
So with your problematic tunnels, are they monitored internally or externally?

michmoor

@Bob-Dig
Im using dpinger to do the monitoring

Jarhead

@michmoor Are you sure you have the WAN ports open? That got me once, has the wrong port open and the tunnel wouldn't come back up.

As for restarting, do you mean automatically or just looking for an easy way?
Should be able to just disable and enable the tunnel itself but I just bounce the interface since all my tunnels are assigned

michmoor

@Jarhead
This is a working deployment with WAN ports open.

I just rebooted the firewall again for good measure.

In the other *.sense there is the ability to restart a single tunnel out of a bunch. I am hoping there some cli way to do it on pfsense at least.

Jarhead

@michmoor Are you sure the config is correct? Can't understand why bouncing the interface doesn't restart it. Like I said, it works for me, but I didn't do it often since mine didn't go down unless I do something I'm not supposed to and screw one of them up.
And I've never heard of anyone else having this problem, not that that means anything, but I would look for an error in the config before anything else.
Maybe using the same port for something else?

Bob.Dig

@michmoor said in A way to restart wireguard tunnels:

Im using dpinger to do the monitoring

I am talking about the Monitor IP. With an "external" IP I have one tunnel not "coming up", where in fact it is up and running. Only the "external" monitoring has a bug there.

But especially for Privacy VPNs it would be great to let those tunnels restart automatically when there are problems. I use OpenWRT for all my Privacy VPN Tunnels because they have that.

pst

@michmoor Hade you done any packet capture on the wireguard connection? It could be useful trying to understand what is going with the connection not coming up. Capture on WAN for the WG peer IP/PORT and Wireshark should show some useful data wrt WG handshaking. There is also a WG configuration option on peer to send keep-alive messages, disabled by default, but I have it set to 30s, doesn't harm having it configured I guessed.

michmoor

@Bob-Dig said in A way to restart wireguard tunnels:

I am talking about the Monitor IP. With an "external" IP I have one tunnel not "coming up", where in fact it is up and running. Only the "external" monitoring has a bug there.

Ahh I have no external monitor IP assigned. Just uses the nexthop by default.
Its not typically a problem just when doing reboots it fails to come back online at times.

@Bob-Dig said in A way to restart wireguard tunnels:

But especially for Privacy VPNs it would be great to let those tunnels restart automatically when there are problems. I use OpenWRT for all my Privacy VPN Tunnels because they have that.

Yes for sure. I thought about putting in a redmine for FR for it.

michmoor

@pst no pcaps done. next time it happens i will take one off the firewall.