riyas
1
Hello,
I have a problem with Wireguard client and Dynamic IP change.
I will try to explain clearly:
I have a Wireguard server in India (Installed on a raspberry Pi for several months without any problem)
I use a GL.inet opal as wireguard client in France.
In India, I have a dynamic IP address. It changes every day around 23:30 (CEST). For DDNS, I use Duckdns. It works very well. My wireguard configuration uses the DDNS address.
But I noticed that every day at 23:30 (when the IP address changes), my Opal loses the connection. It may be normal. But it can't connect again. It stays in "Abort" status. If I try with the same wireguard configuration with my PC and phone, I can connect and I see that my machine can get the new IP address. But Opal can't do that. I tried to reconnect several times but it doesn't go further than "Abort". I restarted my Opal but still the same problem. I even left it for 10 hours thinking that it will manage to reconnect but without success.
Finally I found a workaround but it's very annoying. I have to delete the profile and recopy the same Wireguard client profile. And then it manages to connect right away until the next IP address change. Doing this every day is not really a solution. I need to know why Opal can't connect to my DDNS address if I don't delete and recopy the profile.
Please tell me if there is another easier workaround.
Thanks in advance
Riyas
riyas
2
I just found this option under VPN policies: "Use VPN for all processes on the router." Maybe the issue is because of this option. So I just enabled VPN policies and disabled only this option: Use VPN for all processes on the router. Other than that, I left everything as it is.
Let's see. I will check tomorrow night (when the IP will change) if the issue is solved or not.
LupusE
3
It shouldn't be, but for me it looks like a DNS caching issue.
As it is much harder to analyze it on a phone, I would at first prefer to stay on the PC.
Just perform a host [your ddns]. There should be an IP showing up.
lupus@zoe:~$ host opal01.mydomain.net
opal01.mydomain.net is an alias for hostname.somedyndns.net.
hostname.somydyndns.net has address xxx.xxx.xxx.xxx
(In my case I've got a CNAME between my domain and different DDNS. So I can switch to opal02.mydomain.net, if connection to dyndns opal01 is not working. Just a little hint for your topic, too)
Then, after 23:30h, do this again … Is the IP changing?
- If not: Clear your DNS cache (ipconfig /flushdns)
- If yes: I have no idea right now. Maybe change DNS to a much more often updating server?
Just a start.
riyas
4
Actually the issue is not with my DDNS service. The new ip is updated very quickly. I am able to check it by connecting to the same wireguard server from my PC.
After disabling this service "Use VPN for all processes on the router", the issue is still there. VPN goes from Connected to Abort Status. But this time I just don't need to delete and recopy the profile. I just need to click on Abort and Connect: It works. But I don't understand why it's not auto connecting to the server.
Did you try to configure the Wireguard client configuration with luci?
Under Advanced you can configure many more things…
gl.net Management is great and really easy… but when you are stuck in a problem it's worth to take a look under the hood and configure the wireguard client directly…
Maybe this will solve your problem… sounds to me like an update failure in that binary part of gl-software with mwan …
riyas
6
I think I wrote too fast last time. Today, I couldn't connect by clicking on Abort and Connect. I had to delete and recopy the same profile again. Then it works
@jerkball, I didn't. I'll try. I don't know about OpenWrt. But I bought gl.inet for its user friendly and easy configuration method. Hope that gl.inet will solve this issue.
But you are right. I'll try the luci method.
It's definitely the mix of user friendliness and being able to advance things up…
That makes these devices really great 
riyas
8
Tried Luci. Configured wireguard by following this tutorial: OpenWRT - Configure Wireguard Client - YouTube
Wireguard is connected:
Persistent Keepalive: 25s
Latest Handshake: Mon, 13 Jun 2022 19:21:20 GMT (1m ago)
Data Received: 1 MiB
Data Transmitted: 725 KiB
Even Goodcloud.xyz mentions my VPN IP address. So the connection is working.
But unfortunately my PC connected to Opal via ethernet cable or Wifi is not routed through VPN. I am new to openwrt. I don't know what's wrong.
Did you set allowed_ips to 0.0.0.0/0 ?
That routes every packet through the wireguard tunnel…
riyas
10
Yes, allowed_ips setting is 0.0.0.0/0 and I am routing all my traffic through vpn. I don't understand why my traffic is not going through vpn.
riyas
11
I've contacted Gl.inet support. According to them, it's a bug and they'll contact the R&D team for a fix.
For information, I've tried with OpenVPN Client. Openvpn is able to notice the IP change and reconnect automatically after 2 or 3 minutes. So the issue is only with Wireguard.
Until GL.iNet can provide a permanent fix, you can run the /usr/bin/wireguard_watchdog script every minute in cron:
I do not work for and I do not have formal association with GL.iNet
riyas
13
Hi @wcs2228 I would love to try this solution. In order to run this script, I think I have to run it via SSH. Correct ?
From SSH, I don't know which command I need to execute to run this script. Do you have any idea ? Thanks.
You can set up cron to run the script in LuCI:
- Go to LuCI → System → Startup and make sure that "cron" Initscript is Enabled. If not, then Enable and Start it.
- Go to LuCI → System → Scheduled Tasks, then enter and save the line:
  * * * * * /usr/bin/wireguard_watchdog
- Go back to LuCI → System → Startup and Restart cron, or just reboot the router
Here are the header comments in the script:
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2018 Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>.
# Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
#
# This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
# Use it for peers with a frequently changing dynamic IP.
# persistent_keepalive must be set, recommended value is 25 seconds.
#
# Run this script from cron every minute:
# echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root
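The check the header comments above describe (find peers with no recent handshake, then re-apply the endpoint hostname so it is resolved again), as an added example that is not part of the original post and is not the OpenWrt script itself. The 150-second threshold, the interface name, the placeholder keys and the DuckDNS hostname are assumptions, and the `wg set` commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: dry-run of the stale-peer check a re-resolve watchdog performs.
# Input format is that of `wg show <iface> latest-handshakes`:
#   <peer public key><TAB><unix time of last handshake, 0 if never>

STALE_AFTER=150   # assumption: seconds without a handshake before a peer is inactive

# stale_peers NOW: reads latest-handshakes lines on stdin, prints stale peer keys
stale_peers() {
    now=$1
    while IFS="$(printf '\t')" read -r key last; do
        [ -n "$key" ] || continue
        case $last in ''|*[!0-9]*) continue ;; esac   # skip malformed lines
        if [ "$last" -eq 0 ] || [ $((now - last)) -ge "$STALE_AFTER" ]; then
            printf '%s\n' "$key"
        fi
    done
}

# reresolve_cmds IFACE ENDPOINT NOW: prints the commands that would re-apply the
# endpoint hostname; wg resolves the name again each time the endpoint is set.
reresolve_cmds() {
    iface=$1
    endpoint=$2
    now=$3
    stale_peers "$now" | while read -r key; do
        printf 'wg set %s peer %s endpoint %s\n' "$iface" "$key" "$endpoint"
    done
}

# Constructed sample input (placeholder keys, not real ones):
#   A: last handshake 280 s ago (stale), B: 10 s ago (fresh), C: never (stale)
SAMPLE="$(printf 'PEER_A_PUBKEY_PLACEHOLDER=\t1655147800\nPEER_B_PUBKEY_PLACEHOLDER=\t1655148070\nPEER_C_PUBKEY_PLACEHOLDER=\t0')"
SAMPLE_NOW=1655148080

printf '%s\n' "$SAMPLE" | reresolve_cmds wg0 example.duckdns.org:51820 "$SAMPLE_NOW"
```

On a router the input would come from `wg show wg0 latest-handshakes` and the time from `date +%s` instead of the constructed sample.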
riyas
15
@wcs2228 thank you very much. I just configured it. I'll wait for next ip change to check whether it works or not. Thanks again
alzhao
16
In the current firmware 3.x, Wireguard does not work with ddns change.
The router can actually deal with ddns change, but unfortunately Wireguard itself does not.
This should be resolved in firmware 4.x because the way we manage Wireguard is changed. Now you can use some watchdog scripts to monitor and reconnect.
riyas
17
Hopefully, this issue will be resolved quickly. For your information, watchdog script also is not really helpful for me. As I told before, sometimes (every 2nd or 3rd reconnections), my opal is stuck with Abort status. Even if I click on Abort and connect again, it won't go further.
So tried the watchdog method suggested by @wcs2228, unfortunately, it was stuck in Abort status. I had to remove and recopy the same profile again.
Do you have any ETA for Firmware 4.x beta ? Apart from this issue, I really like your product. I already bought 4 devices for my family 
Thanks
Since the DNS changes regularly at 23:30, another option is to shut down the router a few minutes before and to start up the router a few minutes afterwards. This can be done with an inexpensive smart plug (e.g., I have a few TP-Link HS103 for $10-$15 each).
WireGuard should reconnect automatically on reboot and hopefully pick up the new DDNS IP address.
riyas
19
Yes, you are correct. It can be a solution. But in India, they have a regular power failure during the day. They have a power backup system but the modem will lose the connection for 30 seconds. And after 30 seconds, the IP address is changed.
Unfortunately, the best solution for me would be the fix promised by the R&D team. They told me that the ETA is around 10 days. So I am waiting 
Thanks again for your help.
Barfoo
20
Watchdog seems to not work with latest stable. An iOS peer with persistent keepalive config fails to connect. Running the code in CLI gives:
root@GL-AX1800:~# /usr/bin/wireguard_watchdog
jsonfilter: unrecognized option: a
Not even a full /etc/init.d/network restart works.
I have to power off and on the router, then stop and start the Wireguard server from the glinet UI (not LUCI).
I am behind NAT with DDNS and no issues besides this one.