Keeping Wireguard credentials up-to-date

I remember how in firmware 3.x, when pulling the VPN credentials from supported providers from within the web interface, these credentials would stop working when the provider changes them as they eventually do.

It was then necessary to log out of the integration with the provider and back in, in order to pull updated credentials to the router. If the VPN provider limits the number of devices allowed to log in, this would create a new device even though it is the same device, often causing further issues. This inconvenience has always been a downside of using the VPN on the router instead of using the client software of the provider on the PC.

Has this issue been addressed in firmware 4.x perhaps? I don’t actually know if the APIs of the providers support update polling but if they do, it would be lovely if GL could support that. Perhaps the app could send a notification when a change in credentials happens or a particular server is discontinued by the provider and prompt the user to pick a new one.

Devices are simultaneous connections typically (so your router counts as 1 device) - so downloading a new .conf file wouldn’t add another device to your account. Your router would always be 1 device - every VPN company has their own API though so there would need to be dozens of APIs added (one for each VPN provider)

Typically is the keyword. The provider I used considers every login a new device which counts towards the limit until it is manually deleted on their website.

Anyway, that is not the only inconvenience of not being able to update credentials. You don’t know why you no longer have connectivity when credentials change so you waste your time troubleshooting other aspects.

If the router could check for updates to the credentials periodically or when there is no bandwidth available despite the VPN being connected, it could inform the user of what’s going on or switch to the new credentials automatically if there is a way to distinguish discontinued servers from those for which only the IP or some other aspect has changed.

Seems like a not very good VPN provider to be fair, devices are devices, it’s not a per server change limit so that’s the way most / any I’ve tried work. Which VPN?

From a technical perspective, they’d need to integrate with the API of every VPN provider to make that work (some may not even offer public APIs to make it even possible)

So just remember that you need to change the credentials when the credentials change?
I mean … isn’t it up to you? Why should they change anyway?

Wireguard does not rely on credentials, that’s why it does not make sense to store them.

I’m using and my credentials never changed. And there are no discontinued servers. At least not in the countries where I use my servers. So maybe switch your VPN provider then?

1 Like

Maybe credentials was the wrong term. Sometimes the endpoint IPs change or entire servers are discontinued by Mullvad or replaced with new ones. When that happens, there is no error message in the firmware, just no traffic going through. Then eventually you check the server list on mullvad website and you see that your configuration is outdated. Then you have to log out in the firmware and re-log in and that creates a new device in the mullvad count of devices so you have to go back and delete the other one. It’s a hassle.

Never happen to me since all the time I use Mullvad.

Well how does GL currently obtain the list of servers after logging in through the firmware. Whatever method that is, could it not be repeated from time to time or when an endpoint IP can no longer be reached, to check for updates? That was my whole idea with this.

I probably just don’t know enough about how Wireguard works. Even using Wireguard on an iPhone with the official Wireguard app, I noticed that it was possible to use inactive (e.g. no longer paid for or changed endpoint) VPN configurations and iPhone would pretend that the VPN is established as usual. You only notice things don’t work when you try to open a website or whatever or when you don’t receive push notifications when you expect them. It makes me wonder if it is somehow not technically possible to notice and alert the user when a Wireguard connection does not work properly.