RUTX11 SDK 07.17.1 wireguard_watchdog missing

Hello,

The wireguard_watchdog script isn’t present anymore in the wireguard-tools package. It appears this is not just a glitch as the corresponding install command has also been deleted from the Makefile.

What is the rationale behind this removal?

Regards,

1 Like

Good afternoon,

After checking your query, I can confirm that our RnD team has removed the unused /usr/bin/wireguard_watchdog script. As we keep hotplug and proto scripts running as root, there is no daemon that runs.

Regards,

Arturas

hotplug and proto scripts don’t solve the issue wireguard_watchdog does.

Hi there,

I have queried this information with our RnD department.

I will advise, as soon as they inform me.

Thank you for your patience.

Regards,

Arturas

@Arturas

Have R&D got back with their observations?

I have the same question. The script isn’t used by any service normally. You just need it, when connecting to a wireguard endpoint with a dynamic IP. Therefore, it can be triggered by cron.

Look here for reference.

I simply downgraded to the last stable version, and everything is fine again. Unfortunately, when downgrading you need to reconfigure everything, but this took 30 minutes as it is well documented.

I will not upgrade anymore.

What I have done, and I assume this is all still working … no evidence so far it isn’t ….

  • first take a copy of the /usr/bin/wireguard_watchdog script, create a directory called /etc/opt then add a line to /etc/sysupgrade.conf to preserve the directory when upgrading firmware.

  • copy the wireguard_watchdog script into /etc/opt and modify it as below (thanks to @flebourse for his guidance on the mod)

  • run the command crontab -e and add a line * * * * * /etc/opt/wireguard_watchdog

  • after saving the above change, restart cron using the command /etc/init.d/cron restart

  • You can then upgrade to the latest releases as required, your choice

4 Likes
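The steps in the post above as one idempotent script (added example, not Mike's own commands). `ROOT` is an assumed prefix so the steps can be rehearsed in a scratch directory, `SRC` is the path of the saved copy of the script; the restart of cron only happens when running on the real filesystem.

```shell
#!/bin/sh
# Added example: persist wireguard_watchdog across sysupgrade and run it from cron.
# Arg 1: path prefix (assumption; empty = real filesystem), arg 2: saved script.
install_watchdog() {
  ROOT=${1:-}
  SRC=${2:-/usr/bin/wireguard_watchdog}
  DEST_DIR="$ROOT/etc/opt"
  DEST="$DEST_DIR/wireguard_watchdog"
  SYSUPGRADE="$ROOT/etc/sysupgrade.conf"
  CRONTAB="$ROOT/etc/crontabs/root"        # file that `crontab -e` edits on OpenWrt
  CRONLINE='* * * * * /etc/opt/wireguard_watchdog'

  [ -f "$SRC" ] || { echo "missing $SRC" >&2; return 1; }
  mkdir -p "$DEST_DIR" "$(dirname "$CRONTAB")"
  cp "$SRC" "$DEST" && chmod 755 "$DEST"

  # keep /etc/opt across firmware upgrades; append the line only once
  touch "$SYSUPGRADE"
  grep -qx '/etc/opt' "$SYSUPGRADE" || echo '/etc/opt' >> "$SYSUPGRADE"

  # run the watchdog every minute; append the cron line only once
  touch "$CRONTAB"
  grep -qF "$CRONLINE" "$CRONTAB" || echo "$CRONLINE" >> "$CRONTAB"

  # on a real router, make cron pick up the new line
  if [ -z "$ROOT" ] && [ -x /etc/init.d/cron ]; then
    /etc/init.d/cron restart
  fi
  return 0
}

# usage on the router: install_watchdog "" /path/to/saved/wireguard_watchdog
```

Running it twice leaves exactly one `/etc/opt` line in sysupgrade.conf and one cron entry, so it is safe to re-run after an upgrade.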

What exactly did you add to this conf?

At the end of the file, on a new line, add the directory you want to preserve. So, in this case….

/etc/opt

Save the file,

1 Like

@Mike thank you for the credit.

Can you provide us the script here, as for me it is too late, and I don’t want to downgrade my RUTC50. Right now I’m recovering from a loss of the WireGuard S2S VPN tunnel to the AVM Router with a ping check and reboot action. Thanks!

#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (C) 2018 Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>.
# Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
#
# This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
# Use it for peers with a frequently changing dynamic IP.
# persistent_keepalive must be set, recommended value is 25 seconds.
#
# Run this script from cron every minute:
# echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root


. /lib/functions.sh

check_peer_activity() {
  local cfg=$1
  local iface=$2
  local public_key
  local endpoint_host
  local endpoint_port
  local persistent_keepalive
  local last_handshake
  local idle_seconds

  config_get public_key "${cfg}" "public_key"
  config_get endpoint_host "${cfg}" "endpoint_host"
  config_get endpoint_port "${cfg}" "endpoint_port"
  persistent_keepalive=$(wg show "${iface}" persistent-keepalive | grep "${public_key}" | awk '{print $2}')

  # only process peers with endpoints and keepalive set
  [ -z "${endpoint_host}" ] && return 0
  [ -z "${persistent_keepalive}" ] || [ "${persistent_keepalive}" = "off" ] && return 0

  # skip IP addresses
  # check taken from packages/net/ddns-scripts/files/dynamic_dns_functions.sh
  local IPV4_REGEX="[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}"
  local IPV6_REGEX="\(\([0-9A-Fa-f]\{1,4\}:\)\{1,\}\)\(\([0-9A-Fa-f]\{1,4\}\)\{0,1\}\)\(\(:[0-9A-Fa-f]\{1,4\}\)\{1,\}\)"
  local IPV4=$(echo "${endpoint_host}" | grep -m 1 -o "$IPV4_REGEX$")    # do not detect ip in 0.0.0.0.example.com
  local IPV6=$(echo "${endpoint_host}" | grep -m 1 -o "$IPV6_REGEX")
  [ -n "${IPV4}" ] || [ -n "${IPV6}" ] && return 0

  # re-resolve endpoint hostname if not responding for too long
  last_handshake=$(wg show "${iface}" latest-handshakes | grep "${public_key}" | awk '{print $2}')
  [ -z "${last_handshake}" ] && return 0
  idle_seconds=$(($(date +%s)-${last_handshake}))
  [ "${idle_seconds}" -lt 160 ] && return 0
  logger -t "wireguard_monitor" "${iface} endpoint ${endpoint_host}:${endpoint_port} is not responding for ${idle_seconds} seconds, trying to re-resolve hostname"
  # original behaviour: setting the endpoint again makes wg resolve the hostname afresh
  wg set "${iface}" peer "${public_key}" endpoint "${endpoint_host}:${endpoint_port}"
  # alternative tried in this thread (bounce the interface via ubus), left commented out here
  #ubus call network.interface."${iface}" down
  #ubus call network.interface."${iface}" up
}

# query ubus for all active wireguard interfaces
wg_ifaces=$(ubus -S call network.interface dump | jsonfilter -e '@.interface[@.up=true]' | jsonfilter -a -e '@[@.proto="wireguard"].interface' | tr "\n" " ")

# check every peer in every active wireguard interface
config_load network
for iface in $wg_ifaces; do
  config_foreach check_peer_activity "wireguard_${iface}" "${iface}"
done

For me the ubus modification did not work properly, so I went back to the original one.

1 Like
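The per-peer decision rule of the script above, factored into a function that takes its inputs as arguments instead of calling `wg show`, so the edge cases (IP-literal endpoints, the `0.0.0.0.example.com` hostname, keepalive `off`, a peer that never completed a handshake and reports `0`) can be checked against constructed values. This is an added example, not the script from the thread; the 160 s threshold is the one the script uses, the sample peers are constructed.

```shell
#!/bin/sh
# Added example: wireguard_watchdog's "should this peer be re-resolved?" rule.
IDLE_LIMIT=160

# Returns 0 (true) when the endpoint hostname should be re-resolved, 1 otherwise.
# Args: endpoint_host  persistent_keepalive  last_handshake_epoch  now_epoch
peer_needs_reresolve() {
  host=$1; keepalive=$2; last=$3; now=$4
  # no endpoint or no keepalive: passive peer, nothing to re-resolve
  [ -z "$host" ] && return 1
  [ -z "$keepalive" ] || [ "$keepalive" = "off" ] && return 1
  # endpoint given as an IP literal: re-resolving cannot change anything.
  # Anchored on both ends so 0.0.0.0.example.com still counts as a hostname.
  ipv4='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
  ipv6='\(\([0-9A-Fa-f]\{1,4\}:\)\{1,\}\)\(\([0-9A-Fa-f]\{1,4\}\)\{0,1\}\)\(\(:[0-9A-Fa-f]\{1,4\}\)\{1,\}\)'
  echo "$host" | grep -q "^${ipv4}\$" && return 1
  echo "$host" | grep -q "${ipv6}" && return 1
  # no handshake value at all: wg did not list the peer, skip it
  [ -z "$last" ] && return 1
  # wg reports 0 for a peer that never completed a handshake; that yields a
  # huge idle time and therefore a re-resolve, which is the desired outcome
  idle=$((now - last))
  [ "$idle" -ge "$IDLE_LIMIT" ]
}

# Constructed sample peers ("host keepalive last_handshake") evaluated at a
# fixed "now"; prints "host last_handshake" for each peer that needs a re-resolve.
list_stale_peers() {
  now=1700000000
  printf '%s\n' \
    'vpn.example.net 25 1699999900' \
    'vpn.example.net 25 1699999990' \
    '203.0.113.7 25 1699999000' \
    '0.0.0.0.example.com 25 1699999000' \
    'vpn.example.net off 1699999000' \
    'vpn.example.net 25 0' |
  while read -r host keepalive last; do
    peer_needs_reresolve "$host" "$keepalive" "$last" "$now" && echo "$host $last"
  done
}

list_stale_peers
```

Only the `0.0.0.0.example.com` peer (idle 1000 s) and the never-handshaken peer are listed; the IP-literal, keepalive-off and recently active peers are skipped exactly as the original script skips them.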

@widameista what didn’t work correctly when using the ubus calls?

Hello everyone,

Please let us know if you need any assistance from our side!

Best regards,

The router did not reconnect when the mobile connection changed; with the original config there has been no problem for 3 years.

It’s in a camper, so the mobile connection changes a lot.

1 Like

What are the contents of your Allowed IPs list and what is your DNS?

The allowed IP list consists of two networks which are behind the VPN entry point:

192.168.1.0/24, 192.168.0.0/24
DNS is the VPN entry point 192.168.1.101 (fritzbox)

Nothing suspicious. Have you kept logs of the failures when using the ubus calls? Of the wg output?

Sorry, no, but don’t worry; as I do not have any issues, why should I switch from what has worked for the last years?