Wireguard VPN not connecting after reboot on RUTX09

RutX09, FW 00.07.05

Since updating firmware the router will not establish a successful VPN connection. When rebooting we have no internet access.

Workaround: Disable, save, then enable and save the Wireguard VPN on the VPN menu. This brings the internet alive and allows for correct routing.

Observations:
The connection on the Mobile ISP takes longer on the new version and I wonder if the VPN is trying to connect before the ISP is ready.

Is there a way to put in a time delay or write a custom script to do the VPN off/on automatically at every reboot (and all the background policy writing that goes with switching that switch)?

I have downgraded to the previous version and, although connecting to the VPN can take 5 min, it seems to retry for a period, allowing the mobile connection to come up.

I have tried resetting to factory defaults on new firmware but this made no difference.

This happened to me in a previous version and I believe the developers had to write something for the delay or retry?

Hello,
Use the /usr/bin/wireguard_watchdog script via cron to work around this issue; add:

* * * * * /usr/bin/wireguard_watchdog

to /etc/crontabs/root and restart cron.
You may need to comment out the

[ -z ${last_handshake} ] && return 0;

line; I would be interested to know if it works without commenting it out.
Regards,

So that didn’t work.

I literally “vi” in on putty and added the line, reloaded cron and then rebooted.

Still had to manually switch off and on.

Please help some more

Edit the /usr/bin/wireguard_watchdog script itself, comment out the line as described above.


With the line commented out, it connects to the internet now, but routing does not allow traffic through the VPN or out to the internet. Pinging any outside address (numerical) brings no reply, and pinging an FQDN brings no DNS.

I think another command is needed to do something.

Help again please.

That’s another issue.
Please post the output of the wg command, masking sensitive information.

[screenshot "working": wg output after switching the VPN off then back on (above)]

[screenshot "notworking": wg output at boot-up when it is not allowing traffic out to the internet]

Your Allowed IPs list seems incorrect; if you want to send all traffic through the wg tunnel it should be:
0.0.0.0/1 + 128.0.0.0/1 + ::/0
Then of course there is a catch: there must be an exception for the traffic to the wg server at the other end; this one must go directly through the mobile or wan interface. One way to achieve that is to play with the metrics: set the metric of the wg interface (in Advanced Settings) to 3 and create a static route to the wg server via the mob1s?a1 interface with a lower metric. 2 will do.
There is no need to specify a gateway for this route.


Is the wg server the Endpoint IP in the VPN?
What’s the route type?

So I went for it and did as I was asking the question about and it rebooted straight to the VPN.

Funny that I have never had to do this on a previous FW.

Fingers crossed it now does it itself over a number of reboots.

Many thanks @flebourse

Good. The type is effectively Unicast.
I would like to know if it still works if the commented line in the script is put back in use. Could you try that at least once (with a reboot, of course) and report the result?

Good morning

The VPN stayed up all through the night, and with a reboot this morning I could see the script working to have a second go at connection: the CPU bar increased and then the internet connected, so clearly something that TELTONIKA need to look at putting in as standard. Furthermore, the static route is also working nicely. Why can’t that be written when the VPN is entered by the user!

I have now removed the # from the first-post advice from @flebourse, and all is well, so for anyone needing this post in the future the answers are even simpler.

A. Go to your router web console
B. Go into the Wireguard settings you have already created and choose advanced settings, enter a Metric number (3???) Take note of this number as you will need it for further stages.
C. Save and apply
D. Find static routes:
E. Add a static route where the Interface is your normal internet traffic - WAN or the Mobile sim slot
F. Enter the Target as the VPN endpoint address
G. Choose metric as lower than the VPN metric (2??)
H. MTU as 1400
I. Ignore all other fields except the last one and choose Unicast.

Now go into the CLI

  1. PUTTY or SSH into the router - remember username is root and not admin but password is your admin password
  2. type
    vi /etc/crontabs/root
  3. use the arrow keys to get to the bottom of the text
  4. Press i and then insert

* * * * * /usr/bin/wireguard_watchdog

  5. press Escape, then :wq! [enter]

Reboot the router and be patient.
Some things you might see happen.
The router will come back on line and you can get into it, but it could take 3-4 mins after you are in for the internet to reconnect, since the script calls for reconnection only after the router is fully up and running.
The CPU bar on the router may climb as the script is running and then you may see your connection restored.
I use DNS Leak Test to see what my IP is before and after connection.

Thanks to @flebourse for the great input

I wanted you to do this test because I have been bitten by the following scenario and it failed without the comment:

  • the tunnel is established
  • then the wg server disappears, the tunnel fails,
  • the client reboots, the tunnel is still down. Now the output of wg show ${iface} latest-handshakes is empty, so last_handshake is zero
  • the server comes back, but with a different IP address.

Now the client is stuck.

If I comment out the test the client can recover.

Sorry there was a typo in a previous answer the Allowed IPs should contain 128.0.0.0/1 not 127.0.0.0/1.
Fixed.
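To illustrate the scenario above (and the cron step in the how-to earlier in the thread), here is an added example of a retry check; it is not the stock /usr/bin/wireguard_watchdog script. It treats an empty latest-handshakes value as a reason to retry rather than to return, and re-sets the peer endpoint so the hostname is re-resolved. WG_IFACE, WG_PEER and WG_ENDPOINT are assumed placeholders.

```shell
#!/bin/sh
# Added example, not the stock /usr/bin/wireguard_watchdog: a cron-driven check
# that re-applies a peer's endpoint when the tunnel has no recent handshake.
# Unlike the stock script's "[ -z ${last_handshake} ] && return 0", an EMPTY
# handshake (tunnel never came up since boot) also triggers a retry.
# Assumed placeholders: WG_IFACE, WG_PEER (peer public key) and WG_ENDPOINT
# (host:port as configured, so the hostname is re-resolved on every retry).

WG_IFACE="${WG_IFACE:-MYVPN}"
WG_PEER="${WG_PEER:-<peer-public-key>}"
WG_ENDPOINT="${WG_ENDPOINT:-vpn.example.invalid:51820}"
STALE_AFTER=150   # seconds without a handshake before we retry

# needs_retry LAST_HANDSHAKE NOW -> exit 0 (retry) or 1 (tunnel healthy).
# LAST_HANDSHAKE is epoch seconds from `wg show IFACE latest-handshakes`;
# it is empty or 0 when the peer has never completed a handshake.
needs_retry() {
    last="$1"; now="$2"
    # Never handshaked since boot: keep retrying instead of giving up.
    [ -z "$last" ] && return 0
    [ "$last" -eq 0 ] && return 0
    [ $((now - last)) -gt "$STALE_AFTER" ]
}

# last_handshake_of PEER OUTPUT -> prints PEER's timestamp from the
# "pubkey<TAB>timestamp" lines of `wg show` (empty if PEER is absent).
last_handshake_of() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2 }'
}

# `wg set ... endpoint` re-resolves the hostname; the next keepalive or
# outbound packet then initiates a fresh handshake.
retry_peer() {
    wg set "$WG_IFACE" peer "$WG_PEER" endpoint "$WG_ENDPOINT"
}

watchdog() {
    out="$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null)" || return 1
    last="$(last_handshake_of "$WG_PEER" "$out")"
    if needs_retry "$last" "$(date +%s)"; then
        retry_peer
    fi
}

# Act only when explicitly enabled on a box that actually has wg.
if [ "${WG_WATCHDOG_RUN:-0}" = 1 ] && command -v wg >/dev/null 2>&1; then
    watchdog
fi
```

Run it from /etc/crontabs/root the same way as the stock script, with the placeholders set in the crontab line, e.g. `* * * * * WG_WATCHDOG_RUN=1 WG_PEER=... WG_ENDPOINT=... /root/wg_retry.sh`.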

Hi, this discussion has already been very helpful. Thank you very much.
However, I have the problem that the Wireguard connection is not established after a restart where the power was completely lost. KeepAlive is set to 25. When I manually deactivate and reactivate the VPN in the interface, a connection is established.

Does anyone have an idea of what can be done so that the connection can be reliably re-established after a restart, IP change or start after a power failure?

Router: RUT240
Firmware: 07.05

Could you execute the following commands just after a reboot but before disabling / re-enabling the wg tunnel:

ifconfig
wg

from ssh or the CLI and post the results?

Hi, thank you for the quick answer. Here is the requested output.

root@Teltonika-RUT240:~# ifconfig
MYVPN     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.13.13.5  P-t-P:10.13.13.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:1362 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:3700 (3.6 KiB)

br-lan    Link encap:Ethernet  HWaddr 00:1E:42:4B:49:84
          inet addr:192.168.178.1  Bcast:192.168.178.255  Mask:255.255.255.0
          inet6 addr: fe80::21e:42ff:fe4b:4984/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2858 errors:0 dropped:0 overruns:0 frame:0
          TX packets:227 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:240159 (234.5 KiB)  TX bytes:30991 (30.2 KiB)

eth0      Link encap:Ethernet  HWaddr 00:1E:42:4B:49:84
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2257 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5954 (5.8 KiB)  TX bytes:224269 (219.0 KiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:84 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6312 (6.1 KiB)  TX bytes:6312 (6.1 KiB)

qmimux0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.137.121.178  P-t-P:10.137.121.178  Mask:255.255.255.255
          inet6 addr: fe80::74d4:6207:25f7:c602/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1160 (1.1 KiB)  TX bytes:5695 (5.5 KiB)

wlan0     Link encap:Ethernet  HWaddr 00:1E:42:4B:49:86
          inet6 addr: fe80::21e:42ff:fe4b:4986/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2460 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:285386 (278.6 KiB)  TX bytes:298687 (291.6 KiB)

wwan0     Link encap:Ethernet  HWaddr 2A:B3:3B:AE:C9:7A
          inet6 addr: fe80::28b3:3bff:feae:c97a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:4096  Metric:1
          RX packets:8 errors:0 dropped:8 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1104 (1.0 KiB)  TX bytes:6917 (6.7 KiB)
root@Teltonika-RUT240:~# wg
interface: MYVPN
  public key: M5IzjksDaEY7fIRhRECD5ztBE2rtwZS9LgTZIPyU03I=
  private key: (hidden)
  listening port: 51820

peer: 5sR1M/ZUjS2U8TAGX1lXo7qAvuXsN/YJsfoTC82Qiws=
  preshared key: (hidden)
  endpoint: XX.XX.XX.XX:51820
  allowed ips: 0.0.0.0/1, 128.0.0.0/1
  transfer: 0 B received, 5.20 KiB sent
  persistent keepalive: every 25 seconds

5.2 KiB sent … Sure, but where?
At the moment the simplest is to add a route and change the metrics as described above.
There is a cleaner solution; you can look at it here. It works for me, but the other user is still struggling with it. If you want to give it a try …

Thank you. I can try it next week. I already followed the steps above mostly.

I think the problem is that Wireguard tries to connect before the internet connection is established. Maybe your other solution works.