peer endpoint goes missing from the active configuration after reboot with no internet
Package version
1.0.20220627-1
Firmware version
2.0.9-hotfix.7
Device
EdgeRouter X (SFP, 10 X, EP-R6) - e50
Issue description
Hi, I've had a few cases where the peer endpoint goes missing after a reboot with no internet. This was very problematic because the missing endpoint setting propagated to the boot configuration without me knowing.
This seems similar to GH-124.
Using set interfaces wireguard wg0 route-allowed-ips false was mentioned in GH-124 but didn't help.
I ended up doing a cron script that checks if the endpoint is missing from the active configuration and adds it back.
Thanks.
Configuration and log output
set interfaces wireguard wg0 address 10.99.1.2/32
set interfaces wireguard wg0 mtu 1420
set interfaces wireguard wg0 peer X5uDAzbQ/sm0gmYPSkQVzRYG3A4pUExZbZKTEt+BrnA= allowed-ips 10.99.0.0/16
set interfaces wireguard wg0 peer X5uDAzbQ/sm0gmYPSkQVzRYG3A4pUExZbZKTEt+BrnA= endpoint '<redacted>:20525'
set interfaces wireguard wg0 peer X5uDAzbQ/sm0gmYPSkQVzRYG3A4pUExZbZKTEt+BrnA= persistent-keepalive 10
set interfaces wireguard wg0 private-key <redacted>
set interfaces wireguard wg0 route-allowed-ips true
The same thing happens to me: although the configuration is saved, on reboot it is lost. The only thing that is kept is the rules. The rest, the interface and the peers, are lost after the reboot.
My hardware:
- EdgeRouter 4, firmware v2.0.9-hotfix.7
- Package version wireguard: 1.0.20220627
Steps:
curl -OL https://github.com/WireGuard/wireguard-vyatta-ubnt/releases/download/1.0.20220627-1/e300-v2-v1.0.20220627-v1.0.20210914.deb
sudo dpkg -i e300-v2-v1.0.20220627-v1.0.20210914.deb
sudo wg --version
wireguard-tools v1.0.20210914 - https://git.zx2c4.com/wireguard-tools/
wg genkey | tee /config/auth/wg.key | wg pubkey > /config/auth/wg.pub
wg genpsk | tee /config/auth/wg.psk
configure
set firewall name WAN_LOCAL rule 20 description 'Allow WireGuard'
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol udp
set firewall name WAN_LOCAL rule 20 destination port 51820
commit
set interfaces wireguard wg0 description "WireGuard"
set interfaces wireguard wg0 private-key /config/auth/wg.key
set interfaces wireguard wg0 address 10.5.1.1/24
set interfaces wireguard wg0 listen-port 51820
set interfaces wireguard wg0 route-allowed-ips false
commit
set interfaces wireguard wg0 peer {peer key pub} description "Android"
set interfaces wireguard wg0 peer {peer key pub} allowed-ips 192.168.1.0/24
set interfaces wireguard wg0 peer {peer key pub} endpoint {sub.domain.com}:51820
set interfaces wireguard wg0 peer {peer key pub} persistent-keepalive 15
set interfaces wireguard wg0 peer {peer key pub} preshared-key /config/auth/wg.psk
commit ;save
If the router is not rebooted, the configuration is maintained, but after rebooting... you have to reconfigure the interface and peers.
I got tired of this happening like 3 times per year and just made a script. This always happens when power comes back on but not the internet (maybe the PPPoE link is down while the node is restarting); then WireGuard decides to delete the endpoint.
#!/bin/vbash
#
# Self-healing WireGuard endpoint script for EdgeOS v1.2
#
# --- CONFIGURATION ---
WG_INTERFACE="wg0" # Your WireGuard interface name
PEER_PUBLIC_KEY="<paste peer here>"
ENDPOINT_DOMAIN="<paste endpoint domain here>"
ENDPOINT_PORT="51820"
# --- VARS ---
# This is the direct, non-interactive command for configuration changes
cmd=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper
LOG_TAG="WireGuard-Endpoint-Fix"
# --- IP ---
# Resolve the endpoint domain; take only the first address so a host with
# several A/AAAA records does not produce a multi-line value.
# OLD METHOD: NEW_IP=$(ping -c 1 $ENDPOINT_DOMAIN | head -n 1 | cut -d'(' -f2 | cut -d')' -f1)
NEW_IP=$(getent hosts "$ENDPOINT_DOMAIN" | awk 'NR == 1 { print $1 }')
# Check if DNS resolution returned a valid IP
if [ -z "$NEW_IP" ]; then
    /usr/bin/logger -t "$LOG_TAG" -p local7.warning "DNS resolution failed for $ENDPOINT_DOMAIN. Will try again later."
    exit 1
fi
# Get the current endpoint WireGuard is using. 'wg show <iface> endpoints'
# prints one "<pubkey><TAB><endpoint or (none)>" line per peer.
# Note: The 'sudo' command is not needed here as we will run this as root.
# grep -F matches the key literally, since base64 keys contain '+' and '/'.
CURRENT_ENDPOINT=$(wg show "$WG_INTERFACE" endpoints | grep -F -- "$PEER_PUBLIC_KEY" | awk '{print $2}')
# === SELF-HEALING ===
# Check if the endpoint is missing entirely.
if [ -z "$CURRENT_ENDPOINT" ] || [ "$CURRENT_ENDPOINT" = "(none)" ]; then
    /usr/bin/logger -t "$LOG_TAG" -p local7.warning "Endpoint for peer $PEER_PUBLIC_KEY is MISSING. Restoring configuration."
    # Use the direct command wrapper to make changes
    $cmd begin
    $cmd set interfaces wireguard "$WG_INTERFACE" peer "$PEER_PUBLIC_KEY" endpoint "$ENDPOINT_DOMAIN:$ENDPOINT_PORT"
    $cmd commit
    $cmd save
    $cmd end
    /usr/bin/logger -t "$LOG_TAG" -p local7.info "Endpoint restored to $ENDPOINT_DOMAIN:$ENDPOINT_PORT and saved to boot config."
    exit 0
fi
# === DYNAMIC IP UPDATE ===
# Strip the ":port" suffix. This assumes an IPv4 endpoint; an IPv6 endpoint
# is printed as "[addr]:port" and would need the brackets handled too.
CURRENT_IP=${CURRENT_ENDPOINT%:*}
# Compare and update if necessary
if [ "$CURRENT_IP" != "$NEW_IP" ]; then
    /usr/bin/logger -t "$LOG_TAG" -p local7.info "IP for $ENDPOINT_DOMAIN has changed to $NEW_IP. Updating."
    wg set "$WG_INTERFACE" peer "$PEER_PUBLIC_KEY" endpoint "$NEW_IP:$ENDPOINT_PORT"
else
    # This message is optional, but good for confirming the script is running
    # /usr/bin/logger -t "$LOG_TAG" -p local7.info "IP for $ENDPOINT_DOMAIN is unchanged ($CURRENT_IP)."
    :
fi
Install:
sudo vi /config/scripts/update-wg-endpoint.sh
Press i to enter "Insert Mode", then paste the script code. Press Esc, then type :wq and press Enter to save and quit vi.
sudo chmod +x /config/scripts/update-wg-endpoint.sh
configure
set system task-scheduler task update-wg-endpoint executable path /config/scripts/update-wg-endpoint.sh
set system task-scheduler task update-wg-endpoint interval 5m
commit
save
exit
To test the script:
sudo /config/scripts/update-wg-endpoint.sh
show log | grep "WireGuard-Endpoint-Fix"
This should fix most of #160 #124 #157 #95
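The script above checks a single hard-coded peer. As an added example (not code from the thread or from the wireguard-vyatta-ubnt project), the following POSIX shell check compares every peer endpoint in a saved configuration dump against the live `wg show <iface> endpoints` output, so the "endpoint silently went missing" condition can be detected for all peers and logged before anything is rewritten. It also splits endpoints correctly for both `host:port` and bracketed IPv6 `[addr]:port` forms, which the `cut -d: -f1` in the script does not. The inputs are plain text with constructed sample data; on a router you would feed it the output of `show configuration commands` (assumed to be available from a script via /opt/vyatta/bin/vyatta-op-cmd-wrapper) and of `wg show wg0 endpoints`.

```shell
#!/bin/sh
# Added example (not from the issue thread): report peers whose endpoint is
# present in the saved EdgeOS configuration but missing from the live
# 'wg show <iface> endpoints' output. Inputs are passed as text so the
# check runs offline; on the router, pass the output of
# 'show configuration commands' (assumed reachable via
# /opt/vyatta/bin/vyatta-op-cmd-wrapper) and of 'wg show wg0 endpoints'.

# Split "host:port" or "[v6addr]:port" into host and port; a plain
# 'cut -d: -f1' mishandles the bracketed IPv6 form.
endpoint_host() {
    case "$1" in
        \[*\]:*) h=${1%\]:*}; printf '%s\n' "${h#\[}" ;;
        *)       printf '%s\n' "${1%:*}" ;;
    esac
}
endpoint_port() { printf '%s\n' "${1##*:}"; }

# missing_endpoints CONFIG_TEXT WGSHOW_TEXT
# Prints "<pubkey> <configured endpoint>" for each peer that has an endpoint
# in the saved configuration but shows "(none)" (or no line at all) live.
missing_endpoints() {
    cfg=$1; live=$2
    # config lines: set interfaces wireguard wg0 peer KEY endpoint 'host:port'
    printf '%s\n' "$cfg" | tr -d "'\"" |
        awk '/ peer .* endpoint / { print $(NF-2), $NF }' |
    while read -r key want; do
        # wg show endpoints prints: KEY<TAB>endpoint-or-(none)
        have=$(printf '%s\n' "$live" | awk -v k="$key" '$1 == k { print $2 }')
        if [ -z "$have" ] || [ "$have" = "(none)" ]; then
            printf '%s %s\n' "$key" "$want"
        fi
    done
}

# Constructed sample inputs (placeholder keys and hosts, not real ones).
SAMPLE_CFG="set interfaces wireguard wg0 address 10.99.1.2/32
set interfaces wireguard wg0 peer AAAA= allowed-ips 10.99.0.0/16
set interfaces wireguard wg0 peer AAAA= endpoint 'vpn.example.net:20525'
set interfaces wireguard wg0 peer BBBB= endpoint '[2001:db8::1]:51820'
set interfaces wireguard wg0 peer CCCC= endpoint '198.51.100.7:51820'"
SAMPLE_LIVE=$(printf 'AAAA=\t(none)\nBBBB=\t[2001:db8::1]:51820\n')

# Lists AAAA= (endpoint shows "(none)") and CCCC= (peer absent at runtime).
missing_endpoints "$SAMPLE_CFG" "$SAMPLE_LIVE"
```

Any line it prints is a peer the task-scheduler script would need to restore; piping that output to `logger` gives a log entry to alert on before the next `save` bakes the missing endpoint into the boot configuration.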