WireGuard on KnightLi Blog https://knightli.com/en/tags/wireguard/ Recent content in WireGuard on KnightLi Blog Hugo -- gohugo.io en Sun, 19 Jan 2025 00:00:00 +0000 How to solve the problem that wireguard does not automatically reconnect under openwrt https://knightli.com/en/2025/01/19/openwrt-wireguard-auto-reconnect/ Sun, 19 Jan 2025 00:00:00 +0000 https://knightli.com/en/2025/01/19/openwrt-wireguard-auto-reconnect/ <h2 id="how-to-solve-the-problem-that-wireguard-does-not-automatically-reconnect-under-openwrt">How to solve the problem that wireguard does not automatically reconnect under openwrt </h2><p>In the past two days, I have been struggling with the Wireguard interconnection under OpenWrt, and I discovered a problem after using it for a day. It was originally connected using dynamic DNS, and the IP will be automatically changed after 48 hours. At this time, Wireguard will not automatically reconnect, and it needs to be connected manually to normalize.</p> <h3 id="use-the-following-script">Use the following script </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="cp">#!/bin/sh </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> ! ping -c <span class="m">3</span> 对方wgIP <span class="m">3</span> &gt; /dev/null 2&gt;<span class="p">&amp;</span><span class="m">1</span> <span class="p">;</span><span class="k">then</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;The Wireguard is down! Now try restarting wg0!\n&#34;</span> &gt;&gt; ./ddns-wg0.log </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">ifdown wg0 <span class="c1">#wg0是你的wg接口名称</span> </span></span><span class="line"><span class="cl">sleep <span class="m">3</span> </span></span><span class="line"><span class="cl">ifup wg0 </span></span><span class="line"><span class="cl"><span class="k">fi</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="use-the-script-that-comes-with-openwrt">Use the script that comes with openwrt </h3><p>The script is located at /usr/bin/wireguard_watchdog</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="o">.</span> <span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">functions</span><span class="o">.</span><span class="n">sh</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">check_peer_activity</span><span class="p">()</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">cfg</span><span class="o">=$</span><span class="mi">1</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">iface</span><span class="o">=$</span><span class="mi">2</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">public_key</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">endpoint_host</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">endpoint_port</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">persistent_keepalive</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">last_handshake</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">idle_seconds</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">config_get</span> <span class="n">public_key</span> <span class="s2">&#34;${cfg}&#34;</span> <span class="s2">&#34;public_key&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">config_get</span> <span class="n">endpoint_host</span> <span class="s2">&#34;${cfg}&#34;</span> <span class="s2">&#34;endpoint_host&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">config_get</span> <span class="n">endpoint_port</span> <span class="s2">&#34;${cfg}&#34;</span> <span class="s2">&#34;endpoint_port&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">persistent_keepalive</span><span class="o">=$</span><span class="p">(</span><span class="n">wg</span> <span class="n">show</span> <span class="o">$</span><span class="p">{</span><span class="n">iface</span><span class="p">}</span> <span class="n">persistent</span><span class="o">-</span><span class="n">keepalive</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">$</span><span class="p">{</span><span class="n">public_key</span><span class="p">}</span> <span class="o">|</span> <span class="n">awk</span> <span class="s1">&#39;{print $2}&#39;</span><span class="p">):</span><span class="mi">1</span><span class="o">/</span><span class="mi">128</span> <span class="n">Scope</span><span class="p">:</span><span class="n">Host</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># only process peers with endpoints and keepalive set</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span> <span class="o">-</span><span class="n">z</span> <span class="o">$</span><span class="p">{</span><span class="n">endpoint_host</span><span class="p">}</span> <span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span> <span class="o">-</span><span class="n">z</span> <span class="o">$</span><span class="p">{</span><span class="n">persistent_keepalive</span><span class="p">}</span> <span class="o">-</span><span class="n">o</span> <span class="o">$</span><span class="p">{</span><span class="n">persistent_keepalive</span><span class="p">}</span> <span class="o">=</span> <span class="s2">&#34;off&#34;</span> <span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># skip IP addresses</span> </span></span><span class="line"><span class="cl"> <span class="c1"># check taken from packages/net/ddns-scripts/files/dynamic_dns_functions.sh</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">IPV4_REGEX</span><span class="o">=</span><span class="s2">&#34;[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">IPV6_REGEX</span><span class="o">=</span><span class="s2">&#34;\(\([0-9A-Fa-f]\{1,4\}:\)\{1,\}\)\(\([0-9A-Fa-f]\{1,4\}\)\{0,1\}\)\(\(:[0-9A-Fa-f]\{1,4\}\)\{1,\}\)&#34;</span><span class="mi">80</span><span class="p">:</span><span class="n">b91d</span><span class="o">/</span><span class="mi">128</span> <span class="n">Scope</span><span class="p">:</span><span class="n">Link</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">IPV4</span><span class="o">=$</span><span class="p">(</span><span class="n">echo</span> <span class="o">$</span><span class="p">{</span><span class="n">endpoint_host</span><span class="p">}</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">m</span> <span class="mi">1</span> <span class="o">-</span><span class="n">o</span> <span class="s2">&#34;$IPV4_REGEX$&#34;</span><span class="p">)</span> <span class="c1"># do not detect ip in 0.0.0.0.example.comrors:0 dropped:3224 overruns:0 frame:0</span> </span></span><span class="line"><span class="cl"> <span class="n">local</span> <span class="n">IPV6</span><span class="o">=$</span><span class="p">(</span><span class="n">echo</span> <span class="o">$</span><span class="p">{</span><span class="n">endpoint_host</span><span class="p">}</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">m</span> <span class="mi">1</span> <span class="o">-</span><span class="n">o</span> <span class="s2">&#34;$IPV6_REGEX&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span> <span class="o">-</span><span class="n">n</span> <span class="s2">&#34;${IPV4}&#34;</span> <span class="o">-</span><span class="n">o</span> <span class="o">-</span><span class="n">n</span> <span class="s2">&#34;${IPV6}&#34;</span> <span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1"># re-resolve endpoint hostname if not responding for too long</span> </span></span><span class="line"><span class="cl"> <span class="n">last_handshake</span><span class="o">=$</span><span class="p">(</span><span class="n">wg</span> <span class="n">show</span> <span class="o">$</span><span class="p">{</span><span class="n">iface</span><span class="p">}</span> <span class="n">latest</span><span class="o">-</span><span class="n">handshakes</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">$</span><span class="p">{</span><span class="n">public_key</span><span class="p">}</span> <span class="o">|</span> <span class="n">awk</span> <span class="s1">&#39;{print $2}&#39;</span><span class="p">)</span><span class="mi">6</span> <span class="n">addr</span><span class="p">:</span> <span class="n">fe80</span><span class="p">::</span><span class="n">ded8</span><span class="p">:</span><span class="mi">7</span><span class="n">cff</span><span class="p">:</span><span class="n">fe40</span><span class="p">:</span><span class="mi">7</span><span class="n">c82</span><span class="o">/</span><span class="mi">64</span> <span class="n">Scope</span><span class="p">:</span><span class="n">Link</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span> <span class="o">-</span><span class="n">z</span> <span class="o">$</span><span class="p">{</span><span class="n">last_handshake</span><span class="p">}</span> <span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">idle_seconds</span><span class="o">=$</span><span class="p">((</span><span class="o">$</span><span class="p">(</span><span class="n">date</span> <span class="o">+%</span><span class="n">s</span><span class="p">)</span><span class="o">-$</span><span class="p">{</span><span class="n">last_handshake</span><span class="p">}))</span> </span></span><span class="line"><span class="cl"> <span class="p">[</span> <span class="o">$</span><span class="p">{</span><span class="n">idle_seconds</span><span class="p">}</span> <span class="o">-</span><span class="n">lt</span> <span class="mi">150</span> <span class="p">]</span> <span class="o">&amp;&amp;</span> <span class="k">return</span> <span class="mi">0</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">logger</span> <span class="o">-</span><span class="n">t</span> <span class="s2">&#34;wireguard_monitor&#34;</span> <span class="s2">&#34;${iface} endpoint ${endpoint_host}:${endpoint_port} is not responding for ${idle_seconds} seconds, trying to re-resolve hostname&#34;</span> </span></span><span class="line"><span class="cl"> <span class="n">wg</span> <span class="n">set</span> <span class="o">$</span><span class="p">{</span><span class="n">iface</span><span class="p">}</span> <span class="n">peer</span> <span class="o">$</span><span class="p">{</span><span class="n">public_key</span><span class="p">}</span> <span class="n">endpoint</span> <span class="s2">&#34;${endpoint_host}:${endpoint_port}&#34;</span><span class="mi">00</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># query ubus for all active wireguard interfaces</span> </span></span><span class="line"><span class="cl"><span class="n">wg_ifaces</span><span class="o">=$</span><span class="p">(</span><span class="n">ubus</span> <span class="o">-</span><span class="n">S</span> <span class="n">call</span> <span class="n">network</span><span class="o">.</span><span class="n">interface</span> <span class="n">dump</span> <span class="o">|</span> <span class="n">jsonfilter</span> <span class="o">-</span><span class="n">e</span> <span class="s1">&#39;@.interface[@.up=true]&#39;</span> <span class="o">|</span> <span class="n">jsonfilter</span> <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">e</span> <span class="s1">&#39;@[@.proto=&#34;wireguard&#34;].interface&#39;</span> <span class="o">|</span> <span class="n">tr</span> <span class="s2">&#34;</span><span class="se">\n</span><span class="s2">&#34;</span> <span class="s2">&#34; &#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># check every peer in every active wireguard interface</span> </span></span><span class="line"><span class="cl"><span class="n">config_load</span> <span class="n">network</span> </span></span><span class="line"><span class="cl"><span class="k">for</span> <span class="n">iface</span> <span class="ow">in</span> <span class="o">$</span><span class="n">wg_ifaces</span><span class="p">;</span> <span class="k">do</span> </span></span><span class="line"><span class="cl"> <span class="n">config_foreach</span> <span class="n">check_peer_activity</span> <span class="s2">&#34;wireguard_${iface}&#34;</span> <span class="s2">&#34;${iface}&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">done</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="add-the-above-script-to-crontab">Add the above script to crontab </h3><p>You can use any of the above scripts</p> <h4 id="add-via-interface">Add via interface </h4><ol> <li>Open System &ndash;&gt; Scheduled Tasks</li> <li>Enter the following content and save</li> </ol> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"> * * * * * /usr/bin/wireguard_watchdog </span></span></code></pre></td></tr></table> </div> </div><h4 id="add-via-command-line">Add via command line </h4><ol> <li>ssh to openwrt</li> <li>crontab -e</li> <li>Add * * * * * /usr/bin/wireguard_watchdog</li> <li>Save</li> </ol> Use OpenWrt and WireGuard to Connect Two Remote LANs over the Internet https://knightli.com/en/2022/04/14/openwrt-wireguard-connect-two-lans/ Thu, 14 Apr 2022 00:00:00 +0000 https://knightli.com/en/2022/04/14/openwrt-wireguard-connect-two-lans/ <p>WireGuard can be used on OpenWrt routers to connect two LANs in different locations. After configuration, devices on both sides can access each other as if they were connected through a private routed network.</p> <p>This is useful for home labs, NAS access, remote monitoring, backup synchronization and small office interconnection.</p> <h2 id="basic-topology">Basic Topology </h2><p>Assume there are two sites:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Site A LAN: 192.168.1.0/24 </span></span><span class="line"><span class="cl">Site B LAN: 192.168.2.0/24 </span></span><span class="line"><span class="cl">WireGuard tunnel: 10.10.10.0/24 </span></span></code></pre></td></tr></table> </div> </div><p>Each OpenWrt router runs WireGuard. One side can act as the peer with a public endpoint, or both sides can connect through a reachable server.</p> <h2 id="install-wireguard">Install WireGuard </h2><p>On OpenWrt, install the required packages:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">opkg update </span></span><span class="line"><span class="cl">opkg install wireguard-tools luci-proto-wireguard </span></span></code></pre></td></tr></table> </div> </div><p>After installation, the LuCI web interface can configure WireGuard interfaces.</p> <h2 id="create-keys">Create Keys </h2><p>Generate private and public keys for each side:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">wg genkey <span class="p">|</span> tee privatekey <span class="p">|</span> wg pubkey &gt; publickey </span></span></code></pre></td></tr></table> </div> </div><p>Keep private keys secret. Exchange only public keys between the two routers.</p> <h2 id="configure-the-tunnel">Configure The Tunnel </h2><p>Create a WireGuard interface on each router, for example <code>wg0</code>.</p> <p>Example tunnel addresses:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">Site A wg0: 10.10.10.1/24 </span></span><span class="line"><span class="cl">Site B wg0: 10.10.10.2/24 </span></span></code></pre></td></tr></table> </div> </div><p>For Site A, add Site B as a peer and set allowed IPs to:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">10.10.10.2/32 </span></span><span class="line"><span class="cl">192.168.2.0/24 </span></span></code></pre></td></tr></table> </div> </div><p>For Site B, add Site A as a peer and set allowed IPs to:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-text" data-lang="text"><span class="line"><span class="cl">10.10.10.1/32 </span></span><span class="line"><span class="cl">192.168.1.0/24 </span></span></code></pre></td></tr></table> </div> </div><p>These routes tell each router which remote subnet should go through the WireGuard tunnel.</p> <h2 id="firewall-and-routing">Firewall And Routing </h2><p>Create or assign a firewall zone for the WireGuard interface. Allow forwarding between LAN and WireGuard zones according to your policy.</p> <p>At minimum, each side needs:</p> <ul> <li>LAN to WireGuard forwarding;</li> <li>WireGuard to LAN forwarding;</li> <li>UDP port open for WireGuard on the side with a public endpoint;</li> <li>correct allowed IPs for the remote subnet.</li> </ul> <p>If NAT is not required, routed access is cleaner. Each LAN should know that the other LAN is reachable through the WireGuard router.</p> <h2 id="test-connectivity">Test Connectivity </h2><p>After both sides are configured, test the tunnel address first:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ping 10.10.10.1 </span></span><span class="line"><span class="cl">ping 10.10.10.2 </span></span></code></pre></td></tr></table> </div> </div><p>Then test a host in the remote LAN:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ping 192.168.2.1 </span></span></code></pre></td></tr></table> </div> </div><p>If tunnel IPs work but LAN hosts fail, check firewall forwarding and remote subnet routes.</p> <h2 id="summary">Summary </h2><p>OpenWrt plus WireGuard is a lightweight way to connect two remote LANs. The important points are key exchange, tunnel addresses, allowed IPs, firewall forwarding and correct routing between the two LAN segments.</p>