User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
gentoo:wireguard [2025/02/06 10:03] – [Port Forwarding] willygentoo:wireguard [2026/03/19 08:21] (current) – [Watchdog] willy
Line 1: Line 1:
-====== WireGuard ======+====== J) WireGuard ======
  
 [[https://en.wikipedia.org/wiki/WireGuard|WireGuard]] is a modern VPN tunnel solution which is quickly taking the place of OpenVPN. Some of the strong key points of WireGuard are, beside a supposedly more secure implementation, the ease of setup and how it simply merge with the overall linux network management. [[https://en.wikipedia.org/wiki/WireGuard|WireGuard]] is a modern VPN tunnel solution which is quickly taking the place of OpenVPN. Some of the strong key points of WireGuard are, beside a supposedly more secure implementation, the ease of setup and how it simply merge with the overall linux network management.
Line 70: Line 70:
 rc-update add wg-quick.wg0 default rc-update add wg-quick.wg0 default
 </code> </code>
 +
 +===== Watchdog =====
 +
 +In my experience, when the main router reboots or the internet connection is switched, the wireguard tunnel might hang up for a very long time. I am not sure why this happen, it shouldn't, specially with the //PersistentKeepAlive = 25// setting, but it does anyway. 
 +
 +To ensure this doesn't happen, i have written a small OpenRC script that pings the Wireguard remote server and restart the wg-quick interface when the ping fails. Drop the following script as **/etc/init.d/tunnel-watchdog**:
 +<file - tunnel-watchdog>
 +#!/sbin/openrc-run
 +
 +description="Dead‑man switch: ping a host, restart a service if ping fails"
 +
 +# The services you want to restart
 +SERVICES="wg-quick.wg0 wg-quick.wg1"
 +PING_HOST="10.70.0.2"
 +LOG="/var/log/tunnel-watchdog.log"
 +FAIL_COUNT_LIMIT=5
 +PING_TIMEOUT=1
 +PING_COUNT=1
 +
 +restart_service() {
 +    for i in ${SERVICES}
 +    do
 +        einfo "Restarting $i"
 +        /etc/init.d/$i restart
 +    done
 +}
 +
 +depend() {
 +    need net
 +}
 +
 +start() {
 +    ebegin "Starting tunnel-watchdog daemon"
 +    echo $(date)" Starting tunnel watchdog on IP $PING_HOST"  >> ${LOG}
 +    while : ; do
 +        # Perform a quick ping.  -q quiet, -c N packets, -W T timeout
 +        if ! ping -q -c ${PING_COUNT} -W ${PING_TIMEOUT} ${PING_HOST} >/dev/null 2>&1; then
 +            fail_count=$((fail_count + 1))
 +            echo $(date)" Ping to ${PING_HOST} failed (attempt ${fail_count})" >> ${LOG}
 +        else
 +            fail_count=0
 +        fi
 +
 +        # If we hit the threshold, restart
 +        if [ "${fail_count}" -ge "${FAIL_COUNT_LIMIT}" ]; then
 +            echo $(date)" Consecutive failures reached ${FAIL_COUNT_LIMIT}: restarting ${SERVICES}" >> ${LOG}
 +            restart_service
 +            fail_count=0
 +        fi
 +
 +        # Wait a bit before the next check
 +        sleep 5
 +    done &
 +    PID=$!
 +    echo ${PID} > /var/run/tunnel-watchdog.pid
 +    eend 0
 +}
 +
 +stop() {
 +    ebegin "Stopping ping‑restart daemon"
 +    if [ -f /var/run/tunnel-watchdog.pid ]; then
 +        PID=$(cat /var/run/tunnel-watchdog.pid)
 +        kill -9 "${PID}" 2>/dev/null
 +        rm /var/run/tunnel-watchdog.pid
 +    else
 +        eend 255
 +    fi
 +    eend 0
 +}
 +</file>
 +
 +Now make it executable add to the runlevel default and start it:
 +<code bash>
 +chmod +x /etc/init.d/tunnel-whatchdog
 +rc-update add tunnel-whatchdog default
 +/etc/init.d/tunnel-whatchdog start
 +</code>
 +
 +As a final note, don't forget to put log file **/var/log/tunnel-watchdog.log** in your logrotate facility.
 +
  
 ===== Remote access ===== ===== Remote access =====