zaneschepke/wgtunnel

[BUG] - No reconnection in case of DDNS IP address change

Closed this issue · 12 comments

Constellation
I have a permanent VPN wireguard connection from my google pixel 6 (android 14) smartphone to my fritzbox router. The fritzbox is connected to an internet provider, which enforces randomly a re-connection of the internet connection. In that case the IP addresses (ipv4 + ipv6) of the fritzbox will be changed. I use a dynamic DNS provider. The fritzbox updates the IP address to my DDNS provider immediately after the re-connection. The DDNS name is part of the Wireguard configuration (Endpoint).

Defect
The wireguard app didn't recognize the IP-Address change and my vpn connection is still running, but no longer working. After a disable / enable click everything works well.

The app is hanging up in an endless loop with the following log messages every 5 seconds.

Log-message
D WireGuard/GoBackend/wg_config: peer(R274…Z2To) - Handshake did not complete after 5 seconds, retrying (try 2)
D WireGuard/GoBackend/wg_config: peer(R274…Z2To) - Sending handshake initiation

Expected behavior
The exception should be caught and a reconnection should be enforced / retried after a few seconds.

Reproducible

  1. Set up a Wireguard connection to a router, use a DDNS Endpoint instead of a static ip
  2. Use the mobile phone, connect the wireguard connection via mobile network (positive)
  3. Reconnect the router to a new IP address
  4. Check the log files, no internet connection via DDNS possible anymore

Support for changing D(yn)DNS-addresses would be my reason for using wgtunnel.

Do you have "Restart on Ping Error (Beta)" in the auto tunneling settings enabled?
I think this helped me in a similar case. But haven't checked since a few weeks/month, as I am not connected to VPN if at home.

The Option Restart on Ping Error (Beta) is enabled.

I'm having the same issue, even with Restart on ping error enabled. I need to manually toggle the tunnel to regain the connection.

Have you tried the new nightly version? I have improved the restart on ping feature and added a customization option per tunnel where you can customize the ping intervals and ping ip.

Unfortunately i still can't get it to work, even with the nightly. Also, does the software expect the custom ping ip to be an ip address inside the tunnel, right? I use selective tunneling, and also tried adding the wg tunnel app into the include list for the pings to work, but no go there either.

On a separate note, i don't understand the need for pings for this purpose. A tunnel is expected to be always on if in the config the peer has an endpoint address and keepalive set. Then you can just monitor the latest handshake, for the status of that tunnel, and restart after that hits a high enough number.
For reference, this works perfectly on my openwrt devices

The custom ping IP can be whatever you want as long as it is a valid IP (of course it should be within the tunnel or else it is pretty useless). It is probably best not to set a custom ping IP and just let it ping the IP of the peer(s) by default. As for handshake, this is also a good approach, but handshakes are not always sent at a regular interval depending on the configuration.

Can you share what about it is not working properly? You must have auto tunneling enabled for this feature to function.

> As for handshake, this is also a good approach, but handshakes are not always sent at a regular interval depending on the configuration.

I think you misunderstand the handshake. It's not a user configurable parameter. According to the protocol description handshakes occur "every few minutes". In practice, it always happens every 2min + a couple of seconds or so, if the keepalive parameter is set.

> It is probably best not to set a custom ping IP and just let it ping the IP of the peer(s) by default.

I'm not sure it's viable in my case, as all my clients have AllowedIPs = 0.0.0.0/0 in the config. I'm pretty sure you can't ping 0.0.0.0. In the AllowedIPs field you can use multiple ip addresses, and/or ip address ranges, i don't really know how you could reliably determine what's the actual IP of the device at the other end of the tunnel from that.

> Can you share what about it is not working properly? You must have auto tunneling enabled for this feature to function.

My wireguard server has a dynamic ip, and i used cloudflare dns to make my domain always point to the actual ip address of the server.
I use auto tunneling on different android tv devices. Android tv devices are basically never turned off, and they never roam, or change wifi. When the vpn server changes ip address, the tunnels managed by wg-tunnel clients stay offline. All of them. All other tunnel endpoints connected to the same server using the mentioned wireguard watchdog script can always recover. On wg-tunnel i can see that the tunnel is enabled, and the counter for last handshake just keeps increasing. Obviously, i have the "restart on ping fail" enabled. Manually turning the tunnel off and on, or rebooting the device makes the tunnel recover.

You have to ping your own IP, 80.45.34.42, something like that. DDNS op is not working yet

We can continue this discussion on Discord. I definitely see value in what I read from your explanation there. Likely, I will want to create a separate issue/feature request to track progress on getting it implemented. Chat more soon!

The latest release of 3.5.2 should close this issue. Note, the restart on ping feature works when auto tunneling is active. I'll discuss more with @devastgh about probably replacing this in the near future with a more elegant solution based on handshakes. If there are still issues getting this feature to work, let me know and I will reopen this issue.

I would like to reopen this issue, as the restart on ping feature does not seem to work for this at all, on any of my devices (2x android 11 tv os, 2x fire stick os based on android 11).

This is how all of them end up after my wireguard server changes its ip address: (screenshot)

Logs are empty: (screenshot)

I need to manually disable the tunnel and enable it again to recover.