Does wgclient-start Script Run Before Or After WireGuard Client Is Started?

[HarryMuscle]

Does anyone know if the wgclient-start script is called before a WireGuard client is started or after a client is started? Also if it's before, is it a blocking script (ie: the client doesn't start until the wgclient-start script finishes)? The wiki unfortunately doesn't specify any of these details.

Thanks,
Harry

 

[RMerlin]

Before, so it can be used to customize the config file. I don't remember if it was blocking or not, this is something I will need to revise at some point for all scripts because I don't believe I paid much attention when adding new scripts except in the initial few ones 8-9 years ago.

 

[ZebMcKayhan]

Does anyone know if the wgclient-start script is called before a WireGuard client is started or after a client is started? Also if it's before, is it a blocking script (ie: the client doesn't start until the wgclient-start script finishes)? The wiki unfortunately doesn't specify any of these details.

Thanks,
Harry

As @RMerlin mentioned changing the config file, I haver never had any luck with that. Not saying that Merlin is wrong (he rarely is) but the way I read the firmware code the hook file is called after the peer is started, just before the log message is put and thats it. And the stop file is called before the peer is stopped. So it works as PostUp or PreDown directive.

I can successfully use wg set commands in the start hook file which shows the config is loaded and active at this point.

Using wg set is in my opinion much more convenient than changing the config file:

set <interface> [listen-port <port>] [fwmark <fwmark>] [private-key <file-path>] [peer <base64-public-key> [remove] [preshared-key <file-path>] [endpoint <ip>:<port>] [persistent-keepalive <interval seconds>] [allowed-ips <ip1>/<cidr1>[,<ip2>/<cidr2>]...]

Most stuff could be fetched directly from nvram, such as I use this to periodically force a re-lookup of endpoint domain name:

ClientNr=1
wg set wgc"$ClientNr" peer $(nvram get wgc"$ClientNr"_ppub) endpoint $(nvram get wgc"$ClientNr"_ep_addr):$(nvram get wgc"$ClientNr"_ep_port)

Or in wgserver-start to add an endpoint to a server peer to have it connect out to my VPS as Im behind cgnat:

EndPoint=aaa.bbb.ccc.ddd:xyz
ClientNr=1
wg set wgs1 peer $(nvram get wgs1_c"$ClientNr"_pub) endpoint $EndPoint persistent-keepalive 25

 

[RMerlin]

but the way I read the firmware code the hook file is called after the peer is started, just before the log message is put and thats it. And the stop file is called before the peer is stopped. So it works as PostUp or PreDown directive.

It's very possible that it's the case. I just can't remember exactly, as both cases could make sense (first one would be for modifying the config, second one would be for applying firewall/routing rules).

I guess someone could also use that script to modify the config, and then apply his changes. A lot of changes can be directly applied with the userspace tool as well, once the tunnel is up.

 

[RMerlin]

I reviewed how it was implemented, here are the details (which make more sense):

1) wgclient-start is run after the tunnel is established. It's a non-blocking script, and its goal is to allow you to modify an existing tunnel (for instance through wgc commands).

2) wgclient%d.postconf (%d = unit number, between 1 and 5) is the postconf script that is run after the config file is created, but before connecting the tunnel. That script is blocking, and will allow you to customize a config file before the client gets started.

The postconf scripts are what I had in mind when I first answered, sorry for the confusion.

 

[ZebMcKayhan]

wgclient%d.postconf (%d = unit number, between 1 and 5) is the postconf script that is run after the config file is created, but before connecting the tunnel. That script is blocking, and will allow you to customize a config file before the client gets started.

I was not aware that postconf script was added to Wireguard, thanks! That may come handy!
However, I have yet to find anything in Wireguard config I couldnt change with wg set but it will be after the peer is up. Not that I care about that, but others may and this is where the postconf script may be important.

 

[HarryMuscle]

I was not aware that postconf script was added to Wireguard, thanks! That may come handy!
However, I have yet to find anything in Wireguard config I couldnt change with wg set but it will be after the peer is up. Not that I care about that, but others may and this is where the postconf script may be important.

I think for my use case that will be the script file to use since I'm trying to duplicate the functionality of the PreUp option which runs a command before the tunnel is established.