Wireguard server does not work after reboot
jebnz

Occasional Visitor
This is strange maybe someone has some insight...

I have a WG client configured and a WG server configured which allows intranet traffic. If I reboot my router I can connect to the WG server but no traffic is allowed until I restart the WG client, and then all works fine. Any ideas?
 
This is strange maybe someone has some insight...

I have a WG client configured and a WG server configured which allows intranet traffic. If I reboot my router I can connect to the WG server but no traffic is allowed until I restart the WG client, and then all works fine. Any ideas?
I have the same setup and I don't have this problem.
Which router do you have?
Was this something that used to work and then stopped, or has it never worked?
 
I have the GT-AX6000 with latest merlin firmware.

Wireguard client to vpn.
Vpn director to route traffic
Wireguard server.
 
I have the GT-AX6000 with latest merlin firmware.

Wireguard client to vpn.
Vpn director to route traffic
Wireguard server.
Are you using any 3rd party scripts or apps?

Again, Was this something that used to work and then stopped, or has it never worked?
 
No. Nothing. Standard stuff and only config done through UI. What's so strange is if I restart the WGC my phone on mobile data and connected to the WGS works. Intranet and internet.
 
No. Nothing. Standard stuff and only config done through UI. What's so strange is if I restart the WGC my phone on mobile data and connected to the WGS works. Intranet and internet.
How are your VPNDirector rules set up? Could you post a picture?

What type of access are you missing when it's not working? Can you access the router GUI? Access the local LAN? Access the internet? Or all?
 
Zero access. No internet or intranet.

I also just ssh into the router and ran
Code:
service restart_wgc
and this instantly fixed the issue which I guess is the same as me pressing the apply button on the WGC setup menu which also fixes this as I mentioned above.

 
Zero access. No internet or intranet.

I also just ssh into the router and ran
Code:
service restart_wgc
and this instantly fixed the issue which I guess is the same as me pressing the apply button on the WGC setup menu which also fixes this as I mentioned above.

Not sure if this fixes all your issues, but try to add a new rule:
Description: ToServerUseMain
Local IP: leave blank
Remote ip: 10.6.0.0/24
Iface: WAN

It would take care of the routing issue from LAN to server when the LAN is using the VPN, as server routes are not included in the policy routing table.
 
I'll add that rule now and give it a reboot and see if that fixes the issue.
 
Not sure if this fixes all your issues, but try to add a new rule:
Description: ToServerUseMain
Local IP: leave blank
Remote ip: 10.6.0.0/24
Iface: WAN

It would take care of the routing issue from LAN to server when the LAN is using the VPN, as server routes are not included in the policy routing table.
That fixed it. Thank you. Could you please explain why that worked to me like I'm a 6 year old and why restarting the WGC would also work?
 
Could you please explain why that worked to me like I'm a 6 year old
Not sure that is possible. But when you create wgcX you also create a new routing table. Routing tables are processed in priority order and according to rules until a route is found. The kernel (mostly) maintains the main routing table, which should be complete and also has the lowest priority. The policy route table is maintained by whatever software created it. Typically it's a snapshot of the main routing table, so it might not be as up to date as the main routing table. But in my case the policy route table does not include any routes to any other VPN, including wgs1. So if a LAN client is set to use the policy table it won't find a route to wgs1 there. That is normally OK, as the process would continue, if it were not for the policy route table including a default route. This means that any unknown destinations (internet) would be sent to wgc1, so this is where data to wgs1 would end up. So a route is found and further traversal of routing tables is stopped.

You could check routing rules by ssh command:
Code:
ip rule

This should reflect your vpndirector rules.

And routing tables:
Code:
ip route show table wgc2
Code:
ip route show table main

The added rule redirects packets TO server clients to the main routing table, where a route exists. WAN rules have higher priority than VPN rules, so they are processed earlier.

why restarting the WGC would also work?
No idea, probably an update of the routing tables. You could compare them before and after bouncing the client to see what happens.
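To make the rule walk described in that reply concrete, here is an added Python model of Linux policy routing; it is not code from the thread or from the router firmware. It simulates `ip rule` entries tried in priority order, each pointing at a table, with longest-prefix matching inside a table, and shows why a LAN client under VPN Director loses its path to the 10.6.0.0/24 server peers until a rule sends that destination to the main table. The LAN subnet, peer address, table name `wgc2` and rule priorities are constructed assumptions.

```python
import ipaddress

# Constructed model of the Linux policy-routing walk: rules are tried in
# priority order (lowest number first), each names a table, and the first
# table holding a matching route (longest prefix wins inside a table)
# ends the search. Subnets, peer address, table names and priorities are
# assumptions for this example, not values read from a real router.

LAN_CLIENT = ipaddress.ip_address("192.168.50.20")   # constructed LAN host under VPN Director
WGS_PEER = ipaddress.ip_address("10.6.0.2")          # constructed WireGuard server peer
INTERNET = ipaddress.ip_address("203.0.113.10")      # constructed public address (TEST-NET-3)

# Tables as (prefix, egress). "main" is the complete kernel table; "wgc2" is
# the client's snapshot, which lacks the wgs1 route but carries a default route.
TABLES = {
    "main": [
        ("0.0.0.0/0", "wan"),
        ("192.168.50.0/24", "br0"),
        ("10.6.0.0/24", "wgs1"),
    ],
    "wgc2": [
        ("0.0.0.0/0", "wgc2"),
        ("192.168.50.0/24", "br0"),
    ],
}


def rules(with_fix):
    """Return ip rules as (priority, from, to, table), lowest priority first."""
    r = []
    if with_fix:
        # The suggested ToServerUseMain rule: destination 10.6.0.0/24 -> main.
        # A WAN rule gets a lower number than the VPN rule, so it runs earlier.
        r.append((1000, None, "10.6.0.0/24", "main"))
    r.append((2000, "192.168.50.20/32", None, "wgc2"))  # VPN Director: this client via wgc2
    r.append((32766, None, None, "main"))               # the kernel's catch-all main lookup
    return sorted(r, key=lambda rule: rule[0])


def lookup_table(table, dst):
    """Longest-prefix match within one table; None if the table has no route."""
    best_net, best_via = None, None
    for prefix, via in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_via = net, via
    return best_via


def route(src, dst, with_fix):
    """Walk the rules as the kernel does; return (table, egress) of the winning route."""
    for _prio, frm, to, table in rules(with_fix):
        if frm is not None and src not in ipaddress.ip_network(frm):
            continue
        if to is not None and dst not in ipaddress.ip_network(to):
            continue
        via = lookup_table(table, dst)
        if via is not None:
            return table, via   # a route was found, so later tables are never consulted
    return None


if __name__ == "__main__":
    for fix in (False, True):
        print("with fix" if fix else "without fix")
        print("  LAN client -> server peer:", route(LAN_CLIENT, WGS_PEER, fix))
        print("  LAN client -> internet:   ", route(LAN_CLIENT, INTERNET, fix))
```

Without the fix the VPN Director rule sends the client into `wgc2`, whose default route swallows the 10.6.0.0/24 destination before the main table is ever reached; with the fix the lower-numbered rule diverts only that destination to `main`, where the wgs1 route exists, while internet traffic still leaves via the VPN client. The same walk can be checked on the router with the `ip rule` and `ip route show table ...` commands from the reply above.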
 