Open cmonty14 opened 2 years ago
Why does
- Ping Reboot: reboot the OpenWrt device if a ping to a specific host fails
- Restart Interface: restart a network interface if a ping to a host over that interface fails
not work? As I understand your description, if the wireguard VPN tunnel is set up but not functioning, there is no internet access, and ping should fail. Why does it not?
And: If the router is rebooted / the WireGuard interface is taken down and then up again, but the WireGuard connection could not be established, the WireGuard interface should not succeed to an "up" state. Does it anyway report being "up" even if it cannot negotiate with the other side?
I think the scenario
> there's a failure with the tunnel and failover to WAN must be triggered
is use-case dependent: Do you want guaranteed security (i.e. not allow any internet if the VPN is not working) or guaranteed connectivity (also allow non-VPN internet if the VPN is not working)? The user should be able to decide.
Thanks for your feature request! These are only my comments; I am not a developer or maintainer at all.
Configuring the WireGuard client as documented here will set up a default route using the WireGuard interface. The default route exists as long as the WireGuard interface is up.

> The default route exists as long as the WireGuard interface is up.
And the WireGuard interface will succeed in going to the "up" state even if WireGuard cannot negotiate with the other side and does not establish a tunnel?

> And the WireGuard interface will succeed in going to the "up" state even if WireGuard cannot negotiate with the other side and does not establish a tunnel?

Yes, because the endpoint is available, meaning I can ping that IP.
Maintainer: @nickberry17
Environment: OpenWrt 21.02.3
Feature request: Add a function for taking down the WireGuard interface in case the VPN tunnel has a failure.
Use case: A WireGuard VPN tunnel depends on an endpoint, a port and other technical objects. Above all it depends on an active account with the VPN provider. If this account is deactivated, the WireGuard VPN tunnel won't work anymore. However, as long as the WireGuard interface is up, the router will route packets to this tunnel. And this results in a severe failure because packets will get lost.
Package watchcat provides these 3 functions:
None of these 3 functions will resolve the issue described above.
Workaround: This script will ping the DNS servers of the VPN provider IVPN; these DNS servers are only accessible through the VPN tunnel. If none of the DNS servers responds, there's a failure with the tunnel and failover to WAN must be triggered by taking down the WireGuard interface. Prerequisite for failover to WAN is WireGuard - Dynamic Connection. The script is scheduled in cron for regular execution.
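The workaround above is described but its script is not on this page. What follows is an added example written for this thread, not the reporter's script and not part of watchcat or OpenWrt: a cron-driven POSIX shell watchdog that probes the provider's resolvers through the tunnel device and calls `ifdown` on the WireGuard interface when nothing answers, so the "Dynamic Connection" failover to WAN kicks in. It goes beyond the description in two ways: it also accepts a recent WireGuard handshake as proof of life (cheaper than a ping, and covers the "interface is up but no peer ever answered" case discussed above), and it retries the tunnel after a cooldown instead of leaving it down for good. All names are assumptions: the logical interface `wg0`, the resolver addresses `10.0.254.1`/`10.0.254.2` (constructed placeholders, replace with the provider's tunnel-only resolvers), the state file under `/tmp`, and the availability of netifd's `ifstatus`/`ifdown`/`ifup`, BusyBox `ping` and `wg` on the router.

```shell
#!/bin/sh
# wg-watchdog.sh: added example for this thread, not the reporter's script.
# Assumptions (hypothetical):
#   - the WireGuard logical interface is "wg0" in /etc/config/network
#   - VPN_DNS lists resolvers that are only reachable inside the tunnel
#   - ifstatus/ifdown/ifup (netifd), BusyBox ping and wg exist (OpenWrt)
# Cron entry, every 2 minutes:  */2 * * * * /root/wg-watchdog.sh run

WG_IFACE="${WG_IFACE:-wg0}"
VPN_DNS="${VPN_DNS:-10.0.254.1 10.0.254.2}"   # constructed placeholder IPs
PING_COUNT=2
PING_TIMEOUT=3          # seconds to wait for each reply
MAX_HANDSHAKE_AGE=180   # WireGuard re-handshakes every ~2 min under traffic
RETRY_AFTER=900         # stay on plain WAN this long before retrying the tunnel
STATE_FILE=/tmp/wg-watchdog.down   # epoch of the ifdown we performed, if any

# probe_host <ip>: ICMP probe pinned to the tunnel device, so a reply that
# arrives via WAN (e.g. a resolver that also answers publicly) does not count.
probe_host() {
    ping -c "$PING_COUNT" -W "$PING_TIMEOUT" -I "$WG_IFACE" "$1" >/dev/null 2>&1
}

# any_host_responds <probe-cmd> <host...>: 0 as soon as one host answers,
# 1 if none did. The probe is a parameter so the logic runs without a tunnel.
any_host_responds() {
    probe="$1"; shift
    for h in "$@"; do
        "$probe" "$h" && return 0
    done
    return 1
}

# handshake_fresh <latest-handshake-epoch> <now-epoch> <max-age>: 0 when the
# newest handshake is recent enough. An epoch of 0 means "never handshaked".
handshake_fresh() {
    [ "$1" -gt 0 ] && [ $(( $2 - $1 )) -le "$3" ]
}

# latest_handshake: newest handshake epoch over all peers of WG_IFACE (0 if none)
latest_handshake() {
    wg show "$WG_IFACE" latest-handshakes 2>/dev/null \
        | awk 'BEGIN { m = 0 } $2 > m { m = $2 } END { print m }'
}

# iface_is_up: ask netifd whether the logical interface is up (it will say so
# even without a handshake; that is exactly the problem this script addresses)
iface_is_up() {
    ifstatus "$WG_IFACE" 2>/dev/null | grep -q '"up": true'
}

# decide_action <iface-up 0|1> <tunnel-ok 0|1> <secs-down> <retry-after>
# Prints one of:
#   ifdown  interface is up but nothing proves the tunnel works
#   ifup    we took it down ourselves and the cooldown has passed
#   keep    nothing to do (also when someone else took it down: secs-down is 0)
decide_action() {
    iface_up=$1; tunnel_ok=$2; secs_down=$3; retry_after=$4
    if [ "$iface_up" -eq 1 ]; then
        [ "$tunnel_ok" -eq 1 ] && echo keep || echo ifdown
    else
        [ "$secs_down" -ge "$retry_after" ] && echo ifup || echo keep
    fi
}

main() {
    now=$(date +%s)
    if iface_is_up; then
        up=1; down=0
        # A fresh handshake or a reply from a tunnel-only resolver counts as alive.
        if handshake_fresh "$(latest_handshake)" "$now" "$MAX_HANDSHAKE_AGE" \
           || any_host_responds probe_host $VPN_DNS; then ok=1; else ok=0; fi
    else
        up=0; ok=0
        down=$(( now - $(cat "$STATE_FILE" 2>/dev/null || echo "$now") ))
    fi
    case "$(decide_action "$up" "$ok" "$down" "$RETRY_AFTER")" in
        ifdown) logger -t wg-watchdog "tunnel dead, taking $WG_IFACE down (failover to WAN)"
                echo "$now" > "$STATE_FILE"; ifdown "$WG_IFACE" ;;
        ifup)   logger -t wg-watchdog "cooldown over, retrying $WG_IFACE"
                rm -f "$STATE_FILE"; ifup "$WG_IFACE" ;;
    esac
}

if [ "${1:-}" = run ]; then main; fi
```

The interface pinning with `-I` is the part that makes the DNS probe meaningful: without it, a resolver that is also reachable from the public internet would answer over WAN after failover and mask a dead tunnel. The cooldown state file only records takedowns the script itself performed, so an interface an administrator deliberately left down is never brought back up automatically.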