Since switching from OpenVPN to WireGuard, my intranet speeds tripled and my ping also reduced significantly. “Everything’s fine” one might say, but there was a last nagging behaviour indeed. When booting my OpenWrt Router (the WireGuard Client), the Internet connection couldn’t be established reliably.
This is because the WireGuard Client tried to connect to the Server before the internet connection itself was even online. Thus the VPN connection failed and blocked the actual connection to WAN.
To solve this odd behaviour, this article is going to describe on how to start the WireGuard Client on OpenWrt, only after the underlying internet connection itself has been established.
Note: This article assumes that you already installed the WireGuard Client on your OpenWrt Router using the
luci-proto-wireguard packages and set up the associated firewall rules.
Step 1: Disable “Bring up on Boot” on the VPN Interface
As a first step, please make sure to disable the “Bring up on Boot” option within your VPN Interface. This is because we want to stop the WireGuard Client from starting itself in a uncoordinated fashion. Rather, an OpenWrt Hotplug – which has yet to be set up – should be the instance on deciding when to start the WireGuard Client.
Step 2: Set up NTP Hotplug
To dig a little deeper, the WireGuard Client fails to find the VPN server not because the DNS cannot be reached, but because the WireGuard Client requires a precise timestamp while initializing. Since many routers do not have a real-time-clock (RTC) built in, the client tries to resort to an external NTP time-server. But such a server is also not reachable, because – you’ve guessed it – the internet connection is not established yet. A typical deadlock situation.
Luckily however, there’s a functionality within OpenWrt coming to our rescue: Hotplugs.
Hotplugs are like triggers/hooks for external scripts to be executed when something happens with or on the system. This can be a new detected USB device, the activation of the Wi-Fi antennas or like in our case, the initialization of the NTP time.
Please make sure to have SSH with Root Login enabled on your OpenWrt Router and continue to establish a new SSH session to the device.
Make sure to have some basic understanding of the
vim text editor and continue to set up the NTP hotplug script:
#!/bin/sh [ "$ACTION" = stratum ] || exit 0 ubus call network.interface.WireGuard up
Please be aware that my WireGuard VPN interface name is called
WireGuard, so the statement results in
network.interface.WireGuard. Make sure to name your statement according to your interface name as well. If your interface is called
wg0 for instance, your statement would be
Step 3: Wrapping up
That was already everything. Now issue one final restart and your WireGuard Client should now only start after OpenWrt has successfully retrieved the current time from an external NTP server (Internet has been established, so to speak).