Introduction

Since switching from OpenVPN to WireGuard, my intranet throughput has tripled and my latency has dropped noticeably. So far so good, but one nagging problem remained: when my OpenWrt router (the WireGuard client) booted, it could not reliably establish its Internet connection.

The cause: the WireGuard client tried to connect to the server before the router's own Internet connection was online. The VPN connection therefore failed, and the failed attempt got in the way of the actual WAN connection.

To get rid of this behaviour, this article describes how to start the WireGuard client on OpenWrt only after the underlying Internet connection has been established.

Note: This article assumes that you have already installed the WireGuard client on your OpenWrt router (the wireguard-tools, kmod-wireguard, luci-app-wireguard and luci-proto-wireguard packages), configured the VPN interface and set up the associated firewall rules.

Step 1: Disable “Bring up on Boot” on the VPN Interface

First, disable the “Bring up on Boot” option on your VPN interface (in LuCI under Network > Interfaces; it corresponds to option auto of the interface section in /etc/config/network). We do not want netifd to start the WireGuard client on its own at boot, in an uncoordinated fashion. Instead, an OpenWrt hotplug script, set up in the next step, will decide when the client is started.

Step 2: Set up NTP Hotplug

To dig a little deeper: the WireGuard client fails to reach the VPN server not because DNS is unavailable, but because WireGuard needs a correct clock to complete its handshake. Every handshake initiation carries a TAI64N timestamp, and the server rejects any initiation whose timestamp is not newer than the last one it accepted from that peer; this is WireGuard's replay protection. Many routers have no battery-backed real-time clock (RTC), so after a reboot the clock starts at some stale date, every handshake looks like a replay, and the server ignores it until the time has been corrected. OpenWrt corrects the time through sysntpd from an external NTP server, which is, you guessed it, unreachable while the Internet connection is down. A classic chicken-and-egg situation.

Luckily, OpenWrt has a feature that comes to our rescue: hotplug scripts.

Hotplug scripts are hooks that run when something happens on the system: a newly detected USB device, a wireless interface coming up, or, as in our case, ntpd reporting that the clock has been synchronised. The scripts for NTP events live in /etc/hotplug.d/ntp/ and receive the event type in the ACTION environment variable.

Make sure SSH root login is enabled on your OpenWrt router and open an SSH session to the device:

ssh root@<YOUR-ROUTERS-IP-ADDRESS>

Using vim (or the busybox vi that ships with OpenWrt), create the NTP hotplug script:

vim /etc/hotplug.d/ntp/90-wireguard
#!/bin/sh

# ntpd-hotplug sets ACTION to "stratum" once the clock has been synchronised;
# other actions (such as "periodic") are ignored here.
[ "$ACTION" = stratum ] || exit 0
# Bring up the netifd interface named "WireGuard" in /etc/config/network.
ubus call network.interface.WireGuard up

Be aware that my WireGuard VPN interface is named WireGuard, hence the statement reads network.interface.WireGuard. Use the name of your own interface, i.e. the section name from /etc/config/network (config interface 'WireGuard'); it is case-sensitive. If your interface is called wg0, for instance, the statement becomes network.interface.wg0.

Step 3: Wrapping up

That's all there is to it. Reboot once more, and the WireGuard client should now only start after OpenWrt has obtained the current time from an external NTP server, which implies that the Internet connection is up:

reboot
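Steps 1 and 2 can also be done from the shell in one go. The following script is an added example and not code from the original post: it validates the interface name, disables “Bring up on Boot” via uci (option auto), and writes a slightly more defensive version of the hotplug script that skips the interface if it is already up and logs what it does. It assumes an OpenWrt box with uci, ubus, jsonfilter and logger available, an interface named WireGuard (override with WG_IFACE), the target path /etc/hotplug.d/ntp/90-wireguard (override with HOTPLUG_FILE), and that ntpd-hotplug exports the stratum variable alongside ACTION.

```sh
#!/bin/sh
# Added example, not code from the original post: performs Steps 1 and 2
# from the shell and generates a more defensive NTP hotplug script.
# Assumes OpenWrt with uci, ubus, jsonfilter and logger; interface name
# and target path are assumptions and can be overridden via environment.

WG_IFACE="${WG_IFACE:-WireGuard}"
HOTPLUG_FILE="${HOTPLUG_FILE:-/etc/hotplug.d/ntp/90-wireguard}"

# netifd interface names are UCI section names: letters, digits and
# underscores only. Checking this before interpolating the name into a
# generated shell script rules out command injection via a crafted name.
valid_iface() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the hotplug script for the given interface name (Step 2).
# Unquoted heredoc: $iface is expanded now, \$ACTION and \$stratum stay
# literal so they are read by the generated script at event time.
render_hotplug() {
    iface="$1"
    cat <<EOF
#!/bin/sh
# Generated for interface "$iface": start WireGuard once ntpd has set the clock.
[ "\$ACTION" = stratum ] || exit 0

# ntpd fires "stratum" on every change of stratum, not only once; if the
# interface is already up there is nothing to do.
if ubus call network.interface.$iface status 2>/dev/null | jsonfilter -e '@.up' | grep -qx true; then
    exit 0
fi

logger -t ntp-wireguard "clock synchronised (stratum \$stratum), bringing up $iface"
ubus call network.interface.$iface up
EOF
}

# Step 1 from the shell: disable "Bring up on Boot" (option auto) for the
# interface, then install the generated hotplug script (Step 2).
install_hotplug() {
    iface="$1"
    target="$2"
    valid_iface "$iface" || { echo "invalid interface name: $iface" >&2; return 1; }
    uci set "network.$iface.auto=0"
    uci commit network
    render_hotplug "$iface" > "$target"
    chmod 0644 "$target"
    echo "installed $target for interface $iface"
}

# Only touch the system when invoked as: sh install-wg-hotplug.sh install
if [ "${1:-}" = install ]; then
    install_hotplug "$WG_IFACE" "$HOTPLUG_FILE"
fi
```

Run it as `sh install-wg-hotplug.sh install` on the router; without the argument it only defines the functions, so the generated script can be inspected with `render_hotplug wg0` before anything is written to /etc.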
5 comments
  1. Amazing 🙂
    It solved my problems with not reconnecting WireGuard VPN connections between two OpenWrt routers.

  2. Hey Mustafa, thank you for the heads-up! Of course, you are right with this observation. I wrote a new paragraph pointing this out.

  3. Thank you for the info. Resolved my issues with the WireGuard connection after reboot.
    One thing to mention related to the 90-wireguard script file is that it assumes your WireGuard interface is named “WireGuard”, but it may be different for different users (e.g. mine is wg0). You may want to point that out as well, so that it doesn’t fail for the people who have different interface names.
