This article refers to OpenWrt v19.07 and its accompanying WireGuard packages. The behaviour on OpenWrt v21.02 has yet to be tested.

Introduction

Since switching from OpenVPN to WireGuard, my intranet speeds tripled and my ping also dropped significantly. “Everything’s fine”, one might say, but one last nagging behaviour remained: when booting my OpenWrt Router (the WireGuard Client), the Internet connection couldn’t be established reliably.

This is because the WireGuard Client tried to connect to the Server before the internet connection itself was even online. Thus the VPN connection failed and blocked the actual connection to WAN.

To solve this odd behaviour, this article describes how to start the WireGuard Client on OpenWrt only after the underlying internet connection itself has been established.

Note: This article assumes that you already installed the WireGuard Client on your OpenWrt Router using the wireguard-tools, kmod-wireguard, luci-app-wireguard and luci-proto-wireguard packages and set up the associated firewall rules.

Step 1: Disable “Bring up on Boot” on the VPN Interface

As a first step, please make sure to disable the “Bring up on Boot” option within your VPN Interface. This is because we want to stop the WireGuard Client from starting itself in an uncoordinated fashion. Instead, an OpenWrt Hotplug – which has yet to be set up – should be the one to decide when to start the WireGuard Client.

Step 2: Set up NTP Hotplug

To dig a little deeper: the WireGuard Client fails to find the VPN server not because DNS cannot be reached, but because the WireGuard Client requires a precise timestamp while initializing. Since many routers do not have a real-time clock (RTC) built in, the client tries to fall back on an external NTP time server. But such a server is not reachable either, because – you’ve guessed it – the internet connection is not established yet. A typical deadlock situation.

Luckily however, there’s a functionality within OpenWrt coming to our rescue: Hotplugs.

Hotplugs are like triggers/hooks for external scripts to be executed when something happens with or on the system. This can be a newly detected USB device, the activation of the Wi-Fi antennas or, as in our case, the initialization of the NTP time.

Please make sure to have SSH with Root Login enabled on your OpenWrt Router, then establish a new SSH session to the device.

ssh root@<YOUR-ROUTERS-IP-ADDRESS>

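Make sure to have some basic understanding of the vim text editor, then create the NTP hotplug script:

vim /etc/hotplug.d/ntp/90-wireguard

with the following contents:

#!/bin/sh

# Only act on the "stratum" event, which signals that the NTP time has been initialized.
[ "$ACTION" = stratum ] || exit 0
# "WireGuard" is the name of the VPN interface; replace it if yours is named differently.
ubus call network.interface.WireGuard up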

Step 3: Wrapping up

That is already everything. Now issue one final restart; your WireGuard Client should then only start after OpenWrt has successfully retrieved the current time from an external NTP server (that is, once the Internet connection has been established).

reboot
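
To confirm after the reboot that the tunnel really came up once the clock was set, a check like the following can be run on the router. It is an added example, not part of the original article; the interface name WireGuard is taken from the hotplug script above, while the 180-second threshold, the function names and the sample peer keys are assumptions.

```sh
#!/bin/sh
# Added example (not from the original article): verify the tunnel after boot.
# IFACE matches the hotplug script above; MAX_AGE is an assumed threshold.
IFACE="${IFACE:-WireGuard}"
MAX_AGE="${MAX_AGE:-180}"   # seconds

# stale_peers NOW MAX_AGE
# Reads `wg show <iface> latest-handshakes` output on stdin, one
# "<public-key> <unix-time>" line per peer (time 0 = no handshake yet),
# and prints each peer whose handshake is missing or older than MAX_AGE.
stale_peers() {
    now="$1"; max_age="$2"
    while read -r peer ts; do
        # Skip blank or malformed lines instead of failing on them.
        case "$ts" in ''|*[!0-9]*) continue ;; esac
        if [ "$ts" -eq 0 ]; then
            echo "$peer never"
        elif [ $((now - ts)) -gt "$max_age" ]; then
            echo "$peer $((now - ts))s"
        fi
    done
}

# check_tunnel: returns 0 only when every peer has a recent handshake.
check_tunnel() {
    stale="$(wg show "$IFACE" latest-handshakes | stale_peers "$(date +%s)" "$MAX_AGE")"
    [ -z "$stale" ] && return 0
    echo "stale WireGuard peers on $IFACE:" >&2
    echo "$stale" >&2
    return 1
}

case "${1:-}" in
    --check) check_tunnel ;;   # live check on the router
    --demo)                    # constructed sample: one fresh peer, one never seen
        printf 'PEER_A_KEY=\t1700000000\nPEER_B_KEY=\t0\n' |
            stale_peers 1700000060 "$MAX_AGE" ;;
esac
```

Run it with --check on the router; a non-zero exit status means at least one peer has not completed a recent handshake, so the tunnel did not come up as expected.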