One cannot tease with such a script and then not provide it. Do we have to beg, pray or pay for it? ))This used to be an issue in earlier versions of 7.1rc , I think it was solved in rc6.
Strange it pops up again...
I circumvented it with a script. Maybe it's because that script is still running I haven't noticed on the devices which I upgraded to 7.1...
Yes -- please do. Thanks!I know.
Was planning to do just that tomorrow.
:delay 25
/interface wireguard peer disable 0
:delay 5
/interface wireguard peer enable 0
:log info "WGPeer toggled"
I am not good with all this so can you tell me where/how you implemented this? (Does this run only on startup?) If so how do you do that?
For archive purposes, this is a script you can use if you do have this problem (raw version which works for me. Could be fine tuned with proper search of ITF name etc etc)
Code: Select all:delay 25 /interface wireguard peer disable 0 :delay 5 /interface wireguard peer enable 0 :log info "WGPeer toggled"
Interesting inch worm that was an early question of mine somewhere in some thread somewhere that probably no one from MT read or ignored.You have a dns name (not just an ip address) in peer's endpoint-address, right. This is still an issue, I have an open issue with SUP-62097.
Looks like the peer does not come up when the first resolve fails. If this happens again, please check if peer's current-endpoint-address is empty.
Same here. Not reconnecting after a failure (keeping my remote devices without communication after the daily reboot)You have a dns name (not just an ip address) in peer's endpoint-address, right. This is still an issue, I have an open issue with SUP-62097.
Looks like the peer does not come up when the first resolve fails. If this happens again, please check if peer's current-endpoint-address is empty.
Solution for now.Tool Netwatch
Host, ip address on other side of tunnel
Down script. Paste script from above
Time to check. Up to you. I would say 1 to 5 minutes. It should only run after a reboot.
link is not okAlternatively check the script under this heading
(2) MYNETNAME - SPECIAL CONSIDERATION FOR ENDPOINT
found at this link - posting.php?mode=edit&p=906311#preview
Sweet but as indicated before, I can and will not take credit for it.What is wrong with the link? Ahh weird, fixed and THANKS!!
Check it out, especially sol/n 2
The endpoint is configured on the phone only. On Mikrotik, this field is empty.On your phone the issue will never occur.
The program will refuse to start wireguard when it can not resolve the endpoint name.
At that same time, there is no problem on the server since no request has been send
Try it on your phone
Yes, client will start, but mikrotik will not start (no traffic). Then i disable/enable peer on mikrotik over the script - no result. Then i disable/enable peer on mikrotik via winbox - all is ok and traffic forwarded.No, it's normal with the Tik having peers with dynamic addresses. It can not know where to start.
The clients will start, Tik will follow.
If dynamic address of client changes, Tik will follow shortly after. That's the beauty of Wireguard.
Yes, it is. I imagine it the same way. But for some reason, after turning on the Mikrotik after a reboot, the peer becomes working and forwarded traffic only if it is manually turned off first and then turned on.Nope.
If client starts connection, mikrotik will know where to go back to.
It does not initiate, it responds.
Big difference.
Are you saying you are effectively seeing this happen ?
Agree.16 seconds to bring up the peer for the 2nd interface is kinda a lot of time. Something is wrong there.
Are both WG i̶n̶t̶e̶r̶f̶a̶c̶e̶s̶ peers defined with FQDN names or one IP and the other FQDN name ?Are both WG interfaces defined with FQDN names or one IP and the other FQDN name ?16 seconds to bring up the peer for the 2nd interface is kinda a lot of time. Something is wrong there.
What exactly do you mean "toggle"? Make a try to ping from that router to my localization? If yes, I didn't try that. I try ping from other side (from my router to that localization), and it doesn't work.Agree.16 seconds to bring up the peer for the 2nd interface is kinda a lot of time. Something is wrong there.
@madejson
when it fails and you toggle the peer status, does it activate then ?
if so, it still might point to DNS resolve issue.
Are both WG interfaces defined with FQDN names or one IP and the other FQDN name ?
Thank you for informations. Is there any way to check it, whats possibly goes wrong?16 seconds to bring up the peer for the 2nd interface is kinda a lot of time. Something is wrong there.
Ok thank you! No I didn't try that but I think it might be help. I used a script for work-around to fix that issue which restarting interface (not peer) and it was working well. Next time when I lose connection I will try your suggestion.Wireguard / peer
Select peer
Toggle status ( disable and enable again)
That's what I mean.
Yes you are right. When I'm using that script it's working well, and in logging I saw that's was triggered from time to time. But I think this script is work-around, somebody before said that problem is no longer exists. As we see problem still present, but I think earlier that was much more offen. Even after correct reboot WG link doesn't up. Now it looks ok, but not when power outage.If that works, it is a possible indication of the dns resolving problem.
Which some declare a bug in ROS but can be circumvented quite easily using a small script.
It doesn't hurt to apply the script anyhow. Your logging should show if it has been used or not.
But at least the connection should come up.
Totally with you on that last commentSince the Wireguard protocol doesn't have something like this and still requires external scripting, I'm trusting more a script that I write instead of something pushed via a vague changelog.
Sob is correct the other wannabee misses the mark entirely in terms of providing customer service based on expected use. There are many linux WG 'helper apps' and 'addons' in the wild because such practical approaches ( be it domain name solving or something else) are common, and the WG protocol in of itself itself is not intended/designed to do "ALL" things.It's just basic expected level of user friendliness. If I use hostname with any other VPN type in RouterOS (IPSec, SSTP, ...) and it can't be resolved, it keeps trying. It would be really weird and unexpected if it didn't, right? Is there any good reason why Wireguard should be different?
Yes, it's slightly different, because there's not exactly distinct client-server connection as in other protocols, communication can be initiated from both sides, there's built-in roaming, etc. But it only changes how it should be evaluated. It shouldn't aggressively re-resolve peer's hostname all the time and change address, but if there's hostname as peer's endpoint and the peer it clearly inactive, then it should do it. It may be optional, but it should be built-it.
My bad, I didnt read your second sentence where you clearly point out that the OS handling of this issue is piss poor. Corrected.....This wannabee was actually making the same point unless I was hugely misunderstood...