Wireguard VPN Issues

CCTVCam

Hi,

Can anyone shed any light on this and what action is needed?

I have WireGuard working. However, it seems whenever I disconnect the router physically from the RJ45 wall socket and thus internet, or reboot the router, I can no longer access my BI server.

Checking in my router I've noticed 2 things have changed:

1. The End Point IP address is different

2. The private key is changed although the public key remains the same

Why the changes and how do I prevent these?

Thanks.
 

duplo

Don't know what you mean by "endpoint ip".

You only have WAN and LAN IPs.
The WireGuard server IP is your WAN when connecting from outside. Your router forwards the traffic from WAN to LAN via port forwarding.

Do you have a dynamic WAN IP or fixed?

WireGuard cannot handle changes of public IP. So if your public IP changes, you need to manually reconnect (disable/enable) any client.

P.S.

In the WireGuard world there is no server/client scheme. Everyone is just a peer. For understanding it is still useful to talk about server/client. Otherwise people get confused easily.
 
cyberwolf_uk

> Don't know what you mean by "endpoint ip".
>
> You only have WAN and LAN IPs.
> The WireGuard server IP is your WAN when connecting from outside. Your router forwards the traffic from WAN to LAN via port forwarding.
>
> Do you have a dynamic WAN IP or fixed?
>
> WireGuard cannot handle changes of public IP. So if your public IP changes, you need to manually reconnect (disable/enable) any client.
>
> P.S.
>
> In the WireGuard world there is no server/client scheme. Everyone is just a peer. For understanding it is still useful to talk about server/client. Otherwise people get confused easily.

The Endpoint IP is the WAN IP provided by your ISP (i.e. your external IP address), or this could be your DDNS if you have configured it this way (if you want to access your VPN from outside your network).

By default when configuring WireGuard it will be populated with your external IP address and port number you set when setting up your WireGuard server.

If your external IP address is changing every time you reboot the router, your ISP is assigning you a new IP every time, bit strange as ISPs usually leave you with the same IP address for a number of weeks / months.
 

duplo

> If your external IP address is changing every time you reboot the router, your ISP is assigning you a new IP every time, bit strange as ISPs usually leave you with the same IP address for a number of weeks / months.

A few years back in Germany it was quite normal that the ISP disconnected you every 24 hours. With every disconnect you got a new IP.

Now most disconnect you every 150-180 days, some (O2 Telefonica) still disconnect every 24 hours.

But if you reconnect yourself (reboot router, lost power...) then you still receive a new IP.

I think most PPPoE connections work this way. DOCSIS connections may differ. In Germany we only have DOCSIS and PPPoE for private home users.

Some ISPs removed public IPv4, so you need to use IPv6, which is more complicated with WireGuard.
 

The Automation Guy

For the endpoint IP, it sounds like you need to use a dyndns forwarding service. This will give you a fixed IP address that you point your VPN to which will forward the traffic to your actual endpoint IP address even after it changes. Of course you need to set this up correctly so the router notifies the service anytime your endpoint address changes.

I have no idea why the private key would be changing. That doesn't match my limited experience with WireGuard (but admittedly I am still using OpenVPN for my connections right now).
 

duplo

> it sounds like you need to use a dyndns forwarding service. This will give you a fixed IP address

Nope, you still have a dynamic IP. WireGuard can't handle dynamic IPs. It only resolves the dyndns once you turn it on, then never again. That's why you have to disable/enable the client on IP change.

> That doesn't match my limited experience with WireGuard (but admittedly I am still using OpenVPN for my connections right now).

OpenVPN works differently than WireGuard. It continuously sends keep-alive messages to the server and checks if the server is alive. That's why OpenVPN is shit and drains a lot of battery if you don't turn it off.
 

biggen

> Nope, you still have a dynamic IP. WireGuard can't handle dynamic IPs. It only resolves the dyndns once you turn it on, then never again. That's why you have to disable/enable the client on IP change.
>
> OpenVPN works differently than WireGuard. It continuously sends keep-alive messages to the server and checks if the server is alive. That's why OpenVPN is shit and drains a lot of battery if you don't turn it off.

There is a keep-alive option available for WireGuard as well. I've never used it but I wonder if that would allow it to keep a tunnel open if an IP address change occurred.
 

duplo

> There is a keep-alive option available for WireGuard as well. I've never used it but I wonder if that would allow it to keep a tunnel open if an IP address change occurred.

It does not work. The problem is that it never resolves the host again. There are some ways to implement auto re-resolve. But this is impossible on iPhone and on Android with root maybe. More a Linux/Windows thing.
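
Added example, not part of any post in this thread: one way to do the periodic re-resolve mentioned above on a Linux peer whose `[Peer]` section points at a DDNS name. It compares each peer's last handshake time with the clock and re-applies the configured `Endpoint` through `wg set`, which looks the hostname up again. The interface name `wg0`, the config path and the 135-second threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): refresh stale WireGuard peer endpoints.
# STALE_AFTER is an assumed threshold in seconds, longer than a normal rekey cycle.
STALE_AFTER=135

# Print "publickey<TAB>endpoint" for each [Peer] that has an Endpoint line.
# Values are cut at the first "=" only, because base64 keys end in "=".
parse_peers() {
    awk '
        function emit() { if (key != "" && ep != "") print key "\t" ep; key = ""; ep = "" }
        /^[ \t]*\[/ { emit(); next }
        { line = $0; sub(/[ \t]*#.*$/, "", line); sub(/[ \t\r]+$/, "", line) }
        line ~ /^[ \t]*PublicKey[ \t]*=/ { sub(/^[^=]*=[ \t]*/, "", line); key = line }
        line ~ /^[ \t]*Endpoint[ \t]*=/  { sub(/^[^=]*=[ \t]*/, "", line); ep = line }
        END { emit() }
    ' "$1"
}

# is_stale LAST_HANDSHAKE NOW: true when the last handshake is too old
# (a peer that never completed a handshake reports 0, so it counts as stale).
is_stale() { [ $(( $2 - $1 )) -gt "$STALE_AFTER" ]; }

# stale_endpoints CONF NOW: stdin is the output of
# `wg show IFACE latest-handshakes` (publickey<TAB>unix-time per line).
stale_endpoints() {
    peers=$(parse_peers "$1")
    while read -r key last; do
        ep=$(printf '%s\n' "$peers" | awk -F'\t' -v k="$key" '$1 == k { print $2 }')
        [ -n "$ep" ] && is_stale "$last" "$2" && printf '%s\t%s\n' "$key" "$ep"
    done
    return 0
}

# reresolve IFACE CONF: `wg set ... endpoint host:port` looks the name up again.
reresolve() {
    wg show "$1" latest-handshakes | stale_endpoints "$2" "$(date +%s)" |
    while read -r key ep; do
        wg set "$1" peer "$key" endpoint "$ep"
    done
}

# Assumed invocation from cron or a systemd timer, as root:
#   reresolve.sh wg0 /etc/wireguard/wg0.conf
if [ "$#" -eq 2 ]; then reresolve "$1" "$2"; fi
```

Peers without an `Endpoint` line are skipped, so running it on the home side, where roaming devices dial in, changes nothing.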

 

The Automation Guy

> OpenVPN works differently than WireGuard. It continuously sends keep-alive messages to the server and checks if the server is alive. That's why OpenVPN is shit and drains a lot of battery if you don't turn it off.

First off, OpenVPN isn't shit. Sure, WireGuard is a much more streamlined protocol, but the trade-off is limitations/issues when it comes to managing VPN connections.

Second off, I don't want or need a full time VPN running on any mobile device. Therefore the battery usage doesn't really matter to me. I actually do run a full time VPN between two physical locations, but that is handled at the firewall level at each location and again isn't being supported by a device running off battery power.
 

duplo

> Second off, I don't want or need a full time VPN running on any mobile device. Therefore the battery usage doesn't really matter to me. I actually do run a full time VPN between two physical locations, but that is handled at the firewall level at each location and again isn't being supported by a device running off battery power.

That's why using WireGuard. It isn't connected and draining battery. Only if you want to reach an IP it opens the tunnel and sends data. Just enable and forget.

So for the normal user it's just like using port forwarding/P2P cloud. But without any of this/insecure things.

If you are happy with opening the app and manually connecting when you want to reach your home network... others may not be.
 

CCTVCam

OK, so where does the IP Cam IP Service play into all this?

Can I use this to overcome the issue or do I need to use OpenVPN instead and set my router to use a DNS server to resolve the dynamic IP?
 

Mike A.

A problem that I have with WireGuard on the iPhone is that the on-demand function doesn't pick up that the BI app needs Internet access. So I have to hit the browser or do something else to kick it on before accessing the app. Some workarounds for that using shortcuts. I go back and forth between OpenVPN and WireGuard. I run everything back through my VPN for ad and site blocking anyway so always on isn't a big deal in my case. I've not noticed any significant battery drain either way.
 

duplo

> Can I use this to overcome the issue or do I need to use OpenVPN instead and set my router to use a DNS server to resolve the dynamic IP?

If the dynamic IP is the problem, yes. You can simply check that by going to a site which shows your public IP, then reconnect and check if it's changed.
If you have a fixed IP, it's another problem.

dyndns / dynamic IP / OpenVPN works like a charm, no problem like with WireGuard.
But OpenVPN has other problems, like battery drain and network speed.

Test it, maybe you are happy with it.
 

CCTVCam

Yeah, my IP is dynamic.

What is the IP Cam IP DNS server for? Is this for this purpose? Should I point my WireGuard to that?
 

duplo

Accept the fact that you have to disable/enable WireGuard on any device if you get a new IP at your home.

Or use OpenVPN if you can't.

Easy and simple.
 