Dear all, 

I came across an issue that might also happen to you. My LTE provider only gives me a 10.0.0.0/8 private IP address in its mobile network. That means I cannot reach my router over the internet. IPv6 is not provided either.

That is why I need a VPN solution. I played around a lot with WireGuard and established a connection between my home server and my router.

Unfortunately, my provider changes my IP address once a day. That leads to an issue with my VPN, because the dynDNS entry for my home server is updated, but even with the persistence flag set, WireGuard on the RUT keeps the connection to the old IP up and running, and I lose the connection.

To overcome that issue I wrote a simple script that compares the IP of my dynDNS entry with the IP configured in the WireGuard configuration.

When a change is detected, the config is written to a tmp file, the IP address is replaced and a config sync is triggered.

That leads to almost 20 minutes without a connection, but for my private use that is totally acceptable.

#!/bin/ash
# GET INTERFACE INFORMATION
INT_NAME="otto"
VPN_SRV="homeserver3345.dyndns.org"
# initial waiting timer (let WAN and DNS come up first)
sleep 180
# loop
while true
do
    # GET VPN SERVER IP ADDRESS
    # BusyBox nslookup prints the resolver's own "Address" line first, so take the
    # last IPv4 address printed; EXT_IP stays empty if the lookup fails.
    EXT_IP=$(nslookup "$VPN_SRV" 2>/dev/null | awk '/^Address/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ip = $i
    } END { print ip }')
    # GET CONFIGURED ENDPOINT ADDRESS AND PORT
    # "Endpoint = 1.2.3.4:51820" -> host part and port part; this is the peer's
    # endpoint port, not the local ListenPort.
    ENDPOINT_LINE=$(wg showconf "$INT_NAME" | grep '^Endpoint')
    ENDPOINT=$(echo "$ENDPOINT_LINE" | awk '{ print $3 }' | cut -d: -f1)
    ENDPOINT_PORT=$(echo "$ENDPOINT_LINE" | awk '{ print $3 }' | cut -d: -f2)

    # COMPARE AND DECIDE WHAT TO DO
    # 1. IPs differ - write the config to /tmp, alter the endpoint to the new IP and sync
    # 2. do nothing (also when the DNS lookup failed, so we never write an empty endpoint)
    if [ -n "$EXT_IP" ] && [ "$EXT_IP" != "$ENDPOINT" ]; then
        # write config to tempfile (it contains the private key, so it is removed below)
        wg showconf "$INT_NAME" > "/tmp/$INT_NAME.cfg"
        # replace old endpoint IP with the new IP, keeping the port
        sed -i "s/^Endpoint =.*/Endpoint = $EXT_IP:$ENDPOINT_PORT/" "/tmp/$INT_NAME.cfg"
        # sync config into the running tunnel
        wg syncconf "$INT_NAME" "/tmp/$INT_NAME.cfg"
        # delete config file
        rm -f "/tmp/$INT_NAME.cfg"
    fi
    sleep 300
done

Feel free to share if you have a better suggestion on how to keep a tunnel persistent with both sides on dynamic IPs.

Greetings, 

Phi

2 Answers


Hello,

Thank you for the configuration example, I'm sure it'll be useful for someone. As an alternative, it could be possible to purchase a virtual private server (VPS) service with a public external IP address, install some lightweight OS (any Linux distribution) and use it for VPN by creating a full tunnel between the router and the VPS. The VPS, in theory, would act like a gateway through which all (or part) of the traffic would be routed, like so:

End device [accessing internet] --> Router --> [VPN tunnel to VPS] --> VPS --> Internet

This way the only concern would be the amount of allowed traffic/data regulated by the VPS service provider. This is partially covered in one of our wiki configuration examples here: https://wiki.teltonika-networks.com/view/Providing_connectivity_for_Helium_miners_using_the_RUT240#Scenario_.233:_Private_WAN_IP_solution

Please note that in this case only a port forward is configured but it is also possible to route all of the traffic through the tunnel by configuring 0.0.0.0/0 or 0.0.0.0/1 + 128.0.0.0/1 as the allowed peer IPs in the tunnel. 

Best regards,

Tomas.


There's already a watchdog script installed on the router (at least my RUTX09 has it) as a part of WireGuard: /usr/bin/wireguard_watchdog. The script has instructions on how to use it at the beginning of the file:

# This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
# Use it for peers with a frequently changing dynamic IP.
# persistent_keepalive must be set, recommended value is 25 seconds.
#
# Run this script from cron every minute:
# echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root

If you lower the TTL on your DDNS entry to 60 seconds - this is what dyn.com uses by default - the non-connection time should be significantly lower than the 20 minutes you're experiencing now.