[WireGuard] WireGuard link detection

Jason A. Donenfeld Jason at zx2c4.com
Fri Jul 15 13:48:04 CEST 2016

Hey Codl,

CCing the mailing list on this.

On Fri, Jul 15, 2016 at 9:46 AM, codl <codl at codl.fr> wrote:
> Hi Jason,
> On Fri, 2016-07-15 at 03:01 +0200, Jason A. Donenfeld wrote:
>> What do you mean exactly by the tunnel going up and down? Like "ip
>> link set wg0 up"? Or something else?
> I suppose a better way to put it would be the health of the tunnel: is
> it functional, are packets going through?
> My use case is a tunnel initiated from a laptop that's roaming between
> different networks. Some of those networks may have strict firewalls
> that block UDP entirely. In those cases I'd like to automatically
> change some routes and route some things over the public internet
> instead.
> I do realise that WireGuard's protocol is very light and that as a
> result there aren't a lot of ways it can tell if a tunnel is healthy,
> but perhaps if a number of handshake attempts have failed a tunnel
> could be considered unhealthy (and wg could run a user-defined
> command), and healthy again on the first successful handshake after
> that (again, running a user-defined command)
> --
> codl

In fact, WireGuard internally monitors the handshake, but by default
goes silent when no packets are being sent. However, if the
persistent-keepalive option is used, a session is kept alive always,
with WireGuard aware when it's having difficulty establishing one.

However, as you mentioned, this information isn't communicated to
userspace. Maybe communication of this information is something that
could be exported over NF_LOG? But most likely, it's not really
correct to export it like that.

Traditionally pathological network people invent new protocols to
handle failover like this, such as VRRP. I really doubt you want that
kind of complexity though.

Two things you could do in bash instead are either:
    - Ping every X seconds, and adjust your routing if a ping changes.
    - Use 'ip monitor route' to learn when routes go up and down, and
      do a ping at that point.

It's likely you'll need something like the latter, anyway, for
roaming, if you're forwarding all your traffic. I use a script like
this -- https://gist.github.com/zx2c4/1ad796372619ad76cf9526cbf9938973.
Adding ping capabilities to it would be an okay place to start.

Hope this helps,
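The two approaches from the reply (poll with ping every X seconds, or probe whenever 'ip monitor route' reports a routing change), worked out as an added example in POSIX sh. This is not code from the mail, the linked gist, or the WireGuard project. The interface name wg0, the in-tunnel peer address 10.0.0.1, the prefix 192.0.2.0/24 that is routed over the tunnel, and the failure threshold are all constructed assumptions; the state policy is the one codl described (N failed probes mark the tunnel unhealthy, the first success afterwards marks it healthy again, each transition running a user-defined command).

```shell
#!/bin/sh
# Added example (not from the original mail): a userspace health monitor for a
# WireGuard tunnel. WireGuard does not report handshake health to userspace,
# so we probe through the tunnel with ping and adjust routes when the probe
# fails repeatedly.
#
# Assumptions, all constructed for this example:
#   - the interface is wg0 and the peer's in-tunnel address is 10.0.0.1
#   - traffic for 192.0.2.0/24 is routed via wg0 while the tunnel is healthy
#     and removed from wg0 (falling back to the default route) when it is not
WG_IFACE="${WG_IFACE:-wg0}"
PROBE_ADDR="${PROBE_ADDR:-10.0.0.1}"
TUNNEL_PREFIX="${TUNNEL_PREFIX:-192.0.2.0/24}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # consecutive failed probes before "down"
INTERVAL="${INTERVAL:-10}"              # seconds between probes in polling mode
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print route commands instead of running them

# Run a privileged command, or just print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# One probe: a single ping, 2 s timeout, forced out of the tunnel interface.
# Exit status 0 means the tunnel carried traffic in both directions.
probe() {
    ping -c 1 -W 2 -I "$WG_IFACE" "$PROBE_ADDR" >/dev/null 2>&1
}

# Pure state transition, so the policy can be tested without a network.
# Arguments: current state (up|down), consecutive failure count, probe status.
# Prints: "<new_state> <new_fail_count> <action>" where action is none|up|down.
next_state() {
    state="$1"; fails="$2"; probe_status="$3"
    if [ "$probe_status" -eq 0 ]; then
        # success resets the counter; leaving "down" fires the "up" action
        if [ "$state" = down ]; then echo "up 0 up"; else echo "up 0 none"; fi
    else
        fails=$((fails + 1))
        if [ "$state" = up ] && [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
            echo "down $fails down"
        else
            echo "$state $fails none"
        fi
    fi
}

# The user-defined commands for each transition: route the prefix over the
# tunnel while it is healthy, pull that route when it is not.
apply_action() {
    case "$1" in
        down) run_cmd ip route del "$TUNNEL_PREFIX" dev "$WG_IFACE" ;;
        up)   run_cmd ip route add "$TUNNEL_PREFIX" dev "$WG_IFACE" ;;
    esac
}

# Probe once and apply any resulting transition; state lives in globals.
STATE=up; FAILS=0
step() {
    probe; status=$?
    set -- $(next_state "$STATE" "$FAILS" "$status")
    STATE=$1; FAILS=$2
    [ "$3" = none ] || apply_action "$3"
}

# Mode 1: poll every INTERVAL seconds.
poll_loop() {
    while :; do step; sleep "$INTERVAL"; done
}

# Mode 2: probe whenever the kernel routing table changes (e.g. the laptop
# roamed to a new network), using 'ip monitor route' as the trigger.
monitor_routes() {
    ip monitor route | while read -r _; do step; done
}

# Nothing runs unless a mode is chosen, e.g.:  MODE=monitor DRY_RUN=0 ./wg-health.sh
case "${MODE:-}" in
    poll)    poll_loop ;;
    monitor) monitor_routes ;;
esac
```

With DRY_RUN left at 1 the script only prints the route commands it would run, which is the safe way to watch the state machine before letting it touch the routing table. The monitor mode is the one the reply recommends for roaming: a network change shows up as a route event long before a fixed polling interval would notice it.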
