2024-10-27 WireGuard Endpoint Watchdog

Task Scheduler

Periodically redo the name resolution of the server address.

Once started, a WireGuard client will never recheck whether the IP behind its endpoint hostname has changed. Unlike IPsec or OpenVPN there is no concept of a session that could time out either. If the server's IP changes, the client can no longer participate until it gets restarted.

To mitigate this for Windows clients I wrote a PowerShell script that, with the help of the Task Scheduler, checks the endpoint hostname regularly. If the resolved IP differs from the one the currently running tunnel is using, a restart of the tunnel service is triggered. (If the tunnel is not active, the script does nothing.)
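As an added example (my own code, not the WireGuard_Endpoint_Watchdog.ps1 from this page), the following shows the core check such a watchdog performs: read the endpoint hostname from the tunnel configuration, resolve it, compare with the endpoint the running tunnel actually uses, and restart the tunnel service only on a mismatch. It follows the exit-code convention listed below (0 unchanged, 1 changed and restarted, 1xx errors, 200 tunnel not running). Assumptions not taken from the page: the tunnel runs as the Windows service WireGuardTunnel$<name>, the configuration is the plain-text .conf (not .dpapi) and readable by the current user, and the endpoint is an IPv4 host:port pair.

```powershell
# Added example, not the page's script. Assumed service name: "WireGuardTunnel$<TunnelName>".
param(
    [Parameter(Mandatory = $true)][string]$TunnelName,
    [string]$WireGuardInstallPath = 'C:\Program Files\WireGuard',
    [string]$DNSServer
)

$wg   = Join-Path $WireGuardInstallPath 'wg.exe'
$conf = Join-Path $WireGuardInstallPath "Data\Configurations\$TunnelName.conf"

if (-not (Test-Path $wg))   { Write-Error "wg.exe not found at $wg"; exit 101 }
if (-not (Test-Path $conf)) { Write-Error "Unable to read $conf"; exit 105 }

# Do nothing unless the tunnel service is actually running.
$service = Get-Service -Name "WireGuardTunnel`$$TunnelName" -ErrorAction SilentlyContinue
if (-not $service -or $service.Status -ne 'Running') {
    Write-Output "No running WireGuard tunnel $TunnelName found. Nothing to do."; exit 200
}

# Endpoint = host:port in the [Peer] section; only the host part matters here.
$line = Select-String -Path $conf -Pattern '^\s*Endpoint\s*=\s*(.+)$' | Select-Object -First 1
if (-not $line) { Write-Error 'No endpoint found. Not a client configuration.'; exit 109 }
$endpointHost = ($line.Matches[0].Groups[1].Value.Trim()) -replace ':\d+$', ''
if ($endpointHost -as [ipaddress]) {
    Write-Error "The configured endpoint $endpointHost is not a hostname but an IP."; exit 108
}

# Resolve the hostname (A records only), optionally via a specific DNS server.
try {
    $dnsArgs = @{ Name = $endpointHost; Type = 'A'; ErrorAction = 'Stop' }
    if ($DNSServer) { $dnsArgs.Server = $DNSServer }
    $resolved = (Resolve-DnsName @dnsArgs | Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
} catch {
    Write-Error "DNS-Resolve-Error: $endpointHost : $($_.Exception.Message)"; exit 110
}
if (-not $resolved) { Write-Error "$endpointHost wasn't resolved."; exit 111 }

# Ask the running tunnel which IP it is really talking to.
# 'wg show <iface> endpoints' prints one "<peer-pubkey><TAB><ip>:<port>" line per peer
# and needs elevated rights; a failure here maps to the page's code 102.
$endpoints = & $wg show $TunnelName endpoints
if ($LASTEXITCODE -ne 0) {
    Write-Error "Insufficient rights to check the WireGuard tunnel $TunnelName."; exit 102
}
$currentIp = (($endpoints | Select-Object -First 1) -split "`t")[1] -replace ':\d+$', ''

if ($currentIp -eq $resolved) {
    Write-Output "Unchanged IP $resolved. Nothing to do."; exit 0
}

Write-Output "The IP behind $endpointHost has changed to $resolved. Restarting WireGuard tunnel $TunnelName."
Restart-Service -Name $service.Name
exit 1
```

Comparing against what `wg show` reports, rather than against a cached value from the previous run, means a single missed run or a restart of the machine cannot leave the watchdog with stale state; a DNS failure deliberately leaves the tunnel alone instead of restarting it.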


Download: WireGuard_Endpoint_Watchdog.ps1 Version 1.0 (2024-10-27)


WireGuard_Endpoint_Watchdog.ps1 parameters:

-TunnelName (mandatory) The name of the Tunnel you want to check.

-WireGuardInstallPath (optional) Only needed if, for whatever reason, the installation path couldn't be determined automatically.

-EndpointHostname (optional) By default the hostname is read from the configuration file. If the file is protected/encrypted (when it ends with .dpapi) the script needs to run with SYSTEM privileges in order to be able to read it. If you don't like that, you will have to set this parameter! (Then whatever account has the rights to restart the WireGuard service is enough.)

-DNSServer (optional) If a specific DNS-Server should be used.

-LogFile (optional) Path to a text log file. Useful for debugging.

-InstallTask (optional) Installs a task in the Windows Task Scheduler. The default is to rerun every 5 minutes. If you want different times you have to make the edit in the Task Scheduler directly.
Important: Copy the ps1 file to C:\Program Files (or wherever) first and run it from there. InstallTask will link to the file, so you probably don't want to run it from your Downloads folder.

-UninstallTask (optional) Removes a task from the Windows Task Scheduler.


Examples:

./WireGuard_Endpoint_Watchdog.ps1 -InstallTask -TunnelName Office

./WireGuard_Endpoint_Watchdog.ps1 -InstallTask -TunnelName Business -EndpointHostname dyndns.example.com -DNSServer 9.9.9.9 -LogFile C:\foo\bar.txt

./WireGuard_Endpoint_Watchdog.ps1 -UninstallTask -TunnelName Office
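As an added example of what -InstallTask has to set up (my own code, not the script's implementation), this registers the watchdog in the Task Scheduler with the 5-minute repetition the page describes. The script path, task name and tunnel name are placeholders I chose; the script is assumed to have been copied under C:\Program Files as the parameter notes advise.

```powershell
# Added example, not the page's -InstallTask code. Paths and task name are placeholders.
$ScriptPath = 'C:\Program Files\WireGuardWatchdog\WireGuard_Endpoint_Watchdog.ps1'
$TunnelName = 'Office'
$TaskName   = "WireGuard Endpoint Watchdog ($TunnelName)"

# Run the script non-interactively; -ExecutionPolicy Bypass avoids the FAQ error below.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`" -TunnelName $TunnelName"

# Start now and repeat every 5 minutes, indefinitely.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) `
    -RepetitionInterval (New-TimeSpan -Minutes 5)

# SYSTEM is only required when the script itself must decrypt a .conf.dpapi file.
# With -EndpointHostname supplied, an account that may merely restart the tunnel
# service is sufficient and is the less privileged choice.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Bound the runtime (a hung DNS query must not pile up instances) and catch up
# missed runs after sleep/hibernate.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 2) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force

# Counterpart of -UninstallTask:
# Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

Because the task action points at the file by absolute path, whoever can write to that path controls what SYSTEM executes every 5 minutes; that is the real reason to keep the script under C:\Program Files (writable only by administrators) rather than in a user profile folder.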


Return codes:

100 Couldn't find the WireGuard installation via the Windows registry. Please provide the path via the -WireGuardPath argument.

101 Couldn't find C:\Program Files\WireGuard\wg.exe at WireGuardPath C:\Program Files\WireGuard

102 The User XYZ has insufficient rights to check the WireGuard-Tunnel FooBar.

103 The WireGuard-Tunnel FooBar has no Endpoint-Information. Not a client configuration.

104 There are two possible configuration files. C:\Program Files\WireGuard\Data\Configurations\FooBar.conf and C:\Program Files\WireGuard\Data\Configurations\FooBar.conf.dpapi. Unclear which is the correct one. Please remove one.

105 Unable to read the configuration file C:\Program Files\WireGuard\Data\Configurations\FooBar.conf. Please check that XYZ has access rights.

106 Unable to read the protected configuration file C:\Program Files\WireGuard\Data\Configurations\FooBar.conf.dpapi. (As user: XYZ) Usually only SYSTEM has the necessary access.

107 The configuration file is empty. Unable to determine an endpoint.

108 The configured endpoint 198.51.100.1 is not a hostname but an IP.

109 No endpoint found. Not a client configuration.

110 DNS-Resolve-Error: dyndns.example.com : Timeout

111 Unknown DNS-Resolve-Error. dyndns.example.com wasn't resolved.

200 No running WireGuard-Tunnel with the name FooBar found. Noting to do.

1 The IP behind dyndns.example.com has changed to 198.51.100.2. Restarting WireGuard tunnel FooBar.

0 Uncanged IP 198.51.100.2. Nothing to do.
Exit code 0 will only be logged with a single dot (without a line break) to the LogFile.


FAQ:

Q: If I open PowerShell and enter ./WireGuard_Endpoint_Watchdog.ps1 I get:
Cannot be loaded because the execution of scripts is disabled on this system.
A: powershell -ExecutionPolicy Bypass -File ./WireGuard_Endpoint_Watchdog.ps1

Q: Doesn't the WireGuard homepage talk about
"there is full IP roaming on both ends"?
A: Yes, it says that. But in my experience it doesn't work, even with short Keepalive settings on both ends. My WireGuard servers were all behind a port-forwarding router, so it doesn't know its public IP. Maybe that is a factor too. And thinking from the client's perspective, why should its firewall let a packet from a "random" IP through?


Linux alternative:
https://blog.netways.de/blog/2022/01/06/wireguard-mit-dynamischen-dns-namen/
