[arm-allstar] Solution to a VPN startup problem
Chuck Munro
va7ul at va7ul.ca
Thu Mar 12 19:12:22 EDT 2020
Hello list,

I thought I should pass along a tip regarding problems I had starting a
VPN client on one of the Allstar hamvoip RaspPi-3's used at the ends of
a split-site repeater link. Each reboot would fail to automatically
bring up the VPN client.

I had successfully installed the WireGuard VPN software in hamvoip, but
one end of the link kept failing to start the client because it couldn't
resolve my ISP's dynamic IP address for the FQDN of a ddns aliased
domain. The network on the Pi-3 just didn't settle quickly enough to
resolve a DNS query. I use 1.1.1.1 as the DNS resolver and DYN's ddns
service for aliasing.

I guess I could have figured out a different dependency in the systemd
recipe for the WireGuard unit file, but being a shell scripter I decided
to do it the easy way (for me) ... keep pinging the FQDN until it
resolves correctly, then proceed with starting the WireGuard client.

Here is the Bash script that does the job. A small modification of the
WireGuard systemd recipe is also required, as shown in the comments
below. For anyone not familiar with shell scripting details, note that
"#!/bin/bash" MUST be the very first line in the script, otherwise it
will fail under systemd. This script will stop after 10 failed
attempts, 1 second apart.

I hope this might ease someone else's pain when trying to bring up a
remote Allstar node's WireGuard VPN client connection.

----------------------------------
#!/bin/bash
## /usr/local/bin/StartWireGuard.sh  2020-03-12  Chuck VA7UL
# Script to test-ping the IP address of the WireGuard VPN server until success,
# then start the WireGuard client.
# This gives a DNS lookup of an aliased FQDN time to work after system boot.
# Could use the IP address if applicable.
# Set permissions to 755 owned by root.
# Modify the [Service] section of the wg-quick@xxx.service systemd unit file
# in /lib/systemd/system/ to exec this shell script .....
#
# [Service]
# Type=oneshot
# RemainAfterExit=yes
# ExecStart=/usr/local/bin/StartWireGuard.sh %i
# ExecStop=/usr/bin/wg-quick down %i
# Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
#
ConfigFile=${1:-/etc/wireguard/wg0.conf}  # Default '/etc/wireguard/wg0.conf' if not provided.
Count=0
MaxTries=10
Returncode=2

# This FQDN or IP value MUST match that in the wg conf file!!
WireGuardServer="your VPN server FQDN or IP Address"  # Use the quotes.

# Ping the FQDN or IP address until it returns a zero success:
while true
do
    # Quoted so an unexpected value cannot be split into extra ping arguments.
    ping -c 1 "${WireGuardServer}" >/dev/null 2>&1
    Returncode=$?
    if [ ${Returncode} -eq 0 ]
    then
        break
    fi
    let Count+=1
    if [ ${Count} -ge ${MaxTries} ]
    then
        echo "Failed pinging the VPN server after ${MaxTries} tries. Quitting VPN setup."
        exit 1
    fi
    sleep 1
done

# Found the VPN server, start the local client service:
echo "Ping of ${WireGuardServer} successful. Starting VPN client."
/usr/bin/wg-quick up "${ConfigFile}"
----------------------------------
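
An added example, not part of the original post: a variant of the same wait-then-start approach that reads the peer's Endpoint from the WireGuard config instead of hard-coding it, and waits for name resolution with getent ahosts rather than for an ICMP reply. The function names are hypothetical, and it assumes the interface name arrives as $1 (systemd's %i) with the config at /etc/wireguard/<interface>.conf.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the host part of the first Endpoint line in a WireGuard config file.
wg_endpoint_host() {
    sed -n 's/^[[:space:]]*[Ee]ndpoint[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/:[0-9]*$//' -e 's/^\[\(.*\)]$/\1/'
}

# Succeeds once the name resolves. getent ahosts uses getaddrinfo, so a
# literal IP address also passes without a reverse lookup.
resolve_host() {
    getent ahosts "$1" >/dev/null 2>&1
}

# wait_for_dns HOST [MAX_TRIES] [DELAY_SECONDS]; returns 1 when tries run out.
wait_for_dns() {
    wait_host=$1; wait_max=${2:-10}; wait_delay=${3:-1}; wait_n=0
    while ! resolve_host "$wait_host"; do
        wait_n=$((wait_n + 1))
        if [ "$wait_n" -ge "$wait_max" ]; then return 1; fi
        sleep "$wait_delay"
    done
    return 0
}

start_wireguard() {
    iface=$1
    conf=/etc/wireguard/$iface.conf   # assumed wg-quick config location
    endpoint=$(wg_endpoint_host "$conf")
    if [ -z "$endpoint" ]; then
        echo "No Endpoint found in $conf. Quitting VPN setup." >&2
        return 1
    fi
    if ! wait_for_dns "$endpoint" 10 1; then
        echo "$endpoint did not resolve after 10 tries. Quitting VPN setup." >&2
        return 1
    fi
    echo "$endpoint resolves. Starting VPN client."
    /usr/bin/wg-quick up "$iface"
}

# Runs only when an interface name is passed, e.g. ExecStart=... %i
if [ $# -gt 0 ]; then
    start_wireguard "$1"
fi
```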