April 26

WireGuard Watchdog

Small plugin that keeps your WireGuard tunnel healthy. It pings a peer through the tunnel on a schedule, and if the peer goes quiet it bounces the tunnel with wg-quick down/up. Plays nice with Unraid's built-in WireGuard support, since it never touches the interface directly, only goes through wg-quick.

Why

WireGuard fails silently. A peer reboots, a NAT mapping expires, an upstream blip happens, and the tunnel still looks "up" from your end. wg show reports nothing wrong, but no traffic actually flows. The fix is always the same: bounce the tunnel. This plugin does that for you, but only after a real liveness check, not just an "is the daemon running" check.

Features

- Configurable interface, peer IP, and check interval (down to 20s)
- Verbose mode logs ping latency, packet loss, handshake age, and transfer counts
- Test Now / View Log / Clear Log buttons in the UI
- flock-protected so overlapping cron runs can't step on each other
- Cron sticks around across reboots via update_cron
- Disabled by default on first install. You opt in.

Install

Plugins tab, Install Plugin, paste in the .plg URL.

Then go to Tools, User Utilities, WireGuard Watchdog, set Enabled to yes, and hit Apply.

Requirements

- Unraid 6.12+ (tested on 7.2.x)
- A configured WireGuard tunnel under Settings, VPN Manager
- A peer IP that's reachable through the tunnel when things are working

Source

GitHub: https://github.com/pacnpal/wireguard-watchdog
License: MIT

Feedback welcome.

April 28

This redirects any docker containers with Host networking through wg0, at least it did for me. Uninstalled.

April 29 (Author)

3 hours ago, adammerkley said:
> This redirects any docker containers with Host networking through wg0, at least it did for me. Uninstalled.

Thank you for the bug report, it's now fixed in the latest version. I admittedly don't use host networking with my Docker containers, so that was an unfortunate oversight on my behalf.

What was happening: when wg-quick brings up a tunnel with AllowedIPs = 0.0.0.0/0 and no Table = off, it installs an ip rule that routes everything not marked with fwmark 51820 through wg0. If your tunnel was originally started some other way (custom script, manual wg setconf, container-managed) and that rule wasn't already there, the watchdog's wg-quick up would suddenly install it. Every --network host Docker container then started hairpinning through wg0. That's your symptom.

The fix: bounces now use wg syncconf, which resets peer crypto state without touching ip rules, routes, or iptables. The hard wg-quick down/up is a last-resort fallback, and even then, if your conf is in the redirect-prone shape and the fwmark isn't already on the live interface, the watchdog refuses the bounce and logs why. The exact failure you hit is structurally unreachable now.

Reproduced it end-to-end on a real Unraid box with the old code, confirmed zero routing diff with the new code.

Edited April 29 by pacnpal
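
The guard described in the reply above can be sketched as follows. This is an added example, not part of the thread and not the plugin's own code: the function names and the sample conf are hypothetical, and the "redirect-prone" test is taken from the post's wording (a /0 entry in AllowedIPs and no Table = off).

```bash
#!/usr/bin/env bash
# Added example; function names and the sample conf are hypothetical.

# conf_redirect_prone FILE -> exit 0 when some AllowedIPs entry is a /0 route
# and the conf does not set Table = off (the shape described in the thread).
conf_redirect_prone() {
    awk -F= '
        { sub(/#.*/, "")                               # drop comments
          key = tolower($1); gsub(/[ \t]/, "", key)
          val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val) }
        key == "table"      { table = tolower(val) }
        key == "allowedips" { n = split(val, ips, ",")
                              for (i = 1; i <= n; i++) if (ips[i] ~ /\/0$/) catchall = 1 }
        END { exit !(catchall && table != "off") }
    ' "$1"
}

# hard_bounce_allowed FILE LIVE_FWMARK
# LIVE_FWMARK is the output of `wg show <iface> fwmark` ("off" when none is set).
hard_bounce_allowed() {
    local conf=$1 live_fwmark=${2:-off}
    if conf_redirect_prone "$conf" && [ "$live_fwmark" = "off" ]; then
        echo "refuse: $conf routes a /0 without Table = off and the interface" \
             "has no fwmark; wg-quick up would add a new catch-all ip rule" >&2
        return 1
    fi
    return 0
}

# Constructed sample: full-tunnel peer, no Table line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
Address = 10.8.0.2/32
[Peer]
AllowedIPs = 0.0.0.0/0, ::/0
EOF
# On a live host the second argument would come from: wg show wg0 fwmark
if hard_bounce_allowed "$sample" off; then
    echo "hard bounce ok"
else
    echo "hard bounce refused"
fi
rm -f "$sample"
```

Comparing `ip rule show` output before and after a bounce is a quick way to confirm on a test box that no new rule appeared.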