The following patch fix the issue for me:

New Kernel Pipelines are at https://github.com/vyos/vyos-build-kernel

Any reason extcommunity-list and community-list doesnt support the same naming scheme?

Hi trae32566

I can confirm the issue. Actually it boils down to two individual ones.

We have had ticket ID 481: How to restart OSPF?

It is an upstream issue so I agree totally in closing as wonˋt fix

Shall I close it as won't fix, given the fact that it is an upstream issue. Anything build around it, is in my opinion just a kludge, unless we would go with a separate daemon which can check and re-establish connections if they fail. The danger is that vyos becomes then more a server than a router. As workaround, a cronjob could do that as well, either setting an option via cli (wg-heartbeat or so since keepalive is a wg option already), which drops a cronjob onto the box and checks the wg endpoint periodically, if it fails it just calls diable/enable and checks again for X times, before it sleeps for let's say 24hs or so. @kroy would something like acronjob help you? Could be also set as a @reboot job and once the traffic flows it kicks itself out. Just wanna throw out ideas here.

https://github.com/vyos/vyos-1x/commit/cf499f958423919264884e9f1c5c1b593fd9de0e next rolling will have it fixed.

They have been committed at the same time, while I was using the current version if ifconfig.py and new one was published.
https://github.com/vyos/vyos-1x/commit/c24eb48c54b562fe7f78cdda82f2e245e9ab8506

Reason for the break is a different commit:

FYI: https://git.zx2c4.com/wg-dynamic/about/docs/idea.md

The Linux kernel has embedded name resolution, maybe this can be added to WireGuard itself. Its better then we design a patch for it.

reverted the commit. I'm not sure if a daemon would be a good idea. Another option is to allow only IP's entered via cli or checking the name whenever wg is executed, resolve the name and send it to hostd to get it written to /etc/host. That would solve at least the issue at reboot and in most cases the correct IP should be in /etc/hosts.

@kroy just to be clear, i'm not against using dns as endpoint for wireguard.. i'm for it, because i have the same issue as you do, but what i'm against is the way to getting there. As the wireguard protocol does not support dns in it self using this method is a loosing game.. what i'm not against is writing a daemon that does the name resolution for you when it comes available.. and available could mean after 1sec, 1m, 1h or even longer after the system is booted.. this daemon also could do re-resolving when the peer is down and the dns has changed...

This is going to become more and more of a problem as wireguard adoption continues. Most major Wireguard VPN services provide a FQDN as their endpoint, not IP:

As for openvpn i dont know, but if the app itself does dns queries on connect it will work quite fint (as i think it does)

As i tried to say, this fix will only work in some scenarios, and this comes down to the implementation of the app were configuring. And to be clear, wireguard does NOT support dns, but the wg config utillity does. On execution time it reads the dns name and tries to resolve it once, and only once. When it fails things would not work.. this is the same with eg. Nhrp that works exactly the same.. using this has raise conditions with getting ip up and running and not only on the host file. We do not wait for dhcp to delegate an address or dns servers.. these could come many ms/sec after wireguard is configured.. this is even true in the case when you change the priority.. and the length of the config/execution time also comes in as an parameter in this raise condition.. so, if you ask me, revert the priority and instead create a dns daemon thing that could read the config and populate the entry when it has failed.

Shouldn‘t OpenVPN have a similar problem?

This should be reverted, as the change is breaking. After more testing, I found some problems due to things like static routing being applied before wireguard now. So the wireguard tunnel works, but in some cases any routing that shouldbe going over the tunnel does not work.

http://dev.packages.vyos.net/repositories/current/vyos/pool/main/v/vyos-1x/vyos-1x_1.3.0-16_all.deb or next rolling release should fix the issue.

Yep. Changing the priority fixes the issue completely

@kroy You can quickly test it via setting Priority to 999 in /opt/vyatta/share/vyatta-cfg/templates/interfaces/wireguard/node.def. It's currently 459. Let me know your results, please.

@runar This isn't a routing issue though.

https://github.com/vyos/vyatta-cfg-op-pppoe/commit/195a478b7d826ec7ff1652b99abc75d49161a882

Pull request created: https://github.com/vyos/vyos-1x/pull/143

Changing the priority will only change a portion of this. It.. could fix the situation there the user have static ip and a default route, but will not give effect when the user has dhcp or uses bgp el.. so my wote goes to not changing priorities on this. This is a loosing race as long as we dont have a daemon el. That manages the connections..

Could we raise WireGuard Priority to 999? So it is launched very late?

There is not really an up or down, there is only a verified handshake and the transferred bytes. If you haven't sent and received anything, the interface is in 'unknown' state in terms of wireguard, even if it's 'up' if you look via iproute2. All can could do it checking if the endpoint resolves and if it does, send a packet and see if the handshake completes.

Changing when the tunnel comes up isn’t an option? For whatever reason the tunnel comes up before DNS resolution works. Using a hostname when the system is running works perfectly

Can you please clarify. What is Vif mode dialing and what has a vlan id to do with multiple physical lines? Does that mean your problem is solved?

Tested, if using Vif requires more physical lines, and switches can use Vif mode PPPoE dialing, using macvlan does not require additional equipment