I have a WireGuard VPN server running. How do I set a timeout so that connected clients get disconnected if they are idle for a given time (or maybe even disconnected regardless of whether they are idle or not)? Where do I specify this parameter? I see no mention of it in the WireGuard documentation.
Set VPN Connection Timeout in WireGuard
timeout, vpn, wireguard
Related Solutions
I know this is an old question, but I'm posting in case anyone else is looking for a better/different answer. I've been having a similar problem, but when installing upgrades. Ours takes a long time to start as it is part of a Galera cluster and needs to copy over what it missed while it was down.
To start, run:
MYSQLD_STARTUP_TIMEOUT=900 /etc/init.d/mysql start
or, on a system with service, like Ubuntu:
sudo MYSQLD_STARTUP_TIMEOUT=900 service mysql start
And in my case, for upgrades, call:
sudo MYSQLD_STARTUP_TIMEOUT=900 apt-get dist-upgrade
After experimenting with different options, I decided to stop using NetworkManager and instead use wg-quick directly. On Fedora Server, this was pretty easy: I only had to remove the NetworkManager connection using nmcli con del wg0 and enable the wg-quick service using systemctl enable --now wg-quick@wg0 (which reads the config from /etc/wireguard/wg0.conf). Switching to wg-quick has the following advantages:
- I can specify custom PostUp commands to configure a more complex routing setup.
- The number of the WireGuard routing table seems to be constant at 51820, even though I could not find any documentation about this. This makes it easier to set up custom ip rules.
I then used the PostUp command in wg0.conf to set up additional ip rules that would make sure that any WireGuard traffic would also respond through WireGuard. There are two options to achieve this:
Option 1: source IP matching
The ip rules match the WireGuard packets based on their source IP addresses (which is automatically set to the IP address on which the request originally came in):
[Interface]
Address = 10.139.192.4/24
Address = fd52:30a4:f9e7:647a::4/64
PostUp = ip -4 rule add from 10.139.192.4 lookup 51820
PreDown = ip -4 rule del from 10.139.192.4 lookup 51820
PostUp = ip -6 rule add from fd52:30a4:f9e7:647a::4 lookup 51820
PreDown = ip -6 rule del from fd52:30a4:f9e7:647a::4 lookup 51820
Option 2: fwmark
Some iptables rules are configured to set a mark on packets coming in through wg0:
iptables -t mangle -A INPUT -j CONNMARK -i wg0 --set-mark 1
ip6tables -t mangle -A INPUT -j CONNMARK -i wg0 --set-mark 1
iptables -t mangle -A OUTPUT -j CONNMARK -m connmark --mark 1 --restore-mark
ip6tables -t mangle -A OUTPUT -j CONNMARK -m connmark --mark 1 --restore-mark
Then this mark is matched by the IP rule:
PostUp = ip -4 rule add fwmark 1 lookup 51820
PreDown = ip -4 rule del fwmark 1 lookup 51820
PostUp = ip -6 rule add fwmark 1 lookup 51820
PreDown = ip -6 rule del fwmark 1 lookup 51820
More details about this solution can be found here.
Best Answer
There is no such parameter in WireGuard, as clients can go quiet at any time and expect to be able to talk to the server again at any time later.
Specifically, the protocol requires a client to handshake with the server to begin a session. To maintain the session a client must handshake at least once every 180 seconds. In practice, the handshake happens some time between 120 and 180 seconds.
If a client stops talking and at a later time wants to start talking again, providing the server is active, then, if the time since last talking is:
The server and client maintain timers so that they always know what to do and when to do it.
Thus, WireGuard is a connectionless protocol and there is no need to worry about timeouts. A client is either talking (and handshaking as required) or silent.
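Since the protocol itself has no idle timeout, the only way to get one is to enforce it from outside: poll the handshake timestamps that the kernel exposes through `wg show <iface> dump`, and remove any peer whose latest handshake is older than your threshold with `wg set <iface> peer <pubkey> remove`. The following is an added example written for this page, not code from the answer above or from the WireGuard project. The sample dump output, the placeholder keys, the endpoints and the 10.139.192.0/24 addresses are constructed for the example; the interface name wg0, the 900-second threshold and the `reap`/`stale_peers` function names are this example's own choices.

```python
"""Idle-peer reaper for a WireGuard interface (added example).

WireGuard keeps no session timer for you: a peer that goes quiet simply
stops handshaking and may come back later. To cut idle peers off anyway,
read the per-peer "latest handshake" timestamp from `wg show <iface> dump`
and remove peers that have not handshaked for longer than a threshold.
Caveats (see comments): a peer that is actively sending re-handshakes only
every 120-180 s, so keep the threshold well above 180 s; and a peer with
PersistentKeepalive set keeps its session alive and will never look idle.
"""
import subprocess
import time
from dataclasses import dataclass

# Constructed sample of `wg show wg0 dump` output (tab-separated fields).
# Keys, endpoints and addresses are placeholders made up for this example.
# Line 1:  <private-key> <public-key> <listen-port> <fwmark>
# Lines 2+: <peer-pubkey> <preshared-key> <endpoint> <allowed-ips>
#           <latest-handshake (unix s, 0 = never)> <rx-bytes> <tx-bytes> <keepalive>
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic
SAMPLE_DUMP = "\n".join([
    "\t".join(["SERVER_PRIVATE_KEY_PLACEHOLDER", "SERVER_PUBLIC_KEY_PLACEHOLDER", "51820", "off"]),
    "\t".join(["PEER_A_PUBKEY_PLACEHOLDER", "(none)", "203.0.113.10:41000",
               "10.139.192.2/32", str(NOW - 60), "1048576", "2097152", "off"]),
    "\t".join(["PEER_B_PUBKEY_PLACEHOLDER", "(none)", "203.0.113.20:52000",
               "10.139.192.3/32", str(NOW - 3600), "4096", "8192", "off"]),
    "\t".join(["PEER_C_PUBKEY_PLACEHOLDER", "(none)", "(none)",
               "10.139.192.4/32", "0", "0", "0", "off"]),
])


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # unix seconds; 0 means the peer never completed a handshake
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(dump: str) -> list[Peer]:
    """Parse the output of `wg show <iface> dump`; the first line describes
    the interface itself and is skipped, every further line is one peer."""
    peers: list[Peer] = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line in wg dump: {line!r}")
        peers.append(Peer(fields[0], fields[2], fields[3],
                          int(fields[4]), int(fields[5]), int(fields[6])))
    return peers


def stale_peers(peers: list[Peer], now: int, max_idle: int) -> list[Peer]:
    """Peers whose latest handshake is more than max_idle seconds old.
    Peers with latest_handshake == 0 are configured but never connected:
    there is no session to tear down, so they are left alone."""
    return [p for p in peers
            if p.latest_handshake and now - p.latest_handshake > max_idle]


def removal_commands(iface: str, peers: list[Peer]) -> list[list[str]]:
    """Build the `wg set <iface> peer <pubkey> remove` argv for each peer.
    Removing the peer drops its session immediately; its later handshake
    attempts are ignored until the peer is added back (e.g. `wg syncconf`)."""
    return [["wg", "set", iface, "peer", p.public_key, "remove"] for p in peers]


def reap(iface: str, max_idle: int, dry_run: bool = True) -> list[list[str]]:
    """One pass of the reaper against a live interface; returns the commands
    it ran (or would run with dry_run=True). Requires root / CAP_NET_ADMIN."""
    dump = subprocess.run(["wg", "show", iface, "dump"], check=True,
                          capture_output=True, text=True).stdout
    cmds = removal_commands(iface, stale_peers(parse_wg_dump(dump), int(time.time()), max_idle))
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Dry run against the constructed sample instead of a live interface.
    for cmd in removal_commands("wg0", stale_peers(parse_wg_dump(SAMPLE_DUMP), NOW, 900)):
        print(" ".join(cmd))
```

Run `reap("wg0", 900, dry_run=False)` from a timer (cron or a systemd timer) to get the idle timeout the question asks for. Note that the removal is only in the running kernel state: a restart of wg-quick@wg0 or a `wg syncconf` from the config file re-adds the peer, which is also how you readmit it deliberately. Because a busy peer re-handshakes only every 120-180 seconds, a threshold below a few minutes would evict peers that are actively in use.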