@@ -191,10 +191,21 @@ start_vpn() {
|
|
|
|
|
> /etc/resolv.conf
|
|
|
|
|
for dns in $(echo "$VPN_DNS" | tr ',' ' '); do
|
|
|
|
|
echo "nameserver $dns" >> /etc/resolv.conf
|
|
|
|
|
# Add explicit route to DNS server through wg0 so it's found in main table
|
|
|
|
|
# (suppress_prefixlength 0 ignores default routes but allows host routes)
|
|
|
|
|
ip -4 route add "$dns" dev "$INTERFACE" 2>/dev/null || true
|
|
|
|
|
done
|
|
|
|
|
echo "[vpn] DNS set to: ${VPN_DNS}"
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# Add explicit host route for the health-check target so it is picked up by
|
|
|
|
|
# the 'lookup main suppress_prefixlength 0' rule (same as DNS servers above).
|
|
|
|
|
# Without this, CHECK_HOST falls through to the VPN table default route whose
|
|
|
|
|
# source-address selection can be defeated by the priority-100 'from ETH0_IP'
|
|
|
|
|
# policy rule, causing pings to bypass wg0 and be dropped by the kill switch.
|
|
|
|
|
ip -4 route add "${CHECK_HOST}" dev "$INTERFACE" 2>/dev/null || true
|
|
|
|
|
echo "[vpn] Health-check route: ${CHECK_HOST} → ${INTERFACE}"
|
|
|
|
|
|
|
|
|
|
echo "[vpn] WireGuard interface ${INTERFACE} is up."
|
|
|
|
|
echo "[vpn] Main routes:"
|
|
|
|
|
ip route show | sed 's/^/[vpn] /'
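Review bot: The line `echo "[vpn] Health-check route: ${CHECK_HOST} → ${INTERFACE}"` is printed unconditionally, but the preceding `ip -4 route add "${CHECK_HOST}" dev "$INTERFACE" 2>/dev/null || true` hides every failure, so the log claims a route that may not exist; the per-DNS `ip -4 route add "$dns" ...` inside the loop has the same silent-failure shape. The comment above explains that this route is what keeps the health-check pings on wg0 instead of being dropped by the kill switch, so a swallowed error here reproduces exactly the symptom the change is meant to fix while the startup log says all is well. Use `ip -4 route replace` so an already-present route is not an error, and branch on the status: `if ip -4 route replace "${CHECK_HOST}" dev "$INTERFACE" 2>/dev/null; then echo "[vpn] Health-check route: ${CHECK_HOST} → ${INTERFACE}"; else echo "[vpn] WARN route for ${CHECK_HOST} via ${INTERFACE} not installed" >&2; fi`. If CHECK_HOST or a VPN_DNS entry may be a hostname rather than an address (I cannot tell from the hunk), it should be validated or resolved before the route command rather than failing quietly. start_vpn begins before this hunk and the DNS `if` it closes at `fi` opens outside it.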
|
|
|
|
|
@@ -246,9 +257,21 @@ health_loop() {
|
|
|
|
|
echo "[health] VPN recovered."
|
|
|
|
|
failures=0
|
|
|
|
|
fi
|
|
|
|
|
# Secondary DNS check
|
|
|
|
|
if ping -c 1 -W 5 "google.com" > /dev/null 2>&1; then
|
|
|
|
|
: # DNS OK — silent
|
|
|
|
|
else
|
|
|
|
|
echo "[health] WARN google.com unreachable — possible DNS issue"
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
failures=$((failures + 1))
|
|
|
|
|
echo "[health] Check failed ($failures/$max_failures) — ping ${CHECK_HOST} failed"
|
|
|
|
|
# Secondary check: distinguish IP failure from DNS failure
|
|
|
|
|
if ping -c 1 -W 5 "google.com" > /dev/null 2>&1; then
|
|
|
|
|
echo "[health] INFO google.com reachable — DNS works, ${CHECK_HOST} may be filtered"
|
|
|
|
|
else
|
|
|
|
|
echo "[health] INFO google.com also unreachable — DNS or general routing failure"
|
|
|
|
|
fi
|
|
|
|
|
# Dump WireGuard stats to show if handshake is stale and how much data flows
|
|
|
|
|
echo "[health] wg stats:"
|
|
|
|
|
wg show "$INTERFACE" 2>/dev/null | grep -E 'latest handshake|transfer|endpoint' | sed 's/^/[health] /' || echo "[health] wg0 not found"
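Review bot: The fallback `|| echo "[health] wg0 not found"` on the last line never reflects whether `wg show "$INTERFACE"` succeeded: without `pipefail` the pipeline's status is sed's (always 0), and with `pipefail` a merely unmatched grep (status 1) would print "not found" for a healthy interface; the message also hardcodes `wg0` while the command uses `$INTERFACE`. Capture the `wg show` output first and branch on that status, as below. Separately, the "DNS check" comments at the top of both branches pair with `ping -c 1 -W 5 "google.com"`, which conflates name resolution with ICMP reachability of a third party: a working resolver plus filtered ICMP is reported as "possible DNS issue"; a resolution-only probe (e.g. `getent hosts` where available) and a `DNS_CHECK_HOST` variable instead of the duplicated literal would make the warning mean what it says. health_loop starts before this hunk and its enclosing if/else continues past it.
```shell
# Dump WireGuard stats to show if handshake is stale and how much data flows
echo "[health] wg stats:"
if wg_out=$(wg show "$INTERFACE" 2>/dev/null); then
  grep -E 'latest handshake|transfer|endpoint' <<<"$wg_out" | sed 's/^/[health] /'
else
  echo "[health] ${INTERFACE} not found"
fi
```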
|
|
|
|
|
@@ -349,6 +372,8 @@ check_vpn_connectivity() {
|
|
|
|
|
echo "[check] FAIL DNS resolution failed"
|
|
|
|
|
echo "[check] resolv.conf: $(tr '\n' ' ' < /etc/resolv.conf)"
|
|
|
|
|
echo "[check] Check that DNS servers are reachable through wg0"
|
|
|
|
|
echo "[check] ── End of checks ──"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
echo "[check] ── End of checks ──"
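Review bot: The `[check] ── End of checks ──` footer is now printed twice in the source, once inside the DNS-failure branch just before `exit 1` and once after the `fi`, which is the kind of duplication that drifts when one copy is edited. Since check_vpn_connectivity appears to be a function, `return 1` in place of `exit 1` would let the single footer after the `fi` run and leave the process exit code to the caller; I cannot see the function's start or its callers in this hunk, so if it is deliberately invoked as a standalone diagnostic that must terminate, a one-line comment saying so (`# exit: this function is the entrypoint of the check mode`) would make that intent clear.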