Hello,
I’m trying to netwatch a client that connects through Wireguard but it has Windows 11 firewall that blocks pings etc.
Is there any method to get notifications when the WireGuard connection is active?
Thank you!
GB
The whole point of using a VPN like Wireguard is to travel through firewall if needed.
So what’s the problem ?
Netwatch to peer IP address.
@holvoetn, I believe what OP is saying is that the “peer IP address” itself is not responding to ping due to default windows software firewall.
And what’s kinda implied between the lines is that they don’t control the client and can’t monitor/change it, but want to be aware when the client was active.
@OP - and if I understood you right, a hacky way to do this would be to use the “last-handshake” value available on each Wireguard peer definition.
So for your “send notifications” request, basically you can have a scheduled script running e.g. every minute.
Checks the current last-handshake value - if it is < 5 min connection is recently active, if it is > 5 min it’s down.
Keep the status from previous check in a global variable, and you can notice when status changes from up-to-down or down-to-up and trigger a log/email/whatever as you like.
Would that direction make sense to pursue, or did I misunderstand you?
@wrkq you read my mind
The peer is my wife’s laptop, I prefer to have the firewall always on as she travels and she can’t always turn it on or off or may forget to re-enable it.
I’ll give a try to the under 5 minutes idea, not very strong in MT scripting but I’ll study! An email sent from the MT functionality will be enough!
But… If you have a ready proof of concept script it would be very useful!
You could add a custom rule to the Windows firewall allowing reply to ping only if the ping comes from a given IP address, some examples here:
https://www.wintips.org/how-to-allow-ping-in-windows-firewall/
https://superuser.com/questions/1696779/enable-ping-in-windows-server-for-specific-ip-addresses-only
Windows 11 should be not different from 10.
That’s not how it works in my head.
Once wireguard tunnel is up, you pass firewall. Period.
Firewall doesn’t know nor care what goes through that tunnel.
If peer settings have a dedicated ip, you can always contact that address IF wireguard is active.
That’s the whole point of a VPN.
@holvoetn - Wireguard software client on a Windows PC show up as “just another network card”, next to wifi and wired ethernet.
Windows Firewall (and really, any other FW software you could have installed) can apply to all network interfaces on the PC similarly, and by default it does.
It looks at packets before they enter the interface and get encrypted by Wireguard, the same way firewall on your MT router looks at the packets as they exit from the wireguard interface on that end.
Yes, it is possible to mark the Wireguard interface as “trusted home network” or such, it is possible to make specific rules for it.
But out of the box it will be marked as “public internet” and block basically anything inbound - even ping.
And tbh it’s not much different on linux, where your “wg0” would show up right next to “wifi0” or “eth0”, and on “easy” home-user-oriented distributions with automated firewall tools every new interface would end up default-deny to be safe.
EDIT: @gbtest85 and well, try this.
Admittedly, does feel a bit… erm, overcontrolling once I know the context.
# unfortunately working with global variables requires all of "read + write + test + policy" permissions
# this will be "nil" initially - that's why the tests below check if it was set to true or anything-else-than-true
:global MonitoredVPNWasOnlineRecently;

# this will be "nil" if never connected since last reboot - that's why testing for typeof
# it will also stop script with error if the where-filter doesn't return a result
:local MonitoredVPNHandshakeValue [/interface/wireguard/peers/get [find where comment="PEER LABEL HERE"] last-handshake];

# "up" = a handshake happened within the last 5 minutes
:if ( ([:typeof $MonitoredVPNHandshakeValue] = "time") and ($MonitoredVPNHandshakeValue < [:totime "00:05:00"]) ) do={
    :if ($MonitoredVPNWasOnlineRecently != true) do={
        :log info "MonitoredVPN: state transition down->up";
        # /tool/e-mail/send ...
    }
    :set MonitoredVPNWasOnlineRecently true;
} else={
    :if ($MonitoredVPNWasOnlineRecently = true) do={
        :log info "MonitoredVPN: state transition up->down";
        # /tool/e-mail/send ...
    }
    :set MonitoredVPNWasOnlineRecently false;
}
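The same last-handshake state machine wired into a scheduler and an e-mail notification, as an added example that is not from the original post; the SMTP server, addresses, peer comment and the 5-minute threshold are placeholders/assumptions you adjust to your setup:

```routeros
# Paste this as the Source of a /system/script entry named "wg-peer-watch"
# (policy must include read,write,test,policy because a global variable is used).
# The global survives until the next reboot, so the first run after boot reports
# only the current state, never a spurious transition.
:global MonitoredVPNWasOnlineRecently;

# Threshold: a handshake older than this counts as "peer gone".
# WireGuard re-handshakes roughly every 2 minutes while traffic flows, so 5 minutes is a safe margin.
:local threshold [:totime "00:05:00"];

# Script errors out here if no peer carries this comment - label the peer first.
:local hs [/interface/wireguard/peers/get [find where comment="PEER LABEL HERE"] last-handshake];

# Peer is up only if a handshake exists (not nil) and is younger than the threshold.
:local up false;
:if (([:typeof $hs] = "time") and ($hs < $threshold)) do={ :set up true }

# down -> up: previous state was anything other than true (false or nil after reboot)
:if (($up = true) and ($MonitoredVPNWasOnlineRecently != true)) do={
    :log info "MonitoredVPN: state transition down->up";
    /tool/e-mail/send to="me@example.com" subject="WireGuard peer is up" \
        body=("Last handshake " . [:tostr $hs] . " ago");
}

# up -> down: previous state was true
:if (($up = false) and ($MonitoredVPNWasOnlineRecently = true)) do={
    :log info "MonitoredVPN: state transition up->down";
    /tool/e-mail/send to="me@example.com" subject="WireGuard peer is down" \
        body=("No handshake within " . [:tostr $threshold]);
}

:set MonitoredVPNWasOnlineRecently $up;

# --- one-time setup, run once from the terminal (placeholder values) ---
# /tool/e-mail/set server=smtp.example.com port=587 tls=starttls \
#     from=router@example.com user=router@example.com password=PLACEHOLDER
# /system/scheduler/add name=wg-peer-watch interval=1m policy=read,write,test,policy \
#     on-event="/system/script/run wg-peer-watch"
```

Check the result with /log/print after the first few scheduler runs; a failed e-mail send is also logged there, which is the first thing to look at if transitions are logged but no mail arrives.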
@wrkq I’ll setup a WG client on another Win10 I have and make some tries.
I don’t remember if WG creates a new interface ethernet virtual card.
On my wife’s laptop I’m pretty sure the WiFi used to get Internet connection is marked as public, thus strict firewall rules apply, no SMB folder sharing, not discoverable etc, she’s away now so I can’t check anything.
Got the moment thank you for the possible solutions, I’ll give you a feedback!
Yes, Wireguard does create a separate interface in Windows.
It is however dynamic - when you enable the VPN, the interface appears, when you disable, it disappears.
Most other VPN clients (Fortinet, Cisco…) create one “permanent” virtual interface that just goes “cable unplugged” when VPN is off.
On the other hand Wireguard’s style is much more helpful if you have multiple “not full-world tunnel” VPNs active at the same time.
You can work around this by creating windows firewall rules with
Scope => These local Ip addresses: (laptop side IP of the wireguard tunnel)
Profiles => both Private and Public (and domain if you’re domain joined)
to allow stuff like ping (and SMB, and…) to arrive over the tunnel, but not over the internet.
Otherwise, guess check the draft script I posted above…
@wrkq ahaha just read your edit! It’s not overcontrolling HER it’s just to know who is connected in order to reduce the network usage as my uplink is not so fast!
I use WG also for my parents and if everyone is connected and watching videos etc the bandwidth may not be sufficient!
Offtopic, I don’t receive notifications on your replies but “Notify me when a reply is posted” is checked…