Diffstat (limited to 'src/services')
-rwxr-xr-xsrc/services/vyos-domain-resolver48
1 files changed, 48 insertions, 0 deletions
diff --git a/src/services/vyos-domain-resolver b/src/services/vyos-domain-resolver
index bc74a05d1..6eab7e7e5 100755
--- a/src/services/vyos-domain-resolver
+++ b/src/services/vyos-domain-resolver
@@ -27,12 +27,14 @@ from vyos.utils.dict import dict_search_args
from vyos.utils.process import cmd
from vyos.utils.process import run
from vyos.xml_ref import get_defaults
+from vyos.template import is_ip
base = ['firewall']
timeout = 300
cache = False
base_firewall = ['firewall']
base_nat = ['nat']
+base_interfaces = ['interfaces']
domain_state = {}
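Review bot: The added `from vyos.template import is_ip` is not referenced by any added line in this change; unless a hunk not shown here uses it, it is dead code and should be dropped (an unused import also hides the fact that endpoint values are never validated as IP vs. hostname anywhere in the visible code). `base_interfaces = ['interfaces']` follows the existing `base_firewall`/`base_nat` pattern and is fine as is.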
@@ -171,6 +173,50 @@ def update_fqdn(config, node):
logger.info(f'Updated {count} sets in {node} - result: {code}')
+def update_interfaces(config, node):
+ if node == 'interfaces':
+ wireguard_interfaces = dict_search_args(config, 'wireguard')
+
+ # WireGuard redo handshake usually every 180 seconds, but not documented officially.
+ # If peer with domain name in its endpoint didn't get handshake for over 300 seconds,
+ # we do re-resolv and reset its endpoint from config tree.
+ handshake_threshold = 300
+
+ from vyos.ifconfig import WireGuardIf
+
+ check_wireguard_peer_public_keys = {}
+ # for each wireguard interfaces
+ for interface, wireguard in wireguard_interfaces.items():
+ check_wireguard_peer_public_keys[interface] = []
+ for peer, peer_config in wireguard['peer'].items():
+ # check peer if peer host-name or address is set
+ if 'host-name' in peer_config or 'address' in peer_config:
+ # check latest handshake
+ check_wireguard_peer_public_keys[interface].append(
+ peer_config['public_key']
+ )
+
+ now_time = time.time()
+ for (
+ interface,
+ check_peer_public_keys
+ ) in check_wireguard_peer_public_keys.items():
+ if len(check_peer_public_keys) == 0:
+ continue
+
+ intf = WireGuardIf(interface, create=False, debug=False)
+ handshakes = intf.operational.get_latest_handshakes()
+
+ for public_key, handshake_time in handshakes.items():
+ if public_key in check_peer_public_keys and (
+ handshake_time == 0
+ or now_time - handshake_time > handshake_threshold
+ ):
+ intf.operational.reset_peer(public_key=public_key)
+
+ print(f'Wireguard: reset {interface} peer {public_key}')
+
+
if __name__ == '__main__':
logger.info(f'VyOS domain resolver')
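Review bot: `update_interfaces` will raise on a system with no WireGuard interfaces or with a WireGuard interface that has no peers: `dict_search_args(config, 'wireguard')` presumably returns `None` when the path is absent, so `.items()` on it fails, and `wireguard['peer']` is a `KeyError` for a peer-less interface; since this function is called unconditionally from the main loop, either case takes the whole resolver down together with the firewall/NAT FQDN refresh. Guard both lookups: `wireguard_interfaces = dict_search_args(config, 'wireguard') or {}` and `for _peer, peer_config in wireguard.get('peer', {}).items():`. The key spelling is also inconsistent within one block: the presence check uses the hyphenated config name `'host-name'` but the value read uses `peer_config['public_key']` with an underscore; only one of those can match the dict shape `get_config` returns, so please confirm against the config tree and use the same convention for both. Finally, the reset is reported with `print(...)` while the rest of this service logs through `logger` (see `logger.info` just above); use `logger.info(f'Wireguard: reset {interface} peer {public_key}')` so the event reaches the service log where an operator would look for unexpected peer resets. The `if __name__ == '__main__':` block at the end of this hunk continues outside it.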
@@ -184,10 +230,12 @@ if __name__ == '__main__':
conf = ConfigTreeQuery()
firewall = get_config(conf, base_firewall)
nat = get_config(conf, base_nat)
+ interfaces = get_config(conf, base_interfaces)
logger.info(f'interval: {timeout}s - cache: {cache}')
while True:
update_fqdn(firewall, 'firewall')
update_fqdn(nat, 'nat')
+ update_interfaces(interfaces, 'interfaces')
time.sleep(timeout)
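Review bot: The new `update_interfaces(interfaces, 'interfaces')` call runs inside the `while True:` loop with no exception handling, so a single failure there (for example `WireGuardIf(..., create=False)` on an interface that has been deleted since startup, or a peer dict that lacks the expected keys) terminates the loop and silently stops the firewall and NAT FQDN refresh as well, which is a stale-firewall-rule risk rather than just a WireGuard problem. Wrap the call so the other updaters keep running: `try: update_interfaces(interfaces, 'interfaces')` / `except Exception: logger.exception('update_interfaces failed')`. Note also that `interfaces` is read from the config once before the loop, as `firewall` and `nat` already are, so peers added or changed after the service starts are not seen until restart; that matches existing behaviour but is worth a comment on the `interfaces = get_config(...)` line. The enclosing `if __name__ == '__main__':` block begins outside this hunk.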