Gateway reconfigures wireguard interface on device deletion or key changes - causes peers disconnections #1671
Description
Hi! I'm evaluating defguard as a system to manage my wireguard network and noticed a problem with defguard gateway - deleting or changing a device's public key - can cause defguard to reconfigure interface wg which has few issues:
- Causes disconnections of many wireguard peers (almost all), until next handshake
- resets peers statistics which makes it impossible to keep track of traffic
This is happening in both versions 1.4.1 and 1.5.1 gateways.
Logs of the problem:
Oct 28 13:29:12 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:12Z ERROR defguard_gateway::gateway] Stats thread terminated with error: status: Internal, message: "Device with public key 5P2pj1ki/GB+oG64wR3uXljYvLL+OSZWAdCA+BFFe2o= not found", details: [], metadata: MetadataMap { headers: {"content-type": "application/grpc", "date": "Tue, 28 Oct 2025 13:29:12 GMT", "content-length": "0"} }
Oct 28 13:29:12 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:12Z ERROR defguard_gateway::gateway] Stats stream aborted; reconnecting
Oct 28 13:29:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:13Z WARN netlink_packet_route::link::buffer_tool] Specified IFLA_INET6_ICMP6STATS NLA attribute holds more(most likely new kernel) data which is unknown to netlink-packet-route crate, expecting 48, got 56
Oct 28 13:29:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:13Z WARN netlink_packet_route::link::buffer_tool] Specified IFLA_INET6_ICMP6STATS NLA attribute holds more(most likely new kernel) data which is unknown to netlink-packet-route crate, expecting 48, got 56
Oct 28 13:29:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:13Z INFO defguard_wireguard_rs::wgapi_linux] Interface wg0 has been successfully configured. It has been assigned the following addresses: [IpAddrMask { ip: 10.11.0.0, cidr: 24 }]
Oct 28 13:29:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:13Z INFO defguard_gateway::gateway] Reconfigured WireGuard interface wg (addresses: ["10.11.0.0/24"])
Oct 28 13:29:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:13Z INFO defguard_gateway::gateway] Connected to Defguard gRPC endpoint: http://defguard-grpc.defguard.svc.cluster.local:50055
Oct 28 13:29:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:29:13Z INFO defguard_gateway] Command /usr/sbin/ip executed successfully. Stdout:
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z ERROR defguard_gateway::gateway] Stats thread terminated with error: status: Internal, message: "Device with public key E1l+Dq7jCWwo/C52TnlWhyX84L+s2iuH8AtDpiS5qAU= not found", details: [], metadata: MetadataMap { headers: {"content-type": "application/grpc", "date": "Tue, 28 Oct 2025 13:40:13 GMT", "content-length": "0"} }
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z ERROR defguard_gateway::gateway] Stats stream aborted; reconnecting
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z WARN netlink_packet_route::link::buffer_tool] Specified IFLA_INET6_ICMP6STATS NLA attribute holds more(most likely new kernel) data which is unknown to netlink-packet-route crate, expecting 48, got 56
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z WARN netlink_packet_route::link::buffer_tool] Specified IFLA_INET6_ICMP6STATS NLA attribute holds more(most likely new kernel) data which is unknown to netlink-packet-route crate, expecting 48, got 56
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z INFO defguard_wireguard_rs::wgapi_linux] Interface wg0 has been successfully configured. It has been assigned the following addresses: [IpAddrMask { ip: 10.11.0.0, cidr: 24 }]
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z INFO defguard_gateway::gateway] Reconfigured WireGuard interface wg (addresses: ["10.11.0.0/24"])
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z INFO defguard_gateway::gateway] Connected to Defguard gRPC endpoint: http://defguard-grpc.defguard.svc.cluster.local:50055
Oct 28 13:40:13 test-ubuntu-24-x86-k3s defguard-gateway[73698]: [2025-10-28T13:40:13Z INFO defguard_gateway] Command /usr/sbin/ip executed successfully. Stdout:
Metadata
Metadata
Assignees
Labels
Type
Projects
Status