The rc.d script for wireguard currently only supports stop and start. This means that when we deploy a new configuration for our wireguard server from Ansible, the interface is brought down and recreated, causing a small interruption in traffic for all clients.
'wg syncconf' provides an interface to apply only the needed changes, and should be called on reload. However, it does not allow an Address= line under the [Interface] section. The rc.d script must be changed to set the address itself, after wg-quick creates the interface.
I have a fix for this working on our server but it's not mergeable as-is as it depends on bash. It would be great to see a solution for this upstream.
Created attachment 212491
Proposed patch to add reload functionality to wireguard rc.d script
Adding a patch to address this. This is tested working in our setup.
This will use the 'wg syncconf' functionality to reload all peer and key settings, but will skip the interface address configuration and other wg-quick specific stuff. So changing the interface address will still require a restart.
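The reload mechanism described in the report and in the patch comment above, as an added example in POSIX sh (it is not the attached patch and not the committed rc.d script): `wg_strip_quick_keys` drops the [Interface] keys that wg-quick(8) handles itself and that wg(8) rejects in `setconf`/`syncconf` (the same thing `wg-quick strip` does), and `wg_reload` feeds the stripped config to `wg syncconf`, but refuses to sync when the Address= value differs from what the interface currently carries, since that case needs a real restart. The `wg_*` function names, the config path, the sample config written by `wg_write_sample_conf` (constructed, with all-zero placeholder keys) and the PostUp/PostDown hook path are assumptions for the example; the current address is passed in as an argument so the check can be exercised without a live interface (a caller in rc.d would read it from ifconfig(8)).

```shell
#!/bin/sh
# Added example, not the committed rc.d script. Reload a wg-quick style
# config with 'wg syncconf' without tearing the interface down.

# [Interface] keys that wg-quick(8) consumes itself; wg(8) rejects them.
# Equivalent to what 'wg-quick strip' removes.
WG_QUICK_KEYS='Address|DNS|MTU|Table|PreUp|PostUp|PreDown|PostDown|SaveConfig'

# Usage: wg_strip_quick_keys <conf>   -> filtered config on stdout
wg_strip_quick_keys() {
    sed -E "/^[[:space:]]*(${WG_QUICK_KEYS})[[:space:]]*=/d" "$1"
}

# Usage: wg_conf_address <conf>       -> Address= values, one per line
wg_conf_address() {
    sed -nE 's/^[[:space:]]*Address[[:space:]]*=[[:space:]]*//p' "$1"
}

# Usage: wg_reload <ifname> <conf> <current_address>
#   <current_address> is the address the running interface carries (an
#   rc.d script would take it from ifconfig(8); passed in here so the
#   check can run offline).
# Returns 0 when syncconf ran, 2 when a full restart is required,
# 1 on other errors.
wg_reload() {
    ifname=$1; conf=$2; cur=$3
    new=$(wg_conf_address "$conf")
    if [ "$new" != "$cur" ]; then
        echo "$ifname: Address= changed (${cur} -> ${new}); use 'restart' instead" >&2
        return 2
    fi
    # wg(8) reads a file path, so write the stripped config to a temp file.
    tmp=$(mktemp "${TMPDIR:-/tmp}/wgsync.XXXXXX") || return 1
    wg_strip_quick_keys "$conf" > "$tmp"
    if wg syncconf "$ifname" "$tmp"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample config for demonstration; keys are all-zero
# placeholders, not real WireGuard keys. Usage: wg_write_sample_conf <path>
wg_write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
# constructed sample, not a real deployment
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
MTU = 1420
PostUp = /usr/local/bin/wg-firewall-hook up
PostDown = /usr/local/bin/wg-firewall-hook down

[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.200.0.2/32
EOF
}

# Typical call from an rc.d reload method, assuming the wg-quick layout:
#   wg_reload wg0 /usr/local/etc/wireguard/wg0.conf "$(current address)"
```

Peers, keys and ListenPort are applied in place by `wg syncconf`; everything the filter drops (Address, MTU, hooks) is left untouched on the running interface, which is exactly why an Address= change is rejected here rather than silently ignored.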
Committed in r529909. Thanks!
A commit references this bug:
Date: Mon Mar 30 19:18:04 UTC 2020
New revision: 529909
net/wireguard: Implement reload command in rc.d script to reload all peer
and key settings without restarting the daemon to avoid interface up/down
and losing traffic. This does not work if you change the Address= line in
the [Interface] section which needs a real restart.
Submitted by: email@example.com