Topics - evildevil

#1
Hello all,

I'm not sure if this is an issue specific to my environment, but I updated to 24.1.5 today and wanted to try the WireGuard peer generator.
I ran into two issues:
1. The "Instance" selected in the peer generator is not saved after clicking the "Store and generate next" button.
If you switch back to "Peers", the Instance of the newly created peer is empty.
2. I scanned the QR code on my Android phone using "WireGuard for Android 1.0.20231018". Importing the config works, but I cannot establish the connection. The error message on the phone is "Fehler beim Starten des Tunnels" ("Error starting the tunnel"): "at least one address must be specified".
I have to edit the configuration on the phone and enter an IP address in the "Interface -> Addresses" field that is in the Instance's IP range to make it work.

Is anybody else having these issues?

Best regards,
Patrick
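The failure mode in this report is a client config that leaves the tunnel with no interface address, or with one outside the instance's tunnel network. The following is an added example, not code from the post or from OPNsense: a POSIX sh check that can be run over a generated client .conf before it is turned into a QR code. The sample config, the placeholder keys and the tunnel network 10.10.10.0/24 are constructed for the example; it handles IPv4 addresses only.

```shell
#!/bin/sh
# Added example (not from the forum post, not OPNsense code): sanity-check a
# WireGuard client config before handing it out. It catches the two ways the
# tunnel described above fails: no Address in [Interface], or an Address that
# lies outside the instance's tunnel network. IPv4 only.

# Print the first IPv4 Address from [Interface] (prefix length stripped);
# exit 1 if the section has none. Reads the config on stdin.
wg_interface_address() {
    awk -F= '
        /^[[:space:]]*\[/ { section = $0; next }
        section ~ /^\[Interface\]/ && $1 ~ /^[[:space:]]*Address[[:space:]]*$/ {
            v = $2
            gsub(/[[:space:]]/, "", v)
            sub(/,.*$/, "", v)          # keep the first of several addresses
            sub(/\/.*$/, "", v)         # drop the prefix length
            print v
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Dotted quad to integer, for prefix matching.
ip4_to_int() {
    echo "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# ip4_in_cidr ADDR NET/BITS: true if ADDR lies inside NET/BITS.
ip4_in_cidr() {
    net="${2%/*}"
    bits="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# wg_conf_check NET/BITS < client.conf: print a verdict, exit 1 on failure.
wg_conf_check() {
    addr=$(wg_interface_address) || {
        echo "FAIL: no Address in [Interface], the tunnel will not start"
        return 1
    }
    if ip4_in_cidr "$addr" "$1"; then
        echo "OK: $addr is inside $1"
    else
        echo "FAIL: $addr is outside $1"
        return 1
    fi
}

# Constructed client config; $1 is the Address value, empty to leave the
# line out (the symptom reported above). Keys are placeholders, not real keys.
sample_conf() {
    echo "[Interface]"
    echo "PrivateKey = PLACEHOLDER-NOT-A-REAL-KEY="
    if [ -n "$1" ]; then echo "Address = $1"; fi
    echo "DNS = 10.10.10.1"
    echo ""
    echo "[Peer]"
    echo "PublicKey = PLACEHOLDER-NOT-A-REAL-KEY="
    echo "AllowedIPs = 0.0.0.0/0"
    echo "Endpoint = vpn.example.net:51820"
}
```

Usage: `wg_conf_check 10.10.10.0/24 < peer.conf` with the instance's tunnel network as the argument; a config exported by the generator that passes this check will at least have an interface address the phone can bring up. The check does not verify that the address is unique among the instance's peers, which the server side has to guarantee.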
#2
Hello,

Due to the shortage of WAN IP addresses (I am already using all the available addresses in
my public IPv4 /29) I wanted to implement a stripped-down HA solution.
Currently I am using two Sophos UTM SG appliances to accomplish that (they don't use CARP and can fail over without the need for additional IP addresses).
My idea was to configure only the internal interfaces using CARP and do an active/passive failover on the WAN interface.
Both OPNsense boxes are running 22.7.10_2.
Active unit: WAN is up and configured with the main static IPv4 address and the additional IPv4 addresses.
Passive unit: WAN is down and configured with the main static IPv4 address and the additional IPv4 addresses.

So, if the internal interfaces fail and CARP is triggered, the passive unit's WAN interface should be brought up by a script. I looked at the scripts in https://github.com/opnsense/core/tree/master/src/etc/rc.syshook.d/carp and https://gist.github.com/jprenken/18ca7bf14ddae547ae0fdf6f56d72573#file-10-wireguard-L1
but my PHP skills are not that sophisticated. I tried to walk through the source code and include files, but I don't get how/where the WAN interface can simply be brought up.
And should I enable/disable the physical interface (igc2) or the logical IPv4 interfaces? My gut suggests the physical interface.

Based on the WireGuard script:

#!/usr/local/bin/php
<?php

// The scaffolding the OPNsense CARP hooks use: load the config and helpers,
// then read the event source and type that rc.syshook passes as arguments.
require_once("config.inc");
require_once("interfaces.inc");
require_once("util.inc");

$subsystem = !empty($argv[1]) ? $argv[1] : '';
$type = !empty($argv[2]) ? $argv[2] : '';

if ($type === "MASTER") {
    log_error("Enabling WAN due to CARP event '$type'");
    // Checking `isset` avoids a race condition during startup when the
    // WireGuard config stanza seems like it's not yet loaded. Without it, this
    // can create an extra, empty, invalid stanza that breaks WireGuard.
    // Is the isset necessary here?
    if (isset($config['OPNsense']['igc2']['general']['enabled'])) {
        $config['OPNsense']['igc2']['general']['enabled'] = '1';
    }
    // configd_run('wireguard start');   // WAN is not a service, or is it?
    write_config("Enable WAN due to CARP event '$type'", false);
} else {
    log_error("Disabling WAN due to CARP event '$type'");
    // configd_run('wireguard stop');
    if (isset($config['OPNsense']['igc2']['general']['enabled'])) {
        $config['OPNsense']['igc2']['general']['enabled'] = '0';
    }
    write_config("Disable WAN due to CARP event '$type'", false);
}


Any hints and pointers in the right direction are appreciated.

Best Regards,
Patrick
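The scheme described in the post, one unit with the WAN link up and the other with the identical addresses configured but the link down, needs the hook to act on the physical NIC, because taking igc2 down removes the primary address and every alias from the wire in one step. The following is an added example, not code from the post, from the gist or from OPNsense: a CARP hook written in POSIX sh instead of PHP that drives the WAN link with ifconfig. It assumes (unverified here) that OPNsense runs every executable in /usr/local/etc/rc.syshook.d/carp/ with $1 = "<vhid>@<interface>" and $2 = MASTER or BACKUP, that the WAN NIC is igc2 as in the post, and that the LAN CARP VIP which should drive the failover has VHID 1 (a hypothetical value).

```shell
#!/bin/sh
# Added example (not from the forum post, the gist or OPNsense): a CARP hook
# that brings the physical WAN link up on MASTER and down on BACKUP.
#
# Assumptions, not verified against the page: rc.syshook invokes the script as
#   <script> "<vhid>@<interface>" MASTER|BACKUP
# the WAN NIC is igc2 (from the post), and the LAN CARP VIP that should
# trigger the WAN failover has VHID 1 (hypothetical).

WAN_IF="${WAN_IF:-igc2}"
WATCH_VHID="${WATCH_VHID:-1}"
DRY_RUN="${DRY_RUN:-0}"        # 1: print the ifconfig command instead of running it

# Map a CARP event to "up", "down" or "ignore". No side effects, so the
# decision logic can be exercised without touching an interface.
carp_link_action() {
    subsystem="$1"
    event="$2"
    case "$subsystem" in
        *@*) ;;
        *) echo ignore; return 0 ;;     # not a "<vhid>@<if>" source
    esac
    vhid="${subsystem%%@*}"
    if [ "$vhid" != "$WATCH_VHID" ]; then
        echo ignore                     # a VIP the WAN is not keyed on
        return 0
    fi
    case "$event" in
        MASTER) echo up ;;
        BACKUP) echo down ;;
        *)      echo ignore ;;          # INIT or anything unexpected
    esac
}

# Apply the action to the physical interface. Taking the link down pulls the
# primary address and every alias off the wire at once, so the standby unit
# never answers ARP for the shared WAN addresses.
apply_link_action() {
    action="$1"
    if [ "$action" = ignore ]; then
        return 0
    fi
    if [ "$DRY_RUN" = 1 ]; then
        echo "ifconfig $WAN_IF $action"
        return 0
    fi
    logger -t carp-wan "CARP transition: ifconfig $WAN_IF $action"
    /sbin/ifconfig "$WAN_IF" "$action"
}

# Only act when invoked with the two hook arguments; sourcing the file just
# defines the functions.
if [ $# -eq 2 ]; then
    apply_link_action "$(carp_link_action "$1" "$2")"
fi
```

Two caveats a practitioner would want before relying on this. The script changes link state only; it does not touch the saved configuration, so the standby unit still carries the live WAN addresses in its config and any interface reconfiguration by the system itself may bring the link back up. And because both units hold the same addresses, a split brain on the CARP side (both units MASTER) ends with two boxes answering for the same public IPs, so the CARP traffic should run over a dedicated link that cannot be affected by the WAN state.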