WireGuard Issue's while setting up

[mircsicz]

Hi all,

just wanted to migrate from IPsec to WG using his guide, but the issue's won't let me...

A FW rule is in place


Checking the config it seems fine:




Except that it doesn't show Config nor handshake



On the dashboard I can see that the service isn't started:


When I check the *.conf using SSH it seems fine:

Code: [Select]

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = LOCALPRIVKEY
Address = 172.160.x.2/24
ListenPort = xx822

[Peer]
PublicKey = PEERSPUBKEY
Endpoint = 185.x.x.x:21822
AllowedIPs = 10.160.x.x/24,172.160.x.x/24
PersistentKeepalive = 60

And when I try to start the WG Service from the Dashboard this show's up in system.log:

Code: [Select]

Jul 24 16:56:33 router kernel: tun0: link state changed to UP
Jul 24 16:56:33 router kernel: tun0: changing name to 'wg0'
Jul 24 16:56:33 router kernel: wg0: link state changed to DOWN
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: entering configure using defaults
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: IPv4 default gateway set to opt2
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: setting IPv4 default route to 185.x.x.x
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: keeping current default gateway '185.x.x.x
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (1)
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (execute task : dpinger_configure_do(1))
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_PPPOE monitor address is empty, skipping.
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_DHCP_DHCP monitor address is empty, skipping.
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode disabled
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode enabled

And I've already restored the config: downloaded the xml removed all WireGuard Contents from the file and restored it as a backup...

Hope one of you has a hint!

BTW: all this is on 21.1.8_1

[bubbagump]

Change the firewall rule from "To This Firewall" to "WAN address".

[mircsicz]

Thank you, that's what I do usually too...

But I'm afraid that won't solve my prob, as I can't even see a config.

[bubbagump]

Were keys generated? And did you associate endpoints with the Local? Much of the WG config I can’t see in your screenshots.

[KHE]

Hi,

did you enable WireGuard under the General Tab and pressed Apply?
If I disable it, my config disappears...

KH

[mircsicz]

I sure did... ;-)

But thx for asking anyways! :-)

For all the following readers I'll add a screenshot and a note to the initial posting

[bubbagump]

Can you screen shot the entire WG configs inside Local and EndPoint? (Redact keys of course). It's just really hard to understanding what's going on when you have so many parts missing.

All that said, the fact the service isn't starting at all is very bizarre and leads me to believe that is where the issue is. Is there any other logging in syslog that is a hint? In your original log snippet it appears the service starts then immediately crashes.

Code: [Select]

Jul 24 16:56:33 router kernel: tun0: link state changed to UP
Jul 24 16:56:33 router kernel: tun0: changing name to 'wg0'
Jul 24 16:56:33 router kernel: wg0: link state changed to DOWN

[mircsicz]

@bubbagump: THX for challenge me to check once more ;-)

Arggghhh, been going over those config's triple times...

But as it goes with quick saturday Couch tasks I fucked up triple!...

Rechecked the exchanged pubkeys and got the first tunnel up!!!

But there's a 2nd tunnel/target giving me a hard time:



Looking via SSH I can see the config seems to be fine:

Code: [Select]

[Interface]
PrivateKey = PRIVKEY
Address = 172.10.xx.x/24
ListenPort = xx822

[Peer]
PublicKey = PEERPUBKEY
Endpoint = 172.10.xx.x:xx822
AllowedIPs = 172.10.xx.0/24,10.10.xx.x/24
PersistentKeepalive = 60
There's no other config inside the wireguard config dir:

Code: [Select]

$ sudo ls -l /usr/local/etc/wireguard/
total 8
-rw-------  1 root  wheel  305 Jul 25 18:51 wg0.conf
But the Interface is really crooked:

Code: [Select]

--help: flags=8002<BROADCAST,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
groups: tun
nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>
Opened by PID 44943
This is a machine on which I already took the XML removed all Wireguard mentions and restored it as a backup

On my router, which already has one working tunnel to another target, I can see that there's no contact to the other side:

Code: [Select]

interface: wg1
  public key: PUBKEY
  private key: (hidden)
  listening port: xx822

peer: PEERPUBKEY
  endpoint: 185.35.xx.xx:xx822
  allowed ips: 10.10.xx.xx/24, 10.x.x.0/24, 10.x.x.0/24
  transfer: 0 B received, 31.80 KiB sent
  persistent keepalive: every 1 minute
Handshake is empty:

Code: [Select]

wg1 PEERPUBKEY 0
So as there is that interface with this highly uncommon name:

Code: [Select]

# sudo ifconfig -g tun
ovpns1
--help
how do I delete that interface?

After a reboot it's gone... So lets reconfigure this target.

[mircsicz]

Reply to myself:

Can't get it to print a config on the WebIF, but the console give's me some more feedback:

Code: [Select]

$ sudo wg show
$ sudo wg-quick up /usr/local/etc/wireguard/wg0.conf
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.xx.xx.1/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xxx.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock
$ sudo ifconfig -g tun
ovpns1
$ sudo ifconfig wg create name wg0
ifconfig: SIOCIFCREATE2: Invalid argument

so this is what "/usr/local/etc/rc.d/wireguard" uses to start the service

Code: [Select]

$ sudo /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.xx.xx.1/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xxx.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock

Tried another target/tunnel but have the same issue then with the one above, no Config nor handshake is printed...

It's driving me crazy!

[mircsicz]

So what's it that deny's the (additional) tunnel to be activated?

Code: [Select]

$ sudo /usr/local/etc/rc.d/wireguard stop
wg-quick: `wg0' is not a WireGuard interface
I can run the start/restart but only get default feedback

Code: [Select]

$ sudo /usr/local/etc/rc.d/wireguard start
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 172.10.xx.x/24 alias
[#] ifconfig wg0 mtu 1340
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.xx.xx.x/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock
But "wg show" remains empty

Code: [Select]

$ sudo wg show
So this behaviour show now on two different machines. I've on both recreated config like 3-4 times. And I also have it on my main FW but only for the third tunnel...

Code: [Select]

$ cat /etc/rc.conf.d/wireguard
wireguard_var_script="/usr/local/opnsense/scripts/OPNsense/Wireguard/setup.sh"
wireguard_enable="YES"
wireguard_interfaces="wg0"
start_postcmd=opnsense_postcmd
opnsense_postcmd()
{
for interface in ${wireguard_interfaces}; do
ifconfig ${interface} group wireguard
done
}

For me it's definitly activated, so where else could I look for the problem?!?

[Greelan]

Curious as to your choice of the 172.10.x.x/24 subnet. That’s not a RFC1918 subnet

[mircsicz]

Been using it for a while (as VPN Tunnel-Net) and never got issue's

[Greelan]

OK. I did notice the initial posts had 172.160.x.x/24. Just a typo?

[mircsicz]

That's correct, it's just different Tunnels:

[mircsicz]

So I've found a reason for my instance's not activating the tunnel:

As soon as I add an additional "allowed ips" entry the tunnel goes down:

Code: [Select]

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

brings up the tunnel without an endpoint:

Code: [Select]

$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY
  private key: (hidden)
  listening port: 21823

As soon as I add

Code: [Select]

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21823
AllowedIPs = 172.xx.xx.x/24,10.xx.xxx.0/24
PersistentKeepalive = 60
the tunnel does down:

Code: [Select]

$ sudo wg
So I thought it might be an issue with the keys, recreated them like a dozen times! Then I tried stripping the "allowed ips" from ',10.xx.xxx.0/24' Parameter and tada the tunnel come's up:

Code: [Select]

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY
Address = 172.xx.xx.x/32
ListenPort = 21823

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21823
AllowedIPs = 172.xx.xx.0/24
PersistentKeepalive = 60
the tunnel come's up:

Code: [Select]

$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY
  private key: (hidden)
  listening port: 21823

peer: LOCALPUBKEY
  endpoint: 185.144.YY.YY:21823
  allowed ips: 172.xx.xx.0/24
  transfer: 0 B received, 6.94 KiB sent
  persistent keepalive: every 1 minute
Problem is the stripped IP-range is my "Main OPNSense" Subnet... And there's no handshake!

@franco you got a hint why this is happening?

BTW: Just reproduced it on a second remoteside:

Code: [Select]

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = REMOTEPUBKEY2
Address = 172.xx.27.x/32
ListenPort = 21822

[Peer]
PublicKey = LOCALPUBKEY
Endpoint = my.ddns.me:21822
AllowedIPs = 172.x.x27.x/24
PersistentKeepalive = 60

missing ',10.xx.xxx.0/24' in AllowedIPs the tunnel come's up too:

Code: [Select]

$ sudo wg
interface: wg0
  public key: REMOTEPUBKEY2
  private key: (hidden)
  listening port: 21822

peer: LOCALPUBKEY
  endpoint: 185.xxx.xx.xx:21822
  allowed ips: 172.xx.27.0/24
  transfer: 0 B received, 5.06 KiB sent
  persistent keepalive: every 1 minute

I don't f..ing get it.