OPNsense Forum

English Forums => 23.7 Legacy Series => Topic started by: malac on September 04, 2023, 06:36:29 pm

Title: wireguard at start up
Post by: malac on September 04, 2023, 06:36:29 pm
after reboot of my opnsense 23.7.3, wireguard does not come up, it shows green in dashboard but is not working

log shows following entry:
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/usr/bin/wg setconf 'wg0' '/usr/local/etc/wireguard/wg0.conf'' returned exit code '1', the output was 'Name does not resolve: `xxxyyy.com:53956' Configuration parsing error'

manually restarting wireguard helps and wireguard is running again.
I assume it is a timing problem, because wireguard starts and at this point I do not have an official IP address on WAN interface, because DHCP takes some time.

how can I solve this issue?
Title: Re: wireguard at start up
Post by: Patrick M. Hausen on September 04, 2023, 06:38:08 pm
Use an IP address instead of a DNS name for your peer.
Title: Re: wireguard at start up
Post by: malac on September 04, 2023, 06:47:31 pm
but peer has a dynamic IP address
Title: Re: wireguard at start up
Post by: Patrick M. Hausen on September 04, 2023, 06:50:15 pm
If one end has a fixed IP address let the other one initiate the connection. You can leave the peer IP address field empty or set to 0.0.0.0 - don't exactly remember which. If both ends have dynamic addresses, bad luck. I don't work with anything but fixed for site 2 site VPNs.

The problem is that WG starts before your uplink and DNS is ready ...
Title: Re: wireguard at start up
Post by: chemlud on September 04, 2023, 06:59:40 pm
If the DNS is not ready at startup you can have a Cron job checking for stale WG tunnels and restarting DNS resolution

https://forum.opnsense.org/index.php?topic=35732.msg173763#msg173763

...maybe your existing Cron job needs a work-over after renaming the job...
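
Added example (not part of chemlud's post or the linked thread): an sh script for the stale-tunnel check suggested above, meant to be run from cron as root. The interface name wg0 and the config path come from the log line in the first post; the 180-second threshold and the function names are assumptions. It only acts on peers that are already loaded on the interface.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: interface wg0, the config
# path from the log line above, and a 180 s staleness threshold.
IFACE=wg0
CONF=/usr/local/etc/wireguard/wg0.conf
MAX_AGE=180

# stale_peers NOW MAX_AGE
# stdin: output of `wg show IFACE latest-handshakes` (pubkey <TAB> epoch).
# Prints keys whose last handshake is older than MAX_AGE; epoch 0 means the
# peer has never completed a handshake.
stale_peers() {
    awk -v now="$1" -v max="$2" '$2 == 0 || now - $2 > max { print $1 }'
}

# endpoint_for CONF PUBKEY
# Prints the Endpoint (host:port) configured for that peer, if any.
endpoint_for() {
    awk -v key="$2" '
        function emit() { if (pk == key && ep != "") print ep; pk = ep = "" }
        /^\[/ { emit(); next }
        { line = $0; gsub(/[ \t]/, "", line) }
        line ~ /^PublicKey=/ { pk = substr(line, 11) }
        line ~ /^Endpoint=/  { ep = substr(line, 10) }
        END { emit() }
    ' "$1"
}

# Re-apply the configured endpoint of every stale peer; `wg set` resolves the
# host name again. Peers without an Endpoint (remote side initiates) are skipped.
reresolve() {
    wg show "$IFACE" latest-handshakes | stale_peers "$(date +%s)" "$MAX_AGE" |
    while read -r key; do
        ep=$(endpoint_for "$CONF" "$key")
        if [ -n "$ep" ]; then
            wg set "$IFACE" peer "$key" endpoint "$ep" ||
                echo "re-resolve failed for $ep" >&2
        fi
    done
}

# Only touch the live interface when called as: script.sh run (e.g. from cron)
if [ "${1:-}" = "run" ]; then
    reresolve
fi
```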
Title: Re: wireguard at start up
Post by: malac on September 04, 2023, 07:08:28 pm
Quote from: Patrick M. Hausen on September 04, 2023, 06:50:15 pm
> If one end has a fixed IP address let the other one initiate the connection. You can leave the peer IP address field empty or set to 0.0.0.0 - don't exactly remember which. If both ends have dynamic addresses, bad luck. I don't work with anything but fixed for site 2 site VPNs.
>
> The problem is that WG starts before your uplink and DNS is ready ...

ok, I'll try this. The central OPNsense has a fixed address, the S2S peers are "FritzBox". I'll put a persistent keepalive to conf

Let's see if this works
Title: Re: wireguard at start up
Post by: malac on September 04, 2023, 07:09:16 pm
ok, good idea to restart, maybe I can use monit as well
Title: Re: wireguard at start up
Post by: malac on September 04, 2023, 07:26:32 pm
thanks a lot for your input.

Looking good for now, that the remote site initiates the vpn connection!!

thx
Title: Re: wireguard at start up
Post by: franco on September 05, 2023, 08:46:23 am
For reference: https://github.com/opnsense/plugins/issues/3565


Cheers,
Franco