Hi All,
I just upgraded my firewall from 20.1.9 to 20.7, and the upgrade went smoothly. The only issue I am seeing is with the WireGuard VPN. After the upgrade the WireGuard VPN service was showing down, and when I tried to start the service it's not starting. So I went through the logs and found the following.
root@firewall:~ # cat /var/log/system.log | grep wg
Aug 2 20:52:13 firewall kernel: tun0: changing name to 'wg0'
Aug 2 20:52:13 firewall kernel: wg0: deletion failed: 3
Aug 2 20:52:13 firewall kernel: wg0: link state changed to DOWN
Aug 2 20:56:30 firewall kernel: tun0: changing name to 'wg0'
Aug 2 20:56:30 firewall kernel: wg0: deletion failed: 3
Aug 2 20:56:30 firewall kernel: wg0: link state changed to DOWN
Aug 2 20:58:07 firewall kernel: tun0: changing name to 'wg0'
Aug 2 20:58:08 firewall kernel: wg0: deletion failed: 3
Aug 2 20:58:08 firewall kernel: wg0: link state changed to DOWN
Aug 2 21:12:08 firewall kernel: tun0: changing name to 'wg0'
Aug 2 21:12:09 firewall kernel: wg0: deletion failed: 3
Aug 2 21:12:09 firewall kernel: wg0: link state changed to DOWN
Aug 2 21:13:46 firewall kernel: tun0: changing name to 'wg0'
Aug 2 21:13:46 firewall kernel: wg0: deletion failed: 3
Aug 2 21:13:46 firewall kernel: wg0: link state changed to DOWN
Aug 2 20:01:26 firewall kernel: ifa_maintain_loopback_route: deletion failed for interface wg0: 3
Aug 2 20:01:26 firewall kernel: wg0: link state changed to DOWN
Is this some kind of bug? It seems to me like the system is unable to rename the tunnel interface.
Any help is appreciated.
Thank you,
Regards,
Bobby Thomas
/usr/local/etc/rc.d/wireguard restart
Via console
Hi Michael,
I tried the same using service wireguard restart and the method you mentioned here, but the result is the same: the service is not coming up. Do I need to reboot the system manually after the upgrade?
Regards,
Bobby Thomas
Hi,
I had a similar issue right after upgrading to version 20.7.
A manual reboot fixed it for me.
I have the same issue. I had 11 endpoints, with local 10.0.0.x addresses and access to my local 10.10.10.x network, all working fine prior to upgrading.
After upgrade, the wireguard service shows as stopped in the dashboard. Additionally, none of the configurations or keys show in the "List Configurations" tab.
Logging into the console and running wireguard restart gives me this output:
root@OPNsense:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
- wireguard-go wg0
INFO: (wg0) 2020/08/02 17:43:04 Starting wireguard-go version 0.0.20200320
- wg setconf wg0 /tmp/tmp.00CkDeZV/sh-np.us6fIr
- ifconfig wg0 inet 10.0.0.1/24 10.0.0.1 alias
- ifconfig wg0 mtu 1420
- ifconfig wg0 up
- route -q -n add -inet 10.0.0.5/32 -interface wg0
- route -q -n add -inet 10.0.0.4/32 -interface wg0
- route -q -n add -inet 10.0.0.3/32 -interface wg0
- route -q -n add -inet 10.0.0.25/32 -interface wg0
- route -q -n add -inet 10.0.0.24/32 -interface wg0
- route -q -n add -inet 10.0.0.2/32 -interface wg0
- route -q -n add -inet 10.0.0.13/32 -interface wg0
- route -q -n add -inet 10.0.0.12/32 -interface wg0
- route -q -n add -inet 10.0.0.11/32 -interface wg0
- route -q -n add -inet 10.0.0.10/32 -interface wg0
- route -q -n add -inet 10.10.10.0/24 -interface wg0
- rm -f /var/run/wireguard/wg0.sock
I have re-installed the previous version of wireguard and restored my backup and all works as expected. If I upgrade, then it breaks.
Someone pointed out in another post that if the endpoints have two different networks shown in the Allowed IPs field, then WireGuard will not start. Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.
Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start
Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.
The web ui is also accessible with this setting.
Quote from: bobbythomas on August 02, 2020, 08:16:50 PM
Hi Michael,
I tried the same using service wireguard restart and the method you mentioned here, but the result is the same: the service is not coming up. Do I need to reboot the system manually after the upgrade?
Regards,
Bobby Thomas
/usr/local/etc/rc.d/wireguard restart
Via console
I need this output
Quote from: witenoize on August 02, 2020, 11:59:45 PM
Someone pointed out in another post that if the endpoints have two different networks shown in the Allowed IPs field, then WireGuard will not start. Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.
Please open a new thread with more details and screenshots as it may not be related to this one
Quote from: hsw on August 03, 2020, 09:19:51 AM
Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start
Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.
The web ui is also accessible with this setting.
Correct, it seems there is a guide out there which states that on endpoint config you have to put in your local LAN which is nonsense .. and it was working with 20.1 but will break in 20.7 (because it is still nonsense).
Quote from: mimugmail on August 03, 2020, 09:59:48 AM
Quote from: bobbythomas on August 02, 2020, 08:16:50 PM
Hi Michael,
I tried the same using service wireguard restart and the method you mentioned here, but the result is the same: the service is not coming up. Do I need to reboot the system manually after the upgrade?
Regards,
Bobby Thomas
/usr/local/etc/rc.d/wireguard restart
Via console
I need this output
Sorry I thought you wanted to know the status of the service after entering that command. Below is the output of the command.
Quote
root@firewall:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
- wireguard-go wg0
INFO: (wg0) 2020/08/03 14:56:06 Starting wireguard-go version 0.0.20200320
- wg setconf wg0 /tmp/tmp.UtpkrEW8/sh-np.dztf3d
- ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
- ifconfig wg0 mtu 1420
- ifconfig wg0 up
- route -q -n add -inet 10.1.1.3/32 -interface wg0
- route -q -n add -inet 10.1.1.2/32 -interface wg0
- route -q -n add -inet 10.1.1.1/32 -interface wg0
- route -q -n add -inet 192.168.2.0/24 -interface wg0
- rm -f /var/run/wireguard/wg0.sock
root@firewall:~ #
By the by, I tried a manual restart and the issue still persists.
Thank you,
Regards,
Bobby Thomas
route -q -n add -inet 192.168.2.0/24 -interface wg0
Is this your LAN?
Quote from: mimugmail on August 03, 2020, 12:35:44 PM
route -q -n add -inet 192.168.2.0/24 -interface wg0
Is this your LAN?
No that's my Zerotier Network. I wanted to access devices in the Zerotier Network when I'm connected to the vpn.
But it points to the WireGuard interface .. can you remove it?
Quote from: mimugmail on August 03, 2020, 12:43:19 PM
But it points to the WireGuard interface .. can you remove it?
Yeah, I'll remove that. Not sure why it's not working now; it was working previously with the same config in 20.1. I will remove that and try.
Thanks and regards,
Bobby Thomas
Quote from: bobbythomas on August 03, 2020, 12:57:04 PM
Quote from: mimugmail on August 03, 2020, 12:43:19 PM
But it points to the WireGuard interface .. can you remove it?
Yeah, I'll remove that. Not sure why it's not working now; it was working previously with the same config in 20.1. I will remove that and try.
Thanks and regards,
Bobby Thomas
I removed it, still the service is down.
Quote
root@firewall:~ # service wireguard restart
wg-quick: `wg0' is not a WireGuard interface
- wireguard-go wg0
INFO: (wg0) 2020/08/03 16:29:35 Starting wireguard-go version 0.0.20200320
- wg setconf wg0 /tmp/tmp.HQjWBJgx/sh-np.rUTYLg
- ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
- ifconfig wg0 mtu 1420
- ifconfig wg0 up
- route -q -n add -inet 10.1.1.3/32 -interface wg0
- route -q -n add -inet 10.1.1.2/32 -interface wg0
- route -q -n add -inet 10.1.1.1/32 -interface wg0
- route -q -n add -inet 192.168.1.0/24 -interface wg0
- rm -f /var/run/wireguard/wg0.sock
root@firewall:~ #
Do I need to remove the LAN (192.168.1.0/24)?
Thank you,
Regards,
Bobby Thomas
route -q -n add -inet 192.168.1.0/24 -interface wg0
The line above indicates that this should be a network on the other side of the VPN tunnel.
If one of your local interfaces has this network, WireGuard will break. In 20.1 it seems FreeBSD just ignored this.
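The conflict described above can be spotted before a restart by comparing every network wg-quick would route via wg0 (the [Interface] Address entries and each [Peer] AllowedIPs) against the networks already attached to the firewall's own interfaces. This is an added example, not OPNsense or WireGuard project code; the config text, the interface list and the placeholder peer keys are constructed to mirror the thread.

```python
"""Flag WireGuard tunnel networks that overlap a locally attached network.
Added example; the config and interface table below are constructed."""
import ipaddress
import re

# Constructed config: the local instance wrongly carries the firewall's own
# LAN (192.168.1.0/24), as in the thread.  Keys are placeholders.
SAMPLE_CONF = """\
[Interface]
Address = 10.1.1.1/32, 192.168.1.0/24
ListenPort = 51820

[Peer]
PublicKey = <peer-key-placeholder>
AllowedIPs = 10.1.1.2/32

[Peer]
PublicKey = <peer-key-placeholder>
AllowedIPs = 10.1.1.3/32, 192.168.2.0/24
"""

# Constructed view of what ifconfig would report for the firewall's NICs.
LOCAL_IFACES = {"em0": "203.0.113.10/24", "em1": "192.168.1.1/24"}


def tunnel_networks(conf_text):
    """Return (section, network) pairs that wg-quick routes via wg0."""
    found, section, peer_no = [], None, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            if section == "Peer":                     # number peers for reporting
                peer_no += 1
                section = f"Peer{peer_no}"
            continue
        key, _, value = line.partition("=")
        if key.strip() in ("Address", "AllowedIPs"):
            for cidr in value.split(","):
                # strict=False accepts host-style entries such as 10.1.1.1/32
                found.append((section, ipaddress.ip_network(cidr.strip(), strict=False)))
    return found


def find_conflicts(conf_text, local_ifaces):
    """List (section, tunnel_net, iface, local_net) overlaps with local NICs."""
    local = {n: ipaddress.ip_interface(c).network for n, c in local_ifaces.items()}
    return [(sec, str(net), name, str(lnet))
            for sec, net in tunnel_networks(conf_text)
            for name, lnet in local.items() if net.overlaps(lnet)]


if __name__ == "__main__":
    for hit in find_conflicts(SAMPLE_CONF, LOCAL_IFACES):
        print("conflict: %s %s overlaps %s (%s)" % hit)
```

Any line the script prints is a network that wg-quick would try to route through wg0 while the kernel already owns it on another interface; the fix, as in the thread, is to remove it from the WireGuard instance rather than from the LAN.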
Quote from: mimugmail on August 03, 2020, 01:07:15 PM
route -q -n add -inet 192.168.1.0/24 -interface wg0
The line above indicates that this should be a network on the other side of the VPN tunnel.
If one of your local interfaces has this network, WireGuard will break. In 20.1 it seems FreeBSD just ignored this.
Got it. After removing the LAN and restarting the service, the WireGuard service came back online. Is this how it should be configured?
Thanks and regards,
Bobby Thomas
WHERE did you set this 192.168.1.0/24? in local instance or endpoint?
Quote from: mimugmail on August 03, 2020, 01:19:55 PM
WHERE did you set this 192.168.1.0/24? in local instance or endpoint?
Local instance (on the firewall).
This is confusing, are you sure you did not make some mistakes in between? First you were talking about 192.168.2.0 and now it's 192.168.1.0.
I really have no idea why wireguard should set a route for local addresses ...
I checked all available good documentation and also the official one:
https://www.routerperformance.net/opnsense/opnsense-and-wireguard/
I have no idea why you set your local networks in local instance.
This is nowhere documented.
Maybe this was dismissed with FreeBSD 11.2 and now throws an error in FreeBSD 12.1.
Quote from: mimugmail on August 03, 2020, 01:57:06 PM
I checked all available good documentation and also the official one:
https://www.routerperformance.net/opnsense/opnsense-and-wireguard/
I have no idea why you set your local networks in local instance.
This is nowhere documented.
Maybe this was dismissed with FreeBSD 11.2 and now throws an error in FreeBSD 12.1.
Ok, I may have overlooked this while configuring the local instance. I think I added my LAN as well as Zerotier to the WireGuard config thinking it's similar to the IPsec config. Anyways, I removed it now and everything looks good. I will keep this in mind when configuring WG in future.
Thank you Michael. Appreciate your assistance.
Regards,
Bobby Thomas
Glad it works .. more happy to see that it's not 100% related to FreeBSD 12.1 8)