Hello all,
I'm new to the forum and unfortunately I'm not quite familiar with all the features yet. Apologies if I create the post wrong or a duplicate.
When I restart OPNsense, the WireGuard service does not start. It seems to be because I have a Site2Site connection set up with an FQDN? Can you confirm the error, and how can I correct it?
Greetings
Use an IP address for your peer instead of a hostname.
Wow, that was fast.
Is it not possible to work with an FQDN? For example: vpn.opensense.de?
The other side has a dynamic IP address. Unfortunately I have to work with a No-IP account.
It depends on where you define your hostnames... If you use an external DNS server in your internal network which OPNsense is supposed to query always, it works a lot better than trying to start a VPN during a boot sequence that may or may not have access to root servers yet.
It depends on the employed routing and DNS behaviour A LOT.
Cheers,
Franco
Hello Franco,
I have the hostname for the endpoint defined under: WireGuard -> Endpoint -> Endpoint Address. I use OPNsense as the DNS server in the internal network. Furthermore, I configured DNS over TLS via the Cloudflare servers.
Greetings
The trouble starts with e.g. DHCP not coming up early enough during boot to provide you with DNS. I suppose you do not have a static WAN setup...
Cheers,
Franco
No, I do not have a static IP connection. My internet connection is via PPPoE. I.e., WireGuard starts faster than the DNS system and therefore the service cannot start properly, because it cannot resolve the FQDN of a VPN tunnel?
Greetings
That's likely. PPPoE can be especially slow in this regard.
Additionally, the WireGuard plugin appears to not register a facility to restart on IP address changes, which is needed for this to work in the first place. That may be the easier part to solve.
Cheers,
Franco
Hello Franco,
What would be your recommendation to solve the problem? Do you happen to know if this issue will be fixed in an update?
Regards
It would be best to raise a ticket over at https://github.com/opnsense/plugins/issues/new?assignees=&labels=&template=feature_request.md&title= and reference this topic.
Cheers,
Franco
Thanks very much! I opened an issue:
https://github.com/opnsense/plugins/issues/3186
thank you :)
Hello,
the described behavior of WireGuard is unfortunately normal at the moment. I have also talked to colleagues again. The problem also exists in the same form with MikroTik or under Linux directly. So for the moment I will continue to stay with OpenVPN. I use some VPN Site2Site connections with dynamic IP. Under OpenVPN this works without problems.
Greetings
Did you try to set up the Cron job for restarting stale WG tunnels (provided in the GUI) and it didn't help?
https://forum.opnsense.org/index.php?topic=21659.msg149147#msg149147
Here it works just fine for me...
Hi,
no, I have not tested that. Thanks!
Honestly, I must confess, I find it a great pity that Wireguard does not simply try to connect again.
Greetings
Same here, but I think the code for WG itself should be as short as possible, and as the solution with the cron script (provided by Donenfeld?) works fine I have stopped thinking about it... ;-)
That's a good philosophy for life lol
And, yes, the script is adapted from one of the tools on the Donenfeld repo
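To make the "restart stale WG tunnels" idea from the cron-job post and the boot-order problem discussed earlier concrete, here is an added example of the underlying logic. It is not the OPNsense plugin's cron job and not the wireguard-tools contrib script; it only mirrors the approach: a peer whose endpoint is an FQDN and whose last handshake is older than a threshold gets its endpoint re-set with `wg set`, which forces a fresh DNS lookup, and a small wait loop holds off the first start until the name resolves. The peer keys, the `peer-*.example.invalid` hostnames, the sample `wg show` output and the 135-second threshold are constructed assumptions; `wg`, `getent` and `awk` are assumed to be present on the firewall.

```shell
#!/bin/sh
# Added example: re-resolve WireGuard peers with stale handshakes (not the plugin's own script).

STALE_AFTER=135   # seconds with no handshake before a peer counts as stale (assumption)

# Constructed sample of `wg show <iface> latest-handshakes` output: "<pubkey> <epoch>".
# The real command separates the fields with a tab; awk's default splitting accepts both.
SAMPLE_HANDSHAKES='PEER_ONE_PUBKEY_PLACEHOLDER 1700000000
PEER_TWO_PUBKEY_PLACEHOLDER 1700000500
PEER_THREE_PUBKEY_PLACEHOLDER 0'

# Constructed mapping of peer public key to the FQDN endpoint you configured in the GUI.
SAMPLE_MAP='PEER_ONE_PUBKEY_PLACEHOLDER peer-a.example.invalid:51820
PEER_TWO_PUBKEY_PLACEHOLDER peer-b.example.invalid:51820
PEER_THREE_PUBKEY_PLACEHOLDER peer-c.example.invalid:51820'

# stale_peers "<latest-handshakes output>" <now_epoch> [threshold]
# Prints one public key per line for every peer whose last handshake is older than
# the threshold. An epoch of 0 means "never handshook", which is always stale.
stale_peers() {
    printf '%s\n' "$1" | awk -v now="$2" -v limit="${3:-$STALE_AFTER}" '
        NF >= 2 && (now - $2) > limit { print $1 }'
}

# peer_endpoint "<map>" <pubkey>  ->  prints the host:port configured for that peer
peer_endpoint() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2 }'
}

# wait_for_resolve <host> <attempts> <seconds_between>
# Boot-order guard: returns 0 as soon as the name resolves, 1 after all attempts fail.
# On a PPPoE WAN the resolver may come up well after the WireGuard service is started.
wait_for_resolve() {
    i=0
    while [ "$i" -lt "$2" ]; do
        getent hosts "$1" >/dev/null 2>&1 && return 0
        i=$((i + 1))
        sleep "$3"
    done
    return 1
}

# reresolve_stale <iface> "<map>" <now_epoch>
# Queries the live interface and re-sets the endpoint of every stale peer. Setting the
# same host:port again makes `wg` resolve the hostname afresh, so a peer whose dynamic
# address changed reconnects without restarting the whole service.
reresolve_stale() {
    iface=$1; map=$2; now=$3; count=0
    handshakes=$(wg show "$iface" latest-handshakes) || return 1
    for key in $(stale_peers "$handshakes" "$now"); do
        endpoint=$(peer_endpoint "$map" "$key")
        [ -n "$endpoint" ] || continue
        wait_for_resolve "${endpoint%:*}" 3 2 || continue
        wg set "$iface" peer "$key" endpoint "$endpoint" && count=$((count + 1))
    done
    echo "$count"
}

# Offline demonstration on the constructed sample; a cron entry would call
# reresolve_stale wg0 "$MAP" "$(date +%s)" instead.
stale_peers "$SAMPLE_HANDSHAKES" 1700000600 | while read -r key; do
    echo "stale: $key -> $(peer_endpoint "$SAMPLE_MAP" "$key")"
done
```

Run from cron every minute or two; the threshold only needs to exceed the interval at which a live peer handshakes, and the `wait_for_resolve` retry keeps the job from erroring out while the WAN link and resolver are still coming up after a reboot.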
I will have a look at the script. Thanks for your support.