Since upgrading to 23.1.1_2(I jumped straight there from 22.7), wireguard will periodically hang. Previously, I could go days without having to disconnect, and that included jumping from in network to outside of my network.
Now I have to turn wireguard off and then on again daily. Unfortunately, it seems to always happen when I'm unable to check the logs to see what might be going on.
Any suggestions for what might be causing this?
The same thing happens to me, too. I cant seem to find the cause of it, tho.
The wireguard app on my mobile phone shows that i am connected but i am not able to do anything like f.e. visit a website or receive messages from any kind of messenger. When i disconnect the vpn everything works again. Sometimes i am not able to directly connect to the wireguard server after i disconnected (i am not receiving any packages). I then have to wait for some time until it works again.
Quote from: cardinal on March 06, 2023, 02:52:52 PM
The same thing happens to me, too. I cant seem to find the cause of it, tho.
The wireguard app on my mobile phone shows that i am connected but i am not able to do anything like f.e. visit a website or receive messages from any kind of messenger. When i disconnect the vpn everything works again. Sometimes i am not able to directly connect to the wireguard server after i disconnected (i am not receiving any packages). I then have to wait for some time until it works again.
Interesting. Connecting and immediately reconnecting works for me every time. The mobile app will also not show any data being transmitted during the hung time.
Originally I just thought it was more of my ISP issues as they still haven't figured out their problem on their side. But it's been a consistent issue ever since the upgrade.
Apparently I spoke too soon. Now not even disconnecting and reconnecting is fixing the problem.
Additionally, it seems like I can access some things but not others. For example, Google, Bing, and Reddit all work, but not DDG.
EDIT: Restarting the WG service seems to have fixed the issue for the time being.
Also had issues: https://forum.opnsense.org/index.php?topic=32110.msg155672#msg155672
Might be related to what another user posted in the thread:
Quote
It seems that after some indeterminate period of time, wireguard-kmod forgets what interface it should be replying on and ignores the NAT Reflection rules. If I disconnect the Android client and reconnect, everything goes back to normal and it no longer tries to send traffic out the wrong interface.
My solution was to move back to 22.7 for now. I also installed wg-easy on a machine on my home network, but here I also have strange issues with my box dropping the connection. I'll keep wg-easy for now, it offers some other advantages like QR code generation I can use to create the required settings on my phone by scanning it. Much easier than the manual copy&paste multi step process on opnsense.
[edit] Just saw the thread here: https://forum.opnsense.org/index.php?topic=32347.60
Looks like IPV4 dropped the route on DHCP refresh of the WAN interface. This might be the reason for wg also dropping the connection. Fix is out in latest opnsense version, so i would try that one first.
Now I need to decide if I want Wireguard or vnstat to work as the latest version breaks that. :D
Thanks for the heads up.
Sadly, v23.1.3 did not fix the issue for me. I still lose the connection after some unknown period of time :/
I am seeing the same behavior with Android phones.
In my case I have never needed to do anything on the OPNsense end. Resetting/restarting the phone brings the connection up again.
It seems to be more of a problem when the phone is more mobile. I have all my phones set to use cellular data for the connection (no WiFi at any time). They are also set to have the VPN always on and to route all traffic via the tunnel.
It was fixed in 23.1.2 but I waited to upgrade until 23.1.3 due to the vnstat bug.
Quote from: cardinal on March 10, 2023, 09:26:23 AM
Sadly, v23.1.3 did not fix the issue for me. I still lose the connection after some unknown period of time :/
Somehow I missed this post. I'm seeing the same thing. I just had it hang and I'm on 23.1.3.
I've added keepalive 25 on both sides as a temporary fix.
Quote from: CJRoss on March 10, 2023, 02:54:38 PM
I've added keepalive 25 on both sides as a temporary fix.
Thanks, I also added a keepalive! I will test it and hope for the best
My solution in the end was to set up wg-easy on a NAS and use it as server instead of opnsense. Also had some issues, with the one causeing the most problems was to try to route all the traffic through traefik proxy first. I experienced timeouts and packet loss even while being at home. After moving the wg docker to it's own virtual network, everything is stable now. No data loss and ping is in the low single digit milliseconds all the time instead of having spikes up to 600ms.
I also moved the ddns service to the NAS, so it looks like I am ready for an upgrade to 23.1
Keepalive works as a bandaid until the overall issue gets fixed.
ddclient works, it just doesn't realize it works. The fix will be in the next release of ddclient.
Any update on this?
I have a installation with DHCP on WAN interface and got regulary hangs in wireguard connection, ending in client reconnecting.
Quote from: tfohrer on June 19, 2023, 12:08:15 PM
Any update on this?
I have a installation with DHCP on WAN interface and got regulary hangs in wireguard connection, ending in client reconnecting.
Did you add the keepalive? Or are you talking about in general?
I haven't gone back and tested to see if it works without the keepalive.
Oh sorry,
i haven't any DHCP on WAN interface anymore (DHCPv6/IPV6 disabled now), and yes i have keepalive on both side of tunnel (linux fedora <-> opnsense).
best regards
Quote from: tfohrer on June 21, 2023, 08:29:08 AM
Oh sorry,
i haven't any DHCP on WAN interface anymore (DHCPv6/IPV6 disabled now), and yes i have keepalive on both side of tunnel (linux fedora <-> opnsense).
best regards
What do you have your keepalive set to? Is this your only client?
In regards to your WAN, are you trying to say that you have a static IPv4 address and IPv6 disabled? Or that you have a DHCP IPv4 address and IPv6 disabled.
Hi,
Semi Static IPV4 (via DHCPv4) on Router WAN
Static IPV4 on OPNSense
DHCPv6 on Router WAN / Delegation OPNSense (disabled!)
Keepalive 5 on Serverside, 1s on Client
best regards
Quote from: tfohrer on June 22, 2023, 09:31:20 AM
Hi,
Semi Static IPV4 (via DHCPv4) on Router WAN
Static IPV4 on OPNSense
DHCPv6 on Router WAN / Delegation OPNSense (disabled!)
Keepalive 5 on Serverside, 1s on Client
best regards
Are those the initial keepalive values or have you tried others? I'm using 25s on both ends for mine without any problems.
I'm still a bit unclear about your IPv6 situation. Do you have it completely disabled or are you getting an address on the WAN side and using only IPv4 for your LAN?
Is this your only client? Have you tried any other devices and/or OS?
How do you have your firewall rule set?
IPV6 on WAN side, but now delegation is disabled.
Other clients yes, i configured another fresh client today and same problem.
I'm working over wireguard/ssh, every "hang" got on my nerves, every 60-90s ...terminal got stuck
Quote from: tfohrer on June 22, 2023, 04:06:48 PM
IPV6 on WAN side, but now delegation is disabled.
What happens if you completely disable IPv6?
Quote from: tfohrer on June 22, 2023, 04:06:48 PM
Other clients yes, i configured another fresh client today and same problem.
Is this client the same OS, etc as the original? Can you try one that's not? Is it using the same config or did you create a new pairing?
Quote from: tfohrer on June 22, 2023, 04:06:48 PM
I'm working over wireguard/ssh, every "hang" got on my nerves, every 60-90s ...terminal got stuck
Have you tried changing your keepalive to 25?
Multiple linux with different kernel / wireguards version, all have same problem.
At moment i use keepalive of 1s to "recover/reopen" quickly the connection , but it's simply annoying.
Only real different is that each "client vpn" hangs on different times.
I've a few opnsense boxes connected via wireguard tunnels to a 3rd party router.
Thru those tunnels, I monitor the opnsense boxes via icmp/snmp and experience no hiccups/slowdows on the connection.
keepalive is set at 5 second interval.
HTH