Hi guys,
I'm having the same situation as is mentioned here: https://forum.opnsense.org/index.php?topic=18956.0
If I restart my OPNsense, my WAN interface only gets its IP address after a couple of minutes; this can be 1 minute or 10 minutes. That's a problem, because WG is not able to connect these tunnels. After the WAN interface gets its IP address, the WG interfaces are still down until I restart WG.
Is it still not possible to do a restart after the WAN interface gets its IP address?
For the reboot thing it could be possible to do a simple crontab entry with:
@reboot sleep 600 && /usr/local/etc/rc.d/wireguard restart
How do you handle this?
sash
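The crontab idea above relies on a fixed sleep, which is either too short (WAN not up yet) or wastes minutes when DHCP is quick. The script below is an added example, not from the thread or the OPNsense project: it polls the WAN interface until it actually has an IPv4 address and only then runs the same rc.d restart. The interface name igb0, the 600 second ceiling and the sample ifconfig output are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): instead of a fixed "sleep 600" in an
# @reboot cron entry, poll the WAN interface until it has a real IPv4 address
# and only then restart WireGuard. Interface name, timeout and paths are
# assumptions; adjust them to your box.

# Return 0 if the ifconfig(8) output passed as $1 contains an IPv4 address
# other than the 0.0.0.0 placeholder seen before DHCP has completed.
iface_has_ipv4() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && $2 != "0.0.0.0" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Poll interface $1 every $3 seconds (default 5) for at most $2 seconds.
# Returns 0 as soon as an address is present, 1 on timeout.
wait_for_wan() {
    iface=$1; deadline=$2; step=${3:-5}; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        # Errors (unknown interface, missing ifconfig) are silenced so the
        # loop simply keeps waiting until the deadline.
        if iface_has_ipv4 "$(ifconfig "$iface" 2>/dev/null)"; then
            return 0
        fi
        sleep "$step"
        waited=$((waited + step))
    done
    return 1
}

# Constructed sample ifconfig output (FreeBSD style, documentation address
# 203.0.113.10) used to exercise iface_has_ipv4 without a live interface.
SAMPLE_NOIP='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255'
SAMPLE_UP='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255'

# Cron usage (assumed WAN interface igb0, 10 minute ceiling):
#   @reboot /path/to/this_script.sh run
main() {
    if wait_for_wan "${WAN_IF:-igb0}" "${WAN_TIMEOUT:-600}" 5; then
        /usr/local/etc/rc.d/wireguard restart
    else
        logger -t wg-wait "WAN never got an address, not restarting WireGuard"
        exit 1
    fi
}

# Only act when invoked with "run", so sourcing the file for its functions
# does nothing on the system.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The polling loop still gives up after the ceiling, so a WAN that never comes up is logged via logger instead of restarting WireGuard into a broken state.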
I found this thread when searching for a solution for the exact same issue.
Based on the newwanip hint in the thread you linked, I cowboyed this solution together by adding the following 2 functions to /usr/local/etc/inc/plugins.inc.d/wireguard.inc. It seems to work.
// Register a hook for the 'newwanip' event so the plugin framework
// (plugins_configure) calls wireguard_configure_do() whenever the WAN
// interface receives a new IP address.
function wireguard_configure()
{
    return [
        'newwanip' => ['wireguard_configure_do'],
    ];
}

// Hook callback: restart the WireGuard service through configctl so the
// tunnels are re-established with the new WAN address.
function wireguard_configure_do()
{
    mwexec("/usr/local/sbin/configctl -dq wireguard restart");
}
On WAN interface DHCP renew:
2023-08-28T14:11:22 Notice kernel <6>wg2: link state changed to UP
2023-08-28T14:11:19 Notice kernel <6>wg1: link state changed to UP
2023-08-28T14:11:19 Notice kernel <6>wg0: changing name to 'wg1'
2023-08-28T14:11:19 Notice kernel <6>wg2: link state changed to DOWN
2023-08-28T14:11:19 Notice kernel <6>wg1: link state changed to DOWN
2023-08-28T14:11:19 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_configure_do())
Thanks for helping me find the original thread! I hope this helps you.
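The log excerpt above is the evidence that the hook fired and every wg interface came back. The following is an added example, not part of the post or of OPNsense, that turns that manual reading into a check: feed it the log lines (newest first, as the log viewer shows them) and it prints any wg interface whose most recent link state is not UP. The first sample is the excerpt quoted above; the second is a constructed variant where wg2 never recovers.

```shell
#!/bin/sh
# Added example (not from the thread): after a newwanip event, check from the
# system log that every WireGuard interface's latest link state is UP.
# Input is expected newest-first, as the OPNsense log viewer shows it, so the
# first "link state changed to" line per interface is its current state.
# Rename lines ("wg0: changing name to 'wg1'") do not match the pattern and are
# ignored; the renamed interface reports under its new name.

# Print, one per line, the wg interfaces whose latest logged link state is
# not UP. Prints nothing when everything is up.
wg_ifaces_not_up() {
    printf '%s\n' "$1" | awk '
        /kernel <[0-9]+>wg[0-9]+: link state changed to/ {
            name = $4                                  # e.g. "<6>wg2:"
            sub(/^<[0-9]+>/, "", name)                 # drop syslog priority
            sub(/:$/, "", name)                        # drop trailing colon
            if (!(name in state)) state[name] = $NF    # newest line wins
        }
        END {
            for (n in state) if (state[n] != "UP") print n
        }' | sort
}

# Sample 1: the log lines quoted in the thread (newest first).
LOG_OK="2023-08-28T14:11:22 Notice kernel <6>wg2: link state changed to UP
2023-08-28T14:11:19 Notice kernel <6>wg1: link state changed to UP
2023-08-28T14:11:19 Notice kernel <6>wg0: changing name to 'wg1'
2023-08-28T14:11:19 Notice kernel <6>wg2: link state changed to DOWN
2023-08-28T14:11:19 Notice kernel <6>wg1: link state changed to DOWN
2023-08-28T14:11:19 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_configure_do())"

# Sample 2: constructed variant of the same event where wg2 stays DOWN.
LOG_WG2_DOWN="2023-08-28T14:11:19 Notice kernel <6>wg1: link state changed to UP
2023-08-28T14:11:19 Notice kernel <6>wg0: changing name to 'wg1'
2023-08-28T14:11:19 Notice kernel <6>wg2: link state changed to DOWN
2023-08-28T14:11:19 Notice kernel <6>wg1: link state changed to DOWN
2023-08-28T14:11:19 Notice opnsense /usr/local/etc/rc.newwanip: plugins_configure newwanip (execute task : wireguard_configure_do())"

# Usage on a box (log path is a placeholder, pass lines newest first):
#   wg_ifaces_not_up "$(grep 'link state changed' /path/to/system/log | tail -r)"
echo "sample 1 not up: [$(wg_ifaces_not_up "$LOG_OK")]"
echo "sample 2 not up: [$(wg_ifaces_not_up "$LOG_WG2_DOWN")]"
```

Because the check keys on the newest line per interface, it is not confused by the DOWN lines that precede every reconfigure; only an interface that never logged UP again is reported.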
The 'vpn' hook would be more appropriate. I still have this on my list.
Cheers,
Franco
/usr/local/sbin/configctl -dq wireguard stop
does not stop my WireGuard service
/usr/local/sbin/configctl -dq wireguard restart
does not restart
Also I do not get an error message?
I monitor WireGuard now via monit, works fine for me
waiting for "vpn hook" ;-)
thx
That fix is going to be on 23.7.4.
Cheers,
Franco
Quote from: malac on September 09, 2023, 01:46:07 PM
I monitor WireGuard now via monit, works fine for me
Would you mind posting your Monit settings? I'm struggling setting it up correctly. Thanks in advance.
For FQDN based endpoints there will be another fix for 23.7.8. WireGuard is plug and play like that :D
Cheers,
Franco
Quote from: franco on November 06, 2023, 03:17:01 PM
For FQDN based endpoints there will be another fix for 23.7.8. WireGuard is plug and play like that :D
Nice! What about the business edition? I have the feeling that I didn't have this issue before switching to the business edition but currently don't have a quick way to verify.
I downgraded from OPNsense 23.10_2 (business) to 23.7.7_3 (community). Now the WireGuard tunnels come up automatically again on reboot.
If I can help with finding the underlying issue, let me know how.
There exists a cron job that notices when a WG connection goes stale and restarts it - this can also happen when the other side changes its IP, for example. It should also take care of restarting the connection when WAN gets ready again.
The cron job isn't sufficient for this. setconf fails if the config file contains an FQDN and that in turn prevents adding even the pub/priv keys to the instance. Fixing the endpoint with the refresh doesn't configure it. Only a syncconf will fix it without disrupting peers of other instances already connected.
We will have to issue a new business edition stable release for this (23.10.1) but we are not there yet.
Cheers,
Franco