I was getting reporting data with Wireguard-Go before the upgrade but not now.
The WG interface is selected in the Zenarmor Settings > Config, but the Dashboard traffic graph just shows flatline.
Reports shows all other interfaces but not Wireguard.
Live Sessions - Can filter wg0 interface but reports nothing.
Log Message:
Engine configuration error
Cannot validate interface: netmap@wg0 line: 2, 1, netmap@wg0, netmap@wg0^, 0, 3, 4345 ,lan;netmap;routedmode
Anybody else experiencing the same and is there a fix?
OPNsense 23.7.1_3
Zenarmor 1.14.2
Are you definitely still using wireguard go? It's possible it has reverted to k-mod as part of the OPNSense upgrade?
When I go to System > Firmware > Plugins it shows os-wireguard-go (installed) and os-wireguard is not installed.
Should I try uninstalling and reinstalling Wireguard? Will all of my tunnels and keys be preserved?
Thanks
I can confirm Wireguard-Go is installed and the Wireguard interface/FW rules are set up similar to my other two interfaces. However, those work just fine on Zenarmor.
No idea why Zenarmor sees the Wireguard interface but doesn't filter or report.
Any advice would be appreciated.
Uninstall wireguard-go (to be deprecated/removed in the future and to the best of my knowledge with no development prospects) and use kmod-wireguard instead.
Quote from: newsense on August 21, 2023, 04:38:09 AM
Uninstall wireguard-go (to be deprecated/removed in the future and to the best of my knowledge with no development prospects) and use kmod-wireguard instead.
The reason the OP is using go is because currently k-mod is not supported by filtering by Zenarmor, whereas Go was. The issue here is that it appears to have stopped working.
Whilst generally good advice to switch, it won't fix the OP's actual problem/complaint here - in fact it will guarantee Zenarmor won't filter it (until supported). As far as I know, that isn't the case yet?
Update:
After the recent update to OPNsense 23.7.2 and Zenarmor 1.14.4, the traffic graph in the Zenarmor Dashboard shows active Wireguard traffic but selecting the wg0 interface in Live Sessions or Reports shows nothing.
Thank you to the Devs thus far.
Same issue at my OPNsense.
I can see the traffic load on the dashboard, but no connection details in the live view.
The rules aren't applied to the Wireguard traffic. :(
Is there maybe a kernel patch missing for tun that we discarded in the Netmap project? https://github.com/opnsense/src/commit/88f60d158d3b7
Because it wasn't added to 23.7 when we rewrote the branch from releng/13.2
Cheers,
Franco
Uhm, is this a question to us users? I hope not ;D
Can we test it or provide logs to check this?
Who should I talk to instead? 8)
I can add a test kernel on Monday. But ideally I'd like Zenarmor to report these issues and help test. The last we spoke of this together (when we did the Netmap improvement project) we decided to discontinue the TUN patching so that's what I did adhere to.
Cheers,
Franco
Hey @franco,
Thanks for the heads-up. Yes, if the tun patch is not in 23.7, that must be the reason.
Looking forward to the test kernel; team will go ahead and test it.
WRT wireguard-kmod netmap support, we're working on it to see whether it would be feasible to develop/maintain. We'll reach out to the team once we have some meaningful progress.
Quote from: franco on August 26, 2023, 08:47:02 PM
Who should I talk to instead? 8)
I guessed it was a question for another dev. Because I understood your presumption, but I don't know how to check if the missing patch is the reason for the issue.
Anyway, thank you guys for taking care of it.
Any news regarding this issue? I also have the same here, no wireguard traffic in Zenarmor, engine stops with same alert "Cannot validate interface:..." so I always have to restart...
OPNsense 23.7.3
os-wireguard 2.0_2
os-sensei 1.14.5
Thanks a lot!
I'll publish a test kernel tomorrow.
Cheers,
Franco
Thanks a lot for your work, much appreciated! :)
Quote from: wirefall on August 31, 2023, 04:07:38 PM
Any news regarding this issue? I also have the same here, no wireguard traffic in Zenarmor, engine stops with same alert "Cannot validate interface:..." so I always have to restart...
OPNsense 23.7.3
os-wireguard 2.0_2
os-sensei 1.14.5
Thanks a lot!
If you want to use Zenarmor with WG, you have to install Wireguard Go instead of Wireguard (remove os-wireguard, install os-wireguard-go (System: Firmware -> Packages))
Zenarmor is currently not able to detect the WG Kernel Module interfaces. I guess this will resolve your "Cannot validate interface" issue.
The issue that we have is, that Zenarmor is able to detect the WG interfaces, but it can't inspect the traffic due to the missing TUN patch.
# opnsense-update -zkr 23.7.2-tun
# opnsense-shell reboot
Cheers,
Franco
Thanks a lot Franco, the results:
1. Alerts ("Cannot validate interface:...") are not showing up anymore so far, also no engine stop
2. Dashboard Traffic still only shows dead flat lines for wg interface, and in Live Sessions there is no wg data
So I guess the engine stop is fixed with your tun patch :)
Now waiting for wireguard-kmod netmap support. Thanks in advance to the Zenarmor team for addressing this important feature! :)
YAY! It's working again! :)
WG traffic is inspected and blocked as before the OPNsense update. Thanks a lot for your support!
Quote from: mb on August 26, 2023, 09:09:31 PM
Hey @franco,
Thanks for the heads-up. Yes, if the tun patch is not in 23.7, that must be the reason.
Looking forward to the test kernel; team will go ahead and test it.
WRT wireguard-kmod netmap support, we're working on it to see whether it would be feasible to develop/maintain. We'll reach out to the team once we have some meaningful progress.
Any news regarding wireguard-kmod netmap support? Thanks a lot :)
Hi all,
Thank you for your inquiry. I am pleased to inform you that we plan to support it before the release of OPNsense 24.1 version. If you have any further questions or concerns, please do not hesitate to contact the Zenarmor team.
Best regards,
this is really great news, thank you very much indeed! :)