OPNsense Forum

English Forums => Virtual private networks => Topic started by: ne0_2k on October 09, 2023, 09:20:06 AM

Title: WireGuard client cannot communicate anywhere after some amount of time
Post by: ne0_2k on October 09, 2023, 09:20:06 AM
Hello all,

I've configured WireGuard on my OPNsense following the Road Warrior Guide (https://docs.opnsense.org/manual/how-tos/wireguard-client.html). I'm able to connect and everything works, but after a while (doesn't seem like a consistent period of time) I'm unable to communicate with any address (both tunnel addresses or any other address). This can usually be resolved by disconnecting and reconnecting to the tunnel.
I've seen some posts discussing adding a KEEPALIVE to the configuration and I haven't tried that yet but to my understanding that should be used when you need to keep traffic coming in to your client which is behind a NAT and the mapping is removed from the firewall. I don't understand why that would prevent outgoing traffic from my client.

Any tips from more experienced folks would be much appreciated.

Title: Re: WireGuard client cannot communicate anywhere after some amount of time
Post by: Monviech (Cedrik) on October 09, 2023, 09:34:09 AM
WireGuard uses UDP. UDP has a default session timeout of 30 seconds in most routers.

The keepalive should be configured in the client, like 25 seconds or so, to keep the session open. Otherwise the outbound port of the NATed client might change and then the WireGuard server on the OPNsense keeps sending to the wrong old port and it stops working.
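For readers who want to see where that setting lives, here is a client-side configuration in the standard wg-quick format with the keepalive set as described above. This is an added example, not a config from the thread, the Road Warrior guide, or the OPNsense project; the keys, tunnel addresses, DNS server and endpoint are placeholders and assumptions.

```ini
# Road-warrior client config (constructed example, not from the thread).
# Keys, addresses and the endpoint below are placeholders, not real values.
[Interface]
PrivateKey = <client-private-key>
# Tunnel address handed out for this client on the OPNsense WireGuard instance
Address = 10.10.10.2/32
# Resolver reachable through the tunnel (assumption: the OPNsense tunnel address)
DNS = 10.10.10.1

[Peer]
PublicKey = <opnsense-server-public-key>
# Public address and UDP port of the OPNsense WireGuard instance
Endpoint = vpn.example.com:51820
# Route everything through the tunnel (full-tunnel road warrior)
AllowedIPs = 0.0.0.0/0
# Send an empty packet every 25 seconds so the router's UDP NAT mapping for this
# flow never idles out; 25 stays under the 30-second timeout quoted above. Without
# it the mapping expires, the client gets a new source port, and the server keeps
# sending to the stale one.
PersistentKeepalive = 25
```

The setting belongs on the NATed side, i.e. the client, since that is the side whose mapping expires; the server's peer entry on OPNsense does not need it. To confirm it took effect, `wg show` on the client lists the peer's persistent keepalive interval and the age of the latest handshake, and the server-side endpoint port shown for that peer should stay constant over time. The trade-off is that a 25-second keepalive keeps a mobile client's radio from idling, so battery use goes up while the tunnel is up.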

Title: Re: WireGuard client cannot communicate anywhere after some amount of time
Post by: CJ on October 10, 2023, 04:37:29 PM
Quote from: Monviech on October 09, 2023, 09:34:09 AM
WireGuard uses UDP. UDP has a default session timeout of 30 seconds in most routers.

The keepalive should be configured in the client, like 25 seconds or so, to keep the session open. Otherwise the outbound port of the NATed client might change and then the WireGuard server on the OPNsense keeps sending to the wrong old port and it stops working.

I just want to note that WG did not previously require keepalive. It would automatically create and resume tunnels as needed. But somewhere around 21-22 something got changed that caused WG to be unable to resume and required you to completely turn it off and then back on. Keepalive 25 was added in order to prevent needing to resume, as a band-aid until the root cause gets fixed.

That all said, I'm not sure if anyone has actually worked on troubleshooting the root cause of WG being unable to resume and whether it's limited to OPNsense or not.

Title: Re: WireGuard client cannot communicate anywhere after some amount of time
Post by: ne0_2k on October 10, 2023, 08:45:35 PM
Thanks both for the feedback. I will try to add it and see how it affects the connection.