Heya, I am on 23.7.6 and just installed WireGuard plugin. It was installed quite some time ago, but now I wanted a fresh, clean start. Thing is: After installation there are only the tabs "General", "Instances" and "Peers" available, so no "local" tab to get things started. I also have this error message in my diagnostics:
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '172.1.0.4/24' -interface 'wg1'' returned exit code '1', the output was ''
So, thing is: there ain't no interface "wg1" under assignemnets, nor under interfaces. I then checked to forum for similar issues und stumbled over this one:
https://forum.opnsense.org/index.php?topic=35841.0
But the solution is not changing anything (I have tried "Disable Host Route" under System >> Gateways). As I have no instances available the rest of the solution seems not to fit my issue, so right now I am lost... Pls help?
I literally just followed an extremely long, complicated guide to do exactly this, "WireGuard Selective Routing" so I can connect to my WindScribe VPN and make local hosts of my choosing go through this tunnel.
And just like you - encountered the same annoyance - all of the OPNsense documentation is out of date and refers to things like "local" and "endpoints" tabs which are clearly 100% gone
Docs need an update, badly
local is Instances IIRC and Peers is Endpoints I think is what I concluded
> Docs need an update, badly
Let's tone it down a bit, please.
https://github.com/opnsense/docs/issues/504
What I would like to know is why it was called "Instances" and not "Interface" to resemble the wireguard configuration 1:1.
It's [Interface] and [Peer] in the wireguard.conf files.
Because the code base has an "Interface" (assigned) section which is not to be confused with a WireGuard interface (unassigned). This is problematic for historic reasons. Internally we've had the issue of having a long list of "interface" use when actually the network device was meant and not the (assigned) interface. And now "Instances" for WireGuard brings it more in line with OpenVPN (instances) also.
It's the best compromise we can make when trying to avoid "My WireGuard interface is broken" ambiguity in bug reports.
Cheers,
Franco
Thank you for the explanation. That makes a lot of sense and was a good choice then.
Hey @franco,
I'm currently trying to use my OPNSense firewall as a client to a wireguard server instance that I'm running on a remote DigitalOcean server. With these options missing, I'm completely confused how to set it up. It all seems to be in place to setup a wireguard server on opnsense rather than a client.
Like, if I'm creating a peer, it doesn't even have a field for private key. If I'm creating an instance (interface), I should not need to setup a listen port if I'm trying to setup a client, but it asks for it.
Could you please help me with this?
There is no client/server in WireGuard, only peers. So you need a listen port on both ends of the connection.