I have just updated to OPNsense 24.7.5-amd64
FreeBSD 14.1-RELEASE-p5
OpenSSL 3.0.15
Now WireGuard does not work / does not get an IPv4 address, only showing IPv6 on https://www.whatismyip.com/
Are others having this issue also? Is there a quick fix?
Both of my IPv4 tunnels are working fine.
Two different "providers".
Are you using only IPv4, or IPv4 and IPv6 also?
IPv4 only
Easiest way forward is to roll back core package and reassess:
# opnsense-revert -r 24.7.4 opnsense
(assuming the previous was 24.7.4)
In the general case the update isn't the problem anymore. It's mostly the reboot that "changes" behaviour.
Cheers,
Franco
Runs without problems here, IPv4 only though, with a S2S connection.
@Franco: I did a restore of my latest working config from 4 days ago and rebooted, no difference.
Now I went to the console and ran your command:
# opnsense-revert -r 24.7.4
#
but it did nothing? Is the command missing something?
Sorry, I should take more care when proposing such commands.
# opnsense-revert -r 24.7.4 opnsense
opnsense-revert needs a list of packages to revert. We want to revert the core package to test the update theory.
Cheers,
Franco
@Franco thanks for the follow-up. Just did the opnsense-revert -r 24.7.4 opnsense,
rebooted OPNsense. After that I had to go to Interfaces > WG > Enable Interface, set it to disabled and hit Save, and then Enable Interface > enable again and Save. Result: WireGuard is back up and running, getting IPv4 and IPv6 on https://www.whatismyip.com/
What could have caused 24.7.5 to break WireGuard getting IPv4? How can I help to localize it?
P.S. the "trick" Interfaces > WG > Enable Interface > disabled, save, and then enable again and save, did not work on 24.7.5 as it did with 24.7.4_1
> rebooted OPNsense. After that I had to go to Interfaces > WG > Enable Interface, set it to disabled and hit Save, and then Enable Interface > enable again and Save. Result: WireGuard is back up and running, getting IPv4 and IPv6 on
That's a strange way of saying it works on 24.7.4. We may be looking at the same issue but with different timings. Can we agree your WireGuard isn't up on boot? Can we assume that is because you use FQDNs for the remote end?
That being said I'd much rather try to find the issue in 24.7.5 than trying to figure out why 24.7.4 worked "better".
Cheers,
Franco
Agree, wild guess: maybe it has to do with my connection being PPPoE? A couple of versions back I had to do this interface off-and-on trick with the WAN interface to get IPv4 and IPv6, although the connection was up. This was fixed a while back with further updates of OPNsense.
WireGuard, road warrior where all connected devices' traffic goes through it while away, uses an IPv4 IP as endpoint.
On 24.7.4_1, after a reboot WireGuard is running and the device connected, but going to https://www.whatismyip.com/ only shows an IPv6 IP. This results in some websites working and some not. After interface wg off and on, this is corrected and https://www.whatismyip.com/ shows IPv4 and IPv6 and all is working again.
Being on 24.7.5, on reboot WireGuard shows running, but only IPv6 shows on https://www.whatismyip.com/, whatever I try with interface off and on, or stopping and starting WireGuard again.
I hope that helps explain the setup.
If it's PPPoE it might be https://github.com/opnsense/core/commit/a40bc6ff9 but we did do an extensive call for testing on all of this ;)
# opnsense-patch a40bc6ff9
Not knowing if it reverts or forwards, depending on whether you are on 24.7.4 or 24.7.5. Watch the command line output to see. If it applied correctly, at the end it says "Have a nice day".
Cheers,
Franco
@Franco: I did the upgrade to core 24.7.5, then applied the opnsense-patch a40bc6ff9 ... "have a nice day"
- rebooted the OPNsense box
-> WireGuard: same problem.
-> I then did the opnsense-revert -r 24.7.4 opnsense back and rebooted the OPNsense box; WireGuard with the off-and-on interface trick works as before. I do not know if the applied patch is still part of my system now.
So it must be something else, I think.
FWIW I have a PPPoE connection, and am using IPv4 WireGuard connections fine post-upgrade.
One 'out', and also one back into the router from my mobile devices. All fine.
You haven't been tripped up by an earlier change, have you? What did you update from? I remember at some point, if you were using FQDNs as endpoints in your tunnels, you had to change them to the IP, as they could no longer be resolved. Have you skipped a few upgrades and are perhaps affected by something like that?
I also don't have any issues on 24.7.5 with PPPoE, WireGuard and IPv4/6.
@RamSense Have you tried your trick also on 24.7.5?
@Taunt9930, no FQDN, just an IPv4 IP as endpoint. And I update OPNsense almost always the same day the updates arrive.
@iam: yes, the interface off-and-on trick does not work on 24.7.5.
My WireGuard has been the stable foundation forever and kept on working with every update... until it did not with 24.7.5...
I went through every step of the WG installation again, even configured a new one with a different tunnel address and client IPs: 10.0.0.2 instead of 10.10.10.2 and fd00::2 instead of the GLA IPv6, but no difference.
Maybe it is DNS related? What do you use for the client DNS setting? Mine is the IPv4 and IPv6 tunnel address in the client config under "DNS Servers".
But then again, doing opnsense-revert -r 24.7.4 opnsense and reboot: WG only shows IPv6 on whatismyip -> interface wg off, save, and on, save, and WG is running like it has been doing forever, with IPv4 and IPv6 showing on whatismyip.com ...
N.B. Looking at the WG logs I see this on 24.7.5 which is not showing on 24.7.4:
Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,[]))
Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,[])
Maybe that's an indication of what is wrong??
Or virtual IP related?
OK, I am almost sure it has to do with my virtual IPs.
But I do not know how to add the gateway in the virtual IP. When I type the name "WAN_FTTH_PPOE" it is not accepted. When I add the current IP of the gateway, it can be that after a reboot the IP of the gateway has changed from xxx.232 to xxx.233.
How do I set this gateway setting?
See attachments.
Under Interfaces,
click on your WireGuard interface and leave everything default, other than clicking Enable.
The last click is at the very bottom: Dynamic gateway policy. Check that.
Then go back to System > Gateways > Configuration > edit your tunnel interface: for the IP address and monitor IP, put the default gateway of your WireGuard tunnel.
Once saved, it should fix the weird bug of it showing the wrong tunnel as "Active", and it should all come back online even after a reboot.
@Franco sorry for the noise, it was not related to OPNsense 24.7.5.
@DEC670airp414user, thanks for that. 90% solved! As soon as I created it, WireGuard came up with IPv4 and IPv6. This solved it for 90%. Somehow after a reboot WG still does not get IPv4; I have to go to System > Settings > Gateways and hit the [Apply] button, while no config change has been made there, and WireGuard IPv4 and IPv6 are up as soon as I hit the Apply button.
So somehow it is not done correctly on boot and "has to be done again after booting up"?
Now running OPNsense 24.7.5 and the same as above. Any ideas on how to solve this little last part?
Out of curiosity, what is your upstream gateway set to, or the one that says active after the reboot?
Mine is WAN.
If you are using gateway monitoring, and using the tunnel gateway to monitor, do they show up after the reboot once the probe interval, set to say 10 seconds, has lapsed?
What you are posting is something I've found to be the case for a long time, but I've never had a tunnel not come back up.
See attachment, that's the info from System > Gateways > Configuration; [WAN_FTTH_PPPOE (active)] is my IPv4 gateway.
Upstream gateway needs to be checked on it then.
Done, it shows on the gateway page: 254 (upstream).
Still, after reboot, I have to go to Gateways and hit Apply for WG to have both IPv4 and IPv6.
Change the priority to one.
That's all I got, RamSense. :)
Changed it to 1 (upstream), rebooted. But no difference; still have to hit Apply on the gateway page for WG IPv4 and IPv6. But you helped me enormously already with the WG gateway setup and being able to update to 24.7.5.
I hope someone knows how to get this last step done (otherwise I have to remember to hit Apply every time a reboot is done).
Maybe show some more screenshots of your Gateways and your WireGuard config. Also, why do you have to use a VIP, what does it do?
Here are the current gateway settings and VIPs. I have the subnet for the mail server and web server and on top the WAN IPv4 and WAN IPv6 for the OPNsense box. I noticed in the far past that OPNsense uses the above 2 for "its default IP".
WireGuard config is as in the road warrior setup guide, with the difference that I use [Keepalive interval = 25] in the peer config for the mobile devices to be able to have the VPN always on. And a different WireGuard port.
DNS is going through AdGuard Home (plugin on OPNsense).
I still don't get what all the VIPs do. Who is your ISP? Do you have more than one public IPv4 address? Is it dynamic or static IPv4?
On your WG gateway you have a public IP, that is most probably wrong. Is this a privacy VPN? Please show the original config from that privacy VPN provider.
That IP is the default gateway IP I see on the OPNsense gateway page from the ISP connection. I typed that one in the WG gateway. When I leave that out, select "Disable Gateway Monitoring", and reboot, the result is the same as with this IP put in. I have to hit Apply in the gateway section for it to work.
And indeed more IPv4 public IP addresses, all static.
Quote from: RamSense on September 28, 2024, 03:16:35 PM:
> And indeed more IPv4 public IP addresses, all static.
Okay.
Still, what is this WG gateway good for?
That was added from the help above from DEC670airp414user, and it solved the problem of WG not showing IPv4 and only IPv6 on whatismyip.com.
But what is it good for, who is connecting to whom? And which side is using whatismyip.com? What does the tunnel config look like?
It is a road warrior setup. All mobile devices, laptop etc., while away from home (Wi-Fi), use the WireGuard VPN. All data goes through the internet connection at home. This way AdGuard Home does its work when away from home also, and I am able to connect to local services that are not connected to the internet.
whatismyip.com is being done from an iPhone on 5G with the WireGuard VPN on.
OK, so I don't see any use for a gateway on that WG tunnel, remove it. I think you still should show the whole WG config on OPNsense, for the instance and the peer.
Well, it fixed the IPv4 problem with WireGuard on 24.7.5 and on 24.7.4 for me, no longer having to do a "WG interface off, save and on, save" trick to get it working.
Instance and peer config attached.
That looks good. So I wonder, with all your public IPv4 addresses, maybe the problem is in Outbound NAT.
Actually, I had/have a problem there too. I fixed it by creating an Outbound NAT rule myself. The problem only occurs after rebooting OPNsense. So our problems might be related. :D
But mine was already there before the latest release.
Edit: Create an Outbound NAT rule on WAN with your tunnel network as source. Just do it and thank me later. :P
Here is the outbound NAT, one for IPv4 and one for IPv6.
Quote from: RamSense on September 28, 2024, 04:08:55 PM:
> Well, it fixed the IPv4 problem with WireGuard on 24.7.5 and on 24.7.4 for me, no longer having to do a "WG interface off, save and on, save" trick to get it working.
> Instance and peer config attached.
1. MTU seems awfully high. Mine is 1300 and I get full speeds, almost 500 Mb for my WAN fiber line.
2. I have "disable routes" checked for all of my tunnels.
Again, I was too late.
Quote from: Bob.Dig on September 28, 2024, 04:11:54 PM:
> Edit: Create an Outbound NAT rule on WAN with your tunnel network as source. Just do it and thank me later. :P
See also the post above, but here again(?) the outbound NAT.
Again, just do it manually, but only on your WAN.
Mine looks like this.
I do not follow? I have an outbound NAT rule on WAN with WG Net as source.
Or is it that instead of selecting WG Net you put in the tunnel address 10.10.10.0/24?
Quote from: RamSense on September 28, 2024, 04:29:00 PM:
> I do not follow? I have an outbound NAT rule on WAN with WG Net as source.
Then do follow and do as I say, make a rule manually like I did. It is a bug after all.
I added the attached outbound rule; after reboot I still had to hit "Apply" on the gateway page for the iPhone with WireGuard to get both IPv4 and IPv6 on whatismyip.com.
Too bad. I think it was worth the try. But again, no need for a gateway on your phone over WireGuard in OPNsense. But I resign from this thread now. Good luck!
ok, thanks for your help Bob.Dig
Quote from: DEC670airp414user on September 28, 2024, 04:19:16 PM:
> 1. MTU seems awfully high. Mine is 1300 and I get full speeds, almost 500 Mb for my WAN fiber line.
> 2. I have "disable routes" checked for all of my tunnels.
Last one: try 1280 as MTU and also try disabling routes, it shouldn't be needed in this case.
Also don't use keepalive on the OPNsense, only do that on your phone.
Tried this also, same result: have to hit Apply on the gateway page to get it to work. Thanks for the help so far!
System > Settings > General.
At the very bottom, what is "Allow gateway switching" set to? Mine is unchecked.
Firewall > Settings > Advanced > "Skip rules" is unchecked for me.
Hi again, just checked. Gateway switching unchecked also, and skip rules unchecked too.
N.B. I noticed also that when I make a change in the OPNsense WireGuard instances or peer config and hit Apply, I need to go to Gateways > Configuration and hit Apply there for IPv4 and IPv6 to be back up. So my old situation (on OPNsense 24.7.4) trick of interface off, save, and on, save, looks to have merged into the trick of going to Gateways > Configuration and hitting Apply. But I believe they are related to the underlying issue I see/have.
Just to confirm here.
Mine does similar, but after the probe interval time has passed, it normally does come back online.
Yours never ever comes back until you click re-save?
My probe interval is set to 15 seconds.
Correct, I have to hit Apply on gateways for it to come back.
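The thread ends without finding out what pressing Apply on the gateway page changes that boot did not. What follows is an added example, not code from the thread or from the OPNsense project: a small POSIX shell script for the OPNsense console that snapshots the IPv4 route table, the pf NAT rules and the WireGuard peer state (once right after the reboot, once after Apply) so the two snapshots can be diffed, plus parsers that summarise a snapshot. The instance name wg0, the tunnel network 10.10.10.0/24 and the WAN name pppoe0 are assumptions and can be overridden with environment variables; the sample command output embedded at the bottom is constructed for the off-box demonstration, not captured from a real box.

```shell
#!/bin/sh
# Added example for the thread above, not code from the thread or from OPNsense.
# Snapshot the state that decides whether a road-warrior peer's IPv4 traffic is
# routed and NATed, once right after boot and once after Apply on the gateway
# page, then diff the two snapshots to see what Apply actually changed.
# Assumptions (not stated in the thread): instance wg0, tunnel net
# 10.10.10.0/24, WAN interface pppoe0. Override with environment variables.

WG_IF="${WG_IF:-wg0}"
TUN_NET="${TUN_NET:-10.10.10.0/24}"
WAN_IF="${WAN_IF:-pppoe0}"

# Netif of the IPv4 default route, from `netstat -rn -f inet` on stdin
# (FreeBSD columns: Destination Gateway Flags Netif Expire).
default_route_iface() {
    awk '$1 == "default" { print $4; exit }'
}

# Netif that a given destination network is routed to, same input format.
route_iface_for() {
    awk -v net="$1" '$1 == net { print $4; exit }'
}

# Number of `pfctl -s nat` rules (stdin) that translate the tunnel network on
# the WAN interface. The "WireGuard net" alias is assumed to appear expanded
# to the literal subnet in pf's output, so a literal match is enough.
nat_rule_count() {
    awk -v net="$1" -v wan="$2" '
        $1 == "nat" && $2 == "on" && $3 == wan && $4 == "inet" {
            for (i = 5; i < NF; i++) if ($i == "from" && $(i + 1) == net) n++
        }
        END { print n + 0 }'
}

# Number of peers in `wg show <if> dump` (stdin) that currently have an
# endpoint, i.e. have handshaked at least once. Line 1 describes the interface;
# peer lines are: pubkey psk endpoint allowed-ips handshake rx tx keepalive.
peers_with_endpoint() {
    awk 'NR > 1 && $3 != "(none)" { n++ } END { print n + 0 }'
}

# Capture a live snapshot into directory $1 (run as root on the OPNsense shell).
snapshot() {
    dir="$1"
    mkdir -p "$dir"
    netstat -rn -f inet   > "$dir/routes4.txt"
    netstat -rn -f inet6  > "$dir/routes6.txt"
    pfctl -s nat          > "$dir/nat.txt"
    pfctl -s rules        > "$dir/rules.txt"
    ifconfig "$WG_IF"     > "$dir/ifconfig.txt"
    wg show "$WG_IF" dump > "$dir/wg.txt"
}

# One-screen summary of a snapshot directory using the parsers above.
report() {
    dir="$1"
    echo "IPv4 default route via:            $(default_route_iface < "$dir/routes4.txt")"
    echo "tunnel net $TUN_NET routed via: $(route_iface_for "$TUN_NET" < "$dir/routes4.txt")"
    echo "outbound NAT rules for tunnel net: $(nat_rule_count "$TUN_NET" "$WAN_IF" < "$dir/nat.txt")"
    echo "peers with an endpoint:            $(peers_with_endpoint < "$dir/wg.txt")"
}

# Constructed sample output (not captured from a real box) so the parsers can
# be exercised off-box. It models a healthy state: default route on pppoe0,
# tunnel net on wg0, one outbound NAT rule for it, one peer handshaked.
SAMPLE_ROUTES4='Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS      pppoe0
10.10.10.0/24      link#5             U           wg0
192.168.1.0/24     link#1             U           em0'
SAMPLE_NAT='nat on pppoe0 inet from 10.10.10.0/24 to any -> (pppoe0:0) port 1024:65535
nat on pppoe0 inet from 192.168.1.0/24 to any -> (pppoe0:0) port 1024:65535'
SAMPLE_WG='PRIVKEY PUBKEY 51820 off
PEER1 (none) 198.51.100.7:41521 10.10.10.2/32 1727500000 1000 2000 0
PEER2 (none) (none) 10.10.10.3/32 0 0 0 0'

case "${1:-}" in
    snapshot) [ -n "${2:-}" ] || { echo "usage: $0 snapshot DIR" >&2; exit 2; }
              snapshot "$2" ;;
    report)   [ -n "${2:-}" ] || { echo "usage: $0 report DIR" >&2; exit 2; }
              report "$2" ;;
    *)  # no arguments: demonstrate the parsers on the constructed samples
        echo "default route via: $(printf '%s\n' "$SAMPLE_ROUTES4" | default_route_iface)"
        echo "tunnel net via:    $(printf '%s\n' "$SAMPLE_ROUTES4" | route_iface_for "$TUN_NET")"
        echo "NAT rules:         $(printf '%s\n' "$SAMPLE_NAT" | nat_rule_count "$TUN_NET" "$WAN_IF")"
        echo "peers w/ endpoint: $(printf '%s\n' "$SAMPLE_WG" | peers_with_endpoint)" ;;
esac
```

Usage on the box: run `sh wgcheck.sh snapshot /tmp/boot` straight after the reboot while the phone only gets IPv6, press Apply on System > Gateways > Configuration, run `sh wgcheck.sh snapshot /tmp/applied`, then `diff -ru /tmp/boot /tmp/applied` and `sh wgcheck.sh report /tmp/applied`. Whichever line differs (an outbound NAT rule for the tunnel net appearing, the tunnel net's route moving, or a peer only gaining an endpoint after Apply) is the piece of state that Apply regenerates and boot did not, which is the information the thread never managed to pin down.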