Howdy, folks.
So I'm having a LOT of problems getting multiple WG VPN tunnels set up to Mullvad and then doing selective routing over them. Some of it, I would say, is due to lack of observability as to the state of the tunnels. In short, I miss the old Status tab which would at least let me know I had configured the tunnel correctly before I start playing with selectively routing of traffic over them.
What advice do folks here have as to troubleshooting WG VPN (and maybe related pf configurations) from the CLI?
For reference, I have tons of experiencing doing pretty complicated gateway setup on Linux going all the way back to ipchains days. Not so much with *BSD and pf. So, I can learn is what I'm saying. :D
I have menu items, status + Log File with version: 24.4.3-amd64
2024-10-10T10:47:54 Notice wireguard wireguard instance WG_XXXXX (wg1) started
2024-10-10T10:47:54 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service
2024-10-10T10:47:54 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WG_XXX)
2024-10-10T10:47:54 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: keeping inet default route to
So what I've noticed is that even in DEBUG the Wireguard Log can sometimes report that the tunnel is up but it doesn't seem to be functioning for me and I don't see routes for it at the CLI either. Entirely possible that I am able to auth to the remote VPN endpoint and then something about routing or forwarding is still goofed up.
On that theory, I've been opening 2 browsers when configuring new tunnels and comparing them step-by-step to known-good configs for working tunnels. Hasn't produced working tunnels in most cases.
my go to commands would be
wg
ifconfig
netstat -rn
Wireguard doesnt log much since its not stateful. If you want logs use IPsec.
I've been trying to set some of the Outbound NAT and other firewall rules for logging but I'm not seeing much in the console. Perhaps I'm not looking in the correct place or perhaps there's a way to get at that info from the command line?
Another approach I'm planning to take is set up an internal log aggregator. I've been meaning to this for some time anyway.
the best tool to troubleshoot wireguard would be the good old tcpdump.
tcpdump -i wg0
1. If there are no incoming udp packets, check firewall rules, ports, etc
2. If there are pakets but no answers, check if public key matches between the peers
3. If there are request and response pakets, something should work.
Quote from: Monviech on October 10, 2024, 06:32:52 PM
the best tool to troubleshoot wireguard would be the good old tcpdump.
tcpdump -i wg0
Well, that is a tool I've definitely spent time getting to know. Thanks for the advice.
Quote from: granute on October 10, 2024, 10:00:53 PM
Quote from: Monviech on October 10, 2024, 06:32:52 PM
the best tool to troubleshoot wireguard would be the good old tcpdump.
tcpdump -i wg0
Well, that is a tool I've definitely spent time getting to know. Thanks for the advice.
If you want a deep dive, this book cannot be recommended highly enough:
https://en.wikipedia.org/wiki/TCP/IP_Illustrated
Rich Stevens uses tcpdump to show how the protocols work in action. Absolutely brilliant.
Quote
Rich Stevens uses tcpdump to show how the protocols work in action. Absolutely brilliant.
I'm pretty comfortable with IP/UDP/TCP itself. Is there a similarly great book you're recommend on advanced networking topics with FreeBSD?