OPNsense Forum

English Forums => General Discussion => Topic started by: EASC Support on December 19, 2024, 03:57:52 AM

Title: Wireguard
Post by: EASC Support on December 19, 2024, 03:57:52 AM
Hello everyone. I hope someone has an answer for me. I have set up WireGuard and it is working flawlessly. Almost. I am trying to find a way to deactivate the tunnel when a user logs off or shuts down their computer. I need it to be a conscious decision whether or not to connect, and right now if User A logs off and does not deactivate it, User B has an open tunnel as soon as they log in. Not ideal for my scenario.

Thank
Title: Re: Wireguard
Post by: Seimus on December 19, 2024, 11:54:18 AM
What exactly do you see it's not deactivated? Provide a picture.

If this is RA, each peer has its "own tunnel"; if the device using this tunnel is not active, it goes down.
The only thing that stays UP constantly is the WG interface on the OPNsense side, which should stay UP otherwise you will not be able to establish tunnels.

Regards,
S.
Title: Re: Wireguard
Post by: EASC Support on December 20, 2024, 09:14:36 PM
So if I activate the connection, everything is great.
If I log off or shut down, when I go back on it is still activated (Connected).

That is not a desirable behavior. I want the user to have to consciously activate (Connect) to the VPN when they log on. There are times when they will need to be on the VPN and times they should not be on the VPN. That is why, when they need to be on, I want them to have to connect every time.
Title: Re: Wireguard
Post by: cookiemonster on December 21, 2024, 12:44:39 AM
I don't think you can achieve this with WireGuard. It is designed to be "always on" with the peer simply needing a new handshake to initiate/continue transmitting data. You could have a look at the whitepaper and technical details for the proper explanations: link (https://www.wireguard.com/papers/wireguard.pdf).
Title: Re: Wireguard
Post by: Seimus on December 21, 2024, 04:34:54 AM
If you want to have proactive login into the VPN rather than reactive, this is on users to do. The users should not set the WG client on their device to start up with OS boot.

Regards,
S.