Hi,
I am running OPNsense v 25.7.6 in 2 locations with 2 different Internet service providers. I have a Wireguard VPN setup for each (using a different VPN server on each).
It has been working fine for months. Simultaneously this morning, the Wireguard VPN stopped letting traffic out of the OPNsense box in each location.
I have verified that my VPN provider is working. I have changed the server, public key, etc... OPNsense shows a successful handshake.
There was a key mismatch for my VPN server, but OPNsense was reporting a successful handshake. Is it possible to change the way OPNsense reports the Wireguard status? Instead of reporting on the Layer 2/3 connection attempt (the VPN tunnel), can OPNsense report on the Layer 7 data flow (internet traffic)?
You can assign the wg interfaces and configure gateway monitoring.
Or use Monit if you want email notifications.
Cheers
Maurice
The problem is that OPNsense was showing the Wireguard connection as fine. Monitoring the gateway did not help because the gateway was alive and active.
The WireGuard status in OPNsense is reporting on the Layer 2/3 connection attempt (the VPN tunnel) and not necessarily the Layer 7 data flow (internet traffic).
When OPNsense initiates the connection, it sends a handshake packet to the VPN server's endpoint IP. The handshake is built using the local private key.
The VPN server receives this handshake packet and, if the network path is clear, it sends a reply back to OPNsense.
This reply packet from the server is misinterpreted by the OPNsense WireGuard service as a successful completion of the handshake process, even though the server immediately discards the session due to a key mismatch.
In my instance, I had accidentally deleted the VPN instance with the Private Key I was using, so the VPN server, upon receiving the handshake packet, looked up my Key in its database and said I don't recognize this public key anymore. The VPN server did not process the session and did not pass any packets, but doesn't send a clean error message back to OPNsense that the key is invalid. The OPNsense client just sees that the connection was established to the port, and a handshake occurred, leading to the confusing "successful handshake" status with zero or stalled traffic volume. The OPNsense Latest Handshake status primarily indicates the last time the client and server spoke to each other, even if that conversation was a one-sided failure due to the invalid key. The true indicator of failure is the lack of inbound and outbound traffic bytes after the initial handshake.
Because the link was showing as UP with no traffic, I spent hours trying to diagnose the Firewall rules thinking that a rule or something went wrong on my side with the OPNsense configuration.
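An added check (example script, not OPNsense's or WireGuard's own code) that turns the indicator named in this post, no inbound bytes after a fresh handshake, into something cron or Monit can alert on: it compares two `wg show <iface> dump` snapshots and flags a peer whose handshake is recent but whose rx counter has not moved. The interface name wg0, the peer keys and the addresses are placeholders.

```shell
#!/bin/sh
# Compare two `wg show <iface> dump` snapshots taken a minute apart and flag
# peers whose "latest handshake" is fresh while no inbound bytes arrive.
# Peer lines of the dump have 8 tab-separated fields:
#   pubkey psk endpoint allowed-ips latest-handshake(epoch) rx-bytes tx-bytes keepalive

# check_dumps PREV_FILE CUR_FILE NOW MAX_AGE
# Prints "<pubkey> <state>" per peer; state is healthy, stalled or no-handshake.
check_dumps() {
    awk -v now="$3" -v max_age="$4" '
        NR == FNR { if (NF == 8) prev_rx[$1] = $6; next }   # snapshot 1: remember rx per peer
        NF == 8 {
            if ($5 == 0 || now - $5 > max_age) state = "no-handshake"
            else if ($6 <= prev_rx[$1] + 0)    state = "stalled"   # handshake fresh, no new inbound data
            else                               state = "healthy"
            print $1, state
        }' "$1" "$2"
}

# write_samples DIR: constructed snapshots (placeholder keys, TEST-NET addresses).
# PEER_A keeps handshaking but its rx counter never moves; PEER_B receives data normally.
write_samples() {
    printf 'IFPRIV\tIFPUB\t51820\toff\n' > "$1/prev"
    printf 'PEER_A\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1700000000\t1200\t88000\t25\n' >> "$1/prev"
    printf 'PEER_B\t(none)\t198.51.100.7:51820\t10.0.0.0/8\t1700000000\t5000\t6000\toff\n' >> "$1/prev"
    printf 'IFPRIV\tIFPUB\t51820\toff\n' > "$1/cur"
    printf 'PEER_A\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1700000050\t1200\t96000\t25\n' >> "$1/cur"
    printf 'PEER_B\t(none)\t198.51.100.7:51820\t10.0.0.0/8\t1700000045\t9100\t7000\toff\n' >> "$1/cur"
}

# On the firewall itself (wg0 is an assumed interface name), e.g. from cron:
#   wg show wg0 dump > /tmp/wg.prev; sleep 60; wg show wg0 dump > /tmp/wg.cur
#   check_dumps /tmp/wg.prev /tmp/wg.cur "$(date +%s)" 180
```

A "stalled" result with a green handshake is exactly the symptom described above; "no-handshake" covers the case where the endpoint is unreachable.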
I'm not talking about the WAN gateway or the WireGuard status. You can set up an additional gateway monitor (System: Gateways: Configuration) for the WireGuard tunnel. Dpinger then pings a monitor IP of your choice through the WireGuard tunnel. If the tunnel stops passing packets, the ping fails.
Quote from: Maurice on Today at 01:41:48 AM
I'm not talking about the WAN gateway or the WireGuard status. You can set up an additional gateway monitor (System: Gateways: Configuration) for the WireGuard tunnel. Dpinger then pings a monitor IP of your choice through the WireGuard tunnel. If the tunnel stops passing packets, the ping fails.
If that ping fails, how do I know it's a key mismatch on the VPN server as opposed to a rule on OPNsense preventing data from going out?
I have 8.8.8.8 as the Monitor IP in the Wireguard interface. It showed the Wireguard interface as green.
Quote from: mlenje on Today at 01:46:58 AM
If that ping fails, how do I know it's a key mismatch on the VPN server as opposed to a rule on OPNsense preventing data from going out?
Since this is traffic originating from OPNsense itself, you would have to accidentally create a firewall rule which blocks outbound traffic. And then you would see blocks in the firewall log.
Quote from: mlenje on Today at 01:57:52 AM
I have 8.8.8.8 as the Monitor IP in the Wireguard interface. It showed the Wireguard interface as green.
The interface was "green" or the gateway? Gateway monitoring creates a static route for the monitor IP to prevent the pings from taking other routes, so it should definitely show the gateway as down.
Quote from: Maurice on Today at 02:27:24 AM
The interface was "green" or the gateway? Gateway monitoring creates a static route for the monitor IP to prevent the pings from taking other routes, so it should definitely show the gateway as down.
Up is green, correct? Attached is a picture of what was displayed in the Dashboard.
I guess the simple answer is NO, OPNsense cannot detect a key mismatch when connecting to a VPN Server?
Then gateway monitoring is probably misconfigured. Check the routing table for 8.8.8.8. Make sure it isn't configured as a DNS server in System / Settings / General.
WireGuard is stateless. If the keys don't match, no traffic passes the tunnel. But there is no "login" or "connection" which could fail. That's by design.
Quote from: Maurice on Today at 04:26:40 AM
Then gateway monitoring is probably misconfigured. Check the routing table for 8.8.8.8. Make sure it isn't configured as a DNS server in System / Settings / General.
WireGuard is stateless. If the keys don't match, no traffic passes the tunnel. But there is no "login" or "connection" which could fail. That's by design.
There are no entries for DNS Servers in System / Settings / General ... I use DNSCrypt for DNS Servers.
Under VPN / Wireguard / Status, what does a green check and a handshake age in seconds mean for a given Wireguard Peer?
"Then gateway monitoring is probably misconfigured. Check the routing table for 8.8.8.8." Means: use an IP address on the other side of your WireGuard tunnel.
"There was a key mismatch for my VPN server, but OPNsense was reporting a successful handshake. Is it possible to change the way OPNsense reports the Wireguard status?" Yes, there is; create a report at: https://github.com/opnsense/core/issues