I have a WireGuard server running on my OPNsense firewall. After the last update (25.7.9) none of the WG clients could connect to the server. I checked the log and this is what it said:
/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'> returned exit code 1 and the output was "Name does not resolve: `DNS_NAME:PORT' Configuration parsing error"
(https://i.imgur.com/MPP0B4U.png)
I censored the DNS names. I have 2 errors because I have 2 configurations/2 DNS.
Disabling and re-enabling WireGuard from the GUI fixed the problem.
To temporarily fix the issue I had to do the following:
1. Log into the firewall through ssh.
2. Create the script file:
nano /usr/local/etc/rc.syshook.d/start/99-wireguard-restart
3. Input this text in the file:
#!/bin/sh
# Wait for WAN + DNS (AdGuard/Unbound) to be ready
sleep 10
# Fully restart all WireGuard instances (same effect as GUI Enable/Apply)
/usr/local/bin/php /usr/local/opnsense/scripts/wireguard/wg-service-control.php -a restart
exit 0
4. Add execution rights to the file:
chmod +x /usr/local/etc/rc.syshook.d/start/99-wireguard-restart
I suppose this issue is caused by an improper order in the execution of certain services.
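As an added example (not the script from this thread and not OPNsense project code): a variant of the rc.syshook start script that waits until every Endpoint hostname in the wg*.conf files actually resolves before issuing the same restart command, instead of a fixed sleep 10. The config directory and restart command are the ones shown in the log and script above; the 60-second default timeout, the 5-second poll interval, and the use of getent(1) and logger(1) are assumptions.

```sh
#!/bin/sh
# Added example, not the thread's script: restart WireGuard only once the
# peer endpoint names resolve, so "Name does not resolve" is not hit at boot.
# Assumptions: getent(1) is available (FreeBSD and Linux both ship it);
# 60 s total wait and 5 s poll interval are arbitrary defaults.

WG_CONF_DIR="${WG_CONF_DIR:-/usr/local/etc/wireguard}"   # path seen in the log above
MAX_WAIT="${MAX_WAIT:-60}"
POLL="${POLL:-5}"

# Print the host part of every "Endpoint = host:port" line in the given
# config files, one per line, deduplicated. IPv6 literals appear as [addr]:port.
wg_endpoint_hosts() {
    awk -F'=' '
        tolower($1) ~ /^[ \t]*endpoint[ \t]*$/ {
            ep = $2
            gsub(/^[ \t]+|[ \t]+$/, "", ep)           # trim whitespace
            if (ep ~ /^\[/) { sub(/^\[/, "", ep); sub(/\]:[0-9]+$/, "", ep) }
            else            { sub(/:[0-9]+$/, "", ep) }
            print ep
        }' "$@" | sort -u
}

# Return 0 if the argument is an IP literal or resolves through the system
# resolver (the same path wg(8) uses), 1 otherwise.
host_resolves() {
    case "$1" in
        *:*) return 0 ;;                                   # IPv6 literal
    esac
    if printf '%s\n' "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        return 0                                           # IPv4 literal
    fi
    getent hosts "$1" >/dev/null 2>&1
}

# wait_for_endpoints TIMEOUT_SECS host... : poll until all hosts resolve.
# Returns 0 on success, 1 (and logs the stragglers) when TIMEOUT_SECS elapses.
wait_for_endpoints() {
    timeout=$1; shift
    waited=0
    while :; do
        pending=""
        for h in "$@"; do
            host_resolves "$h" || pending="$pending $h"
        done
        if [ -z "$pending" ]; then
            return 0
        fi
        if [ "$waited" -ge "$timeout" ]; then
            logger -t wg-wait "endpoints still unresolved after ${timeout}s:$pending"
            return 1
        fi
        sleep "$POLL"
        waited=$((waited + POLL))
    done
}

# Entry point: skipped when the OPNsense config directory is absent, so the
# functions above can be sourced and exercised on another machine.
if [ -d "$WG_CONF_DIR" ]; then
    hosts=$(wg_endpoint_hosts "$WG_CONF_DIR"/*.conf)
    # word splitting of $hosts is intended: one hostname per word
    if wait_for_endpoints "$MAX_WAIT" $hosts; then
        /usr/local/bin/php /usr/local/opnsense/scripts/wireguard/wg-service-control.php -a restart
    else
        exit 1   # syncconf would fail with the same parsing error; leave the log entry
    fi
fi
```

Dropped into /usr/local/etc/rc.syshook.d/start/ with execute rights like the script above, this gives the same restart but with an explicit reason in the system log when a peer name still cannot be resolved, which is the check you want when deciding whether the cause is service ordering or a resolver that is genuinely down.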
The problem is / was probably present before. If you use DNS names for wireguard peers, then the daemon will only resolve them once on start and never recognizes if the peer's IP changes. There is a cron job "Renew DNS for Wireguard on stale connections" which will restart Wireguard. You can run that job every 5 minutes and it will probably fix the DNS resolution problem during startup, too (at least after 5 minutes).
This has been reported over and over (https://forum.opnsense.org/index.php?topic=39819.0), so now I appended it as point 30 here: https://forum.opnsense.org/index.php?topic=42985.0
Quote from: meyergru on Today at 01:47:04 PM: "The problem is / was probably present before."
Well, that's very strange. I've been using this firewall with Wireguard for a very long time without any issues after rebooting. But since the last update, every single time I rebooted, wg clients could no longer connect.
The "Renew DNS for Wireguard..." cron job didn't fix it for me (maybe I did something wrong). The script I posted works fine and it acts right after finishing the reboot process.