OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: bobbythomas on October 31, 2019, 11:31:13 pm

Title: Wireguard Unstable
Post by: bobbythomas on October 31, 2019, 11:31:13 pm
Hi All,

I have been using Wireguard dev for a while and recently moved to the stable build, but after moving to the stable build Wireguard has become unstable. Most of the time it won't establish the connection with the server; only on one occasion was it able to establish the connection. There were no changes in the config, and I have even tried uninstalling and doing a fresh install, but still that didn't work. How can I view the Wireguard logs? It seems really hard to troubleshoot Wireguard connectivity issues.

Thanks in advance.

Regards,
Bobby Thomas
Title: Re: Wireguard Unstable
Post by: mimugmail on November 01, 2019, 07:19:54 am
What does "one occasion" mean? Not much changed. Sadly WireGuard is so lightweight that it doesn't throw logs :(
Title: Re: Wireguard Unstable
Post by: bobbythomas on November 01, 2019, 08:40:19 am
Thank you Michael for the quick response. It was not really an occasion, but I was trying to connect to it from my mobile and laptop with the same profile (same peer config with only the IP address changed) and I was only able to connect from my laptop. Earlier it used to connect from both, and if I use only one device to connect to the VPN then there will be no issues, but there will be handshake issues if both of them connect at the same time, and because of that I used to see packet drops (because of the same public key config). I was only able to connect to the VPN once after the change to the stable version, and not from my mobile. I tried capturing data and could see traffic coming from my mobile or laptop on UDP port 51820, but there were no handshakes. I was only seeing handshakes sent from the peer end but nothing received. Any suggestions?

Thank you,
Regards,
Bobby Thomas
Title: Re: Wireguard Unstable
Post by: franco on November 01, 2019, 08:57:01 am
WireGuard has a history of forcing device bugs in FreeBSD and we know there are more crashes out in the wild, although two prominent ones have already been fixed (in 19.7). As such, it can only get better, and it helps to understand where the situation comes from, how new WireGuard still is and why we only reluctantly "unleash" new technologies. If it would have been different and there weren't any fixes yet, we wouldn't have made WireGuard "stable" yet. But it's a process, not a binary decision and suddenly everything works, so actually WireGuard needs the "stable" tag to be able to bring in more users, which will trigger the hard-to-find bugs so they will be fixed eventually.


Cheers,
Franco
Title: Re: Wireguard Unstable
Post by: mimugmail on November 01, 2019, 09:42:58 am
Screenshots of local instance and endpoints please
Title: Re: Wireguard Unstable
Post by: bobbythomas on November 01, 2019, 11:53:12 am
Screenshots of local instance and endpoints please

Please see attached.

Also see the below logs from the Wireguard client while trying to connect.

Code:
2019-11-01 05:36:06.221: [MGR] Update checker: Get https://download.wireguard.com/windows-client/latest.sig: dial tcp: lookup download.wireguard.com: no such host
2019-11-01 05:37:16.888: [TUN] [wireguard] Starting WireGuard/0.0.35 (Windows 6.3.9600; amd64)
2019-11-01 05:37:16.889: [TUN] [wireguard] Watching network interfaces
2019-11-01 05:37:16.917: [TUN] [wireguard] Resolving DNS names
2019-11-01 05:37:16.969: [TUN] [wireguard] Creating Wintun interface
2019-11-01 05:37:20.405: [TUN] [wireguard] Using Wintun/0.7 (NDIS 6.40)
2019-11-01 05:37:20.504: [TUN] [wireguard] Enabling firewall rules
2019-11-01 05:37:20.663: [TUN] [wireguard] Dropping privileges
2019-11-01 05:37:20.711: [TUN] [wireguard] Creating interface instance
2019-11-01 05:37:20.712: [TUN] [wireguard] Routine: event worker - started
2019-11-01 05:37:20.714: [TUN] [wireguard] Routine: encryption worker - started
2019-11-01 05:37:20.716: [TUN] [wireguard] Routine: decryption worker - started
2019-11-01 05:37:20.717: [TUN] [wireguard] Routine: handshake worker - started
2019-11-01 05:37:20.719: [TUN] [wireguard] Routine: encryption worker - started
2019-11-01 05:37:20.720: [TUN] [wireguard] Routine: decryption worker - started
2019-11-01 05:37:20.722: [TUN] [wireguard] Routine: handshake worker - started
2019-11-01 05:37:20.724: [TUN] [wireguard] Routine: encryption worker - started
2019-11-01 05:37:20.725: [TUN] [wireguard] Routine: encryption worker - started
2019-11-01 05:37:20.727: [TUN] [wireguard] Routine: decryption worker - started
2019-11-01 05:37:20.728: [TUN] [wireguard] Routine: handshake worker - started
2019-11-01 05:37:20.730: [TUN] [wireguard] Routine: handshake worker - started
2019-11-01 05:37:20.731: [TUN] [wireguard] Routine: decryption worker - started
2019-11-01 05:37:20.733: [TUN] [wireguard] Routine: TUN reader - started
2019-11-01 05:37:20.741: [TUN] [wireguard] Setting interface configuration
2019-11-01 05:37:20.744: [TUN] [wireguard] UAPI: Updating private key
2019-11-01 05:37:20.760: [TUN] [wireguard] UAPI: Updating listen port
2019-11-01 05:37:20.774: [TUN] [wireguard] UAPI: Removing all peers
2019-11-01 05:37:20.776: [TUN] [wireguard] UAPI: Transition to peer configuration
2019-11-01 05:37:20.791: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Created
2019-11-01 05:37:20.792: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Updating endpoint
2019-11-01 05:37:20.793: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Updating persistent keepalive interval
2019-11-01 05:37:20.794: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Removing all allowedips
2019-11-01 05:37:20.805: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Adding allowedip
2019-11-01 05:37:20.806: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Adding allowedip
2019-11-01 05:37:20.808: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Adding allowedip
2019-11-01 05:37:20.808: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Adding allowedip
2019-11-01 05:37:20.821: [TUN] [wireguard] peer(TIZw…s6BE) - UAPI: Adding allowedip
2019-11-01 05:37:20.822: [TUN] [wireguard] Bringing peers up
2019-11-01 05:37:20.824: [TUN] [wireguard] Routine: receive incoming IPv6 - started
2019-11-01 05:37:20.826: [TUN] [wireguard] Routine: receive incoming IPv4 - started
2019-11-01 05:37:20.828: [TUN] [wireguard] UDP bind has been updated
2019-11-01 05:37:20.840: [TUN] [wireguard] peer(TIZw…s6BE) - Starting...
2019-11-01 05:37:20.840: [TUN] [wireguard] peer(TIZw…s6BE) - Routine: sequential receiver - started
2019-11-01 05:37:20.842: [TUN] [wireguard] peer(TIZw…s6BE) - Routine: nonce worker - started
2019-11-01 05:37:20.844: [TUN] [wireguard] peer(TIZw…s6BE) - Routine: sequential sender - started
2019-11-01 05:37:20.847: [TUN] [wireguard] Monitoring default v4 routes
2019-11-01 05:37:21.125: [TUN] [wireguard] Binding v4 socket to interface 6 (blackhole=false)
2019-11-01 05:37:21.224: [TUN] [wireguard] Setting device v4 addresses
2019-11-01 05:37:21.712: [TUN] [wireguard] Monitoring default v6 routes
2019-11-01 05:37:21.712: [TUN] [wireguard] Binding v6 socket to interface 0 (blackhole=false)
2019-11-01 05:37:21.714: [TUN] [wireguard] Setting device v6 addresses
2019-11-01 05:37:21.944: [TUN] [wireguard] Listening for UAPI requests
2019-11-01 05:37:21.945: [TUN] [wireguard] Startup complete
2019-11-01 05:37:25.412: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:25.445: [TUN] [wireguard] peer(TIZw…s6BE) - Awaiting keypair
2019-11-01 05:37:30.512: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:35.675: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:37:35.675: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:40.759: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:45.942: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:37:45.942: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:51.195: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:37:51.196: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:56.523: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:37:56.524: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:01.608: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:38:01.621: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:06.927: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:38:06.928: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:12.014: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:17.158: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:38:17.158: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:22.451: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:38:22.454: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:27.663: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:32.742: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:38:32.742: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:37.639: [MGR] [wireguard] Tunnel service tracker finished
2019-11-01 05:38:37.869: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:38:37.935: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:38:38.394: [TUN] [wireguard] Device closing
2019-11-01 05:38:38.441: [TUN] [wireguard] Routine: TUN reader - stopped
2019-11-01 05:38:41.230: [TUN] [wireguard] Routine: event worker - stopped
2019-11-01 05:38:41.237: [TUN] [wireguard] Routine: receive incoming IPv4 - stopped
2019-11-01 05:38:41.241: [TUN] [wireguard] Routine: receive incoming IPv6 - stopped
2019-11-01 05:38:41.242: [TUN] [wireguard] peer(TIZw…s6BE) - Stopping...
2019-11-01 05:38:41.243: [TUN] [wireguard] peer(TIZw…s6BE) - Routine: sequential receiver - stopped
2019-11-01 05:38:41.245: [TUN] [wireguard] peer(TIZw…s6BE) - Routine: nonce worker - stopped
2019-11-01 05:38:41.247: [TUN] [wireguard] Routine: decryption worker - stopped
2019-11-01 05:38:41.251: [TUN] [wireguard] Routine: handshake worker - stopped
2019-11-01 05:38:41.257: [TUN] [wireguard] Routine: handshake worker - stopped
2019-11-01 05:38:41.258: [TUN] [wireguard] Routine: decryption worker - stopped
2019-11-01 05:38:41.260: [TUN] [wireguard] Routine: encryption worker - stopped
2019-11-01 05:38:41.261: [TUN] [wireguard] Routine: encryption worker - stopped
2019-11-01 05:38:41.263: [TUN] [wireguard] Routine: handshake worker - stopped
2019-11-01 05:38:41.268: [TUN] [wireguard] Routine: decryption worker - stopped
2019-11-01 05:38:41.274: [TUN] [wireguard] Routine: handshake worker - stopped
2019-11-01 05:38:41.277: [TUN] [wireguard] Routine: decryption worker - stopped
2019-11-01 05:38:41.278: [TUN] [wireguard] Routine: encryption worker - stopped
2019-11-01 05:38:41.280: [TUN] [wireguard] Routine: encryption worker - stopped
2019-11-01 05:38:41.306: [TUN] [wireguard] peer(TIZw…s6BE) - Routine: sequential sender - stopped
2019-11-01 05:38:41.308: [TUN] [wireguard] Interface closed
2019-11-01 05:38:41.309: [TUN] [wireguard] Shutting down
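
The log above shows handshake initiations leaving the client and never being answered. The following Python sketch is an added example, not part of the original post or of WireGuard itself: it tallies handshake events per peer in this log format and gives a verdict. The `Received handshake response` message is wireguard-go's success line and does not appear in the posted log; the second peer and its two lines are constructed.

```python
import re
from collections import Counter, defaultdict

FAILING_PEER, HEALTHY_PEER = "TIZw…s6BE", "AAAA…BBBB"  # second peer is constructed
# First five lines are copied from the posted log; the last two are constructed.
SAMPLE_LOG = """\
2019-11-01 05:37:21.945: [TUN] [wireguard] Startup complete
2019-11-01 05:37:25.412: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:30.512: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:37:35.675: [TUN] [wireguard] peer(TIZw…s6BE) - Handshake did not complete after 5 seconds, retrying (try 2)
2019-11-01 05:37:35.675: [TUN] [wireguard] peer(TIZw…s6BE) - Sending handshake initiation
2019-11-01 05:40:00.000: [TUN] [wireguard] peer(AAAA…BBBB) - Sending handshake initiation
2019-11-01 05:40:00.050: [TUN] [wireguard] peer(AAAA…BBBB) - Received handshake response
"""

# timestamp: [source] [tunnel]? peer(short key)? - message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+): \[(?P<src>\w+)\] "
    r"(?:\[(?P<tunnel>[^\]]+)\] )?(?:peer\((?P<peer>[^)]+)\) - )?(?P<msg>.*)$"
)
EVENTS = {
    "Sending handshake initiation": "sent",
    "Handshake did not complete": "timeouts",
    "Received handshake response": "responses",  # assumption: not in the posted log
}

def triage(log_text):
    """Return {peer: (Counter of handshake events, verdict)}."""
    stats = defaultdict(Counter)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["peer"]:
            continue  # manager lines and interface-level lines carry no peer
        counts = stats[m["peer"]]
        for prefix, name in EVENTS.items():
            if m["msg"].startswith(prefix):
                counts[name] += 1
    result = {}
    for peer, c in stats.items():
        if c["responses"]:
            verdict = "established"
        elif c["sent"]:
            verdict = "no-reply"  # initiations sent, nothing accepted back
        else:
            verdict = "idle"
        result[peer] = (c, verdict)
    return result
```

A `no-reply` verdict places the fault on the path or on the responder (endpoint address or port, firewall rule, or a public key the server does not recognise), because WireGuard stays silent toward packets it cannot authenticate.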
Title: Re: Wireguard Unstable
Post by: mimugmail on November 01, 2019, 12:03:03 pm
Is it intended to have Disable Routes checked?
OPNsense endpoint config is missing
Title: Re: Wireguard Unstable
Post by: bobbythomas on November 01, 2019, 12:09:14 pm
I was trying different settings and I just checked that to see if it would make any difference.

Please see the Endpoint config from OPNsense attached.

Thank you,
Regards,
Bobby Thomas
Title: Re: Wireguard Unstable
Post by: mimugmail on November 01, 2019, 12:12:30 pm
Allowed IPs in the endpoint look wrong. Can you reread the central breakout guide in the official docs?
Title: Re: Wireguard Unstable
Post by: bobbythomas on November 01, 2019, 12:36:39 pm
Thank you Michael, I updated tunnel ip addresses in endpoint configs to /32. But it seems like my internet went down and I am now unable to connect to my OPNsense from remote. I will update the status once connectivity is back.

Thank you,
Regards,
Bobby Thomas
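
Two configuration points come up in this thread: one key pair shared by two devices, and endpoint Allowed IPs that were later narrowed to /32. The Python sketch below is an added example, not part of any post and not OPNsense code, that checks a server-side peer list for both. It assumes the peers are written in wg-quick style `[Peer]` sections; the keys and addresses are constructed placeholders.

```python
import ipaddress
from itertools import combinations

# Constructed server-side peers; keys and addresses are placeholders.
SAMPLE_CONF = """\
[Peer]
# laptop
PublicKey = CONSTRUCTED_KEY_A=
AllowedIPs = 10.10.10.2/24
[Peer]
# mobile, reusing the laptop's key pair
PublicKey = CONSTRUCTED_KEY_A=
AllowedIPs = 10.10.10.3/24
"""

def parse_peers(text):
    """Return one dict per [Peer] section (option names lower-cased)."""
    peers, cur = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            cur = {} if line.lower() == "[peer]" else None
            if cur is not None:
                peers.append(cur)
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            cur[key.strip().lower()] = value.strip()
    return peers

def lint(text):
    """Flag shared public keys, non-host AllowedIPs and overlapping AllowedIPs."""
    peers, nets, findings = parse_peers(text), [], []
    for i, peer in enumerate(peers):
        for cidr in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            nets.append((i, net))
            if net.prefixlen != net.max_prefixlen:
                # wider than a host route; expected only for site-to-site peers
                findings.append(("wide-allowedips", i, str(net)))
    for (i, a), (j, b) in combinations(nets, 2):
        if i != j and a.version == b.version and a.overlaps(b):
            findings.append(("overlap", i, j))
    for i, j in combinations(range(len(peers)), 2):
        key = peers[i].get("publickey")
        if key and key == peers[j].get("publickey"):
            findings.append(("duplicate-key", i, j))
    return findings
```

Giving each device its own key pair and its own /32 tunnel address clears all three findings for the sample.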
Title: Re: Wireguard Unstable
Post by: bobbythomas on November 01, 2019, 01:23:17 pm
Ok I just tried now and it's still not connecting. I even restarted the Wireguard service but that didn't make any difference. Not sure what I need to fix this issue. I will also give it a try with a different port.

Thank you,
Regards,
Bobby Thomas
Title: Re: Wireguard Unstable
Post by: mimugmail on November 01, 2019, 03:10:36 pm
Maybe start a second instance from scratch and follow one by one:

https://docs.opnsense.org/manual/how-tos/wireguard-client.html