OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: bobbythomas on August 02, 2020, 06:04:01 pm

Title: [SOLVED] Wireguard not working after upgrade.
Post by: bobbythomas on August 02, 2020, 06:04:01 pm
Hi All,

I just upgraded my firewall from 20.1.9 to 20.7, the upgrade went smoothly. The only issue I am seeing is with the wireguard vpn. After the upgrade the wireguard vpn service was showing down, but when I tried to start the service it's not starting. So I went through the logs and I found the below.

Code:
root@firewall:~ # cat /var/log/system.log | grep wg
Aug  2 20:52:13 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:52:13 firewall kernel: wg0: deletion failed: 3
Aug  2 20:52:13 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:56:30 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:56:30 firewall kernel: wg0: deletion failed: 3
Aug  2 20:56:30 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:58:07 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:58:08 firewall kernel: wg0: deletion failed: 3
Aug  2 20:58:08 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:12:08 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:12:09 firewall kernel: wg0: deletion failed: 3
Aug  2 21:12:09 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:13:46 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:13:46 firewall kernel: wg0: deletion failed: 3
Aug  2 21:13:46 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:01:26 firewall kernel: ifa_maintain_loopback_route: deletion failed for interface wg0: 3
Aug  2 20:01:26 firewall kernel: wg0: link state changed to DOWN

Is this some kind of bug? It seems to me like the system is unable to rename the tunnel interface.

Any help is appreciated.

Thank you,
Regards,
Bobby Thomas
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 02, 2020, 07:36:41 pm
/usr/local/etc/rc.d/wireguard restart

Via console
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 02, 2020, 08:16:50 pm
Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here but the result is the same, the service is not coming up. Do I need to reboot the system manually after upgrade?

Regards,
Bobby Thomas
Title: Re: Wireguard not working after upgrade.
Post by: alexharvard on August 02, 2020, 11:01:31 pm
Hi,
I had a similar issue right after upgrading to version 20.7.
A manual reboot fixed it for me.
Title: Re: Wireguard not working after upgrade.
Post by: witenoize on August 02, 2020, 11:59:45 pm
I have the same issue.  I had 11 endpoints, with local 10.0.0.x addresses and access to my local 10.10.10.x network, all working fine prior to upgrading.

After upgrade, the wireguard service shows as stopped in the dashboard.  Additionally, none of the configurations or keys show in the "List Configurations" tab.

Logging into the console and running wireguard restart gives me this output:

root@OPNsense:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface

INFO: (wg0) 2020/08/02 17:43:04 Starting wireguard-go version 0.0.20200320


I have re-installed the previous version of wireguard and restored my backup and all works as expected.  If I upgrade, then it breaks.

Someone pointed out in another post that if the endpoints have two different networks shown in the allowed IP's field, then Wireguard will not start.  Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.
Title: Re: Wireguard not working after upgrade.
Post by: hsw on August 03, 2020, 09:19:51 am
Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start

Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.

The web ui is also accessible with this setting.
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 09:59:48 am
> Hi Michael,
>
> I tried the same using service wireguard restart and the method you mentioned here but the result is the same, the service is not coming up. Do I need to reboot the system manually after upgrade?
>
> Regards,
> Bobby Thomas
>
> /usr/local/etc/rc.d/wireguard restart
>
> Via console

I need this output
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 10:01:04 am

> Someone pointed out in another post that if the endpoints have two different networks shown in the allowed IP's field, then Wireguard will not start.  Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.

Please open a new thread with more details and screenshots as it may not be related to this one
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 10:02:13 am
> Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start
>
> Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.
>
> The web ui is also accessible with this setting.

Correct, it seems there is a guide out there which states that on endpoint config you have to put in your local LAN which is nonsense .. and it was working with 20.1 but will break in 20.7 (because it is still nonsense).
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 03, 2020, 11:30:30 am
> Hi Michael,
>
> I tried the same using service wireguard restart and the method you mentioned here but the result is the same, the service is not coming up. Do I need to reboot the system manually after upgrade?
>
> Regards,
> Bobby Thomas
>
> /usr/local/etc/rc.d/wireguard restart
>
> Via console
>
> I need this output

Sorry I thought you wanted to know the status of the service after entering that command. Below is the output of the command.

Quote
root@firewall:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] wireguard-go wg0

INFO: (wg0) 2020/08/03 14:56:06 Starting wireguard-go version 0.0.20200320
[#] wg setconf wg0 /tmp/tmp.UtpkrEW8/sh-np.dztf3d
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.1.1.3/32 -interface wg0
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.1.1.1/32 -interface wg0
[#] route -q -n add -inet 192.168.2.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock

root@firewall:~ #

By the by, I tried a manual restart and the issue still persists.

Thank you,
Regards,
Bobby Thomas
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 12:35:44 pm
> route -q -n add -inet 192.168.2.0/24 -interface wg0

Is this your LAN?
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 03, 2020, 12:42:25 pm
> route -q -n add -inet 192.168.2.0/24 -interface wg0
>
> Is this your LAN?

No that's my Zerotier Network. I wanted to access devices in the Zerotier Network when I'm connected to the vpn.
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 12:43:19 pm
But it points to wireguard interface .. can you remove it?
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 03, 2020, 12:57:04 pm
> But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 03, 2020, 01:01:40 pm
> But it points to wireguard interface .. can you remove it?
>
> Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.
>
> Thanks and regards,
> Bobby Thomas

I removed it, still the service is down.

Quote
root@firewall:~ # service wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] wireguard-go wg0

INFO: (wg0) 2020/08/03 16:29:35 Starting wireguard-go version 0.0.20200320
[#] wg setconf wg0 /tmp/tmp.HQjWBJgx/sh-np.rUTYLg
[#] ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.1.1.3/32 -interface wg0
[#] route -q -n add -inet 10.1.1.2/32 -interface wg0
[#] route -q -n add -inet 10.1.1.1/32 -interface wg0
[#] route -q -n add -inet 192.168.1.0/24 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock

root@firewall:~ #

Do I need to remove LAN (192.168.1.0/24)?

Thank you,
Regards,
Bobby Thomas
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 01:07:15 pm
> route -q -n add -inet 192.168.1.0/24 -interface wg0

The line above indicates that this should be a network on the other side of the VPN tunnel.
If one of your local interfaces has this network, wireguard will break. In 20.1 it seems FreeBSD just ignored this.
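
An added example, not part of the original post and not OPNsense or WireGuard code: a check that parses the `route ... -interface wg0` lines from the wg-quick output posted in this thread and reports any that overlap a network already configured on another local interface. The interface names and host addresses in `LOCAL_INTERFACES` are constructed assumptions.

```python
import ipaddress
import re

# Lines taken from the wg-quick output posted in the thread (line prefixes dropped).
WG_QUICK_TRACE = """\
ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
route -q -n add -inet 10.1.1.3/32 -interface wg0
route -q -n add -inet 10.1.1.2/32 -interface wg0
route -q -n add -inet 10.1.1.1/32 -interface wg0
route -q -n add -inet 192.168.1.0/24 -interface wg0
"""

# Constructed sample: addresses on the firewall's non-WireGuard interfaces.
# Interface names and host addresses are assumptions for illustration.
LOCAL_INTERFACES = {
    "em0_lan": "192.168.1.1/24",
    "zt0_zerotier": "192.168.2.1/24",
}

ROUTE_RE = re.compile(r"route\s+.*\badd\s+-inet6?\s+(\S+)\s+-interface\s+(\S+)")


def tunnel_routes(trace):
    """Return (network, interface) for every route wg-quick tried to add."""
    routes = []
    for line in trace.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            net = ipaddress.ip_network(m.group(1), strict=False)
            routes.append((net, m.group(2)))
    return routes


def find_conflicts(trace, local_interfaces):
    """List tunnel routes that overlap a directly connected local network."""
    conflicts = []
    for net, wg_if in tunnel_routes(trace):
        for name, addr in local_interfaces.items():
            local_net = ipaddress.ip_interface(addr).network
            if net.version == local_net.version and net.overlaps(local_net):
                conflicts.append((str(net), wg_if, name, str(local_net)))
    return conflicts


if __name__ == "__main__":
    for route, wg_if, name, local in find_conflicts(WG_QUICK_TRACE, LOCAL_INTERFACES):
        print(f"{route} routed into {wg_if} overlaps {name} ({local})")
```
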
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 03, 2020, 01:19:19 pm
> route -q -n add -inet 192.168.1.0/24 -interface wg0
>
> The line above indicates that this should be a network on the other side of the VPN tunnel.
> If one of your local interfaces has this network, wireguard will break. In 20.1 it seems FreeBSD just ignored this.

Got it. After removing LAN and restarting the service, the Wireguard service came back online. Is this how it should be configured?

Thanks and regards,
Bobby Thomas
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 01:19:55 pm
WHERE did you set this 192.168.1.0/24? in local instance or endpoint?
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 03, 2020, 01:31:47 pm
> WHERE did you set this 192.168.1.0/24? in local instance or endpoint?

Local instance (on the firewall).
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 01:39:11 pm
This is confusing, are you sure you did not make some mistakes in between? First you were talking about 192.168.2.0 and now it's 192.168.1.0.

I really have no idea why wireguard should set a route for local addresses ...
Title: Re: Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 01:57:06 pm
I checked all available good documentation and also the official ones:
https://www.routerperformance.net/opnsense/opnsense-and-wireguard/

I have no idea why you set your local networks in local instance.

This is nowhere documented.

Maybe this was dismissed with FreeBSD 11.2 and now throws an error in FreeBSD 12.1
Title: Re: Wireguard not working after upgrade.
Post by: bobbythomas on August 03, 2020, 02:01:43 pm
> I checked all available good documentation and also the official ones:
> https://www.routerperformance.net/opnsense/opnsense-and-wireguard/
>
> I have no idea why you set your local networks in local instance.
>
> This is nowhere documented.
>
> Maybe this was dismissed with FreeBSD 11.2 and now throws an error in FreeBSD 12.1

Ok, I may have overlooked this while configuring the local instance. I think I added my LAN as well as Zerotier to Wireguard config thinking it's similar to ipsec config. Anyways I removed it now and everything looks good. I will keep this in mind when configuring WG in future.

Thank you Michael. Appreciate your assistance.

Regards,
Bobby Thomas
Title: Re: [SOLVED] Wireguard not working after upgrade.
Post by: mimugmail on August 03, 2020, 02:04:52 pm
Glad it works .. more happy to see that it's not 100% related to FreeBSD 12.1  8)