OPNsense Forum
English Forums => Virtual private networks => Topic started by: yhq_34 on February 22, 2021, 02:05:20 am
-
Hi,
Is there any way to keep updating WAN IP if the ip was changed? I have found my site to site VPN was disconnected when one side WAN IP was changed.
-
You can have the client on the side with changing IPs. Otherwise a script could check your tunnel and restart WG if necessary...
-
OK, is there a setting exist in the opnsense to complete this action?
-
I have a peer to peer Wireguard VPN set up and both networks use dynamic DNS to point to their respective public IPs. When I set up the endpoints, I used their hostnames instead of IP addresses and it seemed to work. I don't know how often they are checked and neither IP has changed since I set up the tunnel but I'm hoping it will work seamlessly.
-
Wireguard will work with host names as well, but will hang after a reboot of the system. You have to start the service after a reboot manually.
-
Wireguard will work with host names as well, but will hang after a reboot of the system. You have to start the service after a reboot manually.
Any idea how often the hostnames are resolved or is it a continuous thing?
-
ONCE, when the tunnel is started. Never afterwards, even if the DynDNS get's updated and therefore the tunnel fails...
-
I am running wg site 2 site with opnsense at links with dynamic IPs. So the IPs change mininimum every month while updating opnsense.
ONCE, when the tunnel is started. Never afterwards, even if the DynDNS get's updated and therefore the tunnel fails...
Is this still the case?
Is there a workaround/script/something like that to solve this problem?
-
I can confirm: DNS resolution is only done once at the initialization of the connection.
On client side you can run something like this as bash script via cron as root:
WGNAME=wg0; SRVDNS=$(sed '/^Endpoint */!d;s/^.*= *//g;s/:.*$//g' /etc/wireguard/$WGNAME.conf); CONIP=$(wg show $WGNAME | sed '/endpoint:/!d;s/ *endpoint: //g;s/:.*$//g'); DNSIP=$(dig +noall +answer $SRVDNS | sed '/\tA\t/!d;s/^.*\tA\t//g'); if [ "$CONIP" != "$DNSIP" ]; then ifdown $WGNAME: sleep 1; ifup $WGNAME; fi
-
Thank you. Will test this script.
I also opened a feature request here: https://github.com/opnsense/plugins/issues/2927
If you are interested in this, please support it on github.
-
IMHO this is a classical job for monit, nothing that needs to be fixed upstream.
-
You will probably have to change the IP addresses in your client profiles, yes. To solve this automatically, get a cheap domain and setup dynamic dns with that, or use a free dynamic dns service. And then setup Wireguard to work with your new domain or dyndns name.
techzpod (https://techzpod.com/) download mobdro (https://get-mobdrovip.com)
-
You will probably have to change the IP addresses in your client profiles, yes. To solve this automatically, get a cheap domain and setup dynamic dns with that, or use a free dynamic dns service. And then setup Wireguard to work with your new domain or dyndns name.
That is pretty much easiest option.
To make wireguard (or any service which is dependent on public IP), you need to have either static IP or own domain which DNS A record can be updated using dynamic DNS service.
For VPN more complicated way would be using IPv6 address (those don't change if I'm not mistaken), but setting that to work, is less painfull than sticking a fork in your eye.
-
Unfortunately this issue has never been resolved for opnsense, while in the GUI of pfsense you can choose a time interval for "Endpoint Hostname Resolve Interval" under VPN -> WG -> Settings.
I don't want to mess around with script/cron stuff for basic tunnel functionality. Any solution in sight?
-
I assume you are aware that the WG script for this (same as what pfSense uses) has been added to OPNsense: https://github.com/opnsense/plugins/pull/2956
The only thing missing is a convenient button in the UI to configure the running interval for the script. But not that much more work to set up the cron job
-
A cron job might be in reach for me, coding GUI not... :-(
Thanks for the info anyways...
PS: Ok, I had a look in System -> Settings -> Cron, is this the "Renew DNS for Wireguard on stale connections" entry in the drop-down?
Does it really check for stale connections? Or should I simply run it every 3 min or so?
Many thanks in advance!
-
PPS: My local networking nerd evaluated that the underlying script of this cron job mentioned above checks for handshakes and if too long ago it restarts the wg instance. Hope I got it correct...
-
Correct. The script checks if the last handshake was longer than 135 seconds ago and if so, restarts the connection, resulting in a new DNS lookup if name-based endpoints are used.
-
Thanks for confirming! 8)