OPNsense Forum

English Forums => Virtual private networks => Topic started by: DL-KK on June 24, 2022, 11:43:29 am

Title: wireguard tunnel don't come up after restart
Post by: DL-KK on June 24, 2022, 11:43:29 am
Hi Guys

We have a test setup of 2 x OPNsense 22.1.9 firewalls.
The first one is a publicly available unit, and the other is behind a NAT firewall (but I don't think the problem is related to this).
The problem is that we can set up a WireGuard VPN, and we have a fine, stable connection, but when we reboot the firewall, the plugin says that it starts the handshake and adds it as a peer interface, but we don't see any traffic
going through the tunnel.

The tunnel runs great until we reboot the unit. After the reboot the tunnel can't get online, but if we try to run
/usr/local/etc/rc.d/wireguard stop
then wait some seconds and then run
/usr/local/etc/rc.d/wireguard start
then it seems to bring up the tunnel (in 1 out of 20 times; just keep rerunning the same commands).

The output below is from after a reboot of the unit, but before it is working.

Does anyone have an idea what is happening here? And any ideas for a solution?

system info (both ends):
OPNsense 22.1.9-amd64 (it was same problem with 22.1.8)
plugin: os-wireguard 1.11 (also tried with 1.10)
packages: wireguard-kmod 0.0.20220615 (tried with and without this package)

behind NAT unit conf:
interface: wg0
  public key: 1oFHvZGtjWyaz+u/0CjxcCFLZvsDPdrxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51113

peer: yD1Dq6WCu8w1lAvpE365pBq9h4Axxxxxxxxxxxxx
  endpoint: x.x.x.x:51113
  allowed ips: 10.4.113.0/24, 172.20.113.0/24
  latest handshake: 10 seconds ago
  transfer: 252 B received, 340 B sent
  persistent keepalive: every 2 seconds

public unit conf:
interface: wg0
  public key: yD1Dq6WCu8w1lAvpE365pBqxxxxxxxxxxxxx
  private key: (hidden)
  listening port: 51113

peer: 1oFHvZGtjWyaz+u/0Cjxcxxxxxxxxxxxxx
  endpoint: y.y.y.y:51113
  allowed ips: 172.20.113.0/24, 10.20.113.0/24
  latest handshake: 1 second ago
  transfer: 13.72 KiB received, 31.25 KiB sent
  persistent keepalive: every 2 seconds
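A watchdog that automates the stop / wait / start workaround from the post, as an added example that is not from the thread or from OPNsense: it treats the tunnel as healthy only when the `wg show` handshake is recent AND the peer's tunnel-side address answers a ping (the post shows a fresh handshake by itself proves nothing), and bounds the number of restart attempts. Assumed: the far side's tunnel address (constructed from the allowed-ips range in the post), the rc script path quoted in the post, and that it is run from cron as `wg-watchdog.sh run`.

```shell
#!/bin/sh
# WireGuard watchdog for OPNsense (added example, not from the thread or the project).
WG_IFACE="${WG_IFACE:-wg0}"
PEER_TUNNEL_IP="${PEER_TUNNEL_IP:-10.4.113.1}"   # assumed: far side's tunnel address (constructed)
RC_SCRIPT="/usr/local/etc/rc.d/wireguard"        # the rc script used in the post
MAX_RESTARTS="${MAX_RESTARTS:-20}"               # the post saw roughly one success in 20 tries
MAX_HANDSHAKE_AGE=180                            # seconds; WireGuard rekeys about every 2 minutes

# Age in seconds of the "latest handshake:" line in `wg show` output (first peer only).
# Handles "1 minute, 5 seconds ago" and "Now"; a peer with no handshake yet reads as 999999.
handshake_age() {
    age=$(printf '%s\n' "$1" | sed -n 's/.*latest handshake: *//p' | head -n 1 | tr -d ',' |
        awk '{ s = 0
               for (i = 1; i < NF; i += 2) {
                   if ($(i+1) ~ /^second/) s += $i
                   else if ($(i+1) ~ /^minute/) s += $i * 60
                   else if ($(i+1) ~ /^hour/) s += $i * 3600
                   else if ($(i+1) ~ /^day/) s += $i * 86400 }
               print s }')
    printf '%s\n' "${age:-999999}"
}

# Reachability probe across the tunnel; on FreeBSD ping's -W is in milliseconds.
probe_peer() { ping -c 1 -W 2000 "$PEER_TUNNEL_IP" >/dev/null 2>&1; }

# Healthy = recent handshake AND successful probe; $1 = wg show output, $2 = probe cmd (default ping).
tunnel_healthy() {
    age=$(handshake_age "$1")
    [ "$age" -le "$MAX_HANDSHAKE_AGE" ] || return 1
    "${2:-probe_peer}"
}

# The stop / wait / start sequence from the post, bounded so a dead link cannot loop forever.
restart_until_up() {
    n=1
    while [ "$n" -le "$MAX_RESTARTS" ]; do
        "$RC_SCRIPT" stop; sleep 5
        "$RC_SCRIPT" start; sleep 10
        if tunnel_healthy "$(wg show "$WG_IFACE")"; then
            logger -t wg-watchdog "$WG_IFACE up after $n restart(s)"; return 0
        fi
        n=$((n + 1))
    done
    logger -t wg-watchdog "$WG_IFACE still down after $MAX_RESTARTS restarts"; return 1
}

# Invoke from cron as `wg-watchdog.sh run`; sourcing the file defines the functions only.
if [ "${1:-}" = "run" ]; then
    tunnel_healthy "$(wg show "$WG_IFACE")" || restart_until_up
fi
```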
Title: Re: wireguard tunnel don't come up after restart
Post by: alh on July 19, 2022, 08:46:31 am
I have the same problem with the latest Business Edition 22.4.2. After a reboot only wg0 kind of comes up, meaning the handshake is established but there is zero traffic through the tunnel. After manually restarting the service both interfaces, wg0 and wg1, come up and start working.
Title: Re: wireguard tunnel don't come up after restart
Post by: mallox on July 21, 2022, 02:14:51 pm
Had this exact same problem. wg0 didn't come up but wg1 did. Had to drive over to reset the WireGuard tunnel. Disappointing... Haven't had this issue previously.
Title: Re: wireguard tunnel don't come up after restart
Post by: franco on July 21, 2022, 02:18:21 pm
Also have OpenVPN running?

Cheers,
Franco
Title: Re: wireguard tunnel don't come up after restart
Post by: alh on December 27, 2022, 09:44:54 pm
I still have this issue after the recent upgrade to OPNsense 22.10-amd64. Now wg0 did not come up but wg1 did. I thought I was clever by setting up a cronjob to restart WireGuard daily. But apparently this didn't help. So I had to manually restart the service in the dashboard to have wg0 up and running.

This is quite weird, because I do not have this issue on any community installation.

And to answer Franco: no, no OpenVPN running.
Title: Re: wireguard tunnel don't come up after restart
Post by: newsense on December 31, 2022, 08:07:11 pm
manually restart the service in the dashboard to have wg0 up and running.

There's little to no justification to still use wireguard-go. The kmod-wireguard works perfectly fine with multiple WG instances alongside OpenVPN or without it.

Side note - once the kmod is installed the Dashboard is not usable anymore and it shows the service being down, which is technically accurate since it pertains to the Go implementation.

pkg install wireguard-kmod