Messages - FingerlessGloves

#1
Quote from: FingerlessGloves on June 01, 2024, 08:50:23 PM
I'm also getting the issue, even when I updated the latest 24.1.8.

Been working fine for years, but now has issues. I've tried giving the token more permissions and rotating the token too.

It was the SANs: I removed the common name from the SAN, and that fixed it. Can now issue my certs again.
#2
I'm also getting the issue, even when I updated the latest 24.1.8.

Been working fine for years, but now has issues. I've tried giving the token more permissions and rotating the token too.
#3
I recently created some new firewall rules on various interfaces, and when I go into "Firewall: Diagnostics: Sessions or States", the rule it reports for various sessions or states is mapped to the wrong rule. I assume it's parsing old rule numbers, but they've all been shifted around by me adding new rules.

For example, it shows rules from other interfaces that are not part of the traffic flow at all. E.g. traffic from the LAN is showing a rule name from the DMZ interface, when it's just going directly out the WAN.

Anyone else getting this?


OPNsense 23.7.10_1-amd64
Intel Core i3-7100U CPU
#4
I've disabled reauth, and so far no rekey issues
#5
I use the Git backup plugin; I find it's a better method. Then you can back up to GitLab, GitHub, or a self-hosted Git server.
#6
Quote from: amichel on September 23, 2022, 11:05:27 PM
Hi,
In my case I use different settings.
In Phase 1 I use "default" as connection method instead of "response only".
In Phase 2 I use SHA256 as hash algorithm; you use none.
My Azure Settings are attached. Hope that helps

I've changed from AESGCM to AES, to see if that's the problem.
#7
22.7 Legacy Series / Azure Routed Based IPSec rekey issue
September 23, 2022, 09:49:52 AM
Hi Guys,

I've configured an IPsec S2S tunnel to Azure and I'm having issues at rekey. I've double checked my settings and they all match what they should be set to. We have another IPsec tunnel with the same settings to another firewall vendor and the settings work fine, so I know there's something not quite right on the OPNsense side.

I've noticed during the rekey I end up getting "integrity check failed" messages in the IPsec log of OPNsense.

I've got the tunnel set up using AES256-GCM for both phase 1 and phase 2. Luckily the tunnel restarts eventually and comes back up for the lifetime of the SAs, then rekey happens, fails, and the tunnel restarts again after some "integrity check failed" messages. This causes about 2-3 minutes during which no traffic passes.

Has anyone got any experience using AES-GCM with IPsec to Azure?

I shall attach my OPNsense settings, in case the issue is obvious to someone when they look at them.
#8
Quote from: richardk3 on September 26, 2021, 03:57:38 PM
Error messages are saying they can't connect to the web interface.

Have you changed its port?

Wow, thanks for the instantaneous reply and solution!

I had changed from https to http, and hadn't changed the line in PIAWireguard.json.

It's working now!

Glad to hear it's working 💪
#9
Quote from: richardk3 on September 26, 2021, 03:49:43 PM
Hmm...I've installed the latest version of the script, and it has stopped working for me.  I've done something stupid, I'm sure, but I don't know what.

Can anyone help?

root@OPNsense:~ # /conf/PIAWireguard.py debug
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 169, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 96, in create_connection
    raise err
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 86, in create_connection
    sock.connect(sa)
TimeoutError: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 181, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/conf/PIAWireguard.py", line 202, in <module>
    r = requests.get(f'{opnsenseURL}/api/wireguard/server/searchServer/', auth=(config['opnsenseKey'], config['opnsenseSecret']), verify=urlVerify)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))
root@OPNsense:~ #


Error messages are saying they can't connect to the web interface.

Have you changed its port?
#10
Quote from: Learning on August 22, 2021, 01:44:09 AM
Yes, I just confirmed that the actions file has all 3 setups contained within it.
There are 3 distinct entries in Cron now as well.  So I guess that's good.

I have selected the uk_2 server for British streaming.

I think you might be onto something with the DNS holding me back.
Ideally I would like to capture the DNS and route appropriately for each tunnel, although it looks as though all tunnels utilise the same internal IP addresses for DNS.

I am attempting to make sense of https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html#dealing-with-dns-leaks in order to route the DNS appropriately.  In fact I had started a separate thread about it a few days ago at https://forum.opnsense.org/index.php?topic=24416.0, but as yet don't have it working.


Sounds like you're on the right track now. Just create the cron jobs to run each of those actions every 5 or 10 minutes.

DNS wise... what you need to do is set the PIA DNS on the clients via DHCP (or manually) to 10.0.0.243, then in the firewall rules you allow traffic to 10.0.0.243 but using the PIA gateway you need. That should then push the DNS traffic down the tunnel to the DNS server for that region :-)


Also this may be handy information.
https://www.privateinternetaccess.com/helpdesk/kb/articles/streaming-with-pia
#11
Quote from: Learning on August 22, 2021, 01:19:02 AM
You're really on the ball - thanks for monitoring this thread so closely!

A little more playing around and I currently have all gateways up and running again.

One of the issues had been that I was editing the PIAWireguard.py file on my desktop, and had forgotten to copy it back across to OPNsense.  Schoolboy error I'm afraid  :-[

I'm now showing 3 different public IP addresses.

Before going any further I'll see if I can get the Cron jobs set up, then I'll look a bit more closely at my firewall rules.  Still trying to get the hang of those, but so far the UK streaming sites are not working for me.

Streaming can be a tricky one; you may need to use PIA DNS servers, as PIA do some DNS trickery to get streaming services working. But if you look in the regions list you'll see uk_2, which is described as a streaming optimised region, so you may need to use that region id in your setup; failing that, PIA DNS may be required.

Cron Jobs should be pretty easy.

Make sure your action file contains actions for all 3 setups, then reload the configd. Then the 3 actions will appear in the cron section of the webui.
#12
Quote from: Learning on August 22, 2021, 01:01:39 AM
Now I seem to have messed it all up.
Had a brief server crash, and it obviously did some kind of reset (asked me to send a crash report).

I was still doing setup and hadn't done the cron thing.
I went back and added the original PIAWireguard.py file, with the relevant changes.

However when I run PIAWireguard.py debug, I keep getting
wireguardserver addKey request failed non 200 status code - Trying to add instance public key to server in exchnage for connection information

Not sure what that means, and I can't find other errors.  The other gateways (US & UK) came up fine when I ran the scripts and readded the gateways etc.

Any suggestions?

The part it's failing on is sending the PIA server your public key and PIA token in return for the connection information.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/blob/6f839bf952b0dfe5f967ba0edb4c2b3ce9c37abf/PIAWireguard.py#L399

I would assume an issue with opnsenseWGPubkey the script is retrieving from OPNsense. Does the script pick it up correctly? The script does print this information when in debug mode.


I can provide remote support if required.
#13
I highly recommend you make sure you have the actions setup for both the new and old tunnels, and have the cron job setup.

Short term you may not find any issues, but long term you'll need the cron action for each tunnel.

What the action does is monitor the tunnel: if the tunnel goes down, for example because the PIA server restarts for updates or maybe they retire that server, it'll move the WireGuard tunnel over to another PIA server in that region. When PIA restarts their servers, all peers are lost as the server runs in RAM, so a full login on the PIA side is required again. The action also makes sure the gateway IP is set, to allow traffic to route over the tunnel.

Also, if you're disconnected from the PIA server for an extended period of time they will remove you as a peer, so full authentication is required again. Unsure on the timescale, but I think it's 15 minutes or so. That could happen if your WAN goes down or you're updating OPNsense. The cron action will then make sure you get back up and running again.

Hope this helps :-)
#14
Quote from: Learning on August 21, 2021, 08:30:09 PM
**Looks around slowly and raises hand sheepishly after several months of inactivity in thread...**

I used this script to set up a PIA WG tunnel . Worked  great  ;D

Now I am hoping to set up multiple WG tunnels.
How would I go about this?  The idea is a tunnel for US & UK in addition to my existing tunnel.

If I run the primary script again, will it break the existing connection?  Do I need to go right back and create a new API for example, or can I start further along in the process?

It's very simple to do  :)

Make a copy of your current PIAWireguard.py, name it something like PIAWireguard_US.py then edit the below variables

opnsenseWGName  = 'PIAUS'
opnsenseWGPort = "51816"
piaRegionId = "us_silicon_valley"

Very important to change the WGName and WGPort!


Then you'll also need to add some new entries to the actions file, just need to add new actions for each region example below
"/usr/local/opnsense/service/conf/actions.d/actions_piawireguard.conf"

[piaWireGuardUS]
command:/conf/PIAWireguard_US.py
parameters: %s %s
type:script_output
message:Running PIA WireGuard US Script : /conf/PIAWireguard_US.py %s %s
description:PIA WireGuard US


Then reload the configd service
configd restart

Now you can run the script again and it'll create the next PIA WireGuard Interface, and follow the setup guide again, with the second PIA interface.
/conf/PIAWireguard_US.py debug
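As an added example, not code from the thread or from the OPNsensePIAWireguard project: a POSIX shell helper for the copy-and-edit step above that also refuses a copy whose opnsenseWGName or opnsenseWGPort would collide with the source, since the post flags those two as the values that must change. The stand-in PIAWireguard.py, the function names and the US values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or the OPNsensePIAWireguard project:
# clone PIAWireguard.py for another PIA region, rewriting the three variables the
# post says must change, and refuse a copy whose interface name or port collides
# with the source (a duplicate opnsenseWGName/opnsenseWGPort breaks both tunnels).
set -eu

# Print the value of a simple `name = 'value'` or `name = "value"` assignment.
get_var() { # file var
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" "$1" | head -n 1
}

# Rewrite one such assignment on stdin with a new quoted value; other lines pass through.
set_var() { # var value
    sed "s|^\([[:space:]]*$1[[:space:]]*=[[:space:]]*\)[\"'][^\"']*[\"']|\1\"$2\"|"
}

# make_region_copy SRC DST NAME PORT REGION: write DST, or return 1 on a collision.
make_region_copy() {
    src=$1 dst=$2 name=$3 port=$4 region=$5
    if [ "$(get_var "$src" opnsenseWGName)" = "$name" ]; then
        echo "refusing: opnsenseWGName '$name' is already used by $src" >&2; return 1
    fi
    if [ "$(get_var "$src" opnsenseWGPort)" = "$port" ]; then
        echo "refusing: opnsenseWGPort '$port' is already used by $src" >&2; return 1
    fi
    set_var opnsenseWGName "$name" < "$src" \
        | set_var opnsenseWGPort "$port" \
        | set_var piaRegionId "$region" > "$dst"
}

# Emit the configd stanza for actions_piawireguard.conf, in the layout the post shows.
actions_stanza() { # suffix script
    printf '[piaWireGuard%s]\ncommand:%s\nparameters: %%s %%s\ntype:script_output\n' "$1" "$2"
    printf 'message:Running PIA WireGuard %s Script : %s %%s %%s\ndescription:PIA WireGuard %s\n' "$1" "$2" "$1"
}

# Demo on a constructed stand-in for PIAWireguard.py (only the three variables matter here).
tmp=$(mktemp -d)
cat > "$tmp/PIAWireguard.py" <<'EOF'
opnsenseWGName  = 'PIA'
opnsenseWGPort = "51815"
piaRegionId = "uk"
EOF
make_region_copy "$tmp/PIAWireguard.py" "$tmp/PIAWireguard_US.py" PIAUS 51816 us_silicon_valley
actions_stanza US /conf/PIAWireguard_US.py
```

The stanza goes into the actions file named in the post and the copy into /conf, after which configd still has to be restarted as described above.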
#15
Making use of wider screens would be great!