Messages - breakaway

#1
You're right, now that I look back on it. However, if you read the rest of my post, I say I can't even get the service to start. It turns out the reason the service wouldn't start was that I had /32s as my address under Allowed IPs, as alluded to in the documentation: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
#2
Port is not required. If it isn't supplied, it defaults to the default wg port, which is 51820.

Anyway, I got this working. I had a lot of trouble with it. Documentation is inconsistent, and it seems this randomly breaks after firmware updates. Here's an example: https://forum.opnsense.org/index.php?topic=27092.msg131768#msg131768

Anyway, here is my ultimate config that works.

The config files are located in /usr/local/etc/wireguard

SIDE A
[Interface]
PrivateKey = < REDACTED >
Address = 10.64.12.1/24
ListenPort = 51820

[Peer]
PublicKey = < REDACTED >
Endpoint = < SIDE B WAN IP >:51820
AllowedIPs = < Enter CIDRs of the networks at remote side >
PersistentKeepalive = 60
SIDE B
[Interface]
PrivateKey = < REDACTED >
Address = 10.64.12.2/24
ListenPort = 51820

[Peer]
PublicKey = < REDACTED >
Endpoint = < SIDE A WAN IP >:51820
AllowedIPs = < Enter CIDRs of the networks at remote side >
PersistentKeepalive = 60

Once I got all that working, on Side B, I found if I went to Firewall -> Rules I couldn't see "Wireguard (Group)", which I could see on Side A. I thought it was a caching issue, but it was not, as the issue persisted when using incognito mode. A reboot of the OPNsense fixed it.

That was a fairly painful experience. At first I used /32s in my "Address" field under the "Local" config, because the documentation implies you must do so. Maybe this documentation should be updated to make it a bit more clear exactly what is needed: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
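The two pitfalls in this post (a /32 mask in the tunnel Address, and AllowedIPs that do not describe the remote side) can be caught before starting the service. The following is an added example, not code from the post or from OPNsense: a small parser for the wg-style config files shown above plus a lint that checks them, run against a constructed copy of the SIDE A config (placeholder keys, documentation addresses, and 10.12.254.0/24 as the remote LAN).

```python
import ipaddress

# Constructed sample modelled on the SIDE A config in the post (placeholder keys, doc addresses).
SIDE_A = """[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.64.12.1/24
ListenPort = 51820
[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY=
Endpoint = 203.0.113.2:51820
AllowedIPs = 10.64.12.2/32, 10.12.254.0/24
PersistentKeepalive = 60
"""

def parse_wg_conf(text):
    """Minimal wg(8)-style INI parser -> ({interface keys}, [{peer keys}, ...])."""
    iface, peers, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            cur = iface if line.lower() == "[interface]" else {}
            if cur is not iface:
                peers.append(cur)
            continue
        key, _, value = line.partition("=")  # first '=' only: base64 keys end in '='
        cur[key.strip().lower()] = value.strip()
    return iface, peers

def lint_site_to_site(text, remote_tunnel_ip):
    """Flag the site-to-site pitfalls discussed in the thread; returns finding strings."""
    iface, peers = parse_wg_conf(text)
    remote = ipaddress.ip_address(remote_tunnel_ip)
    local = ipaddress.ip_interface(iface["address"].split(",")[0].strip())
    findings = []
    if local.network.prefixlen == local.network.max_prefixlen:
        findings.append("Address uses a /32 host mask; use the tunnel subnet mask (e.g. /24)")
    if remote not in local.network:
        findings.append(f"remote tunnel IP {remote} is outside local tunnel subnet {local.network}")
    for n, peer in enumerate(peers, 1):
        allowed = [ipaddress.ip_network(a.strip())
                   for a in peer.get("allowedips", "").split(",") if a.strip()]
        if not any(remote in a for a in allowed):
            findings.append(f"peer {n}: AllowedIPs does not cover {remote}; cryptokey routing drops its packets")
        if any(local.ip in a for a in allowed):
            findings.append(f"peer {n}: AllowedIPs contains our own tunnel IP {local.ip} (sides swapped?)")
    return findings
```

An empty list from `lint_site_to_site(SIDE_A, "10.64.12.2")` means the config passes; swapping the Address to /32 or listing your own tunnel IP under AllowedIPs, as in the earlier attempts, produces findings.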
#3
Hi all,

I have tried using this guide https://www.youtube.com/watch?v=RoXHe5dqCM0 and also read this https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html, but I cannot get my site-to-site WireGuard to even start.

Side A is running
OPNsense 22.1.10_4-amd64
os-wireguard   1.11
wireguard-go   0.0.20220316_2,1
wireguard-tools   1.0.20210914_1

Side B is running
OPNsense 22.7.6-amd64
os-wireguard   1.12
wireguard-go   0.0.20220316_6,1
wireguard-tools   1.0.20210914_1

LAN Network of Subnet behind Side A: 10.13.254.0/24
LAN Network of Subnet behind Side B: 10.12.254.0/24

Side A Settings - Local

Name: S2StoSideBLOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.1/24
Peers: SideB


Side A Settings - Endpoint
Name: S2StoSideBEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.12.254.0/24 192.168.0.1/32
Endpoint Address: <IP address of side B>
Endpoint Port:
Keepalive: 60


Side B Settings - Local

Name: S2StoSideALOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.2/24
Peers: SideB


Side B Settings - Endpoint
Name: S2StoSideAEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.13.254.0/24 192.168.0.2/32
Endpoint Address: <IP address of side B>
Endpoint Port:
Keepalive: 60


If I do that, I can't get the WireGuard tunnel to establish. When I check "List Configuration" on Side B, I see no mention of this new local/endpoint. On Side B (where this WG config is the only one), I can see the service is not even starting. If I try to manually start WireGuard:

root@router:~ # service wireguard start
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2 (wg): Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
[#] ifconfig wg1 inet 192.168.0.1/24 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[#] route -q -n add -inet 192.168.0.1/32 -interface wg1
[#] rm -f /var/run/wireguard/wg1.sock

Any ideas?
#4
Confirmed, fixed for me also.
#5
@franco - I see, I have hit that very same bug. I obviously missed that thread and it didn't come up on the googles when I searched.

Anyway, I ran this command (along with a reboot for good measure) and I am now connected with AES_GCM_16 (128) PRF_AES128_XCBC MODP_2048:

pkg add -f https://pkg.opnsense.org/FreeBSD:13:amd64/snapshots/misc/strongswan-kdf.pkg
#6
Also thought I'd add my "hardware": this OPNsense is running as a QEMU VM on Proxmox.

Also, I did some testing of IPsec performance by copying a file from the remote side of the tunnel to my side (SMB file transfer). The remote side has 500 Mbps upload.

I found I couldn't get more than 4 MB/sec (~30 Mbps). I tried adjusting the encryption to AES (128 bits) + SHA256 + DH Group 14 (for both P1 and P2) and found absolutely no change either, same sort of speed.

I've verified that AES-NI is available by checking dmesg as well.

I also did a speed test to the internet. I have a 300 Mbps down and 100 Mbps up connection. That works perfectly: download comes out at 330 Mbps, upload at 90 Mbps.

Obviously something is wrong here. The Ubiquiti ERL (EdgeRouter Lite) would easily do 100 Mbps SMB file transfer over IPsec until CPU bottlenecking.

#7
Long-time pfSense user: I have many pfSense systems I look after, but I am looking to make a switch.

I now have OPNsense 22.1.8_1-amd64 running in my lab. I am trying to connect IPsec to a pfSense running 2.6.0 (latest) using AES-NI acceleration.

I tried setting the same settings on both sides:
OPNsense:
Phase 1
->  Encryption algorithm: 128 bit AES-GCM with 128 bit ICV
->  Hash algorithm: AES-XCBC
->  DH Group: 14

pfSense:
Phase 1
-> Algorithm: AES128-GCM
-> Key Length: 128 bit
-> Hash: AES-XCBC
-> DH Group: 14

But if I apply this, the IPsec phase 1 won't connect. The pfSense side shows a timeout, and the OPNsense side shows "key derivation failed".

If I set the "Hash" to SHA, i.e. SHA512, on both sides (P1 & P2) it will connect. Why won't it connect with AES-XCBC on both sides?

Some log output below. Any ideas?



2022-06-04T16:08:22 Informational charon 09[NET] <108> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:22 Informational charon 09[ENC] <108> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:22 Informational charon 09[IKE] <108> key derivation failed
2022-06-04T16:08:22 Informational charon 09[IKE] <108> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:22 Informational charon 09[CFG] <108> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:22 Informational charon 09[IKE] <108> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:22 Informational charon 09[ENC] <108> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:22 Informational charon 09[NET] <108> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:18 Informational charon 09[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:18 Informational charon 09[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:18 Informational charon 09[NET] <107> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:18 Informational charon 09[ENC] <107> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:18 Informational charon 09[IKE] <107> key derivation failed
2022-06-04T16:08:18 Informational charon 09[IKE] <107> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:18 Informational charon 09[CFG] <107> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:18 Informational charon 09[IKE] <107> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:18 Informational charon 09[ENC] <107> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:18 Informational charon 09[NET] <107> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:16 Informational charon 09[NET] <106> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:16 Informational charon 09[ENC] <106> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:16 Informational charon 09[IKE] <106> key derivation failed
2022-06-04T16:08:16 Informational charon 09[IKE] <106> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:16 Informational charon 09[CFG] <106> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:16 Informational charon 09[IKE] <106> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:16 Informational charon 09[ENC] <106> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:16 Informational charon 09[NET] <106> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:15 Informational charon 13[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:15 Informational charon 13[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:14 Informational charon 13[NET] <105> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:14 Informational charon 13[ENC] <105> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:14 Informational charon 13[IKE] <105> key derivation failed
2022-06-04T16:08:14 Informational charon 13[IKE] <105> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:14 Informational charon 13[CFG] <105> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:14 Informational charon 13[IKE] <105> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:14 Informational charon 13[ENC] <105> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:14 Informational charon 13[NET] <105> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:12 Informational charon 13[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:12 Informational charon 13[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:12 Informational charon 13[NET] <104> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:12 Informational charon 13[ENC] <104> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
2022-06-04T16:08:12 Informational charon 13[IKE] <104> key derivation failed
2022-06-04T16:08:12 Informational charon 13[IKE] <104> KDF_PRF with PRF_UNDEFINED not supported
2022-06-04T16:08:12 Informational charon 13[CFG] <104> selected proposal: IKE:AES_GCM_16_128/PRF_AES128_XCBC/MODP_2048
2022-06-04T16:08:12 Informational charon 13[IKE] <104> 126.33.25.61 is initiating an IKE_SA
2022-06-04T16:08:12 Informational charon 13[ENC] <104> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2022-06-04T16:08:12 Informational charon 13[NET] <104> received packet: from 126.33.25.61[500] to 122.23.25.86[500] (456 bytes)
2022-06-04T16:08:11 Informational charon 09[CFG] ignoring acquire for reqid 1, connection attempt pending
2022-06-04T16:08:11 Informational charon 09[KNL] creating acquire job for policy 122.23.25.86/32 === 126.33.25.61/32 with reqid {1}
2022-06-04T16:08:10 Informational charon 09[NET] <103> sending packet: from 122.23.25.86[500] to 126.33.25.61[500] (36 bytes)
2022-06-04T16:08:10 Informational charon 09[ENC] <103> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
#8
Hi @rene_

EDIT: It appears this was a layer 8 issue :D After taking a couple minutes to boot up, I got an IP after plugging in my laptop to the ethernet port of the Pi. Thanks @rene_ for all your work on this!

I have finally managed to get a Raspberry Pi 3B+ (lots of supply issues due to the coronavirus). But unfortunately I haven't had much success.

Downloaded the image OPNsense-201911290406-OpenSSL-arm-aarch64-RPI3.img.gz, unzipped it and wrote it to the SD card from my Mac using this command:

dd if=OPNsense-201911250722-OpenSSL-arm-aarch64-RPI3.img of=/dev/disk2 bs=1m conv=sync

After doing this, I put the SD card into my Pi 3B+, but I get a solid red light, no image on screen and no IP address if I plug my laptop into the network port. I have also tried build 201911290406 (the latest one), with the same results. I've also tried several different SD cards too (Samsung Evo Plus 32GB).

Any ideas?
#9
Has anyone gotten this working with a Pi 4 w/ 2GB RAM?

I wrote rene's image OPNsense-201911290406-OpenSSL-arm-aarch64-RPI3.img.gz to an SD card, but my Pi 4 will not boot. It just shows a solid red light.
#10
Quote from: franco on June 03, 2019, 04:03:20 PM
Long story short, the image for RPI-2 is here https://pkg.opnsense.org/FreeBSD:11:armv6/19.1/OPNsense-19.1-test-OpenSSL-arm-armv6-RPI2.img.bz2

Just tried writing this image to an SD card and booting my Raspberry Pi 2 (which I just dusted off for this purpose), but I can't seem to get this thing to boot up.

I also tried a different SD card in case my first one was faulty. My Pi 2 just shows a red light on boot and won't go any further. I know the Pi works, since I tried the Debian image on it and that works.

Any ideas what could cause that?

Also, I tried building my own by using the instructions shown here (https://nekoprog.github.io/pieSense/), but obviously something went wrong and unfortunately no image was produced. I'm a bit lost as to where to go from here.