Messages - dmmincrjr

#1
I posted the response below in the VPN section to a thread I started with the same problem. Hopefully it might help resolve your issue. I was getting the same output as you when I did a wireguard restart from the command line.

I did finally figure out the problem and it was a configuration issue. In the Local tab of the configuration I had the Tunnel IP address as 10.11.0.2/24 and in the Allowed IPs in Endpoints tab had 10.11.0.2/32 which caused a conflict. I also had 192.168.0.0/24 as the local network in the Allowed IPs on the other side of the tunnel. The Allowed IPs should have been 10.11.0.1/32 and once I made that change the tunnel worked. The misconfiguration though did work under 21.7 series so I was assuming my configuration was correct even though it was not. The 22.1 series I guess is less forgiving of this type of configuration error. Unfortunately it took me a long time to figure out the problem so I would go back and double check your configuration and not assume it was correct even if it worked in 21.7 series. I also posted in another thread on the 22.1 Production Series forum my resolution as that was a more active thread than this discussing a similar Wireguard problem. Good luck.
#2
I did finally figure out the problem and it was a configuration issue. In the Local tab of the configuration I had the Tunnel IP address as 10.11.0.2/24 and in the Allowed IPs in Endpoints tab had 10.11.0.2/32 which caused a conflict. I also had 192.168.0.0/24 as the local network in the Allowed IPs on the other side of the tunnel. The Allowed IPs should have been 10.11.0.1/32 and once I made that change the tunnel worked. The misconfiguration though did work under 21.7 series so I was assuming my configuration was correct even though it was not. The 22.1 series I guess is less forgiving of this type of configuration error. Unfortunately it took me a long time to figure out the problem so I would go back and double check your configuration and not assume it was correct even if it worked in 21.7 series. I also posted in another thread on the 22.1 Production Series forum my resolution as that was a more active thread than this discussing a similar Wireguard problem. Good luck.
#3
I'm having an issue where I can't get one interface to start after the upgrade and I can't figure it out as the config file works in 21.7.8 but not after the upgrade. I have 3 sites that I'm using Wireguard to connect and two of those sites I have upgraded to 22.1 and Wireguard worked without issue.

Edit:

I did finally figure out the issue. I had a misconfiguration of the Allowed IPs in the tunnel. The strange thing was the tunnel worked with the misconfiguration in versions up to 21.7.8 for a couple years which is why I had assumed my configuration was correct and something else was the problem.
#4
I'm not trying to hijack a thread but I posted something similar in the VPN forum.

https://forum.opnsense.org/index.php?topic=26797.0

I only received 1 response from someone else who had the same issue. I've continued to try and troubleshoot without any luck. I resolved the package misconfigured in plugins manager hoping that was the problem but no luck. It was after upgrading from 21.7.8 to 22.1 I encountered the problem and reinstalled 21.7.8 with the same configuration and it now works but would like to upgrade.

I'm just posting this in case these are somehow related and will continue to watch this thread.
#5
I wanted to do a fresh install of Opnsense to change to ZFS filesystem and thought this would be a good opportunity so made a backup of my config file and installed 22.1. I then uploaded the config file and thought everything went smoothly until I noticed 1 of the 2 tunnels I have was not active. I have not been able to figure out the problem as I checked to make sure no spaces might have been in the secrets from the reinstall of the config. I even deleted the vpn configuration and reentered and still did not resolve the problem. I also deleted the wg0.conf file as I thought that might remove any trace of the configuration before recreating the tunnel. After spending many hours trying to figure this out finally reinstalled 21.7 and upgraded to 21.7.8. I then reinstalled the config and rebooted and both tunnels were now active. I then attempted to upgrade in place from 21.7.8 to 22.1 and after the upgrade only 1 tunnel is active. It is the same tunnel wg0 that is not active. I did run wireguard restart from the command line and this is the output while running 22.1.

root@turnstone:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] rm -f /var/run/wireguard/wg1.sock
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.11.0.2/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.11.0.2/32 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
[#] ifconfig wg1 inet 10.11.3.2/24 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[#] route -q -n add -inet 10.11.3.1/32 -interface wg1
[#] route -q -n add -inet 192.168.60.0/24 -interface wg1
[+] Backgrounding route monitor
ifconfig: interface wg0 does not exist


I see for wg0 at the bottom this statement rm -f /var/run/wireguard/wg0.sock so it is deleting wg0 where normally there should be my route to an internal IP address of 192.168.0.0/24. I just don't know why it is breaking and the other VPN wg1 is working as the configurations are similar. When I look at the other Opnsense machine on the other side of the VPN it is showing the connection but no traffic is passing and the handshake time just keeps increasing until I restart the wireguard service.

I do have two other sites running Opnsense and upgraded to 22.1 without issue a couple weeks ago so I know it should work. I also noticed right before I'm posting this that the plugin for os-wireguard is showing misconfigured so don't know if that means anything as a couple other plugins also show misconfigured. It is showing installed on the two other sites I have Opnsense running and all running os-wireguard 1.10. Also the hardware at all three sites is identical.

I'm not going to be able to be on site at the location until next weekend but wanted to try and have some things ready to try to fix the problem and need to have this VPN active so any help to fix would be appreciated as I reinstalled 21.7.8 again to have the VPNs working.
#6
I have a site to site Wireguard VPN setup and for the most part it functions without issue. The one issue I have noticed is when I'm at one site and try to access a device's configuration settings via a browser at another site I get a timeout error and it will not connect. As an example I was trying to modify a configuration on a Yealink phone at the main site when I was at the remote site but got a connection timeout in the browser. However I could access a configuration on a Grandstream phone at the main site from the remote site. When at the main site I can access all the device configurations via browser. I can ping the device from the remote site to the main site and get a response with no packet loss so have connectivity. It's not a big deal but sometimes frustrating and just curious what might be preventing me from accessing some device configurations via the browser?
#7
Make sure you don't have any other site to site VPNs enabled while trying to get this to work between the sites. I had an OpenVPN VPN between the two sites up while trying to get this to work and no traffic would pass through the Wireguard VPN. Once I disabled the OpenVPN VPN everything worked.
#8
After much head scratching I finally figured out why I could not get this to work. I have an existing OpenVPN site to site VPN between both sites on the same networks I was trying to use for Wireguard. When I was entering the internal network IP addresses of the remote network in allowed IPs in endpoints the Wireguard VPN would not start when I enabled. Once I turned off the OpenVPN server between the sites I could then enter the local remote IP addresses in allowed IPs and the Wireguard VPN would start and allow traffic to pass as OpenVPN was no longer using the remote LAN network.
#9
I didn't really have time today to work on this but took a look at your website and found a site to site guide. Is this still a good one to follow? https://forum.opnsense.org/index.php?topic=11737.0 In looking at it quickly I know I didn't have all this configured so it might solve my issue if still valid as it looks like it was done in 2019. Thanks.
#10
If I put more than 1 IP address in the allowed IPs in endpoints for the Tunnel IP and my private network then wireguard will not start. I must be doing something wrong. Any way to see a screenshot of your configuration so I can better see what you mean?
#11
Attached are the screen shots.
#12
I have a working site to site VPN using OpenVPN and am considering switching to Wireguard however I cannot seem to get things to work correctly. I have tried to follow a couple setup guides and while I think I now have a connection between the sites as I have output in List Configuration and Handshakes I cannot seem to pass any traffic as I cannot ping anything on my home network. I have also seen a few posts recently where the latest version of Opnsense broke some Wireguard VPNs so not sure if that might be my issue.

I'm trying to go from my office with a static IP to my home with a dynamic IP.

Office LAN network is 192.168.0.1
Office Tunnel Address under Local for Wireguard is 192.168.100.1/24
Office Allowed IPs for Wireguard is 192.168.100.3/32

Home LAN network is 192.168.50.1
Home Tunnel Address under Local for Wireguard is 192.168.100.2/24
Office Allowed IPs for Wireguard is 192.168.100.3/32

Since I have a handshake between the two sites I'm thinking it might be a firewall issue so will attach screenshot of my firewall rules to see if I'm doing something incorrectly. I'm also a little confused about having to create a Wireguard interface. Some things I have read say you do not need to create it but if I don't create it I don't get the option under Rules in firewall for Wireguard. Therefore I have created rules for the interface WG and also for Wireguard so not sure if that is part of the problem.

Any assistance to get this figured out would be appreciated.
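The recurring theme across these posts (#1/#2, #5, #8 and #12) is that WireGuard's AllowedIPs is not a firewall rule but the cryptokey routing table: an outbound packet is sent to the peer whose AllowedIPs contains its destination, and an inbound packet from a peer is dropped unless its source falls inside that peer's AllowedIPs, so the handshake can succeed while no traffic passes. The script below is an added example, not code from OPNsense or from the posts, that cross-checks both ends of a site-to-site tunnel for exactly the three mistakes reported here: a peer's AllowedIPs containing the local tunnel address (post #1, visible as the `route add 10.11.0.2/32` line in post #5's output), AllowedIPs that name neither the remote tunnel address nor the remote LAN (post #12), and AllowedIPs overlapping a prefix already routed by another VPN (post #8). The sample configs are constructed from the addresses quoted in post #12; the /24 LAN prefixes, the key placeholders and the hostname are assumptions.

```python
"""Site-to-site WireGuard AllowedIPs cross-check (added example, not OPNsense code)."""
import ipaddress
from typing import Dict, List, Sequence, Tuple


def parse_wg(text: str) -> Dict[str, object]:
    """Minimal parser for the wg-quick INI dialect: [Interface] Address and [Peer] AllowedIPs."""
    cfg: Dict[str, object] = {"address": None, "peers": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                cfg["peers"].append({"name": f"peer{len(cfg['peers']) + 1}", "allowed": []})
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "interface" and key == "address":
            cfg["address"] = ipaddress.ip_interface(value.split(",")[0].strip())
        elif section == "peer" and key == "allowedips":
            cfg["peers"][-1]["allowed"] = [ipaddress.ip_network(v.strip()) for v in value.split(",")]
    return cfg


def check_site(local: Dict[str, object], remote: Dict[str, object], remote_lan: str,
               other_vpn_routes: Sequence[Tuple[str, str]] = ()) -> List[str]:
    """Findings for one end of a site-to-site tunnel, given the other end's parsed config."""
    findings: List[str] = []
    local_ip = local["address"].ip
    remote_ip = remote["address"].ip
    lan = ipaddress.ip_network(remote_lan)
    foreign = [(ipaddress.ip_network(r), owner) for r, owner in other_vpn_routes]
    for peer in local["peers"]:
        name, allowed = peer["name"], peer["allowed"]
        for net in allowed:
            # Post #1 mistake: wg-quick adds a route for every AllowedIPs prefix, so a prefix
            # holding the interface's own address clashes with the interface address route.
            if local_ip in net:
                findings.append(f"{name}: AllowedIPs {net} contains local tunnel address {local_ip}")
            # Post #8 situation: another VPN already routes that destination.
            for route, owner in foreign:
                if net.overlaps(route):
                    findings.append(f"{name}: AllowedIPs {net} overlaps {route} routed via {owner}")
        # Post #12 situation: the remote tunnel address must be reachable through the peer...
        if not any(remote_ip in net for net in allowed):
            findings.append(f"{name}: remote tunnel address {remote_ip} not in AllowedIPs")
        # ...and so must the remote LAN, or LAN-to-LAN packets never enter the tunnel.
        if not any(lan.subnet_of(net) for net in allowed):
            findings.append(f"{name}: remote LAN {lan} not in AllowedIPs")
    return findings


# Constructed from the addresses in post #12; keys, hostname and LAN /24s are placeholders/assumed.
OFFICE_BROKEN = """
[Interface]
Address = 192.168.100.1/24
PrivateKey = OFFICE_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
[Peer]
PublicKey = HOME_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.100.3/32
"""
HOME_BROKEN = """
[Interface]
Address = 192.168.100.2/24
PrivateKey = HOME_PRIVATE_KEY_PLACEHOLDER
[Peer]
PublicKey = OFFICE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.100.3/32
Endpoint = office.example.invalid:51820
"""
OFFICE_LAN, HOME_LAN = "192.168.0.0/24", "192.168.50.0/24"

# Same tunnel with each end's AllowedIPs naming the *other* end's tunnel address and LAN.
OFFICE_FIXED = OFFICE_BROKEN.replace("192.168.100.3/32", f"192.168.100.2/32, {HOME_LAN}")
HOME_FIXED = HOME_BROKEN.replace("192.168.100.3/32", f"192.168.100.1/32, {OFFICE_LAN}")


def audit(office_text: str, home_text: str,
          office_other: Sequence[Tuple[str, str]] = (),
          home_other: Sequence[Tuple[str, str]] = ()) -> Dict[str, List[str]]:
    """Cross-check both ends and return findings per side."""
    office, home = parse_wg(office_text), parse_wg(home_text)
    return {"office": check_site(office, home, HOME_LAN, office_other),
            "home": check_site(home, office, OFFICE_LAN, home_other)}


if __name__ == "__main__":
    scenarios = [("as posted", audit(OFFICE_BROKEN, HOME_BROKEN)),
                 ("corrected", audit(OFFICE_FIXED, HOME_FIXED)),
                 ("corrected, but OpenVPN still routes the home LAN",
                  audit(OFFICE_FIXED, HOME_FIXED, office_other=[(HOME_LAN, "openvpn")]))]
    for label, result in scenarios:
        print(f"== {label}")
        for side, findings in result.items():
            for finding in findings or ["ok"]:
                print(f"  {side}: {finding}")
```

Run against the "as posted" pair, both ends report that the other end's tunnel address and LAN are missing from AllowedIPs, which is why a handshake shows up but pings go nowhere; the corrected pair is clean, and re-adding an OpenVPN route for the home LAN reproduces the post #8 overlap. The same `check_site` call with a config whose peer AllowedIPs is its own address (the post #1 shape, 10.11.0.2/24 with 10.11.0.2/32) reports the local-address clash.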