Messages - richardk3

#1
Update:  I posted this on the GitHub discussion of multiple instances, and got a quick response from Fingerlessgloves.  After supplying him with some details, he found that, for the multiple gateways to work, the Wireguard instances need to be using different port numbers.  He is modifying the script accordingly.
#2
Hello, everyone.  Now that the FingerlessGlov3s script for configuring PIA Wireguard

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard

supports multiple instances, I'm trying to configure two alternative gateways on my Opnsense router.  Both Wireguard instances have connected properly, but when I add a gateway using the wg1 instance, that gateway will not come online.  I've used the same setting for the wg1 gateway as for wg0. 

I'm not a networking expert by any means, so I've probably missed something obvious.  What am I doing wrong?

I'd really appreciate any help.

#3
Virtual private networks / Re: Phantom wg0 instance
January 11, 2024, 03:11:28 PM
Update:  I may have fixed this by updating to the new script at

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/tree/main
#4
Virtual private networks / Phantom wg0 instance
January 10, 2024, 08:19:40 PM
I've somehow managed to create a phantom wg0 device, and I can't seem to get rid of it.  It is not affecting the operation of the vpn gateway, except that the Dashboard page sometimes shows it as "Offline" when the real wg0 device is actually online.

See the screenshots below.

How can I fix this?  Any help would be greatly appreciated.
#5
Feature request -- although I may be the only one in the world who needs this:

When my router reboots, or the cron job runs with "changeserver", I sometimes lose access to my IPTV streams.  Apparently, the IPTV provider is blocking one or more PIA server IP addresses within the region I'm using.  I can fix it by running the script manually with "changeserver", so that it selects a different PIA server within the same region.

However, it would be nice if the script would accept a blocklist of specific server IP addresses to bypass, perhaps in the json file.

Or...is there a way to accomplish this with the existing script?
#6


Quote:
Error messages are saying they can't connect to the web interface.

Have you changed its port?

Wow, thanks for the instantaneous reply and solution!

I had changed from https to http, and hadn't changed the line in PIAWireguard.json.

It's working now!
#7
Hmm...I've installed the latest version of the script, and it has stopped working for me.  I've done something stupid, I'm sure, but I don't know what.

Can anyone help?

root@OPNsense:~ # /conf/PIAWireguard.py debug
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 169, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 96, in create_connection
    raise err
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/connection.py", line 86, in create_connection
    sock.connect(sa)
TimeoutError: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 353, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.8/site-packages/urllib3/connection.py", line 181, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/conf/PIAWireguard.py", line 202, in <module>
    r = requests.get(f'{opnsenseURL}/api/wireguard/server/searchServer/', auth=(config['opnsenseKey'], config['opnsenseSecret']), verify=urlVerify)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 76, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /api/wireguard/server/searchServer/ (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xcb2553f610>: Failed to establish a new connection: [Errno 60] Operation timed out'))
root@OPNsense:~ #
#8
Quote from: dsfghjkl; on February 12, 2021, 12:42:31 PM
New to OPNsense but had no problem following along the guide and script and got the gateway online  :)   But then, the final step, Step 13 ... fail ... any clues on how to route all LAN traffic over the new wireguard gateway?  Googling just ends up with a spattering of pages that don't match the current version 21.1.1  :(

I followed this guide to set up the firewall rules, and it worked.

https://imgur.com/gallery/JBf2RF6

Hope this helps.
#9
I noticed that a step had been added to the installation docs.  Doing this seems to have fixed the problems I was encountering. 

Last thing we need to set up is maximum MSS for TCP packets, which is 40 bytes smaller than the MTU of WireGuard, by default Wireguard uses 1420 bytes MTU. So we need to set an MSS maximum of 1380. (Without this you may have issues loading websites or slow speeds).
Goto Firewall: Settings: Normalization
     1. Click Add
     2. Interface select "WAN_PIAWG"
     3. Enter Description of "Maximum MSS for PIA WireGuard Tunnel"
     4. Max MSS to "1380"
     5. Save (you will notice it'll now list this as OPT rather than the interface name, don't worry it's still correct, just edit it to verify you made the right selection)
#10
Thanks for all the work on this script!  I followed the instructions, and successfully established a VPN connection with PIA.  I also used this guide to restrict the VPN usage to certain nodes:

https://imgur.com/gallery/JBf2RF6

It worked for me...mostly...

But systems using this connection refuse to connect to certain destinations.  Notably, cnn.com doesn't work.  Also, my Docker containers don't update using Watchtower when using this connection. 

If I connect to PIA using PIA's client app (with Wireguard) on the same computers, everything works.  So something is different when I connect using Wireguard on OPNsense.

Any ideas?