Messages - tracerrx

#1
My CrowdSec is also working just fine after the update. Nothing unusual in the logs.
#2
REMOVED
#3
There doesn't seem to be any way to manually delete/expire an assigned IP address lease. When I change the MAC on a reserved IP it requires waiting until the DHCP lease time expires before Kea will use it (24 hours in my case). Am I missing something?
#4
@Monviech it really looks great and I love how all the VPN widgets look alike now... Great work... BTW congrats on the new job :)
#5
Looks great... Black boxes added for privacy in the screenshot below


#6
You can do the monitoring with Monit easily enough... not sure about the notification other than email though... but under Monit's advanced settings there are some options for logging to another file and an httpd server...

See This Link "Monitor Wiregaurd Tunnel on OPNsense"
https://nicholassaraniti.com/2024/07/30/monitor-wiregaurd-tunnel-on-opnsense/


TL;DR:

Services -> Monit -> Settings -> Service Test Settings
    Add Test
        Name: WG_VPN_ALERT
        Condition: failed ping address INSERT SOURCE IP
        Action: Alert

Services -> Monit -> Settings -> Service Settings
    Add Service
        Enable Service Checks: Checked
        Name: WG_VPN
        Type: Remote Host
        Address: INSERT DESTINATION IP
        Tests: WG_VPN_ALERT
#7
I can confirm that this is happening... I'm not sure it's always sticking to the lowest numbered gateway though... Mine failed from primary (252) to secondary (253)... After primary was back up there was nothing I could do to push traffic back to it... even when disabling the secondary (253) gateway, traffic still flowed through secondary (253) and not primary (252).

The only way to restore traffic back to the primary (252) gateway was to reboot... This was definitely introduced in 24.7.

And yes, all changes were "Applied"... I even restarted the interface multiple times.

In addition, for whatever reason, when multiple gateways are enabled, sometimes after reboot they show down on the dashboard, and the only way to get them in an "UP" status is to edit the gateway, change nothing, and apply.

One final note: with multi-WAN on 24.1 and Starlink you needed "Disable Host Route" checked to be able to use gateway monitoring. On 24.7 Disable Host Route must be UNCHECKED. It doesn't seem to matter for the Xfinity/Comcast (primary) gateway.

I've been able to replicate all the above amongst multiple sites with the same multi-wan setups.
#8
Cool... Sorry, I should have searched the PRs.

Thanks for the hard work!
#9
Would love to see the green horizontal arrows indicating a WireGuard connection/tunnel is active, like the IPsec tunnel widget uses.

I understand WireGuard makes this harder than IPsec to tell if a tunnel is active, but maybe we can say if the last WireGuard handshake is < X the tunnel/connection is active and display the green arrows or dot.
#10
@doktornotor I think it's safe to use 8.8.8.8 to monitor your gateway... While not perfect, it's probably the best most of us can achieve. Google understands they get lots of pings and mostly respond to ICMP way before it actually gets to their DNS servers. If you have a PUBLIC alternative that's as reliable as Google or Cloudflare DNS, I suggest you post it.

This is also why you should make sure you miss more than X pings in a row before considering a gateway down...

My issue appears to be related to "dhcp6c_script: RENEW on igb3 executing"
#11
SOLVED!

Services -> Monit -> Settings -> Service Test Settings
    Add
        Name: WG_VPN_ALERT
        Condition: failed ping address INSERT SOURCE IP
        Action: Alert

Services -> Monit -> Settings -> Service Settings
    Add
        Enable Service Checks: Checked
        Name: WG_VPN
        Type: Remote Host
        Address: INSERT IP TO PING
        Tests: WG_VPN_ALERT
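The Monit recipe in posts #6 and #11 alerts when a ping through the tunnel fails; post #9 suggests the other signal WireGuard itself exposes, the age of the latest handshake. The script below is an added example from the editor, not code from this thread, from OPNsense or from Monit: it reads `wg show <if> latest-handshakes` style lines and exits 0 only if some peer has handshaken within a threshold, so it can be plugged into Monit as a "check program". The interface name wg0, the 120-second threshold, the peer keys and the timestamps in the sample input are all assumptions made up for the example; on a firewall with the `wg` tool installed it reads live data instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense/Monit: decide whether a
# WireGuard tunnel is "up" from the age of its latest handshake, shaped as a Monit
# "check program" (exit 0 = tunnel ok, exit 1 = alert).
# Assumptions (mine, not from the page): interface name wg0, a 120-second
# threshold, and the peer keys/timestamps in sample_input are made up.

WG_IF="${WG_IF:-wg0}"
MAX_AGE="${MAX_AGE:-120}"   # seconds; WireGuard rekeys roughly every 2 minutes while traffic flows

# Constructed stand-in for `wg show wg0 latest-handshakes` output:
# one "<peer public key><TAB><unix epoch of last handshake>" line per peer,
# where epoch 0 means the peer has never completed a handshake.
sample_input() {
    now=$1
    printf 'AAAAfakePeerKeyOne=\t%s\n' "$((now - 30))"
    printf 'BBBBfakePeerKeyTwo=\t%s\n' "$((now - 900))"
    printf 'CCCCfakePeerKeyThree=\t0\n'
}

# check_handshakes NOW MAX_AGE   (reads latest-handshakes lines on stdin)
# Prints a verdict per peer. Returns 0 if at least one peer handshook within
# MAX_AGE seconds, 1 otherwise (no peers, all stale, or never handshook).
check_handshakes() {
    now=$1
    max=$2
    status=1
    while read -r peer ts; do
        [ -z "$peer" ] && continue
        if [ "$ts" -eq 0 ]; then
            printf '%s: never handshook\n' "$peer"
            continue
        fi
        age=$((now - ts))
        if [ "$age" -le "$max" ]; then
            printf '%s: up (handshake %ss ago)\n' "$peer" "$age"
            status=0
        else
            printf '%s: stale (handshake %ss ago)\n' "$peer" "$age"
        fi
    done
    return "$status"
}

# Entry point for Monit: live data when the wg tool is present, otherwise the
# constructed sample so the script can be exercised off the firewall.
tunnel_status() {
    now=$(date +%s)
    if command -v wg >/dev/null 2>&1; then
        wg show "$WG_IF" latest-handshakes | check_handshakes "$now" "$MAX_AGE"
    else
        sample_input "$now" | check_handshakes "$now" "$MAX_AGE"
    fi
}

# Only act when invoked as `wg_check.sh run`, so sourcing the file just
# defines the functions without side effects.
if [ "${1:-}" = "run" ]; then
    tunnel_status
fi
```

To wire it into Monit's native config, a program check along the lines of `check program WG_VPN with path "/usr/local/bin/wg_check.sh run"` followed by `if status != 0 then alert` does the job (the path is an assumption; in the OPNsense GUI the same thing is a service of type Custom pointing at the script). The handshake check complements rather than replaces the ping test from the posts above: a handshake proves the peer is reachable and the keys agree, but only a ping through the tunnel proves that routing on the far side is actually working, so alerting on either signal catches a broader set of failures.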
#12
I want to use Monit to monitor if my WireGuard tunnel is up. But using "Remote Host" with a private IP doesn't seem to work (Monit must be pinging from the WAN). Is there any way to tell Monit to ping a host on the LAN or WG0?

Is there any other suggested way to monitor and get alerted when a WireGuard site-to-site VPN is down?

Setting the SOURCE address works in Diagnostics, but I don't know how to do this in Monit.
#13
I'm also having this problem, but only on IPv6 gateways... and across multiple installs... The IPv6 gateway for all my Starlink connections has to be "edited" then applied before it's considered up. All installs have other default gateways and Starlink IPv4 gateways that don't require this.
#14
Allowing the lease to expire resolved the conflict... But there "should" be a way to manually remove addresses before their expiry in the GUI.
#15
Yes, same issue... The lease should expire sometime tomorrow, which I'm hoping will remove it.