Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - fabrice

Pages: [1]

Virtual private networks / Missing WireGuard interface addresses on reboot

« on: July 15, 2024, 11:27:49 am »

Hi,

I think I have discovered a bug which would explain why I and other users on the forum are having issues with wireguard / OPNsense.

My setup:

I have quite a few WireGuards I use to segregate my network and since I rebooted my firewall/router all of them can no longer communicate (The firewall blocks everything until the fix bellow). I fixed it as it was the same issue I had a few weeks ago and didn't report at the time.

I am doing the diagnosis on my proxy-lan WireGuard but the issue is on all my used / working WireGuards. I have a few I haven't finished setting up / implemented (They dont have clients / routes yet) and they aren't affected (They show an address on Lobby -> Dashboard -> Interfaces and probably work).

Code: [Select]

Versions:
OPNsense 24.1.10_2-amd64 (But the same issue happened in 24.1.9)
FreeBSD 13.2-RELEASE-p11
OpenSSL 3.0.14

The issue:

So yesterday I was testing my ddns setting so I rebooted my router to test how fast an IP change would be propagated. I didn't change anything at the time in my opnsense settings, I just wanted to test how fast my vps proxy would recover from an IP change / DuckDNS updated route. But that killed all my WireGuards.

All the WireGuards were working before the reboot.

The only abnormal thing I can see is that now on the Lobby -> Dashboard -> Interfaces those interfaces no longer have an address.

The fix:

I can fix it but it requires me to manually go into all the broken WireGuards interfaces and change the tunnel addresses to something else, save, apply and then restore the right address. In this case changing from 10.0.4.1/24 to 10.0.41.1/24 to 10.0.4.1/24 fixes it.

Just removing the tunnel address and re-adding it dosen't work. I really have to save it to some other random address, save and then I can re-add the real address and the second I save all traffic is restored / allowed.

Should I report this somewhere or am I the one doing something wrong ?

Thanks

PS: The screenshots are of the Interfaces section of the Lobby -> Dashboard. The first with the missing address, the second after I saved the VPN -> WireGuard -> Instance to a dummy address and the 3rd when I restored the initial address.

24.1 Legacy Series / Re: 24.1.2 Wireguard does not work after updating

« on: June 15, 2024, 08:27:49 pm »

For those with such issues I suggest adding firewall rules for each wireguard specifically allowing traffic to itself. In my case it solved the handshake but no ping/traffic issues.

Spent a long time debugging and that solution solved my issue. I saw the traffic was getting there with tcpdump but wasn't answering and setting rules, when appropriate, allowing traffic for example from wg0 to/form wg0 solved those issues.

Somehow the default/automatic rules were blocking traffic between the wireguard clients or client / server.

24.1 Legacy Series / API Interfaces Assignments

« on: June 15, 2024, 05:59:07 pm »

Hi,

I am working on some scripts to automate my network management and I am trying to find the api calls for assigning new interfaces. In this case I am trying to assign my new wireguards through the API.

I looked through the documents and also inspected api calls by the web ui and it seems it dosent use an api call but a form submit.

Am I wrong in understanding that assigning new interfaces is currently not supported by the API? Or is it just documented in another section than https://docs.opnsense.org/development/api/core/interfaces.html ?

Thanks

General Discussion / Re: Updates havent been possible in over a year

« on: February 04, 2023, 03:19:34 am »

Entering this on the command line gave me the following message:

Code: [Select]

opnsense-bootstrap -r 22.1

Quote

Must be a FreeBSD 12 release.

General Discussion / Re: Updates havent been possible in over a year

« on: February 02, 2023, 10:04:07 pm »

Code: [Select]

Versions
OPNsense 21.7.8-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021

Well somehow I'm running freebsd 13 with opnsense 21.7.

Must have crashed mid update somewhere and left me with a frankeninstall.

General Discussion / Re: Updates havent been possible in over a year

« on: February 02, 2023, 06:04:05 pm »

Here is what I am doing right now trying to fix this

I enabled ssh on a new admin user
I am running minor updates from command line (This worked!)
I am running 22.1 updates from command line and this seams successful until it reboots back into 21.7.8
Tried about a dozen mirrors with openssh/community to no avail
Tried "pkg bootstrap -f" as the error message was suggesting but that also failed with:

Code: [Select]

pkg: Error fetching http://mirror.sfo12.us.leaseweb.net/opnsense/FreeBSD:13:amd64/21.7/latest/Latest/pkg.txz: Not Found
A pre-built version of pkg could not be found for your system.
Consider changing PACKAGESITE or installing it from ports: 'ports-mgmt/pkg'.

Any suggestions ?

I did backup my config to my google drive account but i'm not sure whats the best way to restore during install.

General Discussion / Updates havent been possible in over a year

« on: February 02, 2023, 05:27:51 pm »

Hi,

I have been using OPNsense for years but since 21.7 I've been unable to update with the error that the mirrors dont exist.

I've postponed this issue for a year as I always lack time and really didn't feel like reinstalling. Now I finally decided to tackle this issue as my ISP needs me to adjust other things anyways.

So I am getting the error message that the mirror dosent exists on either default or any mirror I've tried (See screenshot).

Is there anyways I can fix this and update or do I really need to reinstall ? If so whats the best way to backup and restore my config in the reinstall process ?

Thank you in advance.

Pages: [1]