Messages - tessus

#1
Quote from: Patrick M. Hausen on November 09, 2025, 07:53:28 PM
Quote from: tessus on November 09, 2025, 07:49:56 PM
Running the cron job every minute is probably a strain on the system.

IMHO a cron job once per minute that decides there is nothing to do should do no harm. A minute is an eternity in CPU time.

Thanks, I will set it up.

"A minute is an eternity in CPU time." Totally agree, but I haven't checked how these cron actions are actually written. Python, PHP, ...? The first 2 come with quite some overhead, since the interpreter has to be loaded every time. This means I could have a spike every minute. But I guess I'll see.
#2
Quote from: Patrick M. Hausen on November 09, 2025, 12:12:34 PM
"Renew DNS" means "restart that connection so it will do a fresh DNS lookup".

Ok, then it makes sense and I agree with you: the wording is a bit off. ;-)

Quote from: Patrick M. Hausen on November 09, 2025, 12:12:34 PM
So you get your restart. Did you try that cron job, yet?

Not yet, because I do not know how often I should run it (and my GW hasn't gone down since). Running the cron job every minute is probably a strain on the system. 15 minutes could leave my VPN dead for 14 minutes and 59 seconds in the worst case. While I agree with you that it is a workaround and might solve the issue, it is not as useful as triggering a command/action if the gw goes down.
I read up on dpinger and it seems that commands can be triggered and run, but I suppose that functionality was not added to opnsense.
I will open a feature request.

Quote from: DEC670airp414user on November 09, 2025, 01:26:19 PM
for a vpn instance I've added multiple "peers" to it. thinking if the first one goes down, it will connect to the next peer.

I first thought so as well and I have even created another peer but left it disabled. Because according to the Wireguard architecture peers are always active when enabled, unless I misunderstood it. Afaik there is no setting in Wireguard to allow for fail over connections. This means both are active (which counts towards your concurrent connections) and I have no idea what this does to sessions. e.g. if you connect to a web site every packet could come from either one of two IP addresses (or how many peers you have set up). This will certainly raise a flag, if continuous packets have alternate IP addresses in their TCP headers.
#3
I am sorry to bump this again, but both answers don't work, because the mentioned options do not exist.

The situation I described isn't a far-fetched theoretical problem, but a real-life possible scenario that is actually quite common for a router/firewall: if gw is down, run a script or trigger an action.
#4
25.7, 25.10 Series / Re: WireGuard VPN Inconsistent
October 28, 2025, 11:09:30 PM
Welcome to OPNsense. ;-)

Alright, let's try to tackle this. First I need a bit more info. You mentioned "WireGuard VPN on the desktop running OPNsense". Usually OPNsense is running on the edge router (the one that is connected to the Internet).

Internet <--> OPNsense <--> home network (proxmox, NAS, other clients)

But your statement points to something like: Internet <--> ??? <--> home network (OPNsense, proxmox, NAS, other clients)

Can you please clarify your topology?

I use Wireguard myself to access my network from the outside (road warrior setup).
For the sake of argument and the following examples, let's use 10.20.30.1 as your wireguard instance's tunnel address and 51820 as the port. Clients will then use 10.20.30.2 to 10.20.30.254. Your home network uses 192.168.1.0/24.
There are a few things to be aware of:

1) You need one WAN rule to let traffic in to the Wireguard port
Protocol: IPv4 UDP | Source: * | Port: * | Destination: WAN address | Port: 51820 | Gateway: *
2) On your Wireguard interface (e.g. WG0) you need rules to specify what clients are allowed to access in your network
e.g. the client with IP address 10.20.30.2 is allowed to access your entire network
Protocol: IPv4 | Source: 10.20.30.2 | Port: * | Destination: * | Port: * | Gateway: *
3) The "Allowed IPs" setting on the wireguard client determines which traffic uses the Wireguard connection. Thus make sure your tunnel address and your home network are included.
AllowedIPs = 192.168.1.0/24, 10.20.30.1/32
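An added example (not from the post above, nor OPNsense code) that models point 3: WireGuard's cryptokey routing only sends a packet down the tunnel when its destination matches an AllowedIPs prefix. It uses the post's addresses (10.20.30.0/24 tunnel, 192.168.1.0/24 home LAN, port 51820); the client config text, the placeholder keys and the hostname vpn.example.com are constructed for the example.

```python
import ipaddress

# Constructed road-warrior client config for this example (placeholder keys, not real ones).
GOOD_CONF = """\
[Interface]
Address = 10.20.30.2/32
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY

[Peer]
PublicKey = PLACEHOLDER_OPNSENSE_PUBLIC_KEY
Endpoint = vpn.example.com:51820
AllowedIPs = 192.168.1.0/24, 10.20.30.1/32
"""

# Same client, but the home LAN was forgotten in AllowedIPs (the common mistake).
BAD_CONF = GOOD_CONF.replace("AllowedIPs = 192.168.1.0/24, 10.20.30.1/32",
                             "AllowedIPs = 10.20.30.1/32")

# What the client must reach through the tunnel: the tunnel address and the home network.
REQUIRED = ["10.20.30.1/32", "192.168.1.0/24"]


def parse_allowed_ips(conf_text):
    """Collect every AllowedIPs prefix from the [Peer] sections of a wg config."""
    nets = []
    for line in conf_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "AllowedIPs":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets


def routes_via_tunnel(allowed, dst):
    """Cryptokey routing: the packet enters the tunnel only if its destination
    falls inside some AllowedIPs prefix; otherwise it follows the normal route."""
    addr = ipaddress.ip_address(dst)
    return any(addr.version == n.version and addr in n for n in allowed)


def missing_from_allowed_ips(conf_text, required=REQUIRED):
    """Return the required networks that no single AllowedIPs prefix fully covers."""
    allowed = parse_allowed_ips(conf_text)
    return [cidr for cidr in required
            if not any(ipaddress.ip_network(cidr).version == n.version
                       and ipaddress.ip_network(cidr).subnet_of(n) for n in allowed)]


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, "config is missing:", missing_from_allowed_ips(conf))
```

Traffic to the rest of the Internet (e.g. 8.8.8.8) is not covered by either config, so it bypasses the tunnel: this is a split-tunnel setup, as the post describes.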

#5
@BrandyWine can you please let me know where I can find the option "Execute command on gateway failure"? It is not in the advanced gateway options. Are you using a patched version of OPNsense? If so, how do I get that patch? If not, how can you have that option, when I do not?
#6
This would have been exactly what I was looking for. Well, and how to actually restart a wg2 instance on OPNsense via the command line. I certainly can't do a: systemctl restart wg-quick@wg2
#7
Unfortunately there is no "Execute command on gateway failure" in my advanced section for gateways. I am using OPNsense 25.7.6-amd64.

These are the ones available after I slide the advanced button (image available for 7 days):

#8
Thanks for the reply.

I checked the cron jobs before posting and the ones related to wg are:

- Renew DNS for Wireguard on stale connections
- Restart Wireguard

Both of which are not what I want. Restarting all my wireguard connections unconditionally is rather interrupting and I won't do that.
And renewing the DNS won't help, if wireguard is wonky in the first place.

But let's say there was a "Restart Wireguard instance on stale connections", how often would I run that? Every minute?
I need some other trigger. e.g. a hook to run a script when a gw goes down, or something like that. But then I still need to know how to restart a specific wireguard instance on FreeBSD and/or OPNsense. I am great on Linux but rather inexperienced with FreeBSD.
#9
It might sound like a VPN issue, but my workaround seems more like a question for this forum.

Short description: I am using 3 wireguard instances, one of which is for a VPN provider I use and I have also set up a GW which is used by specific clients in my network. All good. Works great.
However, today my network showed that this GW was offline (red status dot). My fix was to disable and then enable this wg2 instance. Aaaand, it became green again.

So here is my question: how do I automate the restart of the wg2 instance, if the gateway (of the interface assigned to wg2) goes down?

Before using Wireguard to connect to my VPN provider, I used OpenVPN and for some reason the openvpn connection and the gateway always recovered by itself. But the Wireguard GW does not recover on its own. Strange, because wireguard is actually great at becoming automatically online again after issues with an endpoint.
I suspect it is rather complicated to find out why the gateway does not recover or why the Wireguard instance seems to be in a wonky state. (Should it happen again, I will collect as much info as possible. Maybe opening a topic in the VPN forum is then warranted.)

Anyhoo, restarting the wg2 instance is an easy fix, but it has to happen automatically. I just do not know how. Any ideas, pointers, black magic rituals?
#10
Thanks for the replies. Before I submit a feature request, I'd like to hear from the devs whether this is something they'd consider. I do not like to create unnecessary cognitive load on people who are already busy with maintaining a product that also has a roadmap for future releases.

It's also a matter of priority. afaik this type of filtering is only used in the live view page, thus its reusability is basically non-existent.
I also do not know how complex this might be. (As I mentioned, I suck as a dev, when it comes to UI and frontend stuff.)
If I were a dev in this project, such a FR would be a rather low priority with a nice-to-have label, unless I could implement it in less than 30 minutes.
#11
I was trying to narrow down the output in Firewall -> Log Files -> Live View, but noticed (to my surprise) that I can either use AND or OR operators, but not a combination of both and parentheses.

Is there any way this will be added in the future or is this not useful to others? e.g. for me it is impossible to retrieve the info I want.

But I understand that it might be a GUI issue to set () and OR and AND and thus cannot be easily implemented. But I think I might have an idea: next to the apply button there could be other buttons for (, ), OR, AND
Apply just adds the current filter to the active filter, if you want to add additional ones, you have to use one of the other buttons first (and then apply to add the expression).
That seems doable.

I would love to implement this myself, but I suck at UIs and frontend stuff.

#12
Quote from: franco on October 22, 2025, 09:30:13 PM
This is the new maximum default since 25.7.5. It's calculating now based on available RAM.

Yep. My point was rather that the test was quirky:

$cnf = Config::getInstance()->object();
if (!empty($cnf->system->maximumtableentries) && $cnf->system->maximumtableentries >= 2000000) {

There are 2 things I want to give feedback on and please forgive my ignorance since I don't know the internals.

So this cnf object holds all the settings. Of course cnf->system->maximumtableentries is empty, since nothing is set. How do I get the effective value? e.g. the UI shows that my system uses 10000000 so that info must be available.

For a proper test the above code shouldn't test for !empty &&, but check_effective_value(maximumtableentries) > 2000000 ||

Quote from: Q-Feeds on October 22, 2025, 09:52:43 PM
Aah that's some leftover code from the beta version. We've removed it from the code now all together. To clean it you can run these commands:

Thanks, that did it. I did not even have to restart the webgui.

I am not sure I follow though. Leftover? So the file was not in the code, but still in the package? Or did you remove it from the code, after 1.2 was released?
#13
Unfortunately I still get the warning:

Quote: QFeeds requires additional memory to be reserved for aliases. Please increase `Firewall Maximum Table Entries` in `Firewall: Settings: Advanced` to at least 2 million items.

I am using a blank setting (default) which amounts to 10,000,000 on my system. When I set it manually the warning disappears. As soon as I remove it so that the default is used, the warning shows up again.

@Q-Feeds Can you please point me to the part of the source code that does this check? IMO this check only looks for a value in that field. But if a value is not set, the test does not check what the default and thus the effective value actually is.
#14
I am getting a warning:

Quote: QFeeds requires additional memory to be reserved for aliases. Please increase `Firewall Maximum Table Entries` in `Firewall: Settings: Advanced` to at least 2 million items.

However, when I check my settings, it is blank and my default is 10,000,000. (Note: Leave this blank for the default. On your system the default size is: 10000000)

I'd rather not set a value there, but go with my default which is already 5 times the value the QFeeds plugin requires.
#15
I am not able to change my email address on the TIP web site.

I have noticed that the notifications are sent to the email I registered with. However, I usually like to add a modifier so that it is easier to filter. e.g. user+qfeeds@example.com