Messages - DEC670airp414user

#1
I posted a thread a couple weeks ago as well. I never could get it resolved.
But when the new business edition was released I upgraded and it still works...

Here is my question: what version of WireGuard is OPNsense running? Here it says unknown for FreeBSD: https://www.wireguard.com/install/#freebsd-kmod-userspace-go-tools
#2
Updated to the latest business edition from previous business edition

Zero issues whatsoever
-shrug
#3
Interesting. I've noticed weirdness since I've used Kea.

I turned this setting off. We will see if that clears up some of it.

"ISC is going to be removed.
DNSmasq DHCP is the recommended replacement for small installations."

I wish I had read/known that before I moved to Kea...
#4
I guess this means my old reliable DEC670 1gb is end of life if it's no longer receiving BIOS updates?

#5
I am not sure what this means from the release notes:

unbound: move whitelist (passlist) handling to Unbound plugin

The last time Unbound wasn't working right for me after an update, I had to do a full firewall reboot. I am sure this is different.
#6
Mullvad is going to say you are leaking, because you are not using their servers.

To test Quad9 use this link: https://on.quad9.net/

Cloudflare: https://one.one.one.one/help/

Using 2 different "services" is going to give you mixed replies...

Good luck with your setup.
#7
Quote from: relcz on March 16, 2025, 11:38:03 PM
I tried with Proton. I am not using Kea and still using ISC. Kea for me was buggy and so I stayed with ISC, as long as possible.

WG handshakes are fine and my ISP gateway is working fine. I can see in firewall live logs the devices connected to WG interfaces are all allowed to go out, and so firewall rules seem also not a problem. In gateway, dpinger is showing gateway down for WG gateways, tested with different monitor IPs. ISP gateway shows as up though when different IPs are used as monitors.

I tried now with the existing config.xml in 25.1 live environment and it's still the same. No internet to WG interface.

I am not able to pinpoint where the issue is and it only started to show up ever since upgrade to 25.3. Before that all was working fine. Any help is appreciated.

All my tunnels show up online. The monitoring IP address is the gateway of the tunnel.
I started a thread under VPN > about MTU. I think part of this is MTU related. But I am not updating a 5th time as I just reupped my business license.

Open the interface for the tunnel, and manually change the MTU entry to 1400 and see if it resolves the issue for you? If not, try 20 increments lower.
#8
OPNsense 24.10.2_6-amd64
FreeBSD 14.1-RELEASE-p7
OpenSSL 3.0.15

I've come to the conclusion that the settings (5a) in the manual here are being ignored: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I've tested this theory by checking system > routes > stats. All my tunnels are 1420, which is I guess the OPNsense default WireGuard MTU? Even when I have 1320 set under the normalization rule.

I then added an MTU setting to the WireGuard tunnel > instance > advanced tab. Restarted the tunnel, even rebooted the firewall, and under routes > stats it's still set to 1420.

I then found, by opening the interface of the tunnel and adding a number to MTU, and by not even restarting the tunnel, that routes > stats shows THAT number I inputted.

1. Where is the correct location to change the MTU setting for WireGuard tunnels?
2. Is system > routes > stats really the correct location to show the currently active MTU setting for those instances?
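The hand-stepped probe suggested in these posts (set the tunnel MTU to 1400, then go down by 20) can be replaced by measuring the largest don't-fragment packet the WAN path carries and subtracting WireGuard's encapsulation overhead; the 1420 seen in routes > stats is exactly 1500 minus the 80 bytes of IPv6 + UDP + WireGuard headers. This is an added example, not code from the thread or from OPNsense; it assumes FreeBSD's ping(8) -D or Linux's -M do for the don't-fragment probe, and the probe target and the simulated path MTU are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): derive a WireGuard interface MTU from the
# path MTU measured between this host and a probe target.

# Encapsulation overhead of one WireGuard packet, by outer address family:
# 32 bytes WireGuard header/tag + 8 UDP + 20 (IPv4) or 40 (IPv6) IP header.
wg_overhead() {
    case "$1" in
        inet6) echo 80 ;;
        *)     echo 60 ;;
    esac
}

# Largest inner MTU the tunnel can carry for a given outer path MTU.
# 1500 over IPv6 gives 1420, the default the route table shows.
wg_mtu_for_path() {
    echo $(( $1 - $(wg_overhead "$2") ))
}

# ICMP payload that yields a packet of the given total size (20 IP + 8 ICMP).
icmp_payload_for() { echo $(( $1 - 28 )); }

# Send one don't-fragment ping of total size $2 to target $1.
# Assumes FreeBSD ping(8) -D or Linux ping -M do for the DF bit.
df_ping_ok() {
    if [ "$(uname)" = FreeBSD ]; then
        ping -c 1 -W 1000 -D -s "$(icmp_payload_for "$2")" "$1" >/dev/null 2>&1
    else
        ping -c 1 -W 1 -M do -s "$(icmp_payload_for "$2")" "$1" >/dev/null 2>&1
    fi
}

# Constructed stand-in for df_ping_ok so the search runs offline:
# pretends the path carries anything up to SIM_PATH_MTU bytes.
simulated_probe() { [ "$1" -le "${SIM_PATH_MTU:-1460}" ]; }

# Binary search the largest size in [lo, hi] that "$3 size" accepts,
# replacing the manual "1400, then 20 lower" stepping.
find_path_mtu() {
    lo=$1; hi=$2; probe=$3; best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if $probe "$mid"; then best=$mid; lo=$(( mid + 1 )); else hi=$(( mid - 1 )); fi
    done
    echo "$best"
}

# Usage: sh wgmtu.sh <probe-target> [inet|inet6]; with no target the simulation runs.
probe=${1:+df_ping_ok $1}; family=${2:-inet}
pmtu=$(find_path_mtu 1280 1500 "${probe:-simulated_probe}")
echo "path MTU $pmtu -> WireGuard MTU $(wg_mtu_for_path "$pmtu" "$family")"
```

Run it against the tunnel's endpoint to get a measured value rather than a guess, then enter that value on the tunnel interface as described above.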
#9
Quote from: relcz on March 14, 2025, 08:47:25 PM
@DEC670airp414user: I might also be facing similar issues since this week when I updated to 25.1.3, though I am on community version and not business edition. Previously WireGuard (WG) was working without any issues. After upgrade, devices connected to the WG gateway pointing to the VPN provider are not able to reach out to any websites.

I have a separate WG interface for local network access from outside and I am able to use that WG to connect and access. This shows the inbound is working and so my assumption is WG in OPNsense is working.

Not sure whether this issue is specific to OPNsense gateway or VPN provider.

AzireVPN is who that tunnel is through. Who are you using, and are you using Kea?

My business license expired within the last week of this troubleshooting. And I will always subscribe even as a home user to support the project... I even have an official appliance that is 3 years old.

I reupped at 170 dollars, and went back to using the license and everything works.

Franco recently posted in April Business Edition will be upgraded to 25. At that time I plan to download the latest BE and write it to a new USB drive, and start from complete scratch on the official appliance. I just don't have the time to do that while my entire home network is down.

I had high hopes once changing Kea to Auto collect option data. But it's still not fully fixed. I really don't want to try ISC again.
#10
24.7, 24.10 Legacy Series / Re: High CVE Patching
March 14, 2025, 10:19:18 AM
Quote from: franco on March 13, 2025, 03:20:35 PM
Done: https://forum.opnsense.org/index.php?topic=45616.msg232141#msg232141

Updated. Did not reboot.
Unbound stopped and stopped reporting blocklists. In fact it showed wiped out (that's a first for me).
I restarted the service and all was well again.

I believe I'll set OPNsense to reboot upon successful updates going forward, as I did not reboot.
#11
I upgraded again to 25.12, 4th time I believe.

And my tunnels do not work again. I changed default MTU clamping, 1300 all the way up to 1400 from 1320 as the directions.

Nothing resolves this.

I can't believe I am the only person having this issue.
I plan to reup my Business license (it literally just expired) when I get home tonight and roll back to the latest Business Edition on my DEC Appliance.
#12
I think I may have found what the issue is. I have not upgraded again to confirm, but was having similar issues loading
Alma and Rocky and Debian Linux on a few test boxes over the weekend. All the boxes work normally with Ubuntu Pro or Pop!_OS loaded and have for YEARS!
The same issue would happen on Alma, Rocky, Debian: during install the device would recognize the NIC and get an IP address, but could not download updates or load websites once on the desktop, even though the device had the default gateway listed as a DNS server, and Unbound IS set to listen on those interfaces.

I found the issue was actually Kea:

Before I moved to Kea I would statically assign DNS addresses to devices, so the gateway IP would be first, and then another IP address would be listed for an alternate internet service provider. I did this with Kea last year and continued to go that route.

I found IF I checked, I think it's auto collect, instead of adding the DNS servers manually to the devices, everything worked normally.
I would then edit the network card properties and add the DNS server on the device itself for it to work afterwards.

Not sure if I will upgrade. But I am happy at least my test boxes' issue is resolved again, and I can work on WireGuard again.

#13
Quote from: meyergru on March 10, 2025, 11:10:05 AM
FWIW: Enabling/disabling the blocklist feature and hitting "Apply" does not change Unbound's behavior immediately - you have to restart it as well. Also, DNS caching might come into play when you test different settings.

Apart from that detail, disabling the blocklist feature works for me.

I'm reading in the manual that you should not have to restart the service. But
https://docs.opnsense.org/manual/unbound.html

Note

Applying the blocklist settings will not restart Unbound, rather it will signal to Unbound to dynamically process the blocklists as soon as they're downloaded. There may be up to a minute of delay before Unbound has loaded everything. During this time Unbound will still be just as responsive.
#14
Quote from: tessus on March 02, 2025, 07:59:25 PM
Quote from: DEC670airp414user on March 02, 2025, 12:29:52 PM
WireGuard is working on the latest BE with zero issues.

What does BE stand for? If you use abbreviations, please use at least the full term once for acronyms that are not immediately clear. If it stands for "build environment", it still lacks specificity, e.g. which build environment, what repo, git hash, ...

Hi, I have seen this posted many times. Paying customers I've seen have listed BE as Business Edition, which is what I am using on the DEC appliance and works perfectly. I've upgraded it 3 times now to 25.1, and WireGuard fails to work reliably.

I then pulled out an old Minnowboard 2-NIC PC and upgraded it to 25.1. Attempted and had the same issue. Factory reset within the console, started over with all new keys, and still have the same issue.
I don't believe it's my fiber line being unstable, as it works perfectly on Business Edition on the same appliance, same cables and switches and access points etc.
I figured I would post if anyone else was having an issue, or any ideas. I've spent 3 days off work trying to figure it out, and cannot.

Per the pictures, everything is correct... to me. And has worked for the many months I've used WireGuard.
It shows connected. If I visit ford.com the website doesn't load. If I visit amd.com the website loads. If I attempt to download anything from DistroWatch, all the files downloaded fail 1/4 of the way. It seems to me an MTU issue. But I've enabled clamping, removed clamping, used all working MTU of 1320, and I still have the issue of constantly websites not displaying even though I CAN ping external sites. But downloads will also never complete.
#15
2nd screenshot
Files are too big...