Messages

for those having the issue.  do you have 2 servers checked?

i have frequently had that issue.  but if i uncheck one server so only one is utilized.   i never had the issue again.

i am not on 25.7 yet but have that issue on the latest Business Edition and have for some time.   

Some time in October? Because 25.10 ...

surely there will be an update before then.   sitting on 8 vulnerabilities and have been for over a month 

I migrated to Kea probably a year ago on business edition. but now I am reading : but without Dnsmasq DHCP support
and the recent captive portal backend switch.

https://forum.opnsense.org/index.php?topic=47329.0

will DNSMasq eventually be added to the business edition?   

no dns over DOT?    yikes.    kea and unbound sound better and better to me all around

i posted a thread a couple weeks ago as well.  i never could get it resolved.
but when the new business edition was released i upgraded and it still works...

here is my question.  what version of Wireguard is Opnsense running?     here is says unknown for free bsd :  https://www.wireguard.com/install/#freebsd-kmod-userspace-go-tools

Updated to the latest business edition from previous business edition

Zero issues whatsoever
-shrug

interesting.  I've noticed weirdness since I've used kea.

i turned this setting off. we will see if that clears up some it

"ISC is going to be removed.
DNSmasq DHCP is the recommended replacement for small installations."

i wish i had read/ known that before i moved to kea...

i guess this means my old reliable dec670 1gb is end of life if its no longer receiving bios updates?

i am not sure what this means from the release notes:

unbound: move whitelist (passlist) handling to Unbound plugin

the last time unbound wasn't working right for me after an update. i had to do a full firewall reboot.  i am sure this is different

mullvad is going to say your are leaking, because you are not using their servers.

to test quad 9 use this link:  https://on.quad9.net/

cloudflare:  https://one.one.one.one/help/

using 2 different "services" is going to give you mixed replies...

good luck with your setup

I tried with proton. I am not using kea and still using isc. kea for me was buggy and so stayed with isc, as long as possible.

WG handshakes are fine and my isp gateway is working fine. I can see in firewall live logs the devices connected to wg interfaces are all allowed to go out and so firewall rules seems also not a problem. In gateway, dpinger is showing gateway down for wg gateways, tested with different monitor ips. isp gateway shows as up though when different ips are used as monitors.

I tried now with the existing config.xml in 25.1 live environment and its still the same. No internet to wg interface.

I am not able to pin point where the issue is and it only started to show up ever since upgrade to 25.3. Before that all was working fine. Any help is appreciated.

all my tunnels show up online.  the monitoring IP address is the gateway of the tunnel.
i started a thread under VPN>  about MTU.    i think part of this is MTU related.  but i am not updating a 5th time as i just reupped my business license

open the interface for the tunnel, and manually change the MTU entry to 1400 and see if it resolves the issue for you?   if not try 20 increments lower

OPNsense 24.10.2_6-amd64
FreeBSD 14.1-RELEASE-p7
OpenSSL 3.0.15


I've come to the conclusion that settings(5a) the manual here are being ignored : https://docs.opnsense.org/manual/how-tos/wireguard-client.html

I've tested this theory by checking system > routes > stats.    all my tunnels are 1420 which is I guess the OPNsense default wireguard MTU?   even when I have 1320 set under the normalization rule.

I then added a MTU setting to the Wireguard tunnel > instance > advance tab.     restarted the tunnel even rebooted the firewall.  and under routes > stats its still set to 1420.

I then found   by opening the interface of the tunnel.  and adding a number to MTU, and by not even restarting the tunnel.    the routes > stats is show THAT number I inputted.

1.   where is the correct location to change the MTU setting for Wireguard tunnels
2.  is system>routes > stats  really the correct location to show the currently active MTU setting for those instances?

@DEC670airp414user: I might also be facing similar issues since this week when i updated to 25.1.3, though i am on community version and not business edition. Previously wireguard (wg) was working without any issues. After upgrade, devices connected to wg gateway pointing to vpn provider is not able to reach out to any websites.

I have separate wg interface for local network access from outside and i am able to use that wg to connect and access. This shows the inbound is working and so my assumption is wg in opnsense is working.

Not sure whether this issue is specific to Opnsense gateway or vpn provider.

Azirevpn is who that tunnel is through.   who are you using, and are you using Kea?

my business license expired within the last week if this troubleshooting.   and i will always subscribe even as a home user to support the project... i even have an official appliance that is 3 years old.

i reupped at 170 dollars.  and went back to using the license and everything works.

Franco recently posted in April Business Edition will be upgraded to 25.   at that time i plan to download the latest BE and write it to a new usb drive.    and start from complete scratch on the official appliance.      i just don't have the time to do that while my entire home network is down.

i had high hopes once changing Kea to  Auto collect option data.    but its still not fully fixed.    i really don't want to try ISC again

Done: https://forum.opnsense.org/index.php?topic=45616.msg232141#msg232141

updated.   did not reboot
unbound stopped and stopped reporting blocklists.  in fact it showed wiped out (thats a first for me)
i restarted the service and all was well again.

i believe ill set opnsense to reboot upon successful updates going forward as i did not reboot.

i upgraded again to 25.12 4th times i believe

and my tunnels do not work again,  i changed default MTU clamping. 1300 all the way up to 1400 from 1320 as the directions

 Nothing resolves this

 i can't believe i am the only person having this issue
i plan to reupp my Business license(it literally just expired) when i get home tonight and roll back to the latest Business Edition on my DEC Appliance

i think i may have found what the issue is.  i have not upgraded again to confirm but was having similar issues loading
Alma and Rocky and Debian linux on a few test boxes over the weekend.   all the boxes work normally with Ubuntu pro or PopOS loaded and have for YEARS!
the same issue would happen on Alma, rocky, debian:  during install the device would recognize the nic and get an IP address but could not download updates or load websites once on the desktop..    evening though the device had the default gateway listed as a DNS server.  and unbound IS set to listen on those interfaces.

i found the issue was actually Kea:

before i moved to kea i would statically assign DNS addresses to devices  so the gateway IP would be first, and then a another IP address would be listed for a alternate internet service provider.     i did this with Kea last year and continued to go that route

i found IF i checked i think its auto collect instead of adding the DNS servers manually to the devices.  everything worked normally.
i would then Edit the network card properties and add the DNS server on the device itself for it to work afterwards.

not sure if i will upgrade.  but i am happy at least my test boxes issue is resolved again, and can work on wireguard again