Messages - mcouture

#1
High availability / HA with single WAN mac/ip
December 13, 2024, 09:24:38 PM
I would like to set up 2 FWs with CARP or otherwise to run in HA mode, mainly to support upgrades, i.e.: patch the backup, then move primary to backup and patch the master. CARP should cover this; however, I only have access to 1 "authorized" MAC address/IP address. Will I have to tell my ISP the CARP MAC address is the only authorized MAC address?
#2
The upgrade from 24.1 to 24.7 went flawlessly... Thank you!!

I'm trying to remove old plugins that no longer exist (os-wireguard). I ran the automatic resolver; however, it doesn't remove it from the list. How do I get this removed???
#3
Quote from: newsense on October 19, 2023, 03:14:11 AM
Do you have the IP and GW set on the  WG interface(s) ?

This should get you going. If it works, apply the same changes on the other sites before upgrading.


https://forum.opnsense.org/index.php?topic=36403.msg177980#msg177980

I have the WG tunnel address set... I cannot set IP/GW on the interface as it says I cannot assign an IP to a tunnel.
#4
OpnSense to OpnSense

I have 1 site that is the main site and it connects to 3 remote sites.
The main site has been upgraded and since 'broke' all WG VPNs.
In testing on 2 of the remote sites, I'm easily able to make WG VPNs between them; however, I cannot make any WG VPN work on the main site. No handshakes, and an "Adding wg route fails returned exit code '1'..." error in the logs as well....
#5
Can someone dumb-down the explanation of the/a work-around for WG site-to-site? WG used to work great until a couple of releases ago for me. Now it's not at all... same issues as what is provided in this thread. Greatly appreciated!

#6
Well darn it all....I knew I was missing something!

I had the keys messed up in my last 2 WireGuard tunnels and they were not started. Once I fixed the keys, the interfaces showed up!

Thanks for the help!
#7
Running the latest version of OPNsense.

Trying to create 3 separate WireGuard VPNs, using separate interfaces.

Created the first WireGuard VPN and interface just fine.

Created the second WireGuard VPN and no interface is shown (even though the WireGuard screen shows "wg2").

Created a third WireGuard VPN and again no interface is shown to assign to... WireGuard shows this as "wg3".

#8
Still can't figure out why it isn't working...

Site1 - OpnSense

interface: wg2
  public key: <<removed "P1">>
  private key: (hidden)
  listening port: 51840

peer: <<removed "P2">>
  endpoint: xxx.xxx.xxx.xxx:51840
  allowed ips: 192.168.200.0/24, 10.11.3.2/32
  transfer: 0 B received, 444 B sent
  persistent keepalive: every 10 seconds


Site2 - PFSense
interface: tun_wg0
  public key: <<removed "P2">>
  private key: (hidden)
  listening port: 51840

peer: <<removed "P1">>
  preshared key: (hidden)
  endpoint: xxx.xxx.xxx.xxx:51840
  allowed ips: 172.18.1.0/24, 10.11.3.1/32
  transfer: 61.57 KiB received, 38.42 KiB sent


* Notice the peer at site one isn't receiving but is sending data....

** Firewall rules on both sites are OK: UDP port 51840 is open on the WAN interface and the WireGuard interface has <any><any> rules in place.

Any suggestions on where to look next?
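As an added example (not from the post, and not OPNsense or pfSense code), here is a small Python checker that parses two "wg show"-style dumps in the format pasted above and cross-checks them the way one would by eye: does each side list the other side's interface public key as a peer, does the endpoint port match the other side's listening port, and is a peer sending while receiving nothing (the symptom in the post). The keys (P1_PLACEHOLDER, P2_PLACEHOLDER) and endpoint addresses (203.0.113.x) are constructed placeholders standing in for the redacted values.

```python
"""Cross-check two WireGuard peers from their `wg show` output (added example)."""
from dataclasses import dataclass, field

# Constructed sample dumps, shaped like the post's Site1/Site2 output.
SITE1 = """\
interface: wg2
  public key: P1_PLACEHOLDER
  private key: (hidden)
  listening port: 51840

peer: P2_PLACEHOLDER
  endpoint: 203.0.113.20:51840
  allowed ips: 192.168.200.0/24, 10.11.3.2/32
  transfer: 0 B received, 444 B sent
  persistent keepalive: every 10 seconds
"""

SITE2 = """\
interface: tun_wg0
  public key: P2_PLACEHOLDER
  private key: (hidden)
  listening port: 51840

peer: P1_PLACEHOLDER
  preshared key: (hidden)
  endpoint: 203.0.113.10:51840
  allowed ips: 172.18.1.0/24, 10.11.3.1/32
  transfer: 61.57 KiB received, 38.42 KiB sent
"""

UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


@dataclass
class Peer:
    public_key: str
    endpoint: str = ""
    allowed_ips: list = field(default_factory=list)
    rx_bytes: int = 0
    tx_bytes: int = 0


@dataclass
class Interface:
    name: str
    public_key: str = ""
    listen_port: int = 0
    peers: list = field(default_factory=list)


def parse_bytes(text):
    """'61.57 KiB' -> 63047 (integer bytes)."""
    num, unit = text.split()
    return int(float(num) * UNITS[unit])


def parse_wg_show(text):
    """Parse one interface block with its peers; unknown lines are ignored."""
    iface = None
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, val = line.partition(":")  # first ':' only, endpoints keep their port
        key, val = key.strip(), val.strip()
        if key == "interface":
            iface = Interface(name=val)
            cur = iface
        elif key == "peer":
            cur = Peer(public_key=val)
            iface.peers.append(cur)
        elif key == "public key" and isinstance(cur, Interface):
            cur.public_key = val
        elif key == "listening port":
            cur.listen_port = int(val)
        elif key == "endpoint":
            cur.endpoint = val
        elif key == "allowed ips":
            cur.allowed_ips = [s.strip() for s in val.split(",")]
        elif key == "transfer":
            rx, tx = val.split(",")
            cur.rx_bytes = parse_bytes(rx.replace("received", "").strip())
            cur.tx_bytes = parse_bytes(tx.replace("sent", "").strip())
    return iface


def endpoint_port(endpoint):
    return int(endpoint.rsplit(":", 1)[1])


def check_pair(a, b):
    """Return human-readable findings for the tunnel between interfaces a and b."""
    findings = []
    for local, remote in ((a, b), (b, a)):
        peer = next((p for p in local.peers if p.public_key == remote.public_key), None)
        if peer is None:
            findings.append(f"{local.name}: no peer entry matches {remote.name}'s public key "
                            f"{remote.public_key} (key copied wrong?)")
            continue
        if endpoint_port(peer.endpoint) != remote.listen_port:
            findings.append(f"{local.name}: endpoint port {endpoint_port(peer.endpoint)} != "
                            f"{remote.name} listening port {remote.listen_port}")
        if peer.tx_bytes > 0 and peer.rx_bytes == 0:
            findings.append(f"{local.name}: sends to {remote.name} but receives nothing; handshake "
                            f"not completing (check keys, endpoint, udp/{remote.listen_port} on WAN)")
    return findings


def find_issues(text_a, text_b):
    return check_pair(parse_wg_show(text_a), parse_wg_show(text_b))


if __name__ == "__main__":
    for line in find_issues(SITE1, SITE2):
        print(line)
```

On the sample above the only finding is the one the post describes: wg2 has sent 444 B and received nothing, so the handshake never completed even though the keys and ports line up. Swapping a public key in either dump adds a "no peer entry matches" finding, which is the usual cause when both firewalls otherwise look correct.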
#9
ok, figured there wasn't an issue....just me :-[
#10
I have 2 WireGuard site-to-site VPNs set up already. Both ends are OPNsense. I want to set up a 3rd VPN to a pfSense box and I have not had any luck getting them to handshake (OPNsense to pfSense). Anybody have any issues in this area?

Public keys generated and copied appropriately.

#11
FYI,

I re-enabled the WireGuard plug-in and turned off "Shared Forwarding".

I also realized that this Proxmox host was not running kernel 6.1 as my others are. So I upgraded the kernel.

I am currently at 8 hours of uptime without error. Will continue to monitor this situation...
#12
Quote from: Demusman on January 23, 2023, 05:36:56 PM
Curious what type of nic you're running, Chelsio by any chance?
Wireguard does not like Chelsio for some reason but it is fixed in newer BSD versions.
I'm running Intel i226. 8 ports on this box that keeps panicking. It's running as a virtual NIC in Proxmox, however.

I have 2 other nodes that aren't panicking and still have the WireGuard module enabled (both are i225 and i226 NICs), just no VPN traffic running on them as they are the site-to-site endpoints to this node that I am having trouble with.


#13
If this is what it is, what type of workaround do you suggest in the meantime?

I can try turning off "Shared Forwarding" and/or kmod if you think this would help.

#14
I haven't tried the kmod version yet. I have just found other threads which seem to be close to what I'm seeing, but not sure yet.


kernel trap 12 with interrupts disabled


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0x3b6
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80cdb671
stack pointer           = 0x28:0xfffffe000378fa70
frame pointer           = 0x28:0xfffffe000378fa90
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = resume, IOPL = 0
current process         = 12 (swi1: netisr 0)
trap number             = 12
timeout stopping cpus
panic: page fault
cpuid = 1
time = 1674353202
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe000378f830
vpanic() at vpanic+0x17f/frame 0xfffffe000378f880
panic() at panic+0x43/frame 0xfffffe000378f8e0
trap_fatal() at trap_fatal+0x385/frame 0xfffffe000378f940
trap_pfault() at trap_pfault+0x4f/frame 0xfffffe000378f9a0
calltrap() at calltrap+0x8/frame 0xfffffe000378f9a0
--- trap 0xc, rip = 0xffffffff80cdb671, rsp = 0xfffffe000378fa70, rbp = 0xfffffe000378fa90 ---
tdq_notify() at tdq_notify+0x31/frame 0xfffffe000378fa90
sched_add() at sched_add+0x25c/frame 0xfffffe000378fad0
intr_event_schedule_thread() at intr_event_schedule_thread+0xb8/frame 0xfffffe000378fb00
swi_sched() at swi_sched+0x6b/frame 0xfffffe000378fb40
pfsync_update_state() at pfsync_update_state+0x29d/frame 0xfffffe000378fb90
pf_test() at pf_test+0xfbe/frame 0xfffffe000378fd00
pf_check_in() at pf_check_in+0x25/frame 0xfffffe000378fd20
pfil_run_hooks() at pfil_run_hooks+0x97/frame 0xfffffe000378fd60
ip_input() at ip_input+0x759/frame 0xfffffe000378fdf0
swi_net() at swi_net+0x13e/frame 0xfffffe000378fe60
ithread_loop() at ithread_loop+0x25a/frame 0xfffffe000378fef0
fork_exit() at fork_exit+0x7e/frame 0xfffffe000378ff30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe000378ff30
--- trap 0x80d09430, rip = 0xffffffff80c313af, rsp = 0, rbp = 0 ---
mi_startup() at mi_startup+0xdf
KDB: enter: panic
#15
KMOD is NOT installed.