Messages - Sniper_999

#1
For example, users can no longer use the DDNS (ddclient) service to check their public IPs THROUGH THE WIREGUARD INTERFACE (no matter whether in "ddclient" or "native" mode). They can still select the WG Interface as the interface to use, but the IP-checking traffic is actually going out through the WAN Interface/IP, which leads DDNS to grab the public IPs of the direct Internet connection instead of the public IPs through the WireGuard VPN.

My test shows that if I DISABLE the WG Interface while keeping the WireGuard VPN CONNECTED, then DDNS (ddclient) / OPNsense (native) will start to truly use the WG Interface/IP as the Source (even though it's been disabled) to go out to the IP-checking Web/URL to figure out its public IPs, and it becomes working correctly. But unfortunately we simply cannot keep the WG Interface disabled all the time, as we have to use/refer to it in many Firewall rules.
#2
"Could it be that the undefined way of setting a static IPv4 mode on the wireguard assigned interface is causing this?"

Yes, I can confirm that was the root cause for a lot of buggy things related to WG in 23.7.6.


"Functionally there is nothing wrong with setting the tunnel address in the wireguard setting which ends up as the static IPv4 anyway."

Well, it's Yes and No...
Functionally there is nothing wrong with setting the tunnel address in the WireGuard setting for the WireGuard VPN to work normally, but not for some other important features in OPNsense to recognize and utilize the WG assigned Interface correctly.
#3
Quote from: furfix on October 12, 2023, 03:31:09 PM
I have "Disable Host Route" under System >> Gateways, but after a reboot the same Error is shown.

2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.18.0.1' -iface 'wg2'' returned exit code '1', the output was ''
2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.20.0.1' -iface 'wg1'' returned exit code '1', the output was ''


VPN -> WireGuard -> Settings -> Instances -> Edit instance: If "Disable routes" is checked, it will cause the above quoted error.

In "advanced mode" of Edit instance, if you uncheck "Disable routes" but leave a filled "Gateway" IP address there, it will say "You have to enable Disable Routes option." A workaround: Remove/clear the "Gateway" IP first, uncheck "Disable routes", and Save, then re-open Edit instance to add the "Gateway" IP address back and Save. Now the UI will no longer force you to put a check mark on "Disable routes". This trick WILL eliminate the above quoted error; however, the system actually IGNORES your filled "Gateway" IP. The beautiful Gateway IP address is sitting there for nothing. It looks like the UI maker doesn't want "Unchecking 'Disable routes'" and "Filled 'Gateway' IP address" to coexist, just like he/she doesn't want a cat and a dog to coexist in a house. If you already have a cat, then the house doesn't allow you to bring in a dog. But if you already have a dog, the house allows you to bring in a cat? A UI bug to fix?

A lot of problems occur since OPNsense 23.7.6 no longer allows applying a Static IP to any WG tunnel Interface in the "Interfaces" management. If you have created a Gateway based on that WG interface (for monitoring status or for firewall rule use), without changing the WG interface's "IPv4 Configuration Type" to "Static IPv4", you lose the options to put the static "IPv4 address" and select the Gateway you created as the interface's "IPv4 Upstream Gateway". This will cause a series of problems in OPNsense. These are what I found so far:
1. Automatic rules of "Outbound" in "NAT" will not be generated correctly for the WG network. (You will have to create it manually. - Step 10 in https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html)
2. Automatic rules of "Floating" will not be generated correctly for the firewall host itself to use the WG Gateway (You will have to create it manually. - Step 9 in https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html)
3. In DDNS (ddclient) service, if you select the WG interface to detect external IP (check ip method: any ip-check provider), the firewall is not actually using the WG interface. (For my setup, it uses the WAN.) Therefore it will not grab your correct external IP through the WG VPN provider.

Before OPNsense 23.7.6, when you were able to specify the "Static IP" address and select the "Gateway" for the WG interface in "Interfaces" management, none of the mentioned 3 problems existed. The Outbound NAT rules and Floating rules were automatically and perfectly generated by the system, and the way the DDNS (ddclient) service utilized the WG tunnel interface to detect the external IP was working fine.

Essentially, without the "Static IP" and assigned "Gateway" for the WG interface, OPNsense is not treating the WG interface correctly, even with WG VPN connected.
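The failed host-route lines quoted in post #3 are the one log signal of this misconfiguration that can be checked automatically. The following parser is an added example, not code from the thread or from OPNsense; it assumes only the wg-service-control.php message format shown above, and the sample log (including the trailing "Notice" line) is constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log in the format quoted in the thread (OPNsense 23.7.x
# wg-service-control.php reporting a failed 'route add -iface' command).
SAMPLE_LOG = """\
2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.18.0.1' -iface 'wg2'' returned exit code '1', the output was ''
2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.20.0.1' -iface 'wg1'' returned exit code '1', the output was ''
2023-10-12T15:28:01 Notice wireguard wireguard instance wg1 (re)configured
"""

# Outer message: timestamp, level, the quoted command and its exit code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) wireguard \S*wg-service-control\.php: "
    r"The command '(?P<cmd>.*)' returned exit code '(?P<rc>\d+)'"
)
# Inner command: the host route the script tried to add for the instance gateway.
ROUTE_RE = re.compile(
    r"/sbin/route -q -n add '-(?P<family>[46])' '(?P<gw>[^']+)' -iface '(?P<iface>\w+)'"
)


@dataclass(frozen=True)
class RouteFailure:
    timestamp: str
    family: str      # "4" or "6"
    gateway: str     # the instance "Gateway" address the route add was for
    iface: str       # WireGuard interface name, e.g. wg1
    exit_code: int


def parse_route_failures(log_text: str) -> list[RouteFailure]:
    """Return one RouteFailure per non-zero 'route add ... -iface' command in the log."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["rc"]) == 0:
            continue
        r = ROUTE_RE.search(m["cmd"])
        if not r:
            continue  # some other failed command; not the host-route symptom
        failures.append(RouteFailure(m["ts"], r["family"], r["gw"], r["iface"], int(m["rc"])))
    return failures


def affected_interfaces(failures: list[RouteFailure]) -> dict[str, str]:
    """Map each WG interface with a failed host route to the gateway it could not add."""
    return {f.iface: f.gateway for f in failures}
```

On a live box the same functions can be fed the output of the wireguard log view; a non-empty result points at the instances whose "Disable routes" / "Gateway" combination needs review.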