Messages - unholy_saint

#1
Hello,

I noticed a weird behavior on a Proxmox VPS. A running WireGuard tunnel with one peer suddenly stopped working. After checking settings in the web interface and even rebooting several times I found no configuration problems and ssh-ed to the router. It turned out the peer endpoint port does not match the one set in the web UI, and restarting the interface or the router just changes it to a different random one. If I change the port to another, save/apply, then back to the actual one and save/apply again, both changes are correctly applied. However, if I just press apply again, change anything but the port, disable/enable the interface or reboot the router, the remote port changes to a random one again. The web UI however continues to show the one I set in it.

Until now each time I used WireGuard on OPNsense it was on the receiving end of connections, so I have no idea if what I see is a unique bug or a known "feature". This time however the router is behind two layers of NAT, one of them not controllable by me, so there is no way to rely on an incoming connection. It has to be initiated by the router.

Any idea what can be happening and how to debug the issue?
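One way to confirm the symptom described above from the shell, as an added example that is not part of the original post: compare the peer Endpoint port written in the WireGuard config file with the port the running interface actually reports. The config path assumes the layout of OPNsense's WireGuard plugin (/usr/local/etc/wireguard/<iface>.conf) and the `wg` tool; the sample config and `wg show` output in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the forum thread. Matches peers by public key so
# the check does not depend on peer ordering.

# Emit "<pubkey> <host:port>" for every [Peer] section of a wg config text.
conf_peer_endpoints() {
    printf '%s\n' "$1" | awk '
        /^\[/ { if (pk != "" && ep != "") print pk, ep; pk = ""; ep = "" }
        /^[[:space:]]*PublicKey[[:space:]]*=/ { sub(/^[^=]*=[[:space:]]*/, ""); pk = $0 }
        /^[[:space:]]*Endpoint[[:space:]]*=/  { sub(/^[^=]*=[[:space:]]*/, ""); ep = $0 }
        END { if (pk != "" && ep != "") print pk, ep }'
}

# Emit "<pubkey> <host:port>" from `wg show <iface> endpoints` output
# (one "<pubkey><TAB><host:port>" line per peer; "(none)" means no endpoint).
live_peer_endpoints() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $2 != "(none)" { print $1, $2 }'
}

# Compare configured vs. live endpoint port per peer.
# Prints one line per configured peer; returns 1 if any port differs.
compare_endpoint_ports() {
    conf=$(conf_peer_endpoints "$1")
    live=$(live_peer_endpoints "$2")
    rc=0
    while read -r pk ep; do
        [ -n "$pk" ] || continue
        lep=$(printf '%s\n' "$live" | awk -v k="$pk" '$1 == k { print $2 }')
        cport=${ep##*:}   # strip through the last colon: works for [v6]:port too
        lport=${lep##*:}
        if [ "$cport" = "$lport" ]; then
            echo "peer $pk: port $cport matches"
        else
            echo "peer $pk: configured port $cport, live port ${lport:-none} MISMATCH"
            rc=1
        fi
    done <<EOF
$conf
EOF
    return $rc
}

# Live use on the router (as root), e.g. for interface wg0:
#   compare_endpoint_ports "$(cat /usr/local/etc/wireguard/wg0.conf)" "$(wg show wg0 endpoints)"
```

Running it before and after a save/apply or interface restart shows whether the live port drifted from the configured one.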
#2
I agree it is wrong to believe that port knocking improves security, but it undoubtedly improves reliability. For example I just spent ~50 minutes attempting to get in line to ssh to OPNsense, which refused browser logins with a "CSRF check failed." error. Turned out somebody managed to find the ssh port and overzealously attempted to bruteforce it using a large botnet, filling all free space with filter.logs. Unfortunately ssh has no distinct answer that can inform bots that no password logins are allowed, and a non-standard port, when found, triggers much more intense attacks, as bot writers most likely consider such servers more interesting. In cases like this what turned out to be a quite successful DDoS would be impossible if I had port knocking set.
#3
Just had the same problem; this message appeared on any browser. Turned out to be lack of free space, the result of extreme filter.log sizes the last few days due to overly active ssh bruteforcing. Found this post while attempting to get in line to ssh. As I understand it, in this case OPNsense was reinstalled without a free space check, so it is quite possible it had the same problem.
#4
Virtual private networks / Using TOR with Wireguard
November 30, 2023, 09:25:23 PM
I have set OPT1 to be a WireGuard interface called [with description] VPN1. When I set TOR's Configuration/Listen Interfaces to VPN1 the setting is completely ignored and TOR's SOCKS proxy and config interface listen only on 127.0.0.1.
I thought one can get around this by setting up a virtual interface and routing it via WireGuard, but TOR does not bind to aliases on lo0 and I can't figure out how to create a completely virtual interface with an assignment in Interfaces/Assignments that makes it selectable in TOR's settings. Forwarding both ports from the WireGuard interface to 127.0.0.1 also does not seem to work.
Is this supposed to be so, or should it be reported as a bug? And if it is a bug is it in Wireguard or in TOR plugin? Also any idea how to make TOR available to Wireguard peers?