Messages - unholy_saint

#1
Sorry, can't prove I'm not a camel.

The reason that makes me somehow pushy is that OPNsense VPSes with WireGuard are already used for regional hubs; the problem is real and has lately become extremely annoying. I have to keep everything somehow working, but using a third-party plugin has its problems. Meanwhile, as a tech I lack the influence to make them buy licenses for OPNsense, as they know it can be used for free, and thus I have no leverage to request AmneziaWG support.
#2
Quote from: nero355 on April 08, 2026, 11:42:16 PM
Quote from: unholy_saint on April 08, 2026, 07:20:25 PM
especially by somebody who actually lives in the EU.
Europe area in general, or one of the countries that are part of the European Union?!

EU as a composite of multiple countries and local authorities over a complex network infrastructure. Most issues I've seen were not clearly traceable, although usually there is a specific exchange or mobile operator that can be suspected to be the most likely place to block traffic. Unfortunately the only one I can clearly confirm is a DPI platform that was tested for several weeks in the Bulgarian BIX exchange. Also, due to how the VPN structure I work with is spread, my impressions are related mostly to eastern, central and southern Europe. We also had to drop a VPS in France because of too many blocking hits. That was before I started to migrate to Amnezia.

This is not WireGuard related only; VPN issues are something new, while random web site blocking (I can speak mostly of Bulgaria here) started more than a year ago. However, until now I have never seen EU-originated blocking (DNSSEC hijacking is clearly US-originated) that I can explain logically (based on politics, legal reasons, etc.), and in most cases the blocking lives too short a time to be of practical use. This is why it leaves an impression of somehow discreet live tests instead of actual censorship, but this does not make it less obstructive when it hits your current work.

BTW: My impressions of Amnezia are great, not even a single randomly blocked destination in the two months since the first migration.
#3
AmneziaWG protocol support is not just yet another WireGuard plugin implementation. While originally based on WireGuard, Amnezia is modified to be very resistant to the centralized DPI filtering efforts in countries like Russia. This however makes it even more valuable for people who live in the DPI wild west of the EU, where there are just too many countries with too many authorities that currently play with Internet censorship where and as they manage, while also being responsible for maintaining the official stance that "no such thing exists in The Civilized World". This results in total anarchy and a constantly increasing number of random hits on various types of traffic, including WireGuard VPNs.
My job is related to a vast network of WG interconnections in many EU countries. It started to experience random DPI hits around 12.2025 and things have only been getting worse since, with at least 1 hit per 2 days in March. Blocking generally targets a specific protocol/port combination between specific IPs, although some filters seem to be adaptive and detect port changes very fast. Usually blocking lasts a few hours to a few days, but several IP/UDP port combinations have remained blocked for months now.
Seeking support from the ISP or hosting is usually meaningless in this situation, as they are not in a position to do anything, while managing to find the authority responsible for each specific misbehaving filter you hit... They are sure to employ thousands of professionals in proving that you are an extremist per each subcontracted tech that can actually solve the issue. And it won't be a hard job, as stating that you have an issue with Something that does not exist™ is the exact type of extremism they are responsible to counter.
So switching from plain WG to AmneziaWG 2.0 with QUIC or DNS obfuscation right now seems to be the best solution for someone in the EU, even if AWG is much less mobile-device friendly. And for OPNsense, AWG support is something that should not simply be discarded as a useless duplicate of WG, especially by somebody who actually lives in the EU.
#4
Hello,

I noticed weird behavior on a Proxmox VPS. A running WireGuard tunnel with one peer suddenly stopped working. After checking settings in the web interface and even rebooting several times I found no configuration problems and SSHed to the router. It turned out the peer endpoint port does not match the one set in the web UI, and restarting the interface or router just changes it to a different random one. If I change the port to another, save/apply, then back to the actual one and save/apply again, both changes are correctly applied. However, if I just press apply again, change anything but the port, disable/enable the interface or reboot the router, the remote port changes to a random one again. The web UI however continues to show the one I set in it.

Until now, each time I used WireGuard on OPNsense it was on the receiving end of the connection, so I have no idea if what I see is a unique bug or a known "feature". This time however the router is behind two layers of NAT, one of them not controllable by me, so there is no way to rely on an incoming connection. It has to be initiated by the router.

Any idea what can be happening and how to debug the issue?
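One way to debug the mismatch described in the post above, as an added example (not code from the post, from OPNsense or from the WireGuard project): dump what the kernel actually holds for each peer with `wg show <wgN> dump` in the router's shell and compare it with the endpoints entered in the UI. The parser assumes the documented tab-separated `dump` layout (interface line first, then one line per peer: public key, preshared key, endpoint, allowed IPs, latest handshake, rx, tx, keepalive). The interpretation it attaches is a heuristic: WireGuard moves a peer's endpoint to the source address of the last authenticated packet it receives, so a port that differs from the configured one after a successful handshake means the remote is sending from somewhere else (for example through its own NAT), while a differing port with handshake 0 means the configured value was never applied. Keys, addresses and the sample dump are constructed.

```python
"""Compare the endpoints WireGuard is actually using with the ones you configured.

Added example, not code from the OPNsense forum post or from the WireGuard
project. Assumption: the input is the tab-separated output of
`wg show <iface> dump` (first line: private key, public key, listen port,
fwmark; one line per peer after that: public key, preshared key, endpoint,
allowed IPs, latest handshake, rx bytes, tx bytes, persistent keepalive).
Keys and addresses below are constructed sample data, not real ones.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class PeerState:
    public_key: str
    endpoint: Optional[str]    # "host:port", or None when the kernel has none
    latest_handshake: int      # unix time, 0 = never handshaked
    allowed_ips: str


def parse_wg_dump(dump: str) -> dict[str, PeerState]:
    """Parse `wg show <iface> dump` text into a mapping public key -> PeerState."""
    peers: dict[str, PeerState] = {}
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:  # line 0 describes the interface itself, not a peer
        fields = line.split("\t")
        if len(fields) < 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake = fields[:5]
        peers[pub] = PeerState(
            public_key=pub,
            endpoint=None if endpoint == "(none)" else endpoint,
            latest_handshake=int(handshake),
            allowed_ips=allowed,
        )
    return peers


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'host:port' (IPv6 hosts are bracketed, '[2001:db8::1]:51820')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def find_endpoint_drift(dump: str, configured: dict[str, str]) -> list[dict]:
    """Report peers whose live endpoint differs from the configured one.

    `configured` maps peer public key -> "host:port" as entered in the UI.
    The `reason` strings are heuristics (see the lead-in), not kernel state.
    """
    live = parse_wg_dump(dump)
    drift = []
    for pub, want in configured.items():
        state = live.get(pub)
        if state is None:
            drift.append({"peer": pub, "configured": want, "live": None, "reason": "peer missing"})
            continue
        if state.endpoint is None:
            drift.append({"peer": pub, "configured": want, "live": None, "reason": "no endpoint set"})
            continue
        if split_endpoint(state.endpoint) != split_endpoint(want):
            reason = ("endpoint roamed (remote now sends from elsewhere)"
                      if state.latest_handshake else "configured endpoint not applied")
            drift.append({"peer": pub, "configured": want, "live": state.endpoint, "reason": reason})
    return drift


# Constructed sample: what `wg show wg1 dump` might print in the situation described.
SAMPLE_DUMP = (
    "PRIVKEY_REDACTED\tIFACE_PUBKEY_EXAMPLE=\t51820\toff\n"
    "PEER_A_PUBKEY_EXAMPLE=\t(none)\t203.0.113.10:43911\t10.10.0.0/24\t0\t0\t0\t25\n"
    "PEER_B_PUBKEY_EXAMPLE=\t(none)\t198.51.100.7:51820\t10.10.1.0/24\t1712600000\t1024\t2048\toff\n"
)

# What the web UI shows for the same peers (constructed).
CONFIGURED = {
    "PEER_A_PUBKEY_EXAMPLE=": "203.0.113.10:51820",
    "PEER_B_PUBKEY_EXAMPLE=": "198.51.100.7:51820",
}

if __name__ == "__main__":
    for entry in find_endpoint_drift(SAMPLE_DUMP, CONFIGURED):
        print(entry)
```

On the router, pipe the real output in (`wg show wg1 dump`, with whichever `wgN` name the tunnel got) and fill `CONFIGURED` from the peer entries in the UI; a peer that shows up with the wrong port and a handshake of 0 each time you press apply is the case to report with the dump attached.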
#5
I agree it is wrong to believe that port knocking improves security, but it undoubtedly improves reliability. For example, I just spent ~50 minutes attempting to get in line to SSH into OPNsense, which refused browser logins with a "CSRF check failed." error. It turned out somebody had managed to find the SSH port and overzealously attempted to bruteforce it using a large botnet, filling all free space with filter.logs. Unfortunately SSH has no distinct answer that can inform bots that no password logins are allowed, and a non-standard port, when found, triggers much more intense attacks, as bot writers most likely consider such servers more interesting. In cases like this, what turned out to be a quite successful DDoS would be impossible if I had port knocking set.
#6
Just had the same problem; this message appeared in any browser. It turned out to be a lack of free space, the result of extreme filter.log sizes over the last few days due to overly active SSH bruteforcing. Found this post while attempting to get in line to SSH. As I understand it, in this case OPNsense was reinstalled without a free space check, so it is quite possible it had the same problem.
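The two posts above (#5 and #6) describe the same failure chain: a botnet hammering a non-standard SSH port, pf logging every blocked SYN into filter.log, the disk filling up, and the web UI then failing with "CSRF check failed." The following is an added example, not code from either post or from the OPNsense project, that does the two checks a practitioner would want in that situation: it counts blocked inbound TCP hits against the SSH port per source address from filter.log (so the worst sources can go into a firewall alias and stop being logged), and it checks free space on the filesystem before anything else is blamed. The parser assumes the pf filterlog CSV payload that follows the `filterlog` tag is laid out as rulenr,subrulenr,anchor,label,interface,reason,action,direction,ipversion followed by the IPv4 fields (tos,ecn,ttl,id,offset,flags,protoid,protoname,length,src,dst,srcport,dstport,...) or the IPv6 fields (class,flowlabel,hlim,protoname,protoid,length,src,dst,srcport,dstport,...); adjust the offset tables if your release differs. All log lines and addresses in `SAMPLE_LOG` are constructed.

```python
"""Find SSH bruteforce sources in OPNsense filter.log and check free disk space.

Added example, not code from the forum posts or from the OPNsense project.
Assumptions: filter.log lines carry the pf filterlog CSV payload after the
"filterlog" tag, laid out as rulenr,subrulenr,anchor,label,interface,reason,
action,direction,ipversion,... then the IPv4 fields (tos,ecn,ttl,id,offset,
flags,protoid,protoname,length,src,dst,srcport,dstport,...) or the IPv6 fields
(class,flowlabel,hlim,protoname,protoid,length,src,dst,srcport,dstport,...).
The log lines and addresses in SAMPLE_LOG are constructed, not real traffic.
"""
import re
import shutil
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Locate the CSV payload regardless of the syslog header shape in front of it.
PAYLOAD_RE = re.compile(
    r"(?:^|\s)(\d*,[^,]*,[^,]*,[^,]*,[^,]*,[^,]*,[a-z]+,(?:in|out),[46],.*)$")

# Field offsets relative to the start of the CSV payload (assumed layout, see above).
COMMON = {"interface": 4, "action": 6, "direction": 7, "ipversion": 8}
IPV4 = {"protoname": 16, "src": 18, "dst": 19, "srcport": 20, "dstport": 21}
IPV6 = {"protoname": 12, "src": 15, "dst": 16, "srcport": 17, "dstport": 18}


@dataclass(frozen=True)
class FilterEvent:
    interface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    dstport: int


def parse_filterlog_line(line: str) -> Optional[FilterEvent]:
    """Parse one filter.log line; None for lines that are not TCP/UDP events."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    layout = IPV4 if f[COMMON["ipversion"]] == "4" else IPV6
    try:
        proto = f[layout["protoname"]]
        if proto not in ("tcp", "udp"):
            return None  # ICMP and friends carry no ports
        return FilterEvent(
            interface=f[COMMON["interface"]],
            action=f[COMMON["action"]],
            direction=f[COMMON["direction"]],
            proto=proto,
            src=f[layout["src"]],
            dst=f[layout["dst"]],
            dstport=int(f[layout["dstport"]]),
        )
    except (IndexError, ValueError):
        return None


def ssh_offenders(log_text: str, ssh_port: int, threshold: int) -> list[tuple[str, int]]:
    """Count inbound blocked TCP hits against ssh_port per source address.

    Returns (src, hits) pairs with hits >= threshold, most active first; this
    is the list to feed into a firewall alias so the sources are dropped early
    and pf stops logging every SYN of the botnet.
    """
    hits: Counter[str] = Counter()
    for line in log_text.splitlines():
        ev = parse_filterlog_line(line)
        if (ev and ev.action == "block" and ev.direction == "in"
                and ev.proto == "tcp" and ev.dstport == ssh_port):
            hits[ev.src] += 1
    return [(src, n) for src, n in hits.most_common() if n >= threshold]


def free_space_ok(path: str, min_free_mb: int) -> bool:
    """True when the filesystem holding `path` has at least min_free_mb free."""
    return shutil.disk_usage(path).free >= min_free_mb * 1024 * 1024


# Constructed sample lines in the classic syslog shape; SSH listens on 2222 here.
SAMPLE_LOG = "\n".join([
    "Apr 10 03:12:45 fw filterlog[1234]: 7,,,0,wan,match,block,in,4,0x0,,52,0,0,none,6,tcp,60,192.0.2.15,203.0.113.5,41001,2222,0,S,1,,65535,,mss",
    "Apr 10 03:12:45 fw filterlog[1234]: 7,,,0,wan,match,block,in,4,0x0,,52,0,0,none,6,tcp,60,192.0.2.15,203.0.113.5,41002,2222,0,S,1,,65535,,mss",
    "Apr 10 03:12:46 fw filterlog[1234]: 7,,,0,wan,match,block,in,4,0x0,,52,0,0,none,6,tcp,60,192.0.2.15,203.0.113.5,41003,2222,0,S,1,,65535,,mss",
    "Apr 10 03:12:46 fw filterlog[1234]: 7,,,0,wan,match,block,in,4,0x0,,51,0,0,none,6,tcp,60,198.51.100.9,203.0.113.5,50000,2222,0,S,1,,65535,,mss",
    "Apr 10 03:12:47 fw filterlog[1234]: 7,,,0,wan,match,block,in,4,0x0,,55,0,0,none,17,udp,78,198.51.100.9,203.0.113.5,40000,2222,50",
    "Apr 10 03:12:47 fw filterlog[1234]: 7,,,0,wan,match,block,in,6,0x00,0x00000,60,tcp,6,40,2001:db8::bad,2001:db8::5,40001,2222,0,S,1,,65535,,mss",
    "Apr 10 03:12:48 fw filterlog[1234]: 9,,,0,wan,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.99,203.0.113.5,40002,2222,0,S,1,,65535,,mss",
    "Apr 10 03:12:49 fw filterlog[1234]: 7,,,0,wan,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,192.0.2.15,203.0.113.5,request,1,2",
])

if __name__ == "__main__":
    print(ssh_offenders(SAMPLE_LOG, ssh_port=2222, threshold=2))
    print("free space ok:", free_space_ok("/var/log", 200))
```

On a live box, replace `SAMPLE_LOG` with the contents of `/var/log/filter/*` (read it before rotating it, since the rotation itself needs space), and run `free_space_ok("/var/log", 200)` first: when it returns False, the "CSRF check failed." message is a symptom of the full disk, not of the browser or the session.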
#7
Virtual private networks / Using TOR with Wireguard
November 30, 2023, 09:25:23 PM
I have set OPT1 to be a WireGuard interface called [with description] VPN1. When I set TOR's Configuration/Listen Interfaces to VPN1 the setting is completely ignored, and TOR's SOCKS proxy and control interface listen only on 127.0.0.1.
I thought one could get around this by setting up a virtual interface and routing it via WireGuard, but TOR does not bind to aliases on lo0, and I can't figure out how to create a completely virtual interface with an assignment in Interfaces/Assignments that makes it selectable in TOR's settings. Forwarding both ports from the WireGuard interface to 127.0.0.1 also does not seem to work.
Is this supposed to be so, or should it be reported as a bug? And if it is a bug, is it in WireGuard or in the TOR plugin? Also, any idea how to make TOR available to WireGuard peers?