WireGuard client disconnect in OPNsense 24.1
« on: February 01, 2024, 12:53:17 am »
Identified a WireGuard VPN client disconnect issue with the upgrade from 23.7.12 to 24.1 when connecting to VPN providers. The only way to resolve the issue is to restart WireGuard (Disable / Enable in WireGuard Settings).
24.1 Release Notes state the following:
- wireguard: installed by default using the bundled FreeBSD 13.2 kernel module
- core inclusion of the os-firewall and os-wireguard plugins
(os-wireguard plugins are no longer available in v24.1.)
A disconnect of the router WAN port (ADSL2+, which is very unstable in a remote location) causes the VPN tunnel to fail (100%). v23.7.12 had the same issue, but I reverted to the older os-wireguard-go plugin (non-kernel version) to resolve it. The only way to fix the issue is to fully restart the WireGuard service on every WAN disconnect. I also set up a CRON job to restart the FW every 24 hours as a small workaround.
Investigated numerous fixes to resolve the issue, including adjusting MTU, keepalives, inspecting routes, etc. Nothing has resolved the issue. v24.1 no longer has the option to revert to the os-wireguard-go package. OPNsense has been working well through multi-year upgrades, so a fundamental configuration error is unlikely.
https://forum.opnsense.org/index.php?topic=33927.0
On error, the gateway configuration will show the status of the WG VPN tunnel as "offline" (see attached screenshot).
On restart of the VPN connection, error in VPN logs:
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route add -'inet' '10.25.169.200' -interface 'wg3'' returned exit code '1', the output was 'add host 10.25.169.200: gateway wg3 fib 0: route already in table'
Suggestions for a fix will be welcome. Happy to experiment, as OPNsense is running as a Proxmox VM with snapshots, so rollback of a broken config is very easy.
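A narrower alternative to the blanket 24-hour firewall restart described above is a watchdog that only acts when the tunnel has actually stopped handshaking, and that recognises the "route already in table" message from the post's log line. The script below is an added example, not code from the post or from the OPNsense project. It assumes the `wg show <iface> dump` output layout (first line describes the interface; each peer line carries the public key, preshared key, endpoint, allowed IPs, latest-handshake epoch seconds, rx bytes, tx bytes and keepalive) and uses a placeholder for the restart command, because the post does not show the exact OPNsense invocation that restarts the WireGuard service.

```shell
#!/bin/sh
# Added example (not from the forum post): a handshake-based WireGuard watchdog.
# Assumption: `wg show <iface> dump` prints one interface line followed by one
# line per peer, with the latest-handshake epoch timestamp in column 5.

# wg_tunnel_is_healthy THRESHOLD_SECONDS NOW_EPOCH
# Reads `wg show <iface> dump` text on stdin. Returns 0 if at least one peer
# completed a handshake within THRESHOLD_SECONDS of NOW_EPOCH, otherwise 1
# (including the case where no peer line exists at all).
wg_tunnel_is_healthy() {
    threshold="$1"
    now="$2"
    awk -v thr="$threshold" -v now="$now" '
        NR == 1 { next }                      # interface line, not a peer
        NF >= 5 && $5 > 0 && (now - $5) <= thr { fresh++ }
        END { if (fresh > 0) exit 0; exit 1 }'
}

# is_stale_route_error
# Returns 0 when the text on stdin contains the route error reported in the post,
# i.e. a restart tripped over a host route that was never removed from the FIB.
is_stale_route_error() {
    grep -q 'route already in table'
}

# wg_watchdog IFACE [THRESHOLD_SECONDS]
# Runs the live check and restarts only when the tunnel is stale. Exit codes:
# 0 healthy or restarted cleanly, 2 restart reported a stale route (needs attention).
wg_watchdog() {
    iface="$1"
    threshold="${2:-180}"
    if wg show "$iface" dump | wg_tunnel_is_healthy "$threshold" "$(date +%s)"; then
        return 0
    fi
    logger -t wg-watchdog "no fresh handshake on $iface within ${threshold}s, restarting"
    # Placeholder: substitute the restart command used on your OPNsense install.
    out=$(${WG_RESTART_CMD:-echo "would restart $iface"} 2>&1)
    if printf '%s\n' "$out" | is_stale_route_error; then
        logger -t wg-watchdog "restart hit a stale host route on $iface: $out"
        return 2
    fi
    return 0
}

# Constructed sample dump (one peer, last handshake at epoch 1706745000) used by
# demo_check so the classification logic can be exercised without a live tunnel.
SAMPLE_DUMP='privkey pubkey 51820 off
PEERKEY (none) 203.0.113.10:51820 0.0.0.0/0 1706745000 1234 5678 25'

# demo_check NOW_EPOCH: prints "healthy" or "stale" for the sample above.
demo_check() {
    if printf '%s\n' "$SAMPLE_DUMP" | wg_tunnel_is_healthy 180 "$1"; then
        echo healthy
    else
        echo stale
    fi
}

# Only run the live watchdog when invoked as: sh wg-watchdog.sh --run wg3 180
if [ "${1:-}" = "--run" ]; then
    wg_watchdog "${2:-wg3}" "${3:-180}"
fi
```

Scheduling this every few minutes from cron instead of a nightly full restart keeps the firewall up when the tunnel is fine, and a return code of 2 surfaces exactly the stale-route condition shown in the post's log line so it can be investigated rather than silently retried.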