High availability / Wireguard VPN no traffic on OpnSense HA Cluster in CARP backup state
« on: March 15, 2024, 03:30:15 pm »
Hello everyone,
I have a problem with an OPNsense HA cluster with a WireGuard VPN server. The cluster contains two physical nodes, each with NICs for WAN, LAN, DMZ, and a direct sync interface between the nodes. Everything is up and running and I can connect to WireGuard. When I switch the primary cluster node via CARP from master to backup, I lose the WireGuard connection - only on Windows clients! I can see a handshake for these specific clients on the WireGuard diagnostics tab, but I'm not able to get any traffic through the tunnel. I tried the same settings on a Linux client and don't have any issues at all. If I change the primary node's CARP state from backup to master, everything works correctly again. Are there any suggestions, or did I make any mistakes in my configuration?
OPNsense version: 24.1.3
WireGuard Windows client: latest version (0.5.3) on Win10 (x64)
VPN -> WireGuard -> Settings -> Instances
Code:
Wireguard Server instance: 1
Name: HomeOfficeServer
Public key: <snip>
Private key: <snip>
Listen port: 51822
Tunnel address: 192.168.144.1/22
Depend on (CARP): vhid 5
Peers: several Win & Linux clients
Disable routes: <unchecked>
VPN -> WireGuard -> Settings -> Peers
Code:
Enabled: <checked>
Name: Q-000582_TR_Win10_Test
Public key: <snip>
Allowed IPs: 192.168.144.2/32
Instances: HomeOfficeServer
All other settings are unset
Interfaces -> WG1
Code:
Enabled: <checked>
- no additional config
Interfaces -> Virtual IPs
Code:
Mode: CARP
Interface: LAN
Network / Address: 192.168.144.1/22
Password: <snip>
VHID Group: 5
advbase: 1
Code:
Mode: CARP
Interface: WAN
Network / Address: <Reverse Proxy WAN VIP Address>
Password: <snip>
VHID Group: 4
advbase: 1
Code:
Mode: CARP
Interface: DMZ
Network / Address: 10.1.0.4/16
Password: <snip>
VHID Group: 3
advbase: 1
Code:
Mode: CARP
Interface: WAN
Network / Address: <WAN VIP Address>
Password: <snip>
VHID Group: 2
advbase: 1
Code:
Mode: CARP
Interface: LAN
Network / Address: 10.0.0.4/16
Password: <snip>
VHID Group: 1
advbase: 1
# The following Address/Alias is created on both nodes!
Code:
Mode: IP Alias
Interface: LAN
Network / Address: 10.0.14.2/24
Firewall -> NAT -> Outbound NAT
Code:
Interface: LAN
TCP/IP Version: IPv4
Protocol: any
Source address: 192.168.144.2/32
Destination address: any
Translation / target: 10.0.14.2
Firewall rules to and from the WireGuard VPN temporarily allow anything!
The config is synced to both nodes. As mentioned above, everything else works flawlessly.
Thank you very much & best regards
Thomas
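The symptom in the post (a fresh handshake on the diagnostics tab, but no traffic through the tunnel) can be narrowed down per peer and per direction from the firewall's shell. The following script is an added diagnostic for this thread; it is not OPNsense code and not part of the poster's configuration. It parses two snapshots of `wg show <iface> dump` (the tab-separated, machine-readable output of the wg(8) CLI: one interface line, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake, rx bytes, tx bytes, keepalive), taken a few seconds apart while the client generates traffic, and reports peers whose handshake is recent but whose counters did not move. The interface name, the placeholder keys and the sample dumps are constructed for the example. Run it on the node that currently holds the CARP MASTER state for the WireGuard VIP, once before and once after a failover, to see whether the stalled direction is client-to-firewall (rx frozen) or firewall-to-client (tx frozen).

```python
"""Flag WireGuard peers with a fresh handshake but frozen byte counters.

Added example for this thread; not OPNsense code or the poster's config.
Usage on the firewall (as root):  python3 wg_stuck.py wg1
Generate traffic from the client (e.g. a ping) while the script waits.
"""
from __future__ import annotations

import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass
class Peer:
    public_key: str
    endpoint: str
    allowed_ips: str
    latest_handshake: int  # Unix epoch seconds; 0 means never handshaked
    rx_bytes: int
    tx_bytes: int


def parse_dump(text: str) -> dict[str, Peer]:
    """Parse `wg show <iface> dump` output into {public_key: Peer}.

    The first non-empty line describes the interface and is skipped; every
    later line must have exactly eight tab-separated fields.
    """
    peers: dict[str, Peer] = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pk, _psk, endpoint, allowed, hs, rx, tx, _keepalive = fields
        peers[pk] = Peer(pk, endpoint, allowed, int(hs), int(rx), int(tx))
    return peers


def stuck_peers(before: dict[str, Peer], after: dict[str, Peer],
                now: int, handshake_window: int = 180) -> dict[str, list[str]]:
    """Return {public_key: problems} for peers whose latest handshake lies
    within `handshake_window` seconds of `now` (the tunnel is up at the
    crypto layer) but whose rx and/or tx counters did not advance between
    the two snapshots. Peers with a stale handshake are skipped: that is a
    different failure (the client cannot reach the listen port at all)."""
    result: dict[str, list[str]] = {}
    for pk, b in after.items():
        a = before.get(pk)
        if a is None or b.latest_handshake == 0:
            continue
        if now - b.latest_handshake > handshake_window:
            continue
        problems = []
        if b.rx_bytes <= a.rx_bytes:
            problems.append("no bytes received from peer")
        if b.tx_bytes <= a.tx_bytes:
            problems.append("no bytes sent to peer")
        if problems:
            result[pk] = problems
    return result


def snapshot(iface: str) -> dict[str, Peer]:
    """Live snapshot via the wg(8) CLI (requires root on the firewall)."""
    out = subprocess.run(["wg", "show", iface, "dump"],
                         check=True, capture_output=True, text=True).stdout
    return parse_dump(out)


# Constructed sample: two dumps 10 s apart for an instance on port 51822.
# The keys are placeholders, not real WireGuard keys.
NOW = 1_710_500_000
DUMP_BEFORE = (
    "SERVER_PRIV=\tSERVER_PUB=\t51822\toff\n"
    f"WIN10_PUB=\t(none)\t203.0.113.10:51820\t192.168.144.2/32\t{NOW - 30}\t4096\t2048\toff\n"
    f"LINUX_PUB=\t(none)\t203.0.113.20:41641\t192.168.144.3/32\t{NOW - 45}\t90000\t120000\toff\n"
)
DUMP_AFTER = (
    "SERVER_PRIV=\tSERVER_PUB=\t51822\toff\n"
    f"WIN10_PUB=\t(none)\t203.0.113.10:51820\t192.168.144.2/32\t{NOW - 20}\t4096\t2048\toff\n"
    f"LINUX_PUB=\t(none)\t203.0.113.20:41641\t192.168.144.3/32\t{NOW - 35}\t95000\t131000\toff\n"
)


def demo() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample (offline)."""
    return stuck_peers(parse_dump(DUMP_BEFORE), parse_dump(DUMP_AFTER), NOW)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        first = snapshot(sys.argv[1])
        time.sleep(10)
        second = snapshot(sys.argv[1])
        report = stuck_peers(first, second, int(time.time()))
    else:
        report = demo()
    for pk, problems in report.items():
        print(pk, "->", "; ".join(problems))
```

In the constructed sample the Linux peer moves bytes in both directions and is not reported, while the Windows peer has a 20-second-old handshake and unchanged counters, which is exactly the "handshake but no traffic" picture described above. Comparing the two nodes' outputs after a CARP transition shows whether the stalled peer's packets are still arriving (rx grows, tx does not) or never reach the new master at all.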