24.1 Legacy Series / Wireguard issues after upgrades now leads to weird issues...
« on: April 11, 2024, 10:38:48 am »
Hello,
I've been using OPNsense happily for the past 2 years, but the last 2 releases raised Wireguard issues for me (see reddit issue I described here: https://www.reddit.com/r/opnsense/comments/1c0h163/wireguard_issues_since_update_to_2414/).
According to one comment, I decided to start from scratch and deleted all my Wireguard instances and linked interfaces, firewall rules (on the WAN) to have a "clean slate".
I took the "WireGuard Road Warrior Setup" guide and followed the instructions. As happened last time, when I tried to add a new Wireguard instance and interface, my whole network went down. But this time, I didn't panic and investigated before restoring.
My findings:
- before I add the Wireguard interface linked to the Wireguard instance, everything works
- I create a new interface linked to the Wireguard instance
- all my network to the Internet is down, local network works fine
- in the "Log files" -> "Live view", I see ALL traffic going out of my local network on the Wireguard interface!
- I check the routes and one route has been added automatically (System -> Routes -> Status): 0.0.0.0/1 on the wg0 interface
- I delete the route (and also remaining route from the previous Wireguard instances) -> I can ping outside based on IP address but I cannot resolve any Internet server name!
- I restarted Unbound -> nothing changed
- I restored previous backup
Here is some output of the ping (if that helps):
From a Linux machine:
Code:
ping google.com
PING google.com (142.250.179.206) 56(84) bytes of data.
From _gateway (10.0.69.1) icmp_seq=1 Destination Host Unreachable
From _gateway (10.0.69.1) icmp_seq=2 Destination Host Unreachable
From _gateway (10.0.69.1) icmp_seq=3 Destination Host Unreachable
From the OPNsense firewall directly:
Code:
ping google.com
PING google.com (142.250.179.206): 56 data bytes
ping: sendto: No route to host
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 c435 0 0000 40 01 05aa 10.0.100.1 142.250.179.206
ping: sendto: No route to host
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 828f 0 0000 40 01 4750 10.0.100.1 142.250.179.206
Of course, if I change the DNS on a local machine, it works, so somehow, I completely lose the ability to resolve any name from the firewall when I added that interface. I have added VLAN interfaces not so long ago and it worked fine (although I cannot recall if I was already on 24.1.4 when I did).
Can you please help me to understand and fix what's going on?
I really hope that after this is solved, I would be able to (re-)create a working Wireguard connection with my devices...
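The key observation in the post is the 0.0.0.0/1 route that appeared on wg0: under longest-prefix matching it is more specific than the default route, so it captures the lower half of IPv4 space, while directly connected /24 routes stay more specific still (which is why the local network kept working). The following script is an added example, not code from the post or from OPNsense; it parses a constructed FreeBSD-style `netstat -rn` dump (the sample table, interface names and addresses are made up) and flags any route via a tunnel interface whose destination covers half or all of the IPv4 space, which is the pattern a firewall admin would want to spot before it pulls forwarded traffic into the tunnel.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample in the layout of FreeBSD `netstat -rn` output.
# Not taken from the post; addresses and interface names are made up.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         vtnet0
0.0.0.0/1          link#7             US            wg0
10.0.100.0/24      link#2             U           vtnet1
10.0.100.1         link#2             UHS           lo0
127.0.0.1          link#5             UH            lo0
203.0.113.0/24     link#1             U           vtnet0
"""


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Parse the IPv4 section of a netstat -rn dump into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and the column header; the Expire column is optional.
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        routes.append({
            "dest": parts[0],
            "gateway": parts[1],
            "flags": parts[2],
            "netif": parts[3],
        })
    return routes


def dest_network(dest: str) -> Optional[ipaddress._BaseNetwork]:
    """Turn a Destination column value into an ip_network, or None if unparsable."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        # Host routes ("10.0.100.1") become /32 networks; strict=False tolerates
        # destinations written without host bits cleared.
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None


def catch_all_routes(routes: List[Dict[str, str]],
                     tunnel_prefix: str = "wg",
                     max_prefixlen: int = 1) -> List[Dict[str, str]]:
    """Return routes via a tunnel interface covering half or all of IPv4.

    A /0 or /1 destination (0.0.0.0/1 and 128.0.0.0/1 together equal the
    whole space) on a tunnel interface overrides the real default route
    for everything it covers, because it is the longer prefix.
    """
    hits = []
    for r in routes:
        net = dest_network(r["dest"])
        if net is None or net.version != 4:
            continue
        if net.prefixlen <= max_prefixlen and r["netif"].startswith(tunnel_prefix):
            hits.append(r)
    return hits


def diagnose(text: str) -> List[str]:
    """Human-readable findings for a routing table dump."""
    hits = catch_all_routes(parse_routes(text))
    if not hits:
        return ["no catch-all tunnel routes found"]
    return [
        f"{r['dest']} via {r['netif']} is more specific than 'default' and "
        f"diverts that part of IPv4 into the tunnel"
        for r in hits
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ROUTES):
        print(finding)
```

Run it against `netstat -rn` output captured from the firewall instead of the sample to check whether the tunnel has installed a half-space or full-space route; the check deliberately ignores the directly connected /24 routes, which is consistent with the post's observation that the local network kept working while Internet-bound traffic did not.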