Virtual private networks / Wireguard server failure after wan failover/recovery
« on: October 22, 2024, 07:32:27 pm »
Hello
I have OPNsense 24.7.6 (previous versions also had the same issue) running with dual WAN/ISP.
I have a mix of road warriors and S2S connected to a WireGuard instance. After a primary ISP outage and restore, one WireGuard tunnel always fails to come back up. I am aware of the DNS cache issue on the client side; however, this issue can be resolved by clearing a single firewall state from the state table. Restarting the WireGuard service does not work.
The state that I am able to clear and immediately bring the client up is hitting the rule "let out anything from firewall" (see attached). (x.x.203.89 is the WireGuard server, this instance; x.x.32.38 is the remote client, also OPNsense.)
I also grabbed a Wireshark capture at the same time. Screenshot also attached.
I believe the source port mismatch (53531 & 51820) is what is causing the handshake problem, but I can't get to a cause or fix.
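The post describes a stale pf state whose local (source) port no longer matches the WireGuard listen port, and that clearing that one state lets the handshake complete. The following shell function is an added example, not code from the poster or from OPNsense: it filters `pfctl -ss` output for UDP states where the remote side is on the WireGuard port but the local side is not, and prints the local/remote host pair so the state can be inspected (or removed with `pfctl -k <local> -k <remote>`, which kills states between two hosts). The sample state lines are constructed in the `pfctl -ss` layout (`all udp local:port -> remote:port  state:state`); the port 51820 and the addresses are assumptions, and a production run would pipe `pfctl -ss` into the function instead.

```shell
#!/bin/sh
# Added example (not from the original post): spot UDP states whose
# remote endpoint is the WireGuard port while the local endpoint uses a
# different, NAT-rewritten source port. Reads pfctl -ss style lines on stdin.
# Usage: pfctl -ss | find_mismatched_wg_states 51820

find_mismatched_wg_states() {
    wg_port="$1"
    awk -v port="$wg_port" '
        $2 != "udp" { next }
        {
            # Locate the direction arrow; the token before it is the local
            # endpoint, the token after it the remote endpoint (both
            # directions in pfctl -ss keep the local side on the left).
            arrow = 0
            for (i = 3; i <= NF; i++)
                if ($i == "->" || $i == "<-") { arrow = i; break }
            if (arrow == 0) next
            l = $(arrow - 1); r = $(arrow + 1)
            # A NAT state shows the post-NAT address in parentheses; that is
            # what is on the wire, so strip the parentheses and use it.
            gsub(/[()]/, "", l); gsub(/[()]/, "", r)
            nl = split(l, la, ":"); nr = split(r, ra, ":")
            lp = la[nl]; rp = ra[nr]
            lh = substr(l, 1, length(l) - length(lp) - 1)
            rh = substr(r, 1, length(r) - length(rp) - 1)
            # Remote peer listens on the WG port but our side was rewritten:
            # this is the kind of state the poster had to clear by hand.
            if (rp == port && lp != port) print lh, rh
        }
    '
}

# Constructed sample states (not a real capture): line 1 is the mismatched
# state, line 2 a healthy S2S state, line 3 an inbound road-warrior state,
# line 4 unrelated TCP.
SAMPLE_STATES='all udp 203.0.113.89:53531 -> 198.51.100.38:51820       MULTIPLE:MULTIPLE
all udp 203.0.113.89:51820 -> 198.51.100.40:51820       MULTIPLE:MULTIPLE
all udp 203.0.113.89:51820 <- 198.51.100.41:41234       MULTIPLE:MULTIPLE
all tcp 203.0.113.89:443 <- 198.51.100.50:40000       ESTABLISHED:ESTABLISHED'

printf '%s\n' "$SAMPLE_STATES" | find_mismatched_wg_states 51820
```

Run against the constructed sample, only the first line is reported (`203.0.113.89 198.51.100.38`); the healthy S2S state and the inbound road-warrior state are left alone, which is the distinction that matters before killing anything with `pfctl -k`.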