Messages

Thanks for clarification, this is also as I understand and configured our system at the moment.

So to close the discussion in this thread, my take home message from Franco is that the MTU configuration logic change for  wireguard is indeed as intended. Thanks a lot!

Hi Franco,

I used the kmod version before.

I do have an interface assigned to the wireguard tunnel, see attached screenshot, with the manual MTU setting present.

But when I keep the MTU option field blank, I get the "wrong" MTU of 1420.

Are you suggesting that the wg setting is supposed to be overwritten by the setting in "WAN0site2" and thus we should define it there manually? Because if I try so I get the error message

Cannot assign an IP configuration type to a tunnel interface.

minor note: because I installed several upgrades in a bunch, I noticed now that this behavior is not new in version 24.1 but already appeared when upgrading from 23.7.5 and 23.7.12_5

cheers, Albert

Hi all,

in our setup we use jumbo frames through a wireguard VPN tunnel between two OPNsense instances together with OSPF. After the upgrade to 24.1 the dynamic routing stopped working and I could find in the logs

[XZZ9Y-NNTMQ][EC 134217741] Packet[DD]: Neighbor x.x.x.x MTU 8920 is larger than [wg2:x.x.x.x]'s MTU 1420

After switching temporarily to static routing and some hours of debugging I was able to trace down the problem to the MTU logic used in wireguard. In the pre 24.1 OPNsense instance it says in the help for MTU option

Set the interface MTU for this interface. Leaving empty uses the MTU from main interface which is fine for most setups.

But in the 24.1 instance it simply says

Set a specific device MTU for this instance.

Thus, the MTU from the parent device, which is set to 9000, seems not to be considered anymore with 24.1 and OSPF refused to work!

Is this change in the default logic in wireguard intended?

This was a nasty bug, because the MTU option is also hidden in "advanced mode", but setting MUT to 8920 made everything work again right away!

Cheers,
Albert

Hi all,

I am using HA setups at three different locations which are connected via wireguard VPN tunnels using dynamic routing with OSPF.
For easier administration I would like to access the backup instances via the tunnels. Any ideas how this can be achieved?

I thought of maybe solving this with VRF, but the frr service is being disabled as soon as the instance is switched into backup mode.

Cheers,
Albert

I ran into the same problem and wasn't aware where do disable circular logging.

Here is a hint for others:
it is a system option, so go to "System" -> "Settings" -> "Logging" -> first option

and then you need to restart FRR to have logging output

here is the issue on github https://github.com/opnsense/plugins/issues/2524

Hi, I also want to implement a multiWAN site-to-site setup with wireguard in HA configuration and your suggested solution sounds very interesting and simple to add to OPNsense.

Looking forward to any action on this topic!

I have opened an issue here https://github.com/opnsense/plugins/issues/1850

I see the same problem running wireguard on OPNsense 20.1.5

As Hektor mentioned there are no Log entries and thus this problem is very difficult to debug.

Running `wireguard-go wg0` on the command line eventually reveals the problem in the wg0.config!