Messages - mircsicz

#16
@bubbagump: THX for challenging me to check once more ;-)

Arggghhh, been going over those configs three times...

But as it goes with quick Saturday couch tasks, I fucked up three times!...

Rechecked the exchanged pubkeys and got the first tunnel up!!!

But there's a 2nd tunnel/target giving me a hard time:



Looking via SSH I can see the config seems to be fine:

[Interface]
PrivateKey = PRIVKEY
Address = 172.10.xx.x/24
ListenPort = xx822

[Peer]
PublicKey = PEERPUBKEY
Endpoint = 172.10.xx.x:xx822
AllowedIPs = 172.10.xx.0/24,10.10.xx.x/24
PersistentKeepalive = 60


There's no other config inside the wireguard config dir:
$ sudo ls -l /usr/local/etc/wireguard/
total 8
-rw-------  1 root  wheel  305 Jul 25 18:51 wg0.conf


But the interface is really crooked:

--help: flags=8002<BROADCAST,MULTICAST> metric 0 mtu 1420
options=80000<LINKSTATE>
groups: tun
nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>
Opened by PID 44943


This is a machine on which I already took the XML, removed all WireGuard mentions and restored it as a backup.

On my router, which already has one working tunnel to another target, I can see that there's no contact to the other side:

interface: wg1
  public key: PUBKEY
  private key: (hidden)
  listening port: xx822

peer: PEERPUBKEY
  endpoint: 185.35.xx.xx:xx822
  allowed ips: 10.10.xx.xx/24, 10.x.x.0/24, 10.x.x.0/24
  transfer: 0 B received, 31.80 KiB sent
  persistent keepalive: every 1 minute


Handshake is empty:
wg1 PEERPUBKEY 0

So as there is that interface with this highly uncommon name:

# sudo ifconfig -g tun
ovpns1
--help

how do I delete that interface?

After a reboot it's gone... So let's reconfigure this target.
#17
I sure did... ;-)

But thx for asking anyways! :-)

For all the following readers I'll add a screenshot and a note to the initial posting
#18
You can also define "any" port but define a gateway for that rule... So if that gateway is unavailable it should work as expected...
#19
Thank you, that's what I usually do too...

But I'm afraid that won't solve my problem, as I can't even see a config.
#20
You might wanna show how/what you've setup so far...
#21
I'd suggest checking the on-disk configs; maybe they stuck to the old IP somewhere in /usr/local/etc/syslog-ng

Alternatively, try downloading the config, editing out all the modified syslog targets and restoring that as a backup...
#22
Hi all,

just wanted to migrate from IPsec to WG using his guide, but the issues won't let me...

A FW rule is in place


Checking the config it seems fine:




Except that it shows neither config nor handshake



On the dashboard I can see that the service isn't started:


When I check the *.conf using SSH it seems fine:

$ sudo cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = LOCALPRIVKEY
Address = 172.160.x.2/24
ListenPort = xx822

[Peer]
PublicKey = PEERSPUBKEY
Endpoint = 185.x.x.x:21822
AllowedIPs = 10.160.x.x/24,172.160.x.x/24
PersistentKeepalive = 60


And when I try to start the WG service from the dashboard, this shows up in system.log:

Jul 24 16:56:33 router kernel: tun0: link state changed to UP
Jul 24 16:56:33 router kernel: tun0: changing name to 'wg0'
Jul 24 16:56:33 router kernel: wg0: link state changed to DOWN
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: entering configure using defaults
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: IPv4 default gateway set to opt2
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: setting IPv4 default route to 185.x.x.x
Jul 24 16:56:33 router opnsense[58788]: /usr/local/etc/rc.routing_configure: ROUTING: keeping current default gateway '185.x.x.x
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (1)
Jul 24 16:56:34 router opnsense[58788]: plugins_configure monitor (execute task : dpinger_configure_do(1))
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_PPPOE monitor address is empty, skipping.
Jul 24 16:56:34 router opnsense[58788]: /usr/local/etc/rc.routing_configure: The WAN_PROVIDER_DHCP_DHCP monitor address is empty, skipping.
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode disabled
Jul 24 16:56:35 router kernel: pflog0: promiscuous mode enabled


And I've already restored the config: downloaded the XML, removed all WireGuard contents from the file and restored it as a backup...

Hope one of you has a hint!

BTW: all this is on 21.1.8_1
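The two WireGuard posts above (#16 and #22) both end up staring at a wg0.conf that "seems fine" next to a peer that never handshakes. The following is an added example, not code from the posts or from OPNsense: an offline checker that parses a wg-quick style config, verifies the keys are really 32-byte base64 values (the posts' PRIVKEY/PEERPUBKEY are redactions, which the check would also reject), warns when an AllowedIPs entry carries host bits, flags the classic misconfiguration where the peer's Endpoint lies inside its own AllowedIPs, and reads a `wg show <if> dump` snapshot to report peers with no or stale handshake. All keys, addresses and the dump text are constructed placeholders; the 180 s handshake age limit is an assumption.

```python
"""Offline sanity checks for a WireGuard peer config and a `wg show <if> dump` snapshot."""
import base64
import ipaddress
import time

# Placeholder keys built from byte ranges: correctly shaped (32 bytes, base64) but NOT
# real Curve25519 keys. Constructed for this example only.
LOCAL_PRIV = base64.b64encode(bytes(range(0, 32))).decode()
LOCAL_PUB = base64.b64encode(bytes(range(32, 64))).decode()
PEER_PUB = base64.b64encode(bytes(range(64, 96))).decode()
PEER2_PUB = base64.b64encode(bytes(range(96, 128))).decode()

# Constructed config in the shape of the wg0.conf shown in the posts. The endpoint
# deliberately sits inside AllowedIPs and one AllowedIPs entry carries host bits,
# so the checker has something to report.
BAD_CONF = f"""\
[Interface]
PrivateKey = {LOCAL_PRIV}
Address = 172.16.10.2/24
ListenPort = 51822

[Peer]
PublicKey = {PEER_PUB}
Endpoint = 172.16.10.1:51822
AllowedIPs = 172.16.10.0/24,10.16.10.7/24
PersistentKeepalive = 60
"""
GOOD_CONF = (BAD_CONF.replace("Endpoint = 172.16.10.1:51822", "Endpoint = 198.51.100.7:51822")
                     .replace("10.16.10.7/24", "10.16.10.0/24"))

# Constructed `wg show wg0 dump` output: interface line, then one line per peer with
# public-key, preshared-key, endpoint, allowed-ips, latest-handshake (epoch seconds,
# 0 = never), rx bytes, tx bytes, persistent-keepalive, all tab separated.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "\t".join([LOCAL_PRIV, LOCAL_PUB, "51822", "off"]),
    "\t".join([PEER_PUB, "(none)", "198.51.100.7:51822", "10.16.10.0/24", "0", "0", "32563", "60"]),
    "\t".join([PEER2_PUB, "(none)", "203.0.113.9:51822", "10.16.20.0/24", str(NOW - 45), "1024", "2048", "60"]),
])


def parse_conf(text):
    """Minimal wg-quick INI parser: {'Interface': {...}, 'Peer': [{...}, ...]}."""
    cfg, current = {"Interface": {}, "Peer": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = cfg["Interface"]
        elif line == "[Peer]":
            current = {}
            cfg["Peer"].append(current)
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        else:
            key, value = line.split("=", 1)  # base64 '=' padding only ever follows the first '='
            current[key.strip()] = value.strip()
    return cfg


def valid_key(s):
    """WireGuard keys are 32 bytes, base64 encoded: 44 characters ending in '='."""
    try:
        return len(s) == 44 and len(base64.b64decode(s, validate=True)) == 32
    except ValueError:
        return False


def check_conf(text):
    """Return a list of findings (empty = nothing suspicious) for a wg-quick style config."""
    cfg, findings = parse_conf(text), []
    if not valid_key(cfg["Interface"].get("PrivateKey", "")):
        findings.append("Interface: PrivateKey is not a 32-byte base64 key")
    for i, peer in enumerate(cfg["Peer"], 1):
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(f"Peer {i}: PublicKey is not a 32-byte base64 key")
        nets = []
        for entry in filter(None, (e.strip() for e in peer.get("AllowedIPs", "").split(","))):
            try:
                addr = ipaddress.ip_interface(entry)
            except ValueError:
                findings.append(f"Peer {i}: AllowedIPs entry {entry!r} is not a valid network")
                continue
            if addr.ip != addr.network.network_address:
                findings.append(f"Peer {i}: AllowedIPs {entry} has host bits set; wg will use {addr.network}")
            nets.append(addr.network)
        host = peer.get("Endpoint", "").rpartition(":")[0].strip("[]")
        try:
            ep = ipaddress.ip_address(host)  # hostnames would need DNS; skipped offline
        except ValueError:
            continue
        if any(ep in n for n in nets):
            findings.append(f"Peer {i}: Endpoint {ep} lies inside AllowedIPs, so the encrypted UDP "
                            "packets would themselves be routed into the tunnel")
    return findings


def check_dump(dump_text, now=None, max_age=180):
    """Flag peers in `wg show <if> dump` output that never handshaked or went quiet.
    max_age=180 s is an assumption: WireGuard rekeys after 120 s of traffic, and with
    PersistentKeepalive there is always traffic, so a live peer stays well under it."""
    now = time.time() if now is None else now
    findings = []
    for line in dump_text.strip().splitlines()[1:]:  # first line describes the interface itself
        pub, _psk, _ep, _allowed, hs, rx, tx, _ka = line.split("\t")
        hs, rx, tx = int(hs), int(rx), int(tx)
        if hs == 0:
            findings.append(f"{pub[:8]}...: never completed a handshake ({tx} B sent, {rx} B received)")
        elif now - hs > max_age:
            findings.append(f"{pub[:8]}...: last handshake {int(now - hs)} s ago")
    return findings


if __name__ == "__main__":
    for name, found in [("BAD_CONF", check_conf(BAD_CONF)), ("GOOD_CONF", check_conf(GOOD_CONF)),
                        ("SAMPLE_DUMP", check_dump(SAMPLE_DUMP, now=NOW))]:
        print(name, found or "ok")
```

On a real box the two inputs are `sudo cat /usr/local/etc/wireguard/wg0.conf` and `sudo wg show wg0 dump`; a peer reported as "never completed a handshake" with a non-zero sent counter is exactly the "0 B received, 31.80 KiB sent" picture from post #16, which points at the other side (key mismatch, wrong endpoint, or a firewall dropping the UDP port) rather than at the local config file.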
#23
I'd create an alias and bind that to the gateway...

This way the traffic from that IP or MAC can only leave through the specified GW ;-)

#24
Hi @franco,

the problem remains with 21.1.7_1... Had to run:
opnsense-revert -r 21.1.5 os-dyndns
to get it working again...
#25
My issue was chained to the os-dyndns failure...
#26
THX franco, going back to 1.23_2 solved the problem...

Before I followed your advice I tried reinstalling, as the (misconfigured) state seemed weird...

But even after the reinstall it refused to work as expected...

After running

opnsense-revert -r 21.1.5 os-dyndns

it works as expected :-)
#27
Same here without the revert:

***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.6 (amd64/OpenSSL) at Fri May 28 18:24:26 CEST 2021
>>> Check installed kernel version
Version 21.1.6 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.6 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done
***DONE***
#28
Here's the full log of a "force Upgrade" run with verbose logging activated:


May 28 17:43:59 router config[29630]: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
May 28 17:43:59 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.xx): 217.225.xxx.yyy extracted
May 28 17:43:59 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.xx): running dyndns_failover_interface for opt1. found pppoe0
May 28 17:43:59 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.xx via No-IP): _update() starting.
May 28 17:43:59 router configctl[50841]: event @ 1622216639.35 msg: May 28 17:43:59 router.some.lan config[29630]: config-event: new_config /conf/backup/config-1622216639.3456.xml
May 28 17:43:59 router configctl[50841]: event @ 1622216639.35 exec: system event config_changed
May 28 17:44:00 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.xx): _checkStatus() starting.
May 28 17:44:00 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.xx): Current Service: noip
May 28 17:44:00 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.xx): (Unknown Response)
#29
After upgrading from 21.1.5 to .6 last night, No-IP no longer works...

First thing I recognized were broken IPsec tunnels, then I tried to SSH in and got timeouts. So I used AnyDesk to check the web interface from the other side of the WAN...

I could see that the "Cached IP" is red, so I tried a forced Update, here's what the log said:

May 28 15:57:16 router config[49757]: /services_dyndns_edit.php: Dynamic DNS (my.dns.xx): (Unknown Response)

or during bootup (right after the upgrade):

May 28 03:22:50 router opnsense[11052]: /usr/local/etc/rc.newwanip: Dynamic DNS (my.dns.xx): (Unknown Response)


So I tried setting the password and got success, at least I thought so: the web UI told me that it had updated the cached IP to the actual WAN IP...

Now I just realized I still can't SSH into the router, so I pinged and saw that No-IP still holds the old IP... Double-checked their web UI, which states the same.

The OPNsense plugin web UI seems happy with the changed cached IP, but No-IP doesn't get/receive that change!

@franco hope you've got a hint... ;-)
#30
21.1 Legacy Series / Re: freedns no longer update
May 28, 2021, 05:17:59 PM
Same might be true for No-IP:


May 28 15:57:16 router config[49757]: /services_dyndns_edit.php: Dynamic DNS (my.dns.xx): (Unknown Response)


I recopied the password into the field and got it working again that way...

EDIT: As it seems those two issues aren't all that similar, I opened a topic for my No-IP issue.
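Posts #28 to #30 show the Dynamic DNS plugin logging "(Unknown Response)" while its own cached-IP display looks healthy, and the poster only noticed because a ping showed No-IP still serving the old address. The following is an added example, not code from the posts or from the OPNsense plugin: it pulls the per-hostname status out of system.log lines of the shape quoted above and compares the WAN address the plugin extracted with what public DNS actually returns, so the "plugin happy, provider stale" case is caught without anyone pinging by hand. The log lines, hostnames, addresses and the RESOLVED table are constructed placeholders; the only messages it understands are the ones visible in the posts ("… extracted", "_update() starting." and "(Unknown Response)"), so a success message the plugin may print is treated as neutral.

```python
"""Pull per-hostname Dynamic DNS status out of OPNsense system.log lines and compare
it with what public DNS actually serves."""
import re

# Constructed log lines in the shape of the system.log excerpts quoted in the posts
# (hostnames and addresses are placeholders, not the poster's).
SAMPLE_LOG = """\
May 28 17:43:59 router config[29630]: /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
May 28 17:43:59 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.example): 203.0.113.45 extracted
May 28 17:43:59 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.example via No-IP): _update() starting.
May 28 17:44:00 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.example): Current Service: noip
May 28 17:44:00 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (my.ddns.example): (Unknown Response)
May 28 03:22:50 router opnsense[11052]: /usr/local/etc/rc.newwanip: Dynamic DNS (other.ddns.example): (Unknown Response)
May 28 17:50:01 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (drift.ddns.example): 203.0.113.45 extracted
May 28 17:50:01 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (drift.ddns.example via No-IP): _update() starting.
May 28 17:50:02 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (ok.ddns.example): 203.0.113.45 extracted
May 28 17:50:02 router config[29630]: /services_dyndns_edit.php: Dynamic DNS (ok.ddns.example via No-IP): _update() starting.
"""

# What public DNS returns for each name (constructed; in production use socket.gethostbyname).
RESOLVED = {
    "my.ddns.example": "198.51.100.200",   # provider still holds the old address
    "other.ddns.example": "198.51.100.200",
    "drift.ddns.example": "198.51.100.200",
    "ok.ddns.example": "203.0.113.45",
}

DDNS_RE = re.compile(r"Dynamic DNS \((?P<host>[^\s)]+)(?: via (?P<provider>[^)]+))?\): (?P<msg>.*)$")
IP_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) extracted$")


def summarize_ddns(log_text):
    """Return {host: {'provider', 'wan_ip', 'status'}} from the Dynamic DNS log lines.
    status becomes 'attempted' once _update() starts and 'failed' on '(Unknown Response)'."""
    hosts = {}
    for line in log_text.splitlines():
        m = DDNS_RE.search(line)
        if not m:
            continue  # e.g. the bare "Dynamic DNS: updatedns() starting" line
        info = hosts.setdefault(m["host"], {"provider": None, "wan_ip": None, "status": "unknown"})
        if m["provider"]:
            info["provider"] = m["provider"]
        ip = IP_RE.match(m["msg"])
        if ip:
            info["wan_ip"] = ip["ip"]
        elif m["msg"].startswith("_update()"):
            info["status"] = "attempted"
        elif m["msg"] == "(Unknown Response)":
            info["status"] = "failed"
    return hosts


def stale_hosts(summary, resolved):
    """Hosts whose last update failed, or whose public record does not match the WAN
    address the plugin extracted. Catches the case from the posts where the plugin's
    cached IP looks current while the provider still serves the old one."""
    return sorted(h for h, info in summary.items()
                  if info["status"] == "failed"
                  or (info["wan_ip"] and resolved.get(h) != info["wan_ip"]))


if __name__ == "__main__":
    summary = summarize_ddns(SAMPLE_LOG)
    for host in stale_hosts(summary, RESOLVED):
        print(f"{host}: status={summary[host]['status']} wan_ip={summary[host]['wan_ip']} "
              f"dns={RESOLVED.get(host)}")
```

Run against a real `/var/log/system.log` excerpt, the RESOLVED table would be filled from `socket.gethostbyname()` (or a resolver that bypasses the router's own cache) right before the comparison; a host that shows up as stale while the plugin UI is green is the signal to re-enter the provider credentials or roll the plugin back, as posts #26 and #30 ended up doing.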