Wireguard tunnel not staying up

[Mantis314]

I have two sites both running Protectli appliances with OpnSense 21.1.9 installed.
I have Wireguard site to site VPN configured and working.
The VPN refuses to stay up for long though. It will only stay up for a couple of hours.
I have Keep Alive configured on both ends and set to 25.
The VPN-Wireguard-List Configuration and Handshakes tabs are blank on the remote end.
To get it working again I need to visit the Endpoints tab (on the remote firewall) and click Apply. It will come right back up and work for a couple more hours. Also at this point, the List Configuration and Handshakes tabs are populated again.
What do I need to do to keep the tunnel up?

Thanks in advance for any suggestions.

Mantis314

[mimugmail]

Try keepalives at 5sec for testing

[Mantis314]

Set the Keep Alive to 5 at both ends. It ran for over an hour. I went out to the grocery store this evening and when I returned it was down again.
Logged into the remote appliance,
Verified that List Configuration was blank again.
Verified that Handshakes was blank again.
Went to Endpoints and simply clicked Apply.
Seconds later List Configuration is populated as is Handshakes.
Tunnel is back up.
It will be down again in the morning.
It has been doing this since I first set it up a few months ago.
I don't get it.

[mimugmail]

Screenshots of config please

[Mantis314]

These snips are of the end that drops, and were taken when the tunnel is up.
After it drops the list configuration and Handshakes go completely blank.
The local config has a field for DNS. I have tried with and without a DNS server here. I used 8.8.8.8

Mantis314

[mimugmail]

At Endpoint remove 192.168.19.0/24

It seems the daemon crashes for some reason.

[Mantis314]

I removed 192.168.19.0/24 from the Endpoint.
There is now only the relevant LAN subnet at each end.
I restarted the tunnel at 11:00 this morning.
When I returned home from work this afternoon at 4:00 it was down again in the same manner as before.
Going to Endpoints and clicking Apply Lights it back up again.
Are there any logs for Wireguard which might provide a clue as to what is happening?

Mantis314

[mimugmail]

Maybe you can plug in a display and watch the output

[Mantis314]

It's 200 miles away.
But I will be there over the weekend. I might try that.

Mantis

[Mantis314]

I gave up on it.
It's just not worth all the frustration.
Tonight I built an IPSec tunnel instead.
Hoping that stays up.

Thanks for the support though, much appreciated!

Mantis314

[chemlud]

just for testing I would start a cam stream over the tunnel and see if it remains stable. The IPs on both ends are stable?

[Mantis314]

By the "IPs on both ends" I assume you mean the public WAN interface IPs.
Both ends are dynamic, and I use a dynamic DNS service to maintain hostname integrity.
Both IPs are stable in that neither address has changed in months.
I in fact tested using the IPs as opposed to the hostnames, but the outcome was the same.
The history of these two sites is that both ends were protected by old Sonicwalls (NSA-240 & TZ-100).
I had an IPSEC tunnel between the Sonicwalls which was quite reliable.
It has been about 24 hours now since I established an IPSec tunnel between the two OPNsense firewalls.
So far it is stable again.
My observation of the Wireguard is that, true to it's claim, it is very easy to set up and get running.
I never ran an iPerf test to see how much faster Wireguard was, but it did have a nice "feel" to it while it was up.
The Wireguard would not recover on it's own from a restart of either firewall. I always had to disable/enable it to get it running again.
And of course the site to site tunnel refused to stay up on it's own.

Mantis314

[mimugmail]

Hard to troubleshoot from remote, but you are also save and fast with IPsec :)