23.1.7 broke wireguard routing

Started by keropiko, May 09, 2023, 11:48:04 PM

Hello, after upgrade to 23.1.7 (and also _3 update) my wireguard routings that used to work with wireguard gateways setup stopped working without any change to my settings.

Same here. A quick
"opnsense-revert -r 23.1.6 opnsense"
fixed it temporarily after I found no other solution in a few hours. WireGuard does successfully connect to the other OPNsense (the handshake is working), but after that nothing happens, as if somehow all the routing was gone.

It could be duplicated gateway_item entries in config.xml. Here is a patch to diagnose:

https://github.com/opnsense/core/commit/c1784ad1ad5e

# opnsense-patch c1784ad1ad5e


Cheers,
Franco

May 12, 2023, 02:06:56 PM #3 Last Edit: May 12, 2023, 04:30:44 PM by keropiko
Hi Franco, thanks for the reply.

I installed the patch; nothing in the gateway logs. The strange thing is that, out of 4 WireGuard tunnels, routing is not working for two of them after the upgrade, without any configuration change.

In System -> Routes -> Status, if I type wg I see only 2 of the 4 WireGuard tunnels.
All tunnels have the same initial configuration and NAT/firewall rules (different providers).
Everything worked perfectly before the update.

wg0 and wg2 are working; wg1 and wg3 routing is not working.

The strange thing is that even for the wg tunnels where routing is not working, the gateway monitor works okay.

---

The only "warning" I have in the gateway logs is

"Warning   dpinger   WAN_DHCP xx.xx.xx.xx: duplicate echo reply received"

This is both for my wan_pppoe connection (which used to be DHCP) and for the two tunnels, wg1 and wg3, where routing is not working.
This "warning" is not present for the other tunnels or WANs I have in my multi-WAN setup.
Don't know if it is relevant.

With the patch installed run:

# /usr/local/etc/rc.routing_configure

And then grep for error condition:

# opnsense-log | grep duplicated


Cheers,
Franco

Installed the patch, ran the commands and got an empty reply.

May 13, 2023, 12:50:51 PM #6 Last Edit: May 13, 2023, 02:13:26 PM by keropiko
-Update-

I think I temporarily resolved it by setting, on the WireGuard interface where I had routing problems, IPv4 to "STATIC" instead of "NONE", with the tunnel's (local) IP as the address and the WireGuard gateway I had created as the gateway, and then, in the firewall rules of the OPNsense networks that need to reach the WireGuard internal network, choosing the gateway I created for WireGuard instead of "default".

Now it seems to work. Before the update none of this was needed; routing was working with just a static route for the WireGuard internal network (also per the OPNsense guides).

What I don't understand is why, if I set a static route for the tunnel's internal network using the manual WireGuard gateway, routing does not work and I have to change the gateway in the firewall rules too, from default to the manual WireGuard gateway. :/

Thanks, changed it here also. Maybe it is better to have static IPv4 and IPv6 on WireGuard, i.e. manual config, over auto "none" and "default". I think I'll keep it this way :-)
Deciso DEC850v2

We have the same issue. Static routing is not working for "IPsec - Route based setup" after the upgrade to 23.1.7.
How can we fix this issue?
Thank you.

May 13, 2023, 09:19:21 PM #9 Last Edit: May 13, 2023, 09:22:36 PM by boersencrash
The patch c1784ad1ad5e and the following search for duplicates didn't find anything.
However, I found these entries in my warning log after reboot:

2023-05-13T21:06:35 Error opnsense /usr/local/etc/rc.routing_configure: The command '/sbin/route add -host -'inet' '10.100.0.1' '10.100.0.9'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add host 10.100.0.1: gateway 10.100.0.9 fib 0: Network is unreachable'
2023-05-13T21:06:35 Error opnsense /usr/local/etc/rc.routing_configure: The command '/sbin/route add -host -'inet' '10.100.0.1' '10.100.0.9'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add host 10.100.0.1: gateway 10.100.0.9 fib 0: Network is unreachable'
2023-05-13T21:06:24 Warning opnsense /usr/local/etc/rc.bootup: The required WireGuard_GW IPv4 interface address could not be found, skipping.
2023-05-13T21:06:22 Error opnsense /usr/local/etc/rc.bootup: The command '/bin/kill -'TERM' '69570'' returned exit code '1', the output was 'kill: 69570: No such process'
2023-05-13T21:06:16 Error opnsense /usr/local/etc/rc.bootup: Unable to configure nonexistent interface opt10 (wg0)
2023-05-13T21:06:15 Error opnsense /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'bce0_vlan4' media '1000baseT' mediaopt 'full-duplex'' returned exit code '1', the output was 'ifconfig: SIOCSIFMEDIA (media): Invalid argument'
2023-05-13T21:06:15 Error opnsense /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '10.0.10.103' 'xxxxxxxxxxxxx'' returned exit code '1', the output was 'arp: writing to routing socket: No such process arp: 10.0.10.103: No such process'
2023-05-13T21:06:15 Error opnsense /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '10.0.10.102' 'xxxxxxxxxxxxx'' returned exit code '1', the output was 'arp: writing to routing socket: No such process arp: 10.0.10.102: No such process'
2023-05-13T21:06:15 Error opnsense /usr/local/etc/rc.bootup: The command '/usr/sbin/arp -s '10.0.10.100' 'xxxxxxxxxxxxx'' returned exit code '1', the output was 'arp: writing to routing socket: No such process arp: 10.0.10.100: No such process'
2023-05-13T21:06:15 Error opnsense /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'bce0_vlan20' media '1000baseT' mediaopt 'full-duplex'' returned exit code '1', the output was 'ifconfig: SIOCSIFMEDIA (media): Invalid argument'


Reverting to 23.1.6 via "opnsense-revert -r 23.1.6 opnsense" immediately fixes the WireGuard issues; patching to 23.1.7 brings them back.
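An added triage helper, not part of the thread or of OPNsense, that ties together Franco's "grep for duplicated" check and the bootup errors boersencrash posted: it scans a saved copy of the system log and pulls out the gateways whose host route failed with "Network is unreachable", the gateways whose interface had no IPv4 address when routes were applied (the symptom keropiko's STATIC-address workaround addresses), and WireGuard devices that did not exist yet when OPNsense tried to configure them. The script name, the function names and the sample log lines are assumptions of this example; the sample is constructed from the patterns quoted in the thread, with the "duplicate echo reply" dpinger line included to show it does not match Franco's "duplicated" check.

```shell
#!/bin/sh
# triage_wg_routing.sh (hypothetical name): added example, not OPNsense code.
# Scans an exported system log for the four symptoms discussed in the thread:
#   1. "duplicated" hits from Franco's c1784ad1ad5e diagnostic patch
#   2. /sbin/route add failures ending in "Network is unreachable" (and their gateway)
#   3. "The required <GW> IPv4 interface address could not be found" warnings
#   4. "Unable to configure nonexistent interface optN (wgN)" errors
# On a firewall, capture the log first and then run the script on it:
#   opnsense-log > /tmp/system.log
#   sh triage_wg_routing.sh /tmp/system.log

# Gateways the routing script could not install a host route through.
# rc.routing_configure logs the command as:
#   '/sbin/route add -host -'inet' '<dest>' '<gateway>''  ...  'Network is unreachable'
# so the gateway is the second quoted field after -'inet'.
unreachable_gateways() {
    grep "rc.routing_configure" "$1" \
      | grep "Network is unreachable" \
      | sed -n "s/.*route add -host -'inet' '[^']*' '\([^']*\)'.*/\1/p" \
      | sort -u
}

# Gateway names whose interface had no IPv4 address when routes were applied.
# A gateway on an address-less interface cannot be resolved to a link, which is
# exactly why the host route through it fails with "Network is unreachable".
missing_iface_address_gateways() {
    sed -n "s/.*The required \([^ ]*\) IPv4 interface address could not be found.*/\1/p" "$1" \
      | sort -u
}

# WireGuard devices OPNsense tried to configure before the kernel had created them.
nonexistent_wg_interfaces() {
    sed -n "s/.*Unable to configure nonexistent interface \([^ ]*\) (\(wg[0-9]*\)).*/\1 (\2)/p" "$1" \
      | sort -u
}

# Number of "duplicated" hits, i.e. Franco's check for duplicate gateway_item entries.
# grep -c exits 1 when the count is 0, so swallow that to keep "set -e" callers happy.
count_duplicated() {
    grep -c "duplicated" "$1" || true
}

# Human-readable summary of all four checks.
triage() {
    printf 'duplicated gateway_item hits : %s\n' "$(count_duplicated "$1")"
    printf 'unreachable route gateways   : %s\n' "$(unreachable_gateways "$1" | tr '\n' ' ')"
    printf 'gateways lacking iface addr  : %s\n' "$(missing_iface_address_gateways "$1" | tr '\n' ' ')"
    printf 'nonexistent wg interfaces    : %s\n' "$(nonexistent_wg_interfaces "$1" | tr '\n' ' ')"
}

# Constructed sample log (modelled on the lines quoted in the thread) so the
# script can be exercised offline. Prints the path of the temporary file.
make_sample_log() {
    sample_path=$(mktemp)
    cat > "$sample_path" <<'EOF'
2023-05-13T21:06:35 Error opnsense /usr/local/etc/rc.routing_configure: The command '/sbin/route add -host -'inet' '10.100.0.1' '10.100.0.9'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add host 10.100.0.1: gateway 10.100.0.9 fib 0: Network is unreachable'
2023-05-13T21:06:35 Error opnsense /usr/local/etc/rc.routing_configure: The command '/sbin/route add -host -'inet' '10.100.0.1' '10.100.0.9'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add host 10.100.0.1: gateway 10.100.0.9 fib 0: Network is unreachable'
2023-05-13T21:06:24 Warning opnsense /usr/local/etc/rc.bootup: The required WireGuard_GW IPv4 interface address could not be found, skipping.
2023-05-13T21:06:16 Error opnsense /usr/local/etc/rc.bootup: Unable to configure nonexistent interface opt10 (wg0)
2023-05-13T21:06:15 Error opnsense /usr/local/etc/rc.bootup: The command '/sbin/ifconfig 'bce0_vlan4' media '1000baseT' mediaopt 'full-duplex'' returned exit code '1', the output was 'ifconfig: SIOCSIFMEDIA (media): Invalid argument'
2023-05-13T21:05:50 Warning dpinger WAN_DHCP 192.0.2.1: duplicate echo reply received
EOF
    echo "$sample_path"
}

# Run the summary when a log path is given on the command line.
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

On the constructed sample the summary shows no "duplicated" hits, one unreachable gateway (10.100.0.9), WireGuard_GW as the gateway without an interface address, and opt10 (wg0) as the device that did not exist at configure time; that combination points at the interface-address problem rather than at the duplicate-entry bug Franco's patch looks for.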