two problems with multiple WG tunnels on 23.1.11

Started by crt333, July 29, 2023, 05:27:09 PM

My setup uses latest opnsense 23.1.11:
I have usual WAN, LAN, and 4 wireguard tunnels (WG1...WG4) all configured as gateways
I have VLANs that I connect to wireguard tunnels for different destinations (VLAN_WAN, VLAN_WG1, etc) using different wireless SSIDs.

This all works as desired, but I have 2 problems:

1) wg gateways don't reconnect on temp loss of WAN. When the WAN comes back, all the wireguard handshakes are restored, showing the wg connection exists, but all wg gateways are marked down forever

2) for some of the wg tunnels I'd like to do dns resolution in the tunnel, rather than using unbound. I've configured the DNS address in wireguard which didn't work. I can tell the VLAN DHCPv4 to use a specific public service and that does go through each tunnel properly, but I'd like to use the private resolution specified by the wireguard provider and I can't figure out how.

Any suggestions for either problem would be appreciated!

1) sounds like a gateway monitoring issue. Do the gateways come back up when you restart dpinger? Did you lock the wg interfaces?
2) DNS servers configured in the WireGuard settings don't apply to devices in the VLANs. You have to announce these DNS servers via DHCP instead.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on July 29, 2023, 05:48:40 PM
1) sounds like a gateway monitoring issue. Do the gateways come back up when you restart dpinger? Did you lock the wg interfaces?
2) DNS servers configured in the WireGuard settings don't apply to devices in the VLANs. You have to announce these DNS servers via DHCP instead.

thanks, here are my answers:
1) if I restart each dpinger it shows green briefly and then goes offline again. The wireguard handshakes look good, but the status tab shows last handshake more than 5 minutes before. If I apply wg config everything is happy again, but the handshake numbers change (persistent keepalive is 25 for all). The interfaces are locked, yes
2) I have that working, and can use cloudflare etc through each tunnel, but there would be privacy benefits to resolving in the tunnel, since these dhcp specified queries aren't encrypted
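The "last handshake more than 5 minutes before" symptom above is worth checking from the shell rather than eyeballing the status tab, because a peer that is still listed can have an expired session. The script below is an added example, not part of this thread or of OPNsense: it parses the tab-separated output of `wg show all dump` (interface lines carry 5 fields, peer lines 9, latest-handshake is Unix epoch seconds with 0 meaning never) and reports peers whose handshake is older than a threshold. The 180 s threshold is an assumption based on WireGuard's rekey timers (with a 25 s persistent keepalive a live peer re-handshakes within about 120 s, and a session is rejected after 180 s); the dump lines, keys, endpoints and reference time are constructed sample data.

```python
"""Flag WireGuard peers whose latest handshake is stale (added example)."""
import subprocess
import time
from dataclasses import dataclass

# Assumption: with persistent-keepalive 25 s a healthy peer re-handshakes
# within WireGuard's 120 s rekey window; older than REJECT_AFTER_TIME (180 s)
# means the session has expired even though the peer is still listed.
STALE_AFTER_SECONDS = 180


@dataclass
class Peer:
    interface: str
    public_key: str
    endpoint: str
    latest_handshake: int       # Unix epoch seconds, 0 = never
    persistent_keepalive: str   # "off" or the interval in seconds


def parse_wg_dump(text: str) -> list[Peer]:
    """Parse `wg show all dump` output into Peer records (interface lines skipped)."""
    peers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) == 5:
            # interface line: name, private-key, public-key, listen-port, fwmark
            continue
        if len(fields) != 9:
            raise ValueError(f"unexpected wg dump line: {line!r}")
        iface, pubkey, _psk, endpoint, _allowed, hs, _rx, _tx, keepalive = fields
        peers.append(Peer(iface, pubkey, endpoint, int(hs), keepalive))
    return peers


def stale_peers(text: str, now: int, max_age: int = STALE_AFTER_SECONDS):
    """Return (interface, age_seconds) for peers with a stale or missing handshake.

    age_seconds is None when the peer has never completed a handshake.
    """
    result = []
    for p in parse_wg_dump(text):
        age = None if p.latest_handshake == 0 else now - p.latest_handshake
        if age is None or age > max_age:
            result.append((p.interface, age))
    return result


# Constructed sample: one healthy tunnel, one with a 400 s old handshake,
# one that never handshook. Keys and endpoints are placeholders.
NOW = 1_690_646_400  # constructed reference time (Unix seconds)
SAMPLE_DUMP = "\n".join([
    "\t".join(["wg1", "PRIVKEY-PLACEHOLDER=", "PUBKEY-WG1-LOCAL=", "51820", "off"]),
    "\t".join(["wg1", "PUBKEY-WG1-PEER=", "(none)", "203.0.113.10:51820",
               "0.0.0.0/0", str(NOW - 40), "123456", "65432", "25"]),
    "\t".join(["wg2", "PRIVKEY-PLACEHOLDER=", "PUBKEY-WG2-LOCAL=", "51821", "off"]),
    "\t".join(["wg2", "PUBKEY-WG2-PEER=", "(none)", "203.0.113.20:51820",
               "0.0.0.0/0", str(NOW - 400), "123456", "65432", "25"]),
    "\t".join(["wg3", "PRIVKEY-PLACEHOLDER=", "PUBKEY-WG3-LOCAL=", "51822", "off"]),
    "\t".join(["wg3", "PUBKEY-WG3-PEER=", "(none)", "203.0.113.30:51820",
               "0.0.0.0/0", "0", "0", "0", "25"]),
])


if __name__ == "__main__":
    # Use the live dump when wg is available, otherwise the constructed sample.
    try:
        dump = subprocess.run(["wg", "show", "all", "dump"], capture_output=True,
                              text=True, check=True).stdout
        now = int(time.time())
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("wg not available here; using constructed sample data")
        dump, now = SAMPLE_DUMP, NOW
    for iface, age in stale_peers(dump, now):
        label = "never" if age is None else f"{age}s ago"
        print(f"{iface}: latest handshake {label} -> treat this gateway as down")
```

Running it on the sample reports wg2 (400 s) and wg3 (never); on a real box, a tunnel that shows up here while dpinger still marks the gateway down points at the tunnel itself, whereas a fresh handshake with a down gateway points at gateway monitoring.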

2) If you route everything coming from VLAN_WG1 through WG1, this includes DNS queries of course. Simply advertise your WireGuard provider's DNS servers via DHCP.
You don't need to configure DNS servers in the WireGuard settings at all.

I do route everything from the VLAN_WG1 through WG1, but I haven't come up with the correct way to pass dns through using dhcp. My various addresses are:
wireguard and interface: 10.13.101.237/24
provider wireguard dns: 10.8.0.1 (private, but not in 10.13.101.237/24)
vlan 192.168.10.1/24
dhcp DNS for vlan: ?


I had tried that and failed, but of course I needed a rule to allow it, and now it works. Thanks for pointing me in the right direction!