WireGuard 2.0 connection down

Started by logan23, August 31, 2023, 04:33:39 PM

Hi,

I've just upgraded my router to WireGuard 2.0, OPNsense 23.7.3.

For some reason, the WireGuard connection to my VPN server provider (Mullvad) doesn't work anymore.
My endpoint sends data to negotiate the handshake but doesn't receive any data.

What's wrong??

Thanks

There seems to be a bug when adding a route in the latest opnsense code.

in /usr/local/opnsense/Wireguard/wg-service-control.php
line 87

    } elseif (!empty((string)$server->gateway)) {
        /* Only bind the gateway ip to the tunnel */
        $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6 ";
        mwexecf('/sbin/route -q -n add -%s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
    }

The mwexecf line has a bug in it, causing the IP prefix to have an extra - in it.
I fixed the bug by changing the line to:
    mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
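To make the one-character difference concrete, here is an added PHP illustration (not OPNsense code) of how the format string and the $ipprefix value combine into the route(8) argument list. buildRouteArgv is a hypothetical stand-in for the sprintf-then-execute step that mwexecf performs, and the tunnel address, gateway and interface names are constructed sample values.

```php
<?php
// Added illustration, not OPNsense code: how the route(8) arguments are assembled.
// The address-family test is the same one the original applies to the tunnel address.
function ipPrefix(string $tunneladdress): string
{
    // "-4" for IPv4, "-6" for IPv6, without a trailing space so the flag is passed whole.
    return strpos($tunneladdress, ':') === false ? '-4' : '-6';
}

// Hypothetical stand-in for mwexecf's formatting step: expand the format and argument
// list into the argv /sbin/route would receive. Nothing is executed here.
function buildRouteArgv(string $format, array $args): array
{
    return preg_split('/\s+/', trim(vsprintf($format, $args)));
}

// The address-family flag sits at index 4 (after /sbin/route -q -n add) and must be
// exactly -4 or -6; anything else is what the doubled dash produced.
function hasValidFamilyFlag(array $argv): bool
{
    return in_array($argv[4], ['-4', '-6'], true);
}

$tunneladdress = '10.64.0.2/32'; // constructed sample tunnel address
$gateway       = '10.64.0.1';    // constructed sample peer-side gateway
$iface         = 'wg1';          // constructed sample interface name

// Format string as shipped with the bug: the literal '-' before %s doubles the dash.
$buggy = buildRouteArgv('/sbin/route -q -n add -%s %s -iface %s',
    [ipPrefix($tunneladdress), $gateway, $iface]);

// Corrected format string: $ipprefix already carries its own dash.
$fixed = buildRouteArgv('/sbin/route -q -n add %s %s -iface %s',
    [ipPrefix($tunneladdress), $gateway, $iface]);

echo implode(' ', $buggy), ' => ', hasValidFamilyFlag($buggy) ? 'ok' : 'bad flag', "\n";
echo implode(' ', $fixed), ' => ', hasValidFamilyFlag($fixed) ? 'ok' : 'bad flag', "\n";
```

Running it prints the defective argument vector with --4 flagged as bad and the corrected one with -4 flagged as ok, which is the check to apply when comparing the line on your own box against the version in this post.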
           

Thanks for your reply but what can I do to get my connection back??

I fixed the bug by updating line 91.

in "System: Settings: Administration"

I tried "Secure Shell Server: X Enable Secure Shell"

but got this error message:

The following input errors were detected:
    Certificate Web GUI SSL certificate is not intended for server use.

ok I finally was able to ssh my OPNsense.

However, I was surprised NOT to find the dash character you mentioned above.

Here is my script file and it still doesn't work:

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php

     83         foreach ($routes_to_add as $ipproto => $routes) {
     84             foreach (array_unique($routes) as $route) {
     85                 mwexecf('/sbin/route -q -n add -%s %s -interface %s', [$ipproto,  $route, $server->interface]);
     86             }
     87         }
     88     } elseif (!empty((string)$server->gateway)) {
     89         /* Only bind the gateway ip to the tunnel */
     90         $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6";
     91         mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
     92     }

There have been two hotfixes since. Try to update first.


Cheers,
Franco

As of the time of writing, I applied all updates. WireGuard does not work on any VPN provider. The whole issue started for me yesterday after the last update round.

The wg interface does handshake and shows as green in the dashboard. It worked for the past 5 months.

Quote from: logan23 on August 31, 2023, 07:08:15 PM
ok I finally was able to ssh my OPNsense.

However, I was surprised NOT to find the dash character you mentioned above.

Here is my script file and it still doesn't work:

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php

     90         $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6";
     91         mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
     92     }


On my box, line #91 looks the same, no dash.

Quote from: worst_version on September 02, 2023, 01:44:43 AM
As of the time of writing, I applied all updates. WireGuard does not work on any VPN provider. The whole issue started for me yesterday after the last update round.

The wg interface does handshake and shows as green in the dashboard. It worked for the past 5 months.

Careful reporting 3rd party VPN issues as OPNsense issues. Sometimes servers change, are decommissioned or down for an extended period of time. When the server is back it may happen to have different keys altogether.

Your VPN provider should have a status page listing the servers.

Quote from: newsense on September 02, 2023, 02:03:05 AM
Quote from: worst_version on September 02, 2023, 01:44:43 AM
As of the time of writing, I applied all updates. WireGuard does not work on any VPN provider. The whole issue started for me yesterday after the last update round.

The wg interface does handshake and shows as green in the dashboard. It worked for the past 5 months.

Careful reporting 3rd party VPN issues as OPNsense issues. Sometimes servers change, are decommissioned or down for an extended period of time. When the server is back it may happen to have different keys altogether.

Your VPN provider should have a status page listing the servers.

Nope. Verified there are no issues with VPN providers.

I installed 23.1 "Quintessential Quail" [23.1.10] and just set up VPNs with the same configuration. The issue of not connecting to the VPN provider is due to 23.7 "Restless Roadrunner" [23.7.3], probably related to WG 2.0.

I set up a 2nd box with 23.7.3, maybe we can debug...