OpnSense after three months use

Started by tverweij, October 04, 2023, 10:26:37 PM


Quote from: Monviech on October 11, 2023, 05:09:27 PM
Keepalive has to be set on the wireguard peer that is behind NAT. That means, it's almost always the client peer, almost never the OPNsense peer. So the current default in the OPNsense is the default that Wireguard calls best practice.

https://www.wireguard.com/quickstart/

Quote
Because NAT and stateful firewalls keep track of "connections", if a peer behind NAT or a firewall wishes to receive incoming packets, he must keep the NAT/firewall mapping valid, by periodically sending keepalive packets. This is called persistent keepalives. When this option is enabled, a keepalive packet is sent to the server endpoint once every interval seconds. A sensible interval that works with a wide variety of firewalls is 25 seconds. Setting it to 0 turns the feature off, which is the default, since most users will not need this, and it makes WireGuard slightly more chatty.

The value of 25 seconds is used because the UDP state/session timeout in most firewalls is 30 seconds. So if the mobile phone of a roadwarrior wireguard user sends a packet every 25 seconds to the opnsense, their own "socket" will stay open for the return packets.

EDIT:

I think most problems come from users who choose wireguard because they think it's easier to use. That means fewer users will choose ipsec, and thus there are fewer people having problems with it (ipsec), since they don't use it.

But here is an example that even a very simple wireguard setup can pose a big challenge because some vendors like AVM implement it badly: https://forum.opnsense.org/index.php?topic=36273.0

Sorry even more EDIT:

There's also the thing about Wireguard not using TCP-MSS Clamping by default. That creates a lot of hard to troubleshoot scenarios too. https://github.com/opnsense/docs/pull/498

I've been behind NAT using WG in a road warrior setup the entire time. Previously, the WG tunnel would reconnect whenever new traffic was sent down it. After an OPNSense update, that was no longer the case and Keepalive 25 became required to prevent the connection from dropping and requiring a reconnect. So I don't believe this is due to NAT.

I'll try to remember to dig back through my history and see if I can determine roughly which update caused the change. If I get time I'll try testing with 0 as well, but I'll be surprised if that works considering the recent forum posts.
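As an added illustration of the NAT mapping argument quoted above (example code, not part of the thread or of OPNsense), the following Python simulates a stateful firewall's UDP entry for the client's WireGuard socket. It assumes the 30-second idle timeout and the 25-second keepalive from the quoted post and uses a constructed event timeline; it shows which packets from the OPNsense side reach a client behind NAT with no keepalive, with 25 s, and with an interval longer than the timeout.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class NatMapping:
    """One UDP state entry a NAT/stateful firewall keeps for the client's WireGuard socket."""
    timeout: float                       # idle seconds before the firewall discards the entry
    last_seen: Optional[float] = None    # time of the last outbound packet; None = no entry yet

    def outbound(self, now: float) -> None:
        # Any outbound packet (handshake, data, keepalive) creates or refreshes the entry.
        self.last_seen = now

    def inbound_allowed(self, now: float) -> bool:
        # Return traffic is only forwarded while the entry is still within its idle timeout.
        return self.last_seen is not None and (now - self.last_seen) < self.timeout


def simulate(events, nat_timeout: float = 30.0, keepalive: int = 0) -> dict:
    """events: list of (time_seconds, 'out' | 'in') as seen on the client's socket.
    keepalive > 0 injects an outbound keepalive at 0, keepalive, 2*keepalive, ...
    Returns {time: delivered?} for every inbound packet."""
    horizon = max(t for t, _ in events)
    timeline = list(events)
    if keepalive > 0:
        timeline += [(k * keepalive, "out") for k in range(int(horizon // keepalive) + 1)]
    timeline.sort()  # 'in' sorts before 'out': a packet arriving at the same instant sees the old state
    mapping = NatMapping(timeout=nat_timeout)
    delivered = {}
    for t, direction in timeline:
        if direction == "out":
            mapping.outbound(t)
        else:
            delivered[t] = mapping.inbound_allowed(t)
    return delivered


def dropped_inbound(events, nat_timeout: float = 30.0, keepalive: int = 0) -> list:
    """Times at which a packet from the OPNsense side would be silently dropped by the NAT."""
    return sorted(t for t, ok in simulate(events, nat_timeout, keepalive).items() if not ok)


# Constructed timeline (assumption, not captured traffic): handshake at 0 s, reply at 1 s,
# two unsolicited server-side packets at 33 s and 45 s, new client traffic at 120 s, reply at 121 s.
EVENTS = [(0, "out"), (1, "in"), (33, "in"), (45, "in"), (120, "out"), (121, "in")]

if __name__ == "__main__":
    for ka in (0, 25, 35):
        print(f"keepalive={ka:2d}s -> dropped inbound at {dropped_inbound(EVENTS, keepalive=ka)}")
```

With keepalive 0 the packets at 33 s and 45 s are lost until the client itself sends again at 120 s, which is the "reconnects when new traffic is sent" behaviour; with 35 s the entry has already expired before the second keepalive, so only an interval below the firewall timeout keeps every inbound packet deliverable.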