[SOLVED] Adding wg route fails returned exit code '1', the output was ''

Started by Dab1362, September 07, 2023, 02:43:23 PM

I've sent you the output via PM.

I've also tried to delete everything. tunnels, interfaces, gateway and firewall rules, and I've created everything again, but after the reboot, the same error shows up.

For the record, everything is working fine. dpinger is working, the gateway is up.... but for some reason I don't know, that's displayed in the Logs.

Quote from: furfix on October 12, 2023, 03:31:09 PM
I have "Disable Host Route" under System >> Gateways, but after a reboot the same error is shown.

2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.18.0.1' -iface 'wg2'' returned exit code '1', the output was ''
2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.20.0.1' -iface 'wg1'' returned exit code '1', the output was ''


VPN -> WireGuard -> Settings -> Instances -> Edit instance: If "Disable routes" is checked, it will cause the above quoted error.

In "advanced mode" of Edit instance, if you uncheck "Disable routes" but leave a filled "Gateway" IP address there, it will say "You have to enable Disable Routes option." A workaround: Remove/clear the "Gateway" IP first, uncheck "Disable routes", and Save, then re-open Edit instance to add the "Gateway" IP address back and Save. Now the UI will no longer force you to put a check mark on "Disable routes". This trick WILL eliminate the above quoted error; however, the system actually IGNORES your filled "Gateway" IP. The beautiful Gateway IP address is sitting there for nothing. It looks like the UI maker doesn't want "Unchecking 'Disable routes'" and "Filled 'Gateway' IP address" to coexist, just like he/she doesn't want a cat and a dog to coexist in a house. If you already have a cat, then the house doesn't allow you to bring in a dog. But if you already have a dog, the house allows you to bring in a cat? A UI bug to fix?

A lot of problems occur since OPNsense 23.7.6 no longer allows applying a Static IP to any WG tunnel Interface in the "Interfaces" management. If you have created a Gateway based on that WG interface (for monitoring status or for firewall rule use), without changing the WG interface's "IPv4 Configuration Type" to "Static IPv4", you lose the options to put the static "IPv4 address" and select the Gateway you created as the interface's "IPv4 Upstream Gateway". This will cause a series of problems in OPNsense. These are what I found so far:
1. Automatic rules of "Outbound" in "NAT" will not be generated correctly for the WG network. (You will have to create it manually. - Step 10 in https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html)
2. Automatic rules of "Floating" will not be generated correctly for the firewall host itself to use the WG Gateway (You will have to create it manually. - Step 9 in https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html)
3. In DDNS (ddclient) service, if you select the WG interface to detect external IP (check ip method: any ip-check provider), the firewall is not actually using the WG interface. (For my setup, it uses the WAN.) Therefore it will not grab your correct external IP through the WG VPN provider.

Before OPNsense 23.7.6, when you were able to specify the "Static IP" address and select the "Gateway" for the WG interface in "Interfaces" management, none of the 3 mentioned problems existed. The Outbound NAT rules and Floating rules were automatically and perfectly generated by the system, and the DDNS (ddclient) service's use of the WG tunnel interface to detect the external IP was working fine.

Essentially, without the "Static IP" and assigned "Gateway" for the WG interface, OPNsense is not treating the WG interface correctly, even with WG VPN connected.
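As an added example for the log lines quoted above (not code from this thread or from OPNsense): route(8) is invoked with -q, which suppresses its own diagnostic, so the log only ever shows exit code 1 and an empty output. A common reason for that exit code is that the host route is already in the table, but the log alone cannot tell you. The script below pulls the interface and destination out of each failing "route add" line and checks them against a routing table, so you can see which of the two cases you have before touching the instance settings. The log excerpt and the netstat output are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example, not OPNsense code: triage the
# "route ... returned exit code '1', the output was ''" log lines.
# route(8) runs with -q, so the real error text is never logged; a common
# cause of exit 1 is that the host route already exists. Pull the interface
# and destination from each error and check them against a routing table.

# Constructed sample of the wireguard log (same format as the thread).
LOG=$(cat <<'EOF'
2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.18.0.1' -iface 'wg2'' returned exit code '1', the output was ''
2023-10-12T15:28:00 Error wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add '-4' '10.20.0.1' -iface 'wg1'' returned exit code '1', the output was ''
2023-10-12T15:28:01 Notice wireguard wireguard instance wg1 (re)configured
EOF
)

# Constructed stand-in for `netstat -rn -f inet` on the firewall:
# the wg2 host route is already present, the wg1 one is not.
TABLE=$(cat <<'EOF'
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS      vtnet0
10.18.0.1          link#5             UHS         wg2
10.20.0.0/24       link#4             US          wg1
EOF
)

# failed_routes LOGTEXT -> one "IFACE DEST" line per failing route add
failed_routes() {
    printf '%s\n' "$1" | sed -n \
        "s/.*route -q -n add '-4' '\([^']*\)' -iface '\([^']*\)'.*returned exit code '1'.*/\2 \1/p"
}

# route_present TABLETEXT DEST IFACE -> exit 0 if a route for DEST on IFACE exists
route_present() {
    printf '%s\n' "$1" | awk -v d="$2" -v i="$3" \
        '$1 == d && $4 == i { found = 1 } END { exit found ? 0 : 1 }'
}

# triage LOGTEXT TABLETEXT -> one verdict line per failing route add
triage() {
    failed_routes "$1" | while read -r iface dest; do
        if route_present "$2" "$dest" "$iface"; then
            echo "$iface $dest: already in table, the add is a harmless duplicate"
        else
            echo "$iface $dest: missing, check: route -n get $dest; ifconfig $iface"
        fi
    done
}

triage "$LOG" "$TABLE"
```

On a real box, replace the two constructed variables with `grep wg-service-control /var/log/wireguard/latest.log` (path assumed) and `netstat -rn -f inet`; the "already in table" case is the one where the error is cosmetic and the tunnel keeps working, as the posts above describe.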

Could it be that the undefined way of setting a static IPv4 mode on the wireguard assigned interface is causing this?

Here is a relevant support effort: https://github.com/opnsense/core/issues/6934

Functionally there is nothing wrong with setting the tunnel address in the wireguard setting which ends up as the static IPv4 anyway. The go implementation may have had a number of restrictions in the past that caused this problem to appear and pop up in suboptimal workarounds in tutorials.


Cheers,
Franco

"Could it be that the undefined way of setting a static IPv4 mode on the wireguard assigned interface is causing this?"

Yes, I can confirm that was the root cause for a lot of buggy things related to WG in 23.7.6.


"Functionally there is nothing wrong with setting the tunnel address in the wireguard setting which ends up as the static IPv4 anyway."

Well, it's Yes and No...
Functionally there is nothing wrong with setting the tunnel address in the WireGuard setting for the WireGuard VPN to work normally, but not for some other important features in OPNsense to recognize and utilize the WG assigned Interface correctly.

For example, users can no longer use the DDNS (ddclient) service to check their public IPs THROUGH THE WIREGUARD INTERFACE (whether in "ddclient" or "native" mode). They can still select the WG Interface as the interface to use, but the IP-checking traffic is actually going out through the WAN Interface/IP, which leads to DDNS grabbing the public IPs of the direct Internet connection instead of the public IPs through the WireGuard VPN.

My test shows that if I DISABLE the WG Interface while keeping the WireGuard VPN CONNECTED, then DDNS (ddclient) / OPNsense (native) will start to truly use the WG Interface/IP as the Source (even though it's been disabled) to go out to the IP-checking Web/URL to figure out its public IPs, and become working correctly. But unfortunately we simply cannot keep the WG Interface disabled all the time, as we have to use/refer to it in many Firewall rules.

> Functionally there is nothing wrong with setting the tunnel address in the WireGuard setting for the WireGuard VPN to work normally, but not for some other important features in OPNsense to recognize and utilize the WG assigned Interface correctly.

You can still assign the interface and create a gateway for it, no? You can also set "Dynamic gateway policy" and see if that works for you.

While it's true that NAT was set up automatically in this case, the gateway and the IPv4 mode adjustments are more or less the same amount of work to set up the manual/hybrid NAT which is more straightforward/explicit anyway.

Keep in mind that WireGuard has had a complicated history on FreeBSD with Go version, first kernel version being removed, then ports tree kernel version, then base kernel version again and the plugin has been a community effort by Michael for all these years since 2019 so bringing it into the core like you would expect it from OpenVPN or IPsec is a little bit of work on both sides (user and development) to get to that point. It's been a long road. :)

Last bit is updating the official documentation and we will be all set for 24.1.


Cheers,
Franco

Can someone dumb-down the explanation of the/a work-around for WG site-to-site? WG used to work great until a couple releases ago for me. Now it's not at all...same issues as what is provided in this thread. Greatly appreciated!



OpnSense to OpnSense

I have 1 site that is the main site and it connects to 3 remote sites.
The main site has been upgraded and since 'broke' all WG VPNs.
In testing on 2 of the remote sites, I'm easily able to make WG VPNs between them, however I cannot make any WG VPN work on the main site. No handshakes and the "Adding wg route fails returned exit code '1'..." error in the logs as well....

Do you have the IP and GW set on the WG interface(s)?

This should get you going. If it works, apply the same changes on the other sites before upgrading.


https://forum.opnsense.org/index.php?topic=36403.msg177980#msg177980


I see the same error since the upgrade. Before the upgrade I just added the VPN with the routes checkbox and all was fine. Since the update, I had some problems. The VPN was up but the firewall was blocking specific traffic until I connected to the remote site once (just ssh) and then all was fine ...

Now I've disabled auto routes, created interface and gateway and apart from the annoying log message, all is fine.

Quote from: newsense on October 19, 2023, 03:14:11 AM
Do you have the IP and GW set on the WG interface(s)?

This should get you going. If it works, apply the same changes on the other sites before upgrading.


https://forum.opnsense.org/index.php?topic=36403.msg177980#msg177980

I have the WG tunnel address set....I cannot set the IP/GW on the interface as it says I cannot assign an IP to a tunnel.

Correct, and you can actually assign as many tunnel addresses as you need.


Cheers,
Franco