Wireguard issues after upgrades now lead to weird issues...

Started by theseus1980, April 11, 2024, 10:38:48 AM

Hello,

I've been using OPNsense happily for the past 2 years, but the last 2 releases raised Wireguard issues for me (see reddit issue I described here: https://www.reddit.com/r/opnsense/comments/1c0h163/wireguard_issues_since_update_to_2414/).

Following one comment, I decided to start from scratch and deleted all my Wireguard instances, linked interfaces and firewall rules (on the WAN) to have a "clean slate".

I took the "WireGuard Road Warrior Setup" guide and followed the instructions. As happened last time, when I tried to add a new Wireguard instance and interface my whole network went down. But this time, I didn't panic and investigated before restoring.

My findings:

- before I add the Wireguard interface linked to the Wireguard instance, everything works
- I create a new interface linked to the Wireguard instance
- all my access to the Internet is down, local network works fine
- in the "Log files" -> "Live view", I see ALL traffic going out of my local network on the Wireguard interface!
- I check the routes and one route has been added automatically (System -> Routes -> Status): 0.0.0.0/1 on the wg0 interface
- I delete the route (and also the remaining route from the previous Wireguard instances) -> I can ping outside based on IP address but I cannot resolve any Internet server name!
- I restarted Unbound -> nothing changed
- I restored previous backup

Here is some output of the ping (if that helps):

From a Linux machine:
ping google.com

PING google.com (142.250.179.206) 56(84) bytes of data.
From _gateway (10.0.69.1) icmp_seq=1 Destination Host Unreachable
From _gateway (10.0.69.1) icmp_seq=2 Destination Host Unreachable
From _gateway (10.0.69.1) icmp_seq=3 Destination Host Unreachable


From the OPNsense firewall directly:

ping google.com

PING google.com (142.250.179.206): 56 data bytes
ping: sendto: No route to host
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 c435   0 0000  40  01 05aa 10.0.100.1  142.250.179.206

ping: sendto: No route to host
92 bytes from 127.0.0.1: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
4  5  00 0054 828f   0 0000  40  01 4750 10.0.100.1  142.250.179.206


Of course, if I change the DNS on a local machine, it works, so somehow I completely lose the ability to resolve any name from the firewall when I add that interface. I added VLAN interfaces not so long ago and it worked fine (although I cannot recall if I was already on 24.1.4 when I did).

Can you please help me to understand and fix what's going on?
I really hope that after this is solved, I would be able to (re-)create a working Wireguard connection with my devices...

Hi,

For what it's worth, I'm struggling with what seems to be the exact same issue. First I thought I must have missed something obvious, but now I'm no longer ruling out that this is a bug. I added 0.0.0.0/0 to the AllowedIPs (in addition to the internal WG subnet), which then works for a while. Sometime during the night, OPNsense changed that route to 0.0.0.0/1 (??) and the Wireguard gateway (I intend to use Wireguard as one of the available gateways / WANs) went down.

I haven't put my finger on it yet, but am fairly sure that there is something not quite right with the Wireguard subsystem.

Jan
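Both posts describe the same symptom: an AllowedIPs entry of 0.0.0.0/0 on a peer makes the firewall install a 0.0.0.0/1 route on wg0, so all Internet traffic is pulled into the tunnel. As an added example (not code from either poster or from the OPNsense project), the Python script below parses a WireGuard configuration in wg(8) export style, flags any peer whose AllowedIPs is broader than the per-client /32 a road-warrior server should carry, and lists the routes such an entry installs. The sample config and keys are constructed placeholders, and the 0.0.0.0/1 + 128.0.0.0/1 split for a default-route entry is assumed from wg-quick's documented behaviour, which is consistent with the 0.0.0.0/1 route both posters saw.

```python
import ipaddress
# Constructed sample in wg(8) / OPNsense export style; keys are placeholders.
SAMPLE_CONF = """[Interface]
PrivateKey = <redacted>
[Peer]
# road-warrior laptop: correct, only its own tunnel address
PublicKey = <peer-key-1>
AllowedIPs = 10.10.10.2/32
[Peer]
# misconfigured: 0.0.0.0/0 on the server side pulls all traffic into wg0
PublicKey = <peer-key-2>
AllowedIPs = 10.10.10.3/32, 0.0.0.0/0
"""

def parse_peers(conf):
    """Return [(public_key, [ip_network, ...]), ...], one entry per [Peer]."""
    peers, section, key, nets = [], None, None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("["):  # section header
            if section == "Peer":
                peers.append((key, nets))
            section, key, nets = line.strip("[]"), None, []
            continue
        name, _, value = (s.strip() for s in line.partition("="))
        if section == "Peer" and name == "PublicKey":
            key = value
        elif section == "Peer" and name == "AllowedIPs":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    if section == "Peer":
        peers.append((key, nets))
    return peers

def routes_for(net):
    """Routes an AllowedIPs entry installs. Assumption (wg-quick behaviour): a
    default route becomes two /1s so it wins over the existing default route."""
    if net.prefixlen == 0:
        halves = ("0.0.0.0/1", "128.0.0.0/1") if net.version == 4 else ("::/1", "8000::/1")
        return [ipaddress.ip_network(h) for h in halves]
    return [net]

def audit(conf, min_prefixlen=8):
    """Flag AllowedIPs broader than /min_prefixlen (road-warrior peers need only /32s)."""
    return [(key, str(net), [str(r) for r in routes_for(net)])
            for key, nets in parse_peers(conf)
            for net in nets if net.prefixlen < min_prefixlen]
```

Running `audit()` over a config exported from the firewall before enabling the interface shows which peer would capture the default route, which is the check to make before the whole network disappears behind wg0.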