multiple wireguard instances not routing

Started by Tadeus99, November 28, 2024, 04:53:43 PM

OPNsense 24.7.9_1-amd64


This is based on the OPNsense docs on azire-vpn road warrior example.

The OPNsense router has 3 LAN Ethernet ports, each for a different lanX subnet exiting to a gateway that is a wgX tunnel. Each wgX tunnel has different wg keys, is connected to a different server and shows a handshake time, appearing to be connected.

All works in the first lan. The other 2 have no traffic going thru.

The routing table only shows entries for the lan0 tunnel.


Proto  Destination   Gateway  Flags  Use  MTU   Netif  Netif (name)
ipv4   0.0.0.0/1     link#9   US     NaN  1420  wg0    wireguard lan0
ipv4   10.0.0.0/8    link#9   U      NaN  1420  wg0    wireguard lan0
ipv4   128.0.0.0/1   link#9   US     NaN  1420  wg0    wireguard lan0

WireGuard logs show errors in all 3 opt interfaces:

2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt3 interface gateway address: 'missing'
2024-11-28T14:04:52   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt4 interface gateway address: 'missing'
2024-11-28T13:59:39   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt5 interface gateway address: 'missing'

But they only show this for lan1 and lan2; lan0 connects and works fine:

2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''
2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''

2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''
2024-11-28T14:07:11   Error   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''

If any of the 3 WireGuard connections is enabled while disabling the other 2, that port/LAN/connection works and traffic goes thru. Meaning the WireGuard keys, ports, etc. and OPNsense firewall rules would be ok.

Hoping for some ideas on why the routing table only shows 1 out of 3 wg connections.
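As an added diagnostic example (not code from the post or from OPNsense), this Python script parses a routing-table dump and wg-service-control.php failure lines in the formats shown above and reports, for each failed route add, which interface already holds that prefix. The sample routing rows and log lines are constructed from the post, with the column layout and regex assumed from what it shows.

```python
import re

# Constructed sample input, shaped like the post's routing-table dump and the
# wg-service-control.php error lines (columns trimmed to the fields used here).
ROUTES = """\
ipv4 0.0.0.0/1   link#9 US NaN 1420 wg0
ipv4 10.0.0.0/8  link#9 U  NaN 1420 wg0
ipv4 128.0.0.0/1 link#9 US NaN 1420 wg0
"""
LOG = """\
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan2'' returned exit code '1', the output was ''
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '128.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''
2024-11-28T14:07:11 Error wireguard wg-service-control.php: The command '/sbin/route -q -n add -'inet' '0.0.0.0/1' -interface 'lan1'' returned exit code '1', the output was ''
"""

# Matches the quoted route(8) command the script logs on failure (assumed format).
ROUTE_ADD = re.compile(
    r"route -q -n add -'inet' '([^']+)' -interface '([^']+)'' returned exit code '(\d+)'"
)

def parse_routes(text):
    """Map destination prefix -> interface from a 'Proto Destination ... Netif' dump."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0] == "ipv4":
            table[f[1]] = f[6]
    return table

def failed_route_adds(text):
    """Return (prefix, interface) for each 'route add' logged with a non-zero exit code."""
    found = []
    for line in text.splitlines():
        m = ROUTE_ADD.search(line)
        if m and m.group(3) != "0":
            found.append((m.group(1), m.group(2)))
    return found

def explain_conflicts(routes, failures):
    """For each failed add, name the interface that already holds the same prefix.
    A prefix such as 0.0.0.0/1 or 128.0.0.0/1 can exist only once in the table, so a
    second tunnel trying to install its own pair fails while the first keeps them."""
    return {(prefix, iface): routes.get(prefix) for prefix, iface in failures}

if __name__ == "__main__":
    for (prefix, iface), owner in explain_conflicts(parse_routes(ROUTES), failed_route_adds(LOG)).items():
        print(f"{prefix} for {iface}: already routed via {owner or 'nothing'}")
```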

If your intent is to have each LAN use a different VPN, you probably want to use the "Disable routes" option for your WireGuard instances, and use policy-based routing. https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html for the general direction....