Wireguard flakey

[whit]

After setting up Wireguard between a new OPNsense appliance and a Linux server that's rock-solid with Wireguard connections to other Linux devices, it only intermittently works. Strangely, it will work to allow connections from the Linux end both to the Wireguard IP on the OPNsense box, and to the LAN behind it, but only for a while. After it fails for both, if I then go to the VPN:Wireguard > Endpoints page and simply press "Save" it starts working again. But after a few minutes it sometimes fails. The "List Configuration" tab however shows it as active nonetheless. Sometimes it does seem to recover on its own.

I've not seen the like between Linux Wireguard machines flake in this way. Both ends are on public IPs, and configured explicitly with those IPs.

[mimugmail]

Did you set short keepalives?

[whit]

Define "short". I haven't needed keepalives at all between Linux systems provided they're on public IPs, as is this case. Last I looked the Wireguard docs only recommend keepalives when one end is behind a NAT. In this case I had a keepalive initially at 10 minutes from the OPNsense side. Then I moved that down to 25 seconds, and also added one initiated from the Linux end, also at 25 seconds. That has kept the tunnel up overnight. So the OPNsense implementation is more dependent on keepalives in general, or else dependent on keepalives being initiated from the other side, or both.

[mimugmail]

wireguard implementation on FreeBSD doesn't have too many active users .. there may be some problems. One of them was those so we added a keepalive field

[whit]

Since adding keepalives on both ends, WireGuard has behaved well.

[mimugmail]

Great, thanks for your feedback