One Wireguard VPN tunnel does not start after upgrade to 22.1

Started by dmmincrjr, February 07, 2022, 03:09:08 AM

I wanted to do a fresh install of Opnsense to change to ZFS filesystem and thought this would be a good opportunity, so I made a backup of my config file and installed 22.1. I then uploaded the config file and thought everything went smoothly until I noticed 1 of the 2 tunnels I have was not active. I have not been able to figure out the problem, as I checked to make sure no spaces might have been in the secrets from the reinstall of the config. I even deleted the VPN configuration and reentered it, and that still did not resolve the problem. I also deleted the wg0.conf file as I thought that might remove any trace of the configuration before recreating the tunnel. After spending many hours trying to figure this out, I finally reinstalled 21.7 and upgraded to 21.7.8. I then reinstalled the config and rebooted and both tunnels were now active. I then attempted to upgrade in place from 21.7.8 to 22.1 and after the upgrade only 1 tunnel is active. It is the same tunnel wg0 that is not active. I did run wireguard restart from the command line and this is the output while running 22.1.

root@turnstone:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
[#] rm -f /var/run/wireguard/wg1.sock
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                                                                                          │
│   Running wireguard-go is not required because this                                       │
│   kernel has first class support for WireGuard. For                                           │
│   information on installing the kernel module,                                                   │
│   please visit:                                                                                                    │
│         https://www.wireguard.com/install/                                                         │
│                                                                                                                          │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 10.11.0.2/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.11.0.2/32 -interface wg0
[#] rm -f /var/run/wireguard/wg0.sock
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                                                                                         │
│   Running wireguard-go is not required because this                                      │
│   kernel has first class support for WireGuard. For                                          │
│   information on installing the kernel module,                                                  │
│   please visit:                                                                                                   │
│         https://www.wireguard.com/install/                                                        │
│                                                                                                                          │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
[#] ifconfig wg1 inet 10.11.3.2/24 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[#] route -q -n add -inet 10.11.3.1/32 -interface wg1
[#] route -q -n add -inet 192.168.60.0/24 -interface wg1
[+] Backgrounding route monitor
ifconfig: interface wg0 does not exist


I see for wg0 at the bottom this statement rm -f /var/run/wireguard/wg0.sock so it is deleting wg0 where normally there should be my route to an internal IP address of 192.168.0.0/24. I just don't know why it is breaking and the other VPN wg1 is working, as the configurations are similar. When I look at the other Opnsense machine on the other side of the VPN it is showing the connection but no traffic is passing and the handshake time just keeps increasing until I restart the wireguard service.

I do have two other sites running Opnsense and upgraded to 22.1 without issue a couple weeks ago so I know it should work. I also noticed right before posting this that the plugin for os-wireguard is showing misconfigured, so I don't know if that means anything, as a couple other plugins also show misconfigured. It is showing installed on the two other sites I have Opnsense running and all running os-wireguard 1.10. Also the hardware at all three sites is identical.

I'm not going to be able to be on site at the location until next weekend but wanted to try and have some things ready to try to fix the problem and need to have this VPN active, so any help to fix would be appreciated, as I reinstalled 21.7.8 again to have the VPNs working.

Same here, my site to site interface (wg1) disappeared on my wife's office router post 21.7 to 22.1 upgrade :-/

Fortunately, I still have the RoadWarrior configuration so I don't lose access but it's less convenient.

On my office side, wg1 interface is up and running. So I don't get why it worked on 1 router and not the other one as it should be also exactly the same hardware.

Hi,

I have the same problem. I upgraded to 22.1.1_3, but this did not fix the issue either. Did anybody find a fix for this problem?

I did finally figure out the problem and it was a configuration issue. In the Local tab of the configuration I had the Tunnel IP address as 10.11.0.2/24 and in the Allowed IPs in the Endpoints tab had 10.11.0.2/32, which caused a conflict. I also had 192.168.0.0/24 as the local network in the Allowed IPs on the other side of the tunnel. The Allowed IPs should have been 10.11.0.1/32 and once I made that change the tunnel worked. The misconfiguration though did work under the 21.7 series so I was assuming my configuration was correct even though it was not. The 22.1 series I guess is less forgiving of this type of configuration error. Unfortunately it took me a long time to figure out the problem, so I would go back and double check your configuration and not assume it was correct even if it worked in the 21.7 series. I also posted my resolution in another thread on the 22.1 Production Series forum, as that was a more active thread than this one discussing a similar Wireguard problem. Good luck.
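
A check for the misconfiguration described in the last post, as an added example that is not part of the original thread: it parses wg-quick style configuration text and reports any peer whose AllowedIPs lists the local tunnel address as a host route (the 10.11.0.2/32 case). The sample config, its placeholder keys and the endpoint name are constructed, and the file is assumed to follow wg-quick syntax.

```python
import ipaddress

# Constructed sample mirroring the thread; key and endpoint are placeholders.
SAMPLE_BAD = """\
[Interface]
PrivateKey = <placeholder>
Address = 10.11.0.2/24

[Peer]
PublicKey = <placeholder>
AllowedIPs = 10.11.0.2/32, 192.168.0.0/24
Endpoint = vpn.example.net:51820
"""
SAMPLE_FIXED = SAMPLE_BAD.replace("10.11.0.2/32", "10.11.0.1/32")

def parse_wg_conf(text):
    """Return (interface addresses, per-peer AllowedIPs) from wg-quick text."""
    addresses, peers, section = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = line.partition("=")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if section == "interface" and key.strip().lower() == "address":
            addresses += [ipaddress.ip_interface(v) for v in items]
        elif section == "peer" and key.strip().lower() == "allowedips":
            peers[-1] += [ipaddress.ip_network(v, strict=False) for v in items]
    return addresses, peers

def find_conflicts(text):
    """Report peers whose AllowedIPs holds our own tunnel IP as a host route."""
    addresses, peers = parse_wg_conf(text)
    hits = []
    for index, nets in enumerate(peers):
        for net in nets:
            for addr in addresses:
                if (net.version == addr.version
                        and net.prefixlen == net.max_prefixlen
                        and net.network_address == addr.ip):
                    hits.append((index, str(net), str(addr.ip)))
    return hits

if __name__ == "__main__":
    print(find_conflicts(SAMPLE_BAD), find_conflicts(SAMPLE_FIXED))
```

Only an exact host route equal to the local address is flagged; a wider AllowedIPs range that merely contains the local address (a /24 or 0.0.0.0/0) is not reported.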