Wireguard plugin stopped working

Started by scubbo, June 06, 2022, 06:03:24 AM

I followed this guide to set up Wireguard on OPNsense. I was able to successfully connect to the VPN both from my Android phone and from my Macbook. However, a couple of days ago, something changed and, whenever either client tries to access the Internet via this VPN, the requests fail.

Debugging information:
// Commands on OPNSense

# grep -irl 'wireguard' /var/log
/var/log/audit/audit_20220605.log
/var/log/audit/latest.log
/var/log/audit/audit_20220423.log
/var/log/audit/audit_20220424.log
/var/log/pkg/pkg_20220423.log
/var/log/pkg/latest.log
# grep -ir 'wireguard' /var/log/audit/latest.log
/var/log/audit/latest.log:<37>1 2022-06-05T20:07:02-07:00 OPNsense.avril audit 83763 - [meta sequenceId="1"] user root@192.168.1.101 changed configuration to /conf/backup/config-1654484822.5635.xml in /api/wireguard/general/set
/var/log/audit/latest.log:<37>1 2022-06-05T20:08:05-07:00 OPNsense.avril audit 83763 - [meta sequenceId="1"] user root@192.168.1.101 changed configuration to /conf/backup/config-1654484885.8788.xml in /api/wireguard/general/set
#grep -ir 'wireguard' /var/log/pkg/latest.log
/var/log/pkg/latest.log:<13>1 2022-04-23T12:54:18-07:00 OPNsense.avril pkg 15707 - [meta sequenceId="2"] wireguard-tools-1.0.20210914_1 installed
/var/log/pkg/latest.log:<13>1 2022-04-23T12:54:18-07:00 OPNsense.avril pkg 15707 - [meta sequenceId="3"] wireguard-go-0.0.20220316_1,1 installed
/var/log/pkg/latest.log:<13>1 2022-04-23T12:54:25-07:00 OPNsense.avril pkg 15707 - [meta sequenceId="1"] os-wireguard-1.10 installed
# /usr/local/etc/rc.d/wireguard start   // from https://forum.opnsense.org/index.php?topic=14279.0
wg-quick: `wg0' already exists
# /usr/local/etc/rc.d/wireguard status
interface: wg0
  public key: SqSsD[REDACTED]
  private key: (hidden)
  listening port: 51822

peer: tt5su[REDACTED] // Macbook
  endpoint: 172.58.32.150:48561
  allowed ips: 10.10.10.3/32
  latest handshake: 3 minutes, 31 seconds ago
  transfer: 109.77 KiB received, 494.89 KiB sent

peer: 8AJ96[REDACTED] // Android phone
  endpoint: 172.58.31.71:50324
  allowed ips: 10.10.10.2/32
  latest handshake: 5 minutes, 58 seconds ago
  transfer: 109.46 KiB received, 130.67 KiB sent
# curl ifconfig.io
135.180.218.171
# cat /usr/local/etc/wireguard/wg0.conf
[Interface]
PrivateKey = [REDACTED]
Address = 10.10.10.1/24
ListenPort = 51822

[Peer]
PublicKey = tt5su[REDACTED]

AllowedIPs = 10.10.10.3/32

[Peer]
PublicKey = 8AJ96[REDACTED]

AllowedIPs = 10.10.10.2/32
---
// Interface definition on Android
Interface:
  Name: [REDACTED]
  Public Key: 8AJ96[REDACTED]
  Addresses: 10.10.10.2/32
Peer:
  Public Key: SqSsD[REDACTED]
  Allowed IPs: 0.0.0.0/0
  Endpoint: vpn.scubbo.org:51822
---
$ nslookup vpn.scubbo.org
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: vpn.scubbo.org
Address: 135.180.218.171
No logs for "wireguard" or "wg0" in Log Files in the OPNsense GUI. I've tried restarting the Wireguard plugin, but it didn't fix the issue.

Given that `/usr/local/etc/rc.d/wireguard status` shows recent handshakes, I believe that the clients are connecting _to_ the VPN but then failing to connect out to the wider Internet, but I'm not sure why - in particular, the Outbound NAT rule and Firewall rules still appear to be correct.

Any debugging suggestions gratefully received!
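A small checker for the reasoning in the post above, added here as an example and not part of the original post: it parses `wg show`-style status output (the sample below is adapted from the quoted `wireguard status` output, plus one constructed peer that never handshaked) and classifies each peer, using WireGuard's 180-second session lifetime as the freshness bound, so that "handshake and both-way transfer" (look beyond the tunnel at routing, NAT and firewall) is separated from "packets arrive but nothing goes back" and "no live session".

```python
import re

# Constructed sample, adapted from the status output quoted in the post, plus
# one made-up peer (NEVER[CONSTRUCTED]) that has never completed a handshake.
SAMPLE_STATUS = """\
interface: wg0
  public key: SqSsD[REDACTED]
  private key: (hidden)
  listening port: 51822

peer: tt5su[REDACTED]
  endpoint: 172.58.32.150:48561
  allowed ips: 10.10.10.3/32
  latest handshake: 3 minutes, 31 seconds ago
  transfer: 109.77 KiB received, 494.89 KiB sent

peer: 8AJ96[REDACTED]
  endpoint: 172.58.31.71:50324
  allowed ips: 10.10.10.2/32
  latest handshake: 5 minutes, 58 seconds ago
  transfer: 109.46 KiB received, 130.67 KiB sent

peer: NEVER[CONSTRUCTED]
  allowed ips: 10.10.10.4/32
"""

REJECT_AFTER_TIME = 180  # WireGuard discards a session this many seconds after its handshake
UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_peers(status):
    """Split `wg show`-style text into one dict per peer block (keys, age in s, bytes)."""
    peers = []
    for block in re.split(r"^peer: ", status, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        peer = {"public_key": lines[0].strip(), "handshake_age": None, "rx": 0.0, "tx": 0.0}
        for line in lines[1:]:
            key, _, value = line.strip().partition(": ")
            if key == "latest handshake":  # e.g. "3 minutes, 31 seconds ago" -> 211
                peer["handshake_age"] = sum(int(n) * SECONDS[u] for n, u in
                                            re.findall(r"(\d+) (second|minute|hour|day)", value))
            elif key == "transfer":  # "109.77 KiB received, 494.89 KiB sent" -> bytes
                (rx, rxu), (tx, txu) = re.findall(r"([\d.]+) (B|KiB|MiB|GiB)", value)
                peer["rx"], peer["tx"] = float(rx) * UNITS[rxu], float(tx) * UNITS[txu]
            else:
                peer[key.replace(" ", "_")] = value
        peers.append(peer)
    return peers


def classify(peer):
    if peer["handshake_age"] is None:
        return "no-handshake"      # keys, endpoint or UDP listen port never matched up
    if peer["handshake_age"] > REJECT_AFTER_TIME:
        return "session-expired"   # no live session in this snapshot; next client packet re-handshakes
    if peer["rx"] > 0 and peer["tx"] == 0:
        return "one-way"           # packets arrive but none are sent back: routing, NAT or firewall
    return "tunnel-up"             # crypto and UDP path work; the fault is beyond the tunnel


def diagnose(status):
    return {p["public_key"]: classify(p) for p in parse_peers(status)}
```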

How did you manage to allow all addresses on the internet to go over the tunnel to your clients?