23.7.1_3 Wireguard client receives exactly 92 B and client doesn't work

[nzkiwi68]

I've been running WG client on 443 UDP for quite some time. I have the OPNsense GUI moved to another port and HAPROXY running, but listening on 127.0.0.1:44443 with a NAT port forward to TCP 443 to the localhost 127.0.0.1:44443 so 443 UDP is definitely free.

This has been running fine, for quite some time. I use 443 UDP because some places lock down outbound traffic and since the introduction of HTTPS over UDP, I find WG often works and a traditional WG port of say 51820 does not.

Anyway, all working great on an iPad, iPhone and Win 11 laptop. I don't use the client WG VPN much, but I just noticed if I connect, I get exactly 92 B received and nothing works.

Rebooted OPNsense, start and stop WG, try different client (iPad, iPhone and PC) but it just doesn't work. Move WG on OPNsense to UDP 1194 (I know, that's really oVPN, but I'm not running oVPN), move the client port to 1194 and voilia, it all works again.

Something changed upgrading from 23.7 to 23.7.1_3 that broke WG listening on 443 UDP.

I'm waiting until 23.7.3 before I upgrade further, unless 23.7.2 is known to fix this.

*** Update! ****
I changed the GUI to only listen on the LAN interface

System > Settings > Administration > Listen Interfaces > LAN

And now I can have WG working on 443 UDP again.

It looks like 23.7.1_3 binds the GUI somehow to 443 UDP... not to sure how that works....

[CJ]

Setting specific listen interfaces can cause you problems down the road, so you want to be careful doing that.

I'm a little confused as to why have HAProxy and NAT for 443/tcp just to access the UI without adding the port to the URL.  Was there some scenario that required this?  It seems like it would be a lot easier just to set the UI port and not bother with all of the rest.

[nzkiwi68]

Force of habit re HA.

With HA and a CARP VIP, I find it best to bind HAPROXY to localhost and have a NAT for the WAN CARP VIP fwd to localhost.