WireGuard 2.0 connection down

[logan23]

Hi,

I've just upgraded my router to WireGuard 2.0, OPNsense 23.7.3.

For some reason, the WireGuard connection to my VPN server provider (Mullvad) doesn't work anymore.
My endpoint sends data to negotiate the handshake but doesn't receive any data.

What's wrong??

Thanks

[despised]

There seems to be a bug when adding a route in the latest opnsense code.

in /usr/local/opnsense/Wireguard/wg-service-control.php
line 87

Code: [Select]

} elseif (!empty((string)$server->gateway)) {
                /* Only bind the gateway ip to the tunnel */
                $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6 ";
                mwexecf('/sbin/route -q -n add [b]-%s[/b] %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
            }

the line mwexecf has a bug in it, causing the ip prefix to have an extra [b]-[/b] in it.
I fixed the bug by changing the line to:
[code]
mwexecf('/sbin/route -q -n add [b]%s[/b] %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);

[/code]
           

[logan23]

Thanks for your reply but what can I do to get my connection back??

[despised]

I fixed the bug, by updating line 91

[logan23]

in "System: Settings: Administration"

I tried "Secure Shell Server    X Enable Secure Shell "

but got this error message :

The following input errors were detected:
    Certificate Web GUI SSL certificate is not intended for server use.

[logan23]

ok I finally was able to ssh my OPNsense.

However, I was surprised NOT to find the dash character you mentionned above.

Here is my script file and it still doesn't work :

Code: [Select]

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php

     83         foreach ($routes_to_add as $ipproto => $routes) {
     84             foreach (array_unique($routes) as $route) {
     85                 mwexecf('/sbin/route -q -n add -%s %s -interface %s', [$ipproto,  $route, $server->interface]);
     86             }
     87         }
     88     } elseif (!empty((string)$server->gateway)) {
     89         /* Only bind the gateway ip to the tunnel */
     90         $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6";
     91         mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);
     92     }


[franco]

There have been two hotfixes since. Try to update first.


Cheers,
Franco

[worst_version]

as of time of writing, I applied all updates.  The wireguard does not work on any VPN provider.  the whole issue started for me yesterday after last update round.

wg interface does handshake and shows as green in the dashboard.  it worked for past 5 months.

[worst_version]

ok I finally was able to ssh my OPNsense.

However, I was surprised NOT to find the dash character you mentionned above.

Here is my script file and it still doesn't work :

Code: [Select]

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php

     90         $ipprefix = strpos($tunneladdress, ":") === false ? "-4" :  "-6";
     91     [b]    mwexecf('/sbin/route -q -n add %s %s -iface %s', [$ipprefix, $server->gateway, $server->interface]);[/b]
     92     }


on my box, the line #91 looks the same, no dash.

[newsense]

as of time of writing, I applied all updates.  The wireguard does not work on any VPN provider.  the whole issue started for me yesterday after last update round.

wg interface does handshake and shows as green in the dashboard.  it worked for past 5 months.

Careful reporting 3rd party VPN issues as OPNsense issues. Sometimes servers change, are decommissioned or down for an extended period of time. When the server is back it may happen to have different keys altogether.

Your VPN provider should have a status page listing the servers.

[worst_version]

as of time of writing, I applied all updates.  The wireguard does not work on any VPN provider.  the whole issue started for me yesterday after last update round.

wg interface does handshake and shows as green in the dashboard.  it worked for past 5 months.

Careful reporting 3rd party VPN issues as OPNsense issues. Sometimes servers change, are decommissioned or down for an extended period of time. When the server is back it may happen to have different keys altogether.

Your VPN provider should have a status page listing the servers.

Nope.  Verified there are no issues with VPN providers.

I installed 23.1 “Quintessential Quail” [23.1.10] and just set VPNs with same configuration.  The issue of not connecting to VPN provider is due to 23.7 “Restless Roadrunner” [23.7.3], probably related to WG 2.0.

i setup 2nd box with 23.7.3, maybe we can debug...