wireguard at start up

Started by malac, September 04, 2023, 06:36:29 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
September 04, 2023, 06:36:29 PM
after reboot of my opnsense 23.7.3, wireguard does not come up, it shows green in dashboard but is not working

log shows following entry:
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/usr/bin/wg setconf 'wg0' '/usr/local/etc/wireguard/wg0.conf'' returned exit code '1', the output was 'Name does not resolve: `xxxyyy.com:53956' Configuration parsing error'

manually restarting wireguard helps and wireguard is running again.
I assume it is a timeing problem, because wireguard starts and at this point i do not have an official IP adress on WAN interface, because DHCP takes some time.

how can i solve this issue?
September 04, 2023, 06:38:08 PM #1
Use an IP address instead of a DNS name for your peer.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 04, 2023, 06:47:31 PM #2
but peer has an dynamic ipadress
September 04, 2023, 06:50:15 PM #3
If one end has a fixed IP address let the other one initiate the connection. You can leave the peer IP address field empty or set to 0.0.0.0 - don't exactly remember which. If both ends have dynamic addresses, bad luck. I don't work with anything but fixed for site 2 site VPNs.

The problem is that WG starts before your uplink and DNS is ready ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
September 04, 2023, 06:59:40 PM #4
If the DNS is not ready at startup you can have Cron job checking for stale WG tunnels and restarting DNS resolution

https://forum.opnsense.org/index.php?topic=35732.msg173763#msg173763

...maybe your exisiting Cron job needs a work-over after renaming the job...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
September 04, 2023, 07:08:28 PM #5
Quote from: Patrick M. Hausen on September 04, 2023, 06:50:15 PM
If one end has a fixed IP address let the other one initiate the connection. You can leave the peer IP address field empty or set to 0.0.0.0 - don't exactly remember which. If both ends have dynamic addresses, bad luck. I don't work with anything but fixed for site 2 site VPNs.

The problem is that WG starts before your uplink and DNS is ready ...

ok, i'll try this. The central Opnsense has an fixed address, the S2S peers are "FritzBox" i'll put a persistant keepalive to conf

Let's see if this works
September 04, 2023, 07:09:16 PM #6
ok, good idea to restart, maybe i can use monit as well
September 04, 2023, 07:26:32 PM #7
thanks a lot for your input.

Looking good for now, that the remote site initiates the vpn connection!!

thx
September 05, 2023, 08:46:23 AM #8
Print
Go Up Pages1
User actions