[SOLVED] Wireguard not working after upgrade.

Started by bobbythomas, August 02, 2020, 06:04:01 PM

August 02, 2020, 06:04:01 PM Last Edit: August 03, 2020, 02:03:05 PM by bobbythomas
Hi All,

I just upgraded my firewall from 20.1.9 to 20.7, and the upgrade went smoothly. The only issue I am seeing is with the WireGuard VPN. After the upgrade the WireGuard VPN service was showing as down, and when I tried to start the service it would not start. So I went through the logs and found the below.


root@firewall:~ # cat /var/log/system.log | grep wg
Aug  2 20:52:13 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:52:13 firewall kernel: wg0: deletion failed: 3
Aug  2 20:52:13 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:56:30 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:56:30 firewall kernel: wg0: deletion failed: 3
Aug  2 20:56:30 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:58:07 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:58:08 firewall kernel: wg0: deletion failed: 3
Aug  2 20:58:08 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:12:08 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:12:09 firewall kernel: wg0: deletion failed: 3
Aug  2 21:12:09 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:13:46 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:13:46 firewall kernel: wg0: deletion failed: 3
Aug  2 21:13:46 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:01:26 firewall kernel: ifa_maintain_loopback_route: deletion failed for interface wg0: 3
Aug  2 20:01:26 firewall kernel: wg0: link state changed to DOWN


Is this some kind of bug? It seems to me like the system is unable to rename the tunnel interface.

Any help is appreciated.

Thank you,
Regards,
Bobby Thomas


Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here, but the result is the same: the service is not coming up. Do I need to reboot the system manually after the upgrade?

Regards,
Bobby Thomas

Hi,
I had a similar issue right after upgrading to version 20.7.
A manual reboot fixed it for me.

I have the same issue.  I had 11 endpoints, with local 10.0.0.x addresses and access to my local 10.10.10.x network, all working fine prior to upgrading.

After upgrade, the wireguard service shows as stopped in the dashboard.  Additionally, none of the configurations or keys show in the "List Configurations" tab.

Logging into the console and running wireguard restart gives me this output:

root@OPNsense:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
  • wireguard-go wg0
    INFO: (wg0) 2020/08/02 17:43:04 Starting wireguard-go version 0.0.20200320
  • wg setconf wg0 /tmp/tmp.00CkDeZV/sh-np.us6fIr
  • ifconfig wg0 inet 10.0.0.1/24 10.0.0.1 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • route -q -n add -inet 10.0.0.5/32 -interface wg0
  • route -q -n add -inet 10.0.0.4/32 -interface wg0
  • route -q -n add -inet 10.0.0.3/32 -interface wg0
  • route -q -n add -inet 10.0.0.25/32 -interface wg0
  • route -q -n add -inet 10.0.0.24/32 -interface wg0
  • route -q -n add -inet 10.0.0.2/32 -interface wg0
  • route -q -n add -inet 10.0.0.13/32 -interface wg0
  • route -q -n add -inet 10.0.0.12/32 -interface wg0
  • route -q -n add -inet 10.0.0.11/32 -interface wg0
  • route -q -n add -inet 10.0.0.10/32 -interface wg0
  • route -q -n add -inet 10.10.10.0/24 -interface wg0
  • rm -f /var/run/wireguard/wg0.sock

I have re-installed the previous version of wireguard and restored my backup and all works as expected.  If I upgrade, then it breaks.

Someone pointed out in another post that if the endpoints have two different networks shown in the allowed IP's field, then Wireguard will not start.  Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.

August 03, 2020, 09:19:51 AM #5 Last Edit: August 03, 2020, 09:22:24 AM by hsw
Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start

Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.

The web ui is also accessible with this setting.

Quote from: bobbythomas on August 02, 2020, 08:16:50 PM
Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here, but the result is the same: the service is not coming up. Do I need to reboot the system manually after the upgrade?

Regards,
Bobby Thomas

/usr/local/etc/rc.d/wireguard restart

Via console

I need this output

Quote from: witenoize on August 02, 2020, 11:59:45 PM

Someone pointed out in another post that if the endpoints have two different networks shown in the allowed IP's field, then Wireguard will not start.  Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.

Please open a new thread with more details and screenshots as it may not be related to this one

Quote from: hsw on August 03, 2020, 09:19:51 AM
Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start

Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.

The web ui is also accessible with this setting.

Correct, it seems there is a guide out there which states that on endpoint config you have to put in your local LAN which is nonsense .. and it was working with 20.1 but will break in 20.7 (because it is still nonsense).
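The condition discussed in the posts above can be checked offline before restarting the service: wg-quick adds a route via wg0 for every AllowedIPs entry, so a peer entry that covers one of the firewall's own attached networks shows up as a route such as `route -q -n add -inet 192.168.1.0/24 -interface wg0`. This is an added example, not code from the posters or from OPNsense; the config text, the `LOCAL_NETS` list and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample config, modelled on the routes in the thread's wg-quick output.
SAMPLE_CONF = """\
[Interface]
Address = 10.1.1.1/32

[Peer]
AllowedIPs = 10.1.1.2/32, 192.168.1.0/24

[Peer]
AllowedIPs = 10.1.1.3/32
"""

# Assumption: networks directly attached to the firewall (LAN, ZeroTier).
LOCAL_NETS = ["192.168.1.0/24", "192.168.2.0/24"]


def parse_peers(conf_text):
    """Return one list of AllowedIPs networks per [Peer] section."""
    peers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":
                peers.append([])
            continue
        key, _, value = line.partition("=")
        if section == "peer" and key.strip().lower() == "allowedips":
            for item in value.split(","):
                if item.strip():
                    peers[-1].append(ipaddress.ip_network(item.strip(), strict=False))
    return peers


def find_local_overlaps(conf_text, local_nets):
    """List (peer_index, allowed_ip, local_net) that wg-quick would route via wg0."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    hits = []
    for idx, allowed in enumerate(parse_peers(conf_text)):
        for net in allowed:
            for loc in local:
                if net.version == loc.version and net.overlaps(loc):
                    hits.append((idx, str(net), str(loc)))
    return hits
```

Calling `find_local_overlaps(SAMPLE_CONF, LOCAL_NETS)` reports the first peer's 192.168.1.0/24 entry; a config holding only the tunnel /32 addresses returns an empty list.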

Quote from: mimugmail on August 03, 2020, 09:59:48 AM
Quote from: bobbythomas on August 02, 2020, 08:16:50 PM
Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here, but the result is the same: the service is not coming up. Do I need to reboot the system manually after the upgrade?

Regards,
Bobby Thomas

/usr/local/etc/rc.d/wireguard restart

Via console

I need this output

Sorry I thought you wanted to know the status of the service after entering that command. Below is the output of the command.

Quote
root@firewall:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface
  • wireguard-go wg0
    INFO: (wg0) 2020/08/03 14:56:06 Starting wireguard-go version 0.0.20200320
  • wg setconf wg0 /tmp/tmp.UtpkrEW8/sh-np.dztf3d
  • ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • route -q -n add -inet 10.1.1.3/32 -interface wg0
  • route -q -n add -inet 10.1.1.2/32 -interface wg0
  • route -q -n add -inet 10.1.1.1/32 -interface wg0
  • route -q -n add -inet 192.168.2.0/24 -interface wg0
  • rm -f /var/run/wireguard/wg0.sock
    root@firewall:~ #
By the by, I tried a manual restart and the issue still persists.

Thank you,
Regards,
Bobby Thomas

route -q -n add -inet 192.168.2.0/24 -interface wg0

Is this your LAN?

Quote from: mimugmail on August 03, 2020, 12:35:44 PM
route -q -n add -inet 192.168.2.0/24 -interface wg0

Is this your LAN?

No that's my Zerotier Network. I wanted to access devices in the Zerotier Network when I'm connected to the vpn.

But it points to wireguard interface .. can you remove it?

Quote from: mimugmail on August 03, 2020, 12:43:19 PM
But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas

Quote from: bobbythomas on August 03, 2020, 12:57:04 PM
Quote from: mimugmail on August 03, 2020, 12:43:19 PM
But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas

I removed it, still the service is down.

Quote
root@firewall:~ # service wireguard restart
wg-quick: `wg0' is not a WireGuard interface
  • wireguard-go wg0
    INFO: (wg0) 2020/08/03 16:29:35 Starting wireguard-go version 0.0.20200320
  • wg setconf wg0 /tmp/tmp.HQjWBJgx/sh-np.rUTYLg
  • ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
  • ifconfig wg0 mtu 1420
  • ifconfig wg0 up
  • route -q -n add -inet 10.1.1.3/32 -interface wg0
  • route -q -n add -inet 10.1.1.2/32 -interface wg0
  • route -q -n add -inet 10.1.1.1/32 -interface wg0
  • route -q -n add -inet 192.168.1.0/24 -interface wg0
  • rm -f /var/run/wireguard/wg0.sock
    root@firewall:~ #
Do I need to remove LAN (192.168.1.0/24)?

Thank you,
Regards,
Bobby Thomas