[SOLVED] Wireguard not working after upgrade.

[bobbythomas]

Hi All,

I just upgraded my firewall from 20.1.9 to 20.7, the upgrade went smooth. The only issue I am seeing is with the wireguard vpn. After the upgrade the wireguard vpn service was showing down, but when I tried to start the service it's not starting. So I went through the logs and I found below.

Code: [Select]

root@firewall:~ # cat /var/log/system.log | grep wg
Aug  2 20:52:13 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:52:13 firewall kernel: wg0: deletion failed: 3
Aug  2 20:52:13 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:56:30 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:56:30 firewall kernel: wg0: deletion failed: 3
Aug  2 20:56:30 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:58:07 firewall kernel: tun0: changing name to 'wg0'
Aug  2 20:58:08 firewall kernel: wg0: deletion failed: 3
Aug  2 20:58:08 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:12:08 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:12:09 firewall kernel: wg0: deletion failed: 3
Aug  2 21:12:09 firewall kernel: wg0: link state changed to DOWN
Aug  2 21:13:46 firewall kernel: tun0: changing name to 'wg0'
Aug  2 21:13:46 firewall kernel: wg0: deletion failed: 3
Aug  2 21:13:46 firewall kernel: wg0: link state changed to DOWN
Aug  2 20:01:26 firewall kernel: ifa_maintain_loopback_route: deletion failed for interface wg0: 3
Aug  2 20:01:26 firewall kernel: wg0: link state changed to DOWN

Is this some kind of bug? It seems to me like the system is unable to rename the tunnel interface.

Any help is appreciated.

Thank you,
Regards,
Bobby Thomas

[mimugmail]

/usr/local/etc/rc.d/wireguard restart

Via console

[bobbythomas]

Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here but the result is same, the service is not coming up. Do I need to reboot the system manually after upgrade?

Regards,
Bobby Thomas

[alexharvard]

Hi,
had a similar issue right after upgrading to version 20.7
A manual reboot fixed it for me.

[witenoize]

I have the same issue.  I had 11 endpoints, with local 10.0.0.x addresses and access to my local 10.10.10.x network, all working fine prior to upgrading.

After upgrade, the wireguard service shows as stopped in the dashboard.  Additionally, none of the configurations or keys show in the "List Configurations" tab.

Logging into the console and running wireguard restart gives me this output:

root@OPNsense:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface

• wireguard-go wg0

INFO: (wg0) 2020/08/02 17:43:04 Starting wireguard-go version 0.0.20200320

• wg setconf wg0 /tmp/tmp.00CkDeZV/sh-np.us6fIr
• ifconfig wg0 inet 10.0.0.1/24 10.0.0.1 alias
• ifconfig wg0 mtu 1420
• ifconfig wg0 up
• route -q -n add -inet 10.0.0.5/32 -interface wg0
• route -q -n add -inet 10.0.0.4/32 -interface wg0
• route -q -n add -inet 10.0.0.3/32 -interface wg0
• route -q -n add -inet 10.0.0.25/32 -interface wg0
• route -q -n add -inet 10.0.0.24/32 -interface wg0
• route -q -n add -inet 10.0.0.2/32 -interface wg0
• route -q -n add -inet 10.0.0.13/32 -interface wg0
• route -q -n add -inet 10.0.0.12/32 -interface wg0
• route -q -n add -inet 10.0.0.11/32 -interface wg0
• route -q -n add -inet 10.0.0.10/32 -interface wg0
• route -q -n add -inet 10.10.10.0/24 -interface wg0
• rm -f /var/run/wireguard/wg0.sock

I have re-installed the previous version of wireguard and restored my backup and all works as expected.  If I upgrade, then it breaks.

Someone pointed out in another post that if the endpoints have two different networks shown in the allowed IP's field, then Wireguard will not start.  Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.

[hsw]

Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start

Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.

The web ui is also accessible with this setting.

[mimugmail]

Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here but the result is same, the service is not coming up. Do I need to reboot the system manually after upgrade?

Regards,
Bobby Thomas

/usr/local/etc/rc.d/wireguard restart

Via console

I need this output

[mimugmail]

Someone pointed out in another post that if the endpoints have two different networks shown in the allowed IP's field, then Wireguard will not start.  Removing access to the local network WILL allow the configuration to display, but defeats the purpose of the VPN.

Please open a new thread with more details and screenshots as it may not be related to this one

[mimugmail]

Deleting the 192.161.1.0/24 from the list, leaving only the Wireguard-IP/32 in all endpoints allows it to start

Also I can still ssh to a LAN machine at 192.168.1.100 so there seems to be no need to have that local setting in the endpoint config.

The web ui is also accessible with this setting.

Correct, it seems there is a guide out there which states that on endpoint config you have to put in your local LAN which is nonsense .. and it was working with 20.1 but will break in 20.7 (because it is still nonsense).

[bobbythomas]

Hi Michael,

I tried the same using service wireguard restart and the method you mentioned here but the result is same, the service is not coming up. Do I need to reboot the system manually after upgrade?

Regards,
Bobby Thomas

/usr/local/etc/rc.d/wireguard restart

Via console

I need this output

Sorry I thought you wanted to know the status of the service after entering that command. Below is the output of the command.

root@firewall:~ # /usr/local/etc/rc.d/wireguard restart
wg-quick: `wg0' is not a WireGuard interface

• wireguard-go wg0

INFO: (wg0) 2020/08/03 14:56:06 Starting wireguard-go version 0.0.20200320

• wg setconf wg0 /tmp/tmp.UtpkrEW8/sh-np.dztf3d
• ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
• ifconfig wg0 mtu 1420
• ifconfig wg0 up
• route -q -n add -inet 10.1.1.3/32 -interface wg0
• route -q -n add -inet 10.1.1.2/32 -interface wg0
• route -q -n add -inet 10.1.1.1/32 -interface wg0
• route -q -n add -inet 192.168.2.0/24 -interface wg0
• rm -f /var/run/wireguard/wg0.sock

root@firewall:~ #

By the by, I tried a manual restart and the issue still persist.

Thank you,
Regards,
Bobby Thomas

[mimugmail]

route -q -n add -inet 192.168.2.0/24 -interface wg0

Is this your LAN?

[bobbythomas]

route -q -n add -inet 192.168.2.0/24 -interface wg0

Is this your LAN?

No that's my Zerotier Network. I wanted to access devices in the Zerotier Network when I'm connected to the vpn.

[mimugmail]

But it points to wireguard interface .. can you remove it?

[bobbythomas]

But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas

[bobbythomas]

But it points to wireguard interface .. can you remove it?

Yeah, I'll remove that, not sure why it's not working now, it was working previously with the same config in 20.1. I will remove that and try.

Thanks and regards,
Bobby Thomas

I removed it, still the service is down.

root@firewall:~ # service wireguard restart
wg-quick: `wg0' is not a WireGuard interface

• wireguard-go wg0

INFO: (wg0) 2020/08/03 16:29:35 Starting wireguard-go version 0.0.20200320

• wg setconf wg0 /tmp/tmp.HQjWBJgx/sh-np.rUTYLg
• ifconfig wg0 inet 10.1.1.1/32 10.1.1.1 alias
• ifconfig wg0 mtu 1420
• ifconfig wg0 up
• route -q -n add -inet 10.1.1.3/32 -interface wg0
• route -q -n add -inet 10.1.1.2/32 -interface wg0
• route -q -n add -inet 10.1.1.1/32 -interface wg0
• route -q -n add -inet 192.168.1.0/24 -interface wg0
• rm -f /var/run/wireguard/wg0.sock

root@firewall:~ #

Do I need to remove LAN (192.168.1.0/24).

Thank you,
Regards,
Bobby Thomas