Wireguard Broken after Successful Upgrade

Started by tezgno, August 07, 2020, 08:39:06 PM

Yesterday, I performed the upgrade from 20.1 to 20.7. After upgrading, everything appeared to be in working order. However, last night, I discovered that Wireguard, which I had installed and configured prior to the upgrade, was broken. While the enable, server, and client screens appear to work, the other screens (configuration and handshake) are broken and do not load. Uninstalling or reinstalling the packages requires reboots in order for the plugins to actually be visible. I'm not seeing anything in the logs either, so I'm not sure if the packages are installing but not enabling or if something is failing.

Any help (or somewhere to look for the logs) would be appreciated. I would prefer to use Wireguard over OpenVPN for my VPN.

The screens were empty because WireGuard didn't start. Screenshots of the local instance and endpoint, please.


Update:

I figured out the problem and it appears as though if the client allowed IP range has multiple ranges, it breaks. If I change it to a single range, then it works just fine. Looking like a bug here.

August 10, 2020, 07:14:05 AM #4 Last Edit: August 10, 2020, 07:18:15 AM by pkejval
I can confirm that there is a problem with updating from 20.1 to 20.7. If the Endpoint Allowed IPs configuration contains its own LAN subnet, wireguard won't start. I admit it was a complete misunderstanding of the Wireguard config on my part, but it worked before.

Example:
GW ip 192.168.3.1/24 - if Endpoint Allowed IPs on that machine contains 192.168.1.0/24, 192.168.3.0/24 - WG won't start. Remove 192.168.3.0/24 and it will start and works as expected.

I've also noticed an issue that if under a "local" instance I tie more than 1 peer (even though it's allowed), wireguard stops working as well. 1 peer is OK.

I'd like to have a single WG interface with a bunch of peers (laptop/cell phone/etc) so I can tie one set of firewall rules to a bunch of devices rather than recreate for every device.

Quote from: 5SpeedFun on August 10, 2020, 05:52:47 PM
I've also noticed an issue that if under a "local" instance I tie more than 1 peer (even though it's allowed), wireguard stops working as well. 1 peer is OK.

I'd like to have a single WG interface with a bunch of peers (laptop/cell phone/etc) so I can tie one set of firewall rules to a bunch of devices rather than recreate for every device.

Endpoint has to be /32

August 11, 2020, 03:21:40 PM #7 Last Edit: August 11, 2020, 03:31:25 PM by Manini
I can confirm that if you are using multiple ranges in Allowed IPs, it won't start after the upgrade to 20.7.

Found the issue:
When you are getting a route matching the range from somewhere (OSPF, static, it does not matter), wireguard will not start.

To expand on this further, it appears as though wg0 needs a unique route. Whatever you put into Allowed IPs creates a static route. If the route exists already, Wireguard fails to start. I created an Allowed IP range and mask that includes the 3 subnets that I want to allow and it is now working. But, if I specify the IPs like I previously had them, it fails.

So, finally dug into this quite a bit and it would appear as though the way the instructions state to set up Wireguard may have worked fine in 20.1, but definitely shouldn't work in 20.1 either. The allowed IP range needs to be the /32 Wireguard address only. I think I saw another post where this is stated as well. Once I did that, the problem is resolved.
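A small checker for the two failure modes the thread converges on, added here as an example; it is not the OPNsense plugin's code and was not posted by anyone in the thread. It models the rule the posts describe: each AllowedIPs entry becomes a route, so an entry that exactly duplicates a route the box already has (pkejval's LAN 192.168.3.0/24) stops WireGuard from starting, and two peers on the same interface whose AllowedIPs overlap collide, which is why the advice is one /32 per peer. The peer lists, the tunnel network 10.10.10.0/24 and the placeholder public keys are constructed for illustration; only the 192.168.3.0/24 LAN is taken from the thread.

```python
"""
Check a WireGuard [Peer] list for AllowedIPs entries that will collide.

Two failure modes from the thread are modelled (the rule is an assumption
drawn from the posts, not verified against the plugin's source):
  1. a peer's AllowedIPs entry is exactly the prefix of a network the gateway
     already routes (e.g. its own LAN), so the plugin's route add clashes;
  2. two peers on one interface claim overlapping AllowedIPs. WireGuard's
     cryptokey routing gives an address to one peer only, so the later peer
     silently takes it from the earlier one and the duplicate route fails.
"""
import ipaddress
from typing import Dict, List, Tuple

Network = ipaddress.IPv4Network
Peer = Tuple[str, List[Network]]

# Constructed sample: networks already routed on the gateway. 192.168.3.0/24
# is the LAN from pkejval's example; 10.10.10.0/24 is an assumed wg0 tunnel net.
LOCAL_NETWORKS = ["192.168.3.0/24", "10.10.10.0/24"]

# Constructed "before" peer list in the layout that broke after 20.7.
PEERS_BROKEN = """
[Peer]
# laptop
PublicKey = LAPTOP_PLACEHOLDER_KEY=
AllowedIPs = 192.168.1.0/24, 192.168.3.0/24

[Peer]
# phone
PublicKey = PHONE_PLACEHOLDER_KEY=
AllowedIPs = 192.168.1.0/24
"""

# Constructed "after" peer list: each peer claims only its own tunnel /32.
PEERS_FIXED = """
[Peer]
# laptop
PublicKey = LAPTOP_PLACEHOLDER_KEY=
AllowedIPs = 10.10.10.2/32

[Peer]
# phone
PublicKey = PHONE_PLACEHOLDER_KEY=
AllowedIPs = 10.10.10.3/32
"""


def _finish(section: Dict[str, str]) -> Peer:
    """Turn a parsed [Peer] section into (public key, list of networks)."""
    raw = section.get("AllowedIPs", "")
    nets = [ipaddress.ip_network(n.strip(), strict=False)
            for n in raw.split(",") if n.strip()]
    return section.get("PublicKey", "<no key>"), nets


def parse_peers(text: str) -> List[Peer]:
    """Parse wg-style INI text and return every [Peer] section."""
    peers: List[Peer] = []
    section_name = None
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if section_name == "Peer" and current:
                peers.append(_finish(current))
            section_name, current = line[1:-1], {}
            continue
        key, _, value = line.partition("=")       # first '=' only: keys end in '='
        current[key.strip()] = value.strip()
    if section_name == "Peer" and current:
        peers.append(_finish(current))
    return peers


def check_allowed_ips(peer_text: str, local_networks: List[str]) -> List[str]:
    """Return a human-readable problem per colliding AllowedIPs entry."""
    local = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    peers = parse_peers(peer_text)
    problems: List[str] = []

    # 1. exact duplicate of a route the gateway already has -> wg will not start
    for key, nets in peers:
        for net in nets:
            for existing in local:
                if net == existing:
                    problems.append(
                        f"{key}: AllowedIPs {net} duplicates the existing route "
                        f"for {existing}; WireGuard will not start")

    # 2. overlap between peers on the same interface -> later peer steals it
    for i, (key_a, nets_a) in enumerate(peers):
        for key_b, nets_b in peers[i + 1:]:
            for a in nets_a:
                for b in nets_b:
                    if a.version == b.version and a.overlaps(b):
                        problems.append(
                            f"{key_a} and {key_b}: AllowedIPs {a} and {b} overlap; "
                            f"use one /32 tunnel address per peer")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", PEERS_BROKEN), ("fixed", PEERS_FIXED)):
        found = check_allowed_ips(text, LOCAL_NETWORKS)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run it and the "broken" list reports two problems (the LAN duplicate on the laptop peer, and the 192.168.1.0/24 overlap between laptop and phone), while the "fixed" list is clean. Feeding it the peer sections of a real wg0.conf, with the gateway's connected and static routes as `LOCAL_NETWORKS`, gives the check before restarting the service.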

Has anyone got WireGuard to work after the update to 20.7 (20.7.1)?
In my case it looks like an issue with the key pairs.
I can't find a failure in my configuration.
If I type a false key in the client, the output is different from the one with the correct key, so the client should reach the server.


Take a look at the list.jpg, I think so.
If I type a false key in the Windows client I get another screen. So I think that the server is started.

I have the issue too that the server doesn't start if I configure and activate more than 1 client on the WireGuard server.

My other WireGuard server on my Synology runs in a VM and works after the last WireGuard update; only with WireGuard on OPNsense do I have such issues.

August 16, 2020, 04:50:00 PM #13 Last Edit: August 16, 2020, 05:10:01 PM by gurpal2000
Quote from: tezgno on August 14, 2020, 11:28:49 PM
So, finally dug into this quite a bit and it would appear as though the way the instructions state to set up Wireguard may have worked fine in 20.1, but definitely shouldn't work in 20.1 either. The allowed IP range needs to be the /32 Wireguard address only. I think I saw another post where this is stated as well. Once I did that, the problem is resolved.

Thanks, this seems to have fixed it for me also. Removed all entries and then put the actual wg IP address with a /32 on the end; lastly bounced wg. Although now I can't ping other subnets.
OPNsense + TP-Link W9970

Quote from: Schubbie on August 16, 2020, 01:59:24 PM
Take a look at the list.jpg, I think so.
If I type a false key in the Windows client I get another screen. So I think that the server is started.

I have the issue too that the server doesn't start if I configure and activate more than 1 client on the WireGuard server.

My other WireGuard server on my Synology runs in a VM and works after the last WireGuard update; only with WireGuard on OPNsense do I have such issues.

This usually happens when the endpoint has no /32.