WireGuard Interface Beta 22.1

Started by Mondmann, November 18, 2021, 06:09:42 PM

November 18, 2021, 06:09:42 PM Last Edit: November 20, 2021, 12:53:41 AM by Mondmann
Hello All,

OPNsense 22.1.b_5-amd64 - without kmod

The following problem with WireGuard:
1 interface, for example WG0 -> everything OK.
Add a 2nd interface, for example WG1 or WG2 -> interface chaos,
until the WAN interface disables itself and a services reload can only be started via the GUI.

Could it be related to PHP 7.4.25, which is EoL as of Dec 2021?
(PHP 8 is probably in the starting blocks)?
or a Prog/ development bug?

Info: the same problem follows us already since 21.7.4

WireGuard was just rolled out an update is now possible since 22.1.b
WireGuard via the console directly to update since now the kernel BSD 13?

Greetings from Germany
OPNsense 22.7.9*WG-kmod*OpenSSL*OpenVPN* AdGuardHome*i7-7700*32GB*256SSD*ix0-1, igb0-4, em0*OpenVPN+Wireguard WG0, WG1*NetGear ProSafe XS508*AP Netgear WAX610*all real hardware* Sorry, my English is translated via app*

I do have multiple wg interfaces assigned without any problems, can you try getting rid of these OpenVPN interfaces and checking then?

The error you posted seems somewhat odd.

@MartB

Oh dear, and to our shame we have to confess now that we are
running 2x OPNsense FW on different hardware in a production environment...

The only chance for testing will be tonight.
After a config backup, we will delete the OpenVPN interfaces
as a test and activate the WG interfaces.

See you later and thanks for the suggestion
Greetings from Germany

Two small things for now:

PHP 7.4 is EoL on 28 Nov 2022 for security updates. Plenty of time left...

Yes, OpenVPN tun devices are also used for the WireGuard Go implementation (not the kmod one). As WireGuard is handling the tuns itself and the OpenVPN tun is required to be put in order by the OPNsense subsystem, this could clash indeed.


Cheers,
Franco


@franco
Sorry, I expressed myself inaccurately about PHP 7.4; what was meant was of course "Active Support Until"...

@martB
WireGuard now with kmod the same problems...

Result:

only WireGuard everything OK
only WireGuard with kmod everything OK
only OpenVPN everything OK
OpenVPN and WireGuard: the above-mentioned problems, which according to @franco could occur

our conclusion:
unfortunately waive the WireGuard project for the time being because we currently do not OpenVPN
at the moment...

One thing is still incomprehensible after WireGuard including kmod is completely removed from the FW...
and the factory settings were done and the backup config was restored, the error see photo from the post (2021-11-18 175611.png) still occurs...

Greetings from Germany

Quote from: mimugmail on November 18, 2021, 09:30:28 PM
For what reason do you assign WireGuard interfaces?

@mimugmail
Which way would you take under the assumption that OpenVPN
runs in peaceful coexistence with WireGuard? An installation link that we can read up on
would be sufficient for us. Maybe also your hint whether with or without kmod.
Unfortunately we are a little off track regarding WireGuard. WG should
only be used as a separate site-to-site line and as a WG server for mobile tab for admin
tasks...

Thank you and kind regards from Germany

The only reason to assign Interfaces with OpenVPN or WireGuard are for using VPN providers like Mullvad. Usually no business needs to assign them in any way. We have OpenVPN for remote users and WireGuard for mobile. We also have customers with nearly 100 branches connected via OpenVPN, no assigning needed.

Both can coexist without assigning for sure.

November 19, 2021, 09:14:41 PM #8 Last Edit: November 19, 2021, 09:31:43 PM by Mondmann
@mimugmail

Thank you very much for the crucial hint about the interfaces.
We had completely uninstalled everything that was connected to WireGuard.
Since we have implemented the VPN provider Surfshark completely in the system, we were on the wrong track regarding the interface assignment.
Following your hint, today we imported a rollback of the config and removed all WG interfaces, and what I want to say -> THANKS

One more question, please: have you installed the -kmod, or is it still required?

With kind regards from Germany

I don't use WireGuard on production systems .. but both work fine :)

Quote from: mimugmail on November 19, 2021, 06:54:54 AM
The only reason to assign Interfaces with OpenVPN or WireGuard are for using VPN providers like Mullvad. Usually no business needs to assign them in any way. We have OpenVPN for remote users and WireGuard for mobile. We also have customers with nearly 100 branches connected via OpenVPN, no assigning needed.

Both can coexist without assigning for sure.

Just curious, reading your post in reference to not using interfaces for wg instances, while there are plenty of good reasons for assigning interfaces, e.g. from the OPNsense docs.

Step 5(a) - Assign an interface to WireGuard (recommended)

Hint

This step is not strictly necessary in any circumstances for a road warrior setup. However, it is useful to implement, for several reasons:

First, it generates an alias for the tunnel subnet(s) that can be used in firewall rules. Otherwise you will need to define your own alias or at least manually specify the subnet(s)

Second, it automatically adds an IPv4 outbound NAT rule, which will allow the tunnel to access IPv4 IPs outside of the local network (if that is desired), without needing to manually add a rule

Finally, it allows separation of the firewall rules of each WireGuard instance (each wgX device). Otherwise they all need to be configured on the default WireGuard group that OPNsense creates. This is more an organisational aesthetic, rather than an issue of substance


For what reason do you recommend not assigning WG interfaces?