Wireguard stopped working OPNsense 22.7.2

Started by Rhabarbertorte, August 21, 2022, 09:31:09 PM

August 21, 2022, 09:31:09 PM Last Edit: August 21, 2022, 09:37:00 PM by Rhabarbertorte
Hello together,

Since the last update to OPNsense 22.7.2, none of my wireguard tunnels work anymore. I never had a problem with Wireguard and OPNsense before, how can this be?

Am I the only one for whom Wireguard no longer works?

The error image shows that traffic reaches the Wireguard server on my OPNsense and the server supposedly responds (see image) --> however, this traffic does not reach the endpoints on the other side.



I also did a complete reinstall of OPNsense and restored a backup. The problem stays the same.


I have an addition: this is what a WireGuard log looks like. I captured it on the WAN side.

Is 0.0.0.0 as sender OK? That doesn't look right.

That peer only allows traffic coming from a single IP address of 10.48.150.2 and nothing else.

Normally, the peer would have at least 2 sets of IP addresses:
10.48.150.2/32 (the tunnel peer IP address I assume)
PLUS say 192.168.83.0/24 - the LAN subnet, or whatever subnet or subnets from that peer

See my peer partner in my setup:

peer: wx5ahL.....................
  preshared key: (hidden)
  endpoint: 202.XXXX.XXXXX.244:51820
  allowed ips: 192.168.83.0/24, 10.1.18.1/32
  latest handshake: 3 days, 6 hours, 46 minutes, 6 seconds ago
  transfer: 35.49 KiB received, 28.43 KiB sent



192.168.83.0/24 is the LAN subnet of the other side
10.1.18.1/32 is the peer's tunnel IP address (and my end happens to be 10.1.18.2/24)
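As an added illustration of the AllowedIPs point made above (example code written for this page, not from the thread or from OPNsense), here is a small Python model of WireGuard's cryptokey routing: it parses a constructed `wg show` peer block and resolves an inner IP address to the peer whose AllowedIPs contain it, which is why a packet whose source is 0.0.0.0 matches no peer and is silently dropped. The peer keys and the endpoint address are placeholders.

```python
import ipaddress

# Constructed sample modelled on the `wg show` peer block quoted in this
# thread; keys and endpoint are placeholders, not real values.
WG_SHOW = """\
peer: wx5ahL_PLACEHOLDER_PEER_KEY=
  preshared key: (hidden)
  endpoint: 203.0.113.244:51820
  allowed ips: 192.168.83.0/24, 10.1.18.1/32
  latest handshake: 3 days, 6 hours, 46 minutes, 6 seconds ago
  transfer: 35.49 KiB received, 28.43 KiB sent
peer: phone_PLACEHOLDER_PEER_KEY=
  allowed ips: 10.48.150.2/32
"""

def parse_wg_show(text):
    """Return {peer_key: [ip_network, ...]} from `wg show` output."""
    peers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = []
        elif line.startswith("allowed ips:") and current:
            for net in line.split(":", 1)[1].split(","):
                net = net.strip()
                if net and net != "(none)":
                    peers[current].append(ipaddress.ip_network(net))
    return peers

def cryptokey_route(peers, address):
    """Longest-prefix match of an inner IP against every peer's AllowedIPs.

    Returns the key of the peer WireGuard would send the packet to (or accept
    it from), or None when no AllowedIPs entry covers the address, in which
    case the packet is dropped without any reply, as seen in this thread.
    """
    addr = ipaddress.ip_address(address)
    best = None
    for key, nets in peers.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (key, net)
    return best[0] if best else None
```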


That peer is a smartphone, therefore only one IP is correct.

August 22, 2022, 03:57:08 PM #4 Last Edit: August 22, 2022, 04:00:19 PM by Demusman
Quote from: Rhabarbertorte on August 22, 2022, 10:41:59 AM
That peer is a smartphone, therefore only one ip is correct.

This worked fine without the tunnel as allowed?

Did you try to delete and recreate the tunnel?

I was able to narrow down the problem even further.
Now it's getting really interesting!

Everything that leaves the firewall and is not bound by IP to a specific interface, e.g. ping, goes out with the source IP 0.0.0.0. Therefore no response is received.

See screenshot.


I was able to fix it. But don't ask me how. Tried so many things.
Most likely it was related to an old failover interface (not connected).