Site to Site wireguard - service will not start.

Started by breakaway, October 27, 2022, 04:21:18 PM

Hi all

I have tried using this guide https://www.youtube.com/watch?v=RoXHe5dqCM0 and also read this https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html; however, I cannot get my site-to-site WireGuard to even start.

Side A is running
OPNsense 22.1.10_4-amd64
os-wireguard   1.11
wireguard-go   0.0.20220316_2,1
wireguard-tools   1.0.20210914_1

Side B is running
OPNsense 22.7.6-amd64
os-wireguard   1.12
wireguard-go   0.0.20220316_6,1
wireguard-tools   1.0.20210914_1

LAN Network of Subnet behind Side A: 10.13.254.0/24
LAN Network of Subnet behind Side B: 10.12.254.0/24

Side A Settings - Local

Name: S2StoSideBLOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.1/24
Peers: SideB


Side A Settings - Endpoint
Name: S2StoSideBEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.12.254.0/24 192.168.0.1/32
Endpoint Address: <IP address of side B>
Endpoint Port:
Keepalive: 60


Side B Settings - Local

Name: S2StoSideALOCAL
Public Key: *REDACTED*
Private Key: *REDACTED*
Listen Port: 51825
Tunnel Address: 192.168.0.2/24
Peers: SideB


Side B Settings - Endpoint
Name: S2StoSideAEndPoint
Public Key: *REDACTED*
Shared Secret: Blank
Allowed IPs: 10.13.254.0/24 192.168.0.2/32
Endpoint Address: <IP address of side B>
Endpoint Port:
Keepalive: 60


If I do that, I can't get the wireguard tunnel to establish. When I check "List Configuration" on side B, I see no mention of this new local/endpoint. On Side B (where this WG config is the only one), I can see the service is not even starting. If I try to manually start wireguard:

root@router:~ # service wireguard start
[#] ifconfig wg create name wg1
[!] Missing WireGuard kernel support (ifconfig: SIOCIFCREATE2 (wg): Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg1
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg1 /dev/stdin
[#] ifconfig wg1 inet 192.168.0.1/24 alias
[#] ifconfig wg1 mtu 1420
[#] ifconfig wg1 up
[#] route -q -n add -inet 192.168.0.1/32 -interface wg1
[#] rm -f /var/run/wireguard/wg1.sock


Any ideas?

You have no port selected on either endpoint to start.

Port is not required. If it isn't supplied, it defaults to the default wg port, which is 51820.

Anyway, I got this working. I had a lot of trouble with it. Documentation is inconsistent, and it seems this randomly breaks after firmware updates. Here's an example: https://forum.opnsense.org/index.php?topic=27092.msg131768#msg131768

Anyway, my ultimate config that works.

The config files, as located in /usr/local/etc/wireguard:

SIDE A
[Interface]
PrivateKey = < REDACTED >
Address = 10.64.12.1/24
ListenPort = 51820

[Peer]
PublicKey = < REDACTED >
Endpoint = < SIDE B WAN IP >:51820
AllowedIPs = < Enter CIDRs of the networks at remote side >
PersistentKeepalive = 60


SIDE B
[Interface]
PrivateKey = < REDACTED >
Address = 10.64.12.2/24
ListenPort = 51820

[Peer]
PublicKey = < REDACTED >
Endpoint = < SIDE A WAN IP >:51820
AllowedIPs = < Enter CIDRs of the networks at remote side >
PersistentKeepalive = 60


Once I got all that working, on Side B, I found if I went to Firewall -> Rules I couldn't see "Wireguard (Group)", which I could see on Side A. I thought it was a caching issue, but it was not, as the issue persisted when using incognito mode. A reboot of the OPNsense fixed it.

That was a fairly painful experience. At first I used /32s in my "Address" field under the "Local" config, because the documentation implies you must do so. Maybe this documentation should be updated to make it a bit more clear exactly what is needed: https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html
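The two-side setup discussed in this thread, as an added consistency checker that is not code from the thread or from OPNsense: it parses both sides' wg-quick style config texts and flags the mismatches present in the settings of the first post (a side listing its own tunnel IP under AllowedIPs, the remote tunnel IP missing from AllowedIPs, an Endpoint port that differs from the remote ListenPort once the 51820 default is applied, and both sides naming the same Endpoint). The WAN addresses 203.0.113.x and all other sample values are constructed placeholders.

```python
# Added example, not from the thread: cross-check two wg-quick style configs for the
# site-to-site mismatches of the first post. All values constructed; 203.0.113.x = WAN placeholders.
import configparser
import ipaddress

def parse_wg(text):
    """Return ([Interface] dict, [Peer] dict); keep key case ('AllowedIPs')."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return dict(cp["Interface"]), dict(cp["Peer"])

def split_endpoint(value):
    """'host:port' -> (host, port); a bare host gets the WireGuard default 51820."""
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else (value, "51820")

def check_pair(text_a, text_b):
    """List the inconsistencies of a two-site tunnel; [] means the pair agrees."""
    side_a, side_b = parse_wg(text_a), parse_wg(text_b)
    problems = []
    for (iface, peer), (r_iface, _), name in ((side_a, side_b, "A"), (side_b, side_a, "B")):
        mine = ipaddress.ip_interface(iface["Address"])
        remote = ipaddress.ip_interface(r_iface["Address"])
        allowed = [ipaddress.ip_network(n.strip(), strict=False)
                   for n in peer["AllowedIPs"].split(",")]
        if any(mine.ip in net for net in allowed):
            problems.append(f"Side {name}: AllowedIPs lists its own tunnel IP {mine.ip}")
        if not any(remote.ip in net for net in allowed):
            problems.append(f"Side {name}: AllowedIPs lacks the remote tunnel IP {remote.ip}")
        port, r_port = split_endpoint(peer["Endpoint"])[1], r_iface.get("ListenPort", "51820")
        if port != r_port:
            problems.append(f"Side {name}: Endpoint port {port} != remote ListenPort {r_port}")
    host_a, host_b = (split_endpoint(s[1]["Endpoint"])[0] for s in (side_a, side_b))
    if host_a == host_b:
        problems.append(f"Both sides point Endpoint at {host_a}; each must name the other site")
    return problems

def wg_conf(address, listen_port, allowed, endpoint):
    """Build a minimal config text in the layout the poster used (keys redacted)."""
    return (f"[Interface]\nPrivateKey = REDACTED\nAddress = {address}\nListenPort = {listen_port}\n"
            f"[Peer]\nPublicKey = REDACTED\nAllowedIPs = {allowed}\nEndpoint = {endpoint}\n")

# First post as written: own tunnel IP in AllowedIPs, no Endpoint port, both Endpoints naming Side B.
BROKEN = (wg_conf("192.168.0.1/24", 51825, "10.12.254.0/24, 192.168.0.1/32", "203.0.113.2"),
          wg_conf("192.168.0.2/24", 51825, "10.13.254.0/24, 192.168.0.2/32", "203.0.113.2"))
# Shape of the config the poster later reported working (remote LAN plus remote tunnel /32).
WORKING = (wg_conf("10.64.12.1/24", 51820, "10.12.254.0/24, 10.64.12.2/32", "203.0.113.2:51820"),
           wg_conf("10.64.12.2/24", 51820, "10.13.254.0/24, 10.64.12.1/32", "203.0.113.1:51820"))
```

Run `check_pair(*BROKEN)` to see the seven findings for the first post's settings and `check_pair(*WORKING)` to confirm the later config comes back clean.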


You're right, now that I look back on it. However, if you read the rest of my post, I say I can't even get the service to start. It turns out the reason the service wouldn't start was that I had /32s as my address under Allowed IPs, as alluded to in the documentation https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html

Don't think you read it right. It says "This will set the remote tunnel IP address (/32 is important when using multiple endpoints) "
You aren't using multiple endpoints.

Not sure if you sorted this...

I had the same issue with the service not starting on my custom-built OPNsense routing hardware.

I found the following solution.
1. Uninstalled the WireGuard plugin.

When I tried to reinstall it, it forced a full multiple update of everything... It took about 30 minutes to complete the multiple update of the kernel and everything.
But then I reinstalled the plugin and now it works.

This may or may not be your solution, but it worked for me and all is up and running again.
Cheers
Westy 69