Wireguard does not start at boot time

[brandl_it]

Hallo zusammen,
ich bin neu im Forum und kenne mich leider noch nicht ganz mit allen Funktionen aus. Entschuldigt bitte, sollte ich den Post falsch oder einen doppelten erstellen.

Wenn ich die Opnsense neu starte, wird der Wireguard Service nicht gestartet. Es scheint daran zu liegen, dass ich eine Site2Site Verbindung mit einem FQDN eingerichtet habe? Könnt Ihr den Fehler bestätigen bzw. wie kann ich diesen korrigieren?

Grüße

-----------------------------------------------------------------------------------------------------------------------------

Hello all,
I'm new to the forum and unfortunately I'm not quite familiar with all the features yet. Apologies if I create the post wrong or a duplicate.

When I restart the opnsense, the wireguard service does not start. It seems to be because I have a Site2Site connection set up with an FQDN? Can you confirm the error or how can I correct it?

Greetings

[Patrick M. Hausen]

Use an IP address for your peer instead of a hostname.

[brandl_it]

Wow, that was fast.

Is it not possible to work with a FQDN? For example: vpn.opensense.de?

The other side has a dynamic IP address. Unfortunately I have to work with a No-IP account.

[franco]

It depends on where you define your hostnames... If you use an external DNS server in your internal network which OPNsense is supposed to query always it works a lot better than trying to start a VPN during a boot sequence that may or may not have access to root servers yet.

It depends on the employed routing and DNS behaviour A LOT.


Cheers,
Franco

[brandl_it]

Hello Franco,

I have the hostname for the endpoint under: Wireguard -> Endpoint -> Endpoint Address defined. I used the Opnsense as DNS server in the internal network. Furthermore I configured DNS over TLS via the Cloudfare servers.

Greetings

[franco]

The trouble starts with e.g. DHCP not coming up early enough during boot to provide you with DNS. I suppose you do not have a static WAN setup...


Cheers,
Franco

[brandl_it]

No, I do not have a static IP connection. My internet connection is via PPPOE. I.e.: that the start of Wireguard is faster than the DNS system and therefore the service can not start properly, because it can not resolve the FQDN of a VPN tunnel?

Greetings

[franco]

That's likely. PPPoE can be especially slow in this regard.

Additionally, the WireGuard plugin appears to not register a facility to restart on IP address changes which is needed for this to work in the first place. That maybe the easier part to solve.


Cheers,
Franco

[brandl_it]

Hello Franco,

What would be your recommendation to solve the problem? Do you happen to know if this issue will be fixed in an update?

Regards

[franco]

It would be best to raise a ticket over at https://github.com/opnsense/plugins/issues/new?assignees=&labels=&template=feature_request.md&title= and reference this topic.


Cheers,
Franco

[brandl_it]

Thanks very much! I opened an issue:

https://github.com/opnsense/plugins/issues/3186

[franco]

thank you

[brandl_it]

Hello,

the described behavior of Wireguard is unfortunately normal at the moment. I have also talked to colleagues again. The problem also exists in the same form with Mikrotik or under Linux directly. So for the moment I will continue to stay with Openvpn. I use some VPN Site2Site connections with dynamic IP. Under Openvpn this works without problems.

Greetings

[chemlud]

Did you try to set up the Cron job for restarting stale WG tunnels (provided in the GUI) and it didn't help?

https://forum.opnsense.org/index.php?topic=21659.msg149147#msg149147

Here It works just fine for me...

[brandl_it]

Hi,

no, I have not tested that. Thanks!

Honestly, I must confess, I find it a great pity that Wireguard does not simply try to connect again.

Greetings