Wireguard requires manual start at reboot

Started by scline, February 01, 2023, 01:47:13 AM

Serious question: can this problem really not be addressed adequately by the cron job on DNS resolution of WireGuard endpoints outlined above? Really?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

It probably can, but the issue was that WireGuard remained stopped right after boot. Whether it eventually starts later via a cron job was not part of the issue here.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
I don't think I can explain it better without writing way too much.

TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.

For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.


There is no selection "system - settings - general and uncheck using the ISP dns servers again if you want."

Do you mean untick the selection "Allow DNS server list to be overridden by DHCP/PPP on WAN", then put 9.9.9.9 in the empty DNS server line?

and use gateway?

I upload screenshot


For stable VPN connections static IP addresses are mandatory, IMHO. I never used anything else. At least one side of the connection must have a static IP address. Everything else is a gamble for which OPNsense is not to blame. Pick your poison.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 04, 2026, 12:17:08 AM
For stable VPN connections static IP addresses are mandatory, IMHO. I never used anything else. At least one side of the connection must have a static IP address. Everything else is a gamble for which OPNsense is not to blame. Pick your poison.

Why? I never had any issues with non-static IPv4 over WireGuard.

Quote from: Patrick M. Hausen on January 04, 2026, 12:17:08 AM
For stable VPN connections static IP addresses are mandatory, IMHO.

Hell, no, works just fine.

Quote from: Patrick M. Hausen on January 04, 2026, 12:17:08 AM
I never used anything else.

So, how can you know in the first place? With zero practical experience with WG and DynDNS? I prefer to post only on issues I personally have experience with...
kind regards
chemlud

That depends on how you define "stable VPN connection". The problem with dynamic IPs is threefold:

1. When one side changes the IP, a standing wireguard connection from the other side will not detect the change and wait forever. This is because Wireguard does DNS lookups only at start.
2. The cron job will detect stale connections and restart them if need be. However, many people do not know this and thus complain here in the forum - partly, they are correct, because the official docs do not mention it.
3. Still, this will induce a drop of connectivity for an even longer period than the actual outage takes, depending on the cron periodicity and how fast the dynamic DNS gets updated.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
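The three points above (a standing tunnel never re-resolving its peer's name, a periodic job that detects the stale state and re-applies the endpoint, and the boot-time window in which the firewall's own resolver is not yet answering, as mentioned earlier in the thread) can be shown in one small script. This is an added example written for this thread; it is not OPNsense's built-in cron action and not WireGuard project code. It assumes the real `wg show <iface> dump` line format and `wg set <iface> peer <key> endpoint host:port` syntax, a hand-written `PEER_HOSTNAMES` map from peer public key to the configured DynDNS name (OPNsense keeps that in its own config; the mapping, keys, addresses and the `wg` dump below are constructed), and a "stale" threshold of three minutes without a handshake.

```python
"""Re-resolve WireGuard peer endpoints that were configured by hostname.

Added example for this thread, not OPNsense or WireGuard project code.
Assumes the wg(8) dump format: one interface line, then one tab-separated
line per peer (pubkey, psk, endpoint, allowed-ips, latest-handshake,
rx, tx, keepalive). PEER_HOSTNAMES and the sample data are constructed.
"""
import socket
import subprocess
import sys
import time

# WireGuard re-handshakes roughly every 2 minutes while traffic flows;
# 3 minutes without one is the "stale connection" signal.
HANDSHAKE_STALE_SECS = 180

# Constructed mapping (assumption): peer public key -> configured "host:port".
PEER_HOSTNAMES = {
    "PEER_A_PUBKEY_CONSTRUCTED=": "siteA.example.net:51820",
    "PEER_B_PUBKEY_CONSTRUCTED=": "siteB.example.net:51820",
    "PEER_C_PUBKEY_CONSTRUCTED=": "siteC.example.net:51820",
}


def split_hostport(s):
    """'203.0.113.10:51820' -> ('203.0.113.10', 51820); IPv6 literals lose their brackets."""
    host, port = s.rsplit(":", 1)
    return host.strip("[]"), int(port)


def format_endpoint(addr, port):
    """Build the endpoint string wg(8) expects; IPv6 literals need brackets."""
    return f"[{addr}]:{port}" if ":" in addr else f"{addr}:{port}"


def parse_wg_dump(dump):
    """Parse `wg show <iface> dump`; one dict per peer, interface line skipped."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        f = line.split("\t")
        if len(f) >= 8:
            peers.append({"pubkey": f[0], "endpoint": f[2], "latest_handshake": int(f[4])})
    return peers


def system_resolver(host):
    """Resolve through the firewall's configured DNS. Raises socket.gaierror
    (typically EAI_AGAIN) while the local resolver is not up yet: the boot race."""
    addrs = []
    for _fam, _typ, _proto, _canon, sockaddr in socket.getaddrinfo(host, None, type=socket.SOCK_DGRAM):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def plan_endpoint_updates(iface, dump, peer_hostnames, resolver, now, stale_after=HANDSHAKE_STALE_SECS):
    """Return (commands, deferred): argv lists to run for peers whose name now
    points elsewhere, and (pubkey, reason) for peers to retry once DNS answers."""
    commands, deferred = [], []
    for peer in parse_wg_dump(dump):
        target = peer_hostnames.get(peer["pubkey"])
        if target is None:
            continue  # static IP endpoint, nothing to re-resolve
        if peer["latest_handshake"] and now - peer["latest_handshake"] < stale_after:
            continue  # tunnel is alive, do not churn the endpoint
        host, port = split_hostport(target)
        try:
            addrs = resolver(host)
        except socket.gaierror as exc:
            deferred.append((peer["pubkey"], str(exc)))  # resolver not ready: retry later, do not fail
            continue
        if not addrs:
            deferred.append((peer["pubkey"], "no addresses"))
            continue
        current = None if peer["endpoint"] == "(none)" else split_hostport(peer["endpoint"])[0]
        if current in addrs:
            continue  # DNS unchanged: the outage is elsewhere (ISP, peer down)
        commands.append(["wg", "set", iface, "peer", peer["pubkey"], "endpoint", format_endpoint(addrs[0], port)])
    return commands, deferred


# ---- constructed sample data for an offline run (assumption) ----
SAMPLE_NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    "IFACE_PRIV_CONSTRUCTED=\tIFACE_PUB_CONSTRUCTED=\t51820\toff",
    # peer A: handshake 10 min old and its DynDNS name moved -> needs update
    "\t".join(["PEER_A_PUBKEY_CONSTRUCTED=", "(none)", "203.0.113.10:51820", "10.10.0.2/32", str(SAMPLE_NOW - 600), "0", "0", "25"]),
    # peer B: handshake 30 s old -> healthy, leave alone
    "\t".join(["PEER_B_PUBKEY_CONSTRUCTED=", "(none)", "198.51.100.5:51820", "10.10.0.3/32", str(SAMPLE_NOW - 30), "0", "0", "25"]),
    # peer C: never handshaked and DNS not answering (boot race) -> defer
    "\t".join(["PEER_C_PUBKEY_CONSTRUCTED=", "(none)", "(none)", "10.10.0.4/32", "0", "0", "0", "off"]),
    # peer D: static IP, not in PEER_HOSTNAMES -> ignored
    "\t".join(["PEER_D_PUBKEY_CONSTRUCTED=", "(none)", "192.0.2.9:51820", "10.10.0.5/32", "0", "0", "0", "25"]),
])
FAKE_DNS = {"siteA.example.net": ["203.0.113.20"], "siteB.example.net": ["198.51.100.5"]}


def fake_resolver(host):
    """Stand-in for system_resolver: unknown names behave like a resolver that is not up yet."""
    if host not in FAKE_DNS:
        raise socket.gaierror(getattr(socket, "EAI_AGAIN", -3), "Temporary failure in name resolution")
    return FAKE_DNS[host]


def main(argv):
    iface = argv[1] if len(argv) > 1 else "wg0"
    dump = subprocess.run(["wg", "show", iface, "dump"], check=True, capture_output=True, text=True).stdout
    commands, deferred = plan_endpoint_updates(iface, dump, PEER_HOSTNAMES, system_resolver, int(time.time()))
    for cmd in commands:
        subprocess.run(cmd, check=True)
    for pubkey, why in deferred:
        print(f"deferred {pubkey}: {why}", file=sys.stderr)
    return 1 if deferred else 0  # non-zero tells cron/rc to run this again shortly


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points: the script only touches peers whose handshake is stale, so a healthy tunnel is never disturbed by a DNS TTL expiring, and a resolver failure is reported as "deferred" with a non-zero exit rather than treated as an error, so a boot-time run while the local DNS server is still starting simply gets retried on the next cron tick instead of leaving the interface half-configured.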

Practical experience over about 10 years with openVPN and then the last maybe 5-6 years with WG:

Configure more than one DynDNS name for each IP to be monitored. Nearly no service interruption, only if the network access provider fails to do what he is paid for.

That is the experience of others in this forum, too...
kind regards
chemlud

Quote from: chemlud on January 04, 2026, 11:51:36 AM
So, how can you know in the first place? With zero practical experience with WG and DynDNS?

I treat "dynamic IP addresses" and DynDNS as a bad hack and would never use them in a business critical context. For a private "consumer" line, maybe. But then I would not consider using DynDNS for public services but rent a VPC at some cloud provider and build a tunnel from the dynamic IP uplink using the fixed address of the VPC as both VPN endpoint and public service address.

You do you. If customers ask me I tell them to get a fixed IP address if they want a reliable connection between office locations.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: novel on January 03, 2026, 10:37:43 PM
Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
I don't think I can explain it better without writing way too much.

TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.

For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.


There is no selection  system - settings - general and uncheck using the ISP dns servers again if you want.

Do you mean untick the selection "Allow DNS server list to be overridden by DHCP/PPP on WAN", then put 9.9.9.9 in the empty DNS server line?

and use gateway?

I upload screenshot



You can remove the checkbox "Allow DNS server list to be overridden by DHCP/PPP" and add 9.9.9.9 in one of these DNS fields, but do not select a gateway.

Also please read the help texts and think about what you are doing; I cannot hand-hold every configuration change you want to make. Try things out and try to understand the why and how. (E.g., why is the firewall a DNS client and a DNS server, and what's the difference?)
Hardware:
DEC740

Quote from: Monviech (Cedrik) on January 04, 2026, 09:57:50 PM
Quote from: novel on January 03, 2026, 10:37:43 PM
Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
I don't think I can explain it better without writing way too much.

TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.

For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.


There is no selection  system - settings - general and uncheck using the ISP dns servers again if you want.

Do you mean untick the selection "Allow DNS server list to be overridden by DHCP/PPP on WAN", then put 9.9.9.9 in the empty DNS server line?

and use gateway?

I upload screenshot



You can remove the checkbox "Allow DNS server list to be overridden by DHCP/PPP" and add 9.9.9.9 in one of these DNS fields, but do not select a gateway.

Also please read the helptexts and think about what you are doing, I cannot hand hold every configuration change you want to make. Try things out and try to understand the why and how. (E.g., why is the firewall a DNS client, and a DNS server, whats the difference...)


Thank you very much. I appreciate your help.


1. Which is the better option: ticking "Allow DNS server list to be overridden by DHCP/PPP" and leaving the DNS fields blank, or the opposite?



Sometimes I use Adguard with Unbound dns as recursive, caching DNS resolver.
2. In the DNS field, do I have to fill in 127.0.0.1:5353?