Wireguard requires manual start at reboot

Started by scline, February 01, 2023, 01:47:13 AM

Golden rule of FOSS: If not everybody can reproduce, it's YOUR bug. Sorry, that's the way it is.

Various WG tunnels here, no problems with reboots for years...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Quote from: chemlud on January 03, 2026, 02:31:28 PMGolden rule of FOSS: If not everybody can reproduce, it's YOUR bug. Sorry, that's the way it is.

Various WG tunnels here, no problems with reboots for years...

Same here: various tunnels across multiple locations - all starting at boot just fine. Never had a problem with WG. I moved all site-to-site IPsec connections where I control both ends to WG years ago.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 03, 2026, 12:51:23 PMDid you outline the precise steps necessary to reproduce the problem? Did you create a bug report/issue on github? No? So no bug that anybody but you knows of.

I sent to original site here. I don't have github account. I don't know how to report it.

Quote from: chemlud on January 03, 2026, 02:31:28 PMGolden rule of FOSS: If not everybody can reproduce, it's YOUR bug. Sorry, that's the way it is.

Various WG tunnels here, no problems with reboots for years...

Every day, every boot I have the below message. Please, would you help me solve this problem? I have had this problem for over 2 years.

 /usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'> returned exit code 1 and the output was "Name does not resolve: `******.****.net:51820' Configuration parsing error"

That's the main difference between stable and non-stable wireguard setups. Hostname resolution.

Some users who configure hostnames in wireguard might have issues, since wireguard only tries to resolve the name once and then just fails. If the firewall does not have working WAN or DNS yet after boot when wireguard starts, it fails on start if it depends on resolving hostnames.

But I don't know in which order services start and if this can be improved or not, since quite some users have highly custom DNS settings (like using adguard home with dns over tls and making the firewall use that too).
Hardware:
DEC740

Quote from: Monviech (Cedrik) on January 03, 2026, 07:19:48 PMThat's the main difference between stable and non-stable wireguard setups. Hostname resolution.

Some users who configure hostnames in wireguard might have issues, since wireguard only tries to resolve the name once and then just fails. If the firewall does not have working WAN or DNS yet after boot when wireguard starts, it fails on start if it depends on resolving hostnames.

But I don't know in which order services start and if this can be improved or not, since quite some users have highly custom DNS settings (like using adguard home with dns over tls and making the firewall use that too).


So other users have this bug too. Franco says it is my bug. So if someone has solved the problem, write here and tell us the solution.

You didn't even tell what your DNS configuration is and what kind of WAN connectivity you have. Without disclosing more information there is little that can be done.

You could fix this right away though by using a static IP address as a target in wireguard. (Pragmatic since your environment is unknown)
Hardware:
DEC740

Quote from: Monviech (Cedrik) on January 03, 2026, 07:30:16 PMYou didn't even tell what your DNS configuration is and what kind of WAN connectivity you have. Without disclosing more information there is little that can be done.

You could fix this right away though by using a static IP address as a target in wireguard. (Pragmatic since your environment is unknown)

I don't have a static IP. I have VDSL, IPv4 only. I have a no-ip.com hostname. My DNS is from adguard. I use quad DNS. If I use unbound DNS I have the same problem. Tell me what specific information you want from opnsense and I will give it.

So it could be two things.

- Either your PPPoE login is very slow and internet access happens after wireguard has already started (I don't know if this delays bootup of services, I don't know the boot sequence that well)
- Or DNS resolution is very slow for some reason, check what happens if you select "Allow DNS server list to be overridden by DHCP/PPP on WAN" or give it a hardcoded dns server there e.g. 1.1.1.1 (System - Settings - General)
Hardware:
DEC740

January 03, 2026, 07:55:48 PM #24 Last Edit: January 03, 2026, 07:59:01 PM by novel
Quote from: Monviech (Cedrik) on January 03, 2026, 07:46:32 PMSo it could be two things.

- Either your PPPoE login is very slow and internet access happens after wireguard has already started (I don't know if this delays bootup of services, I don't know the boot sequence that well)
- Or DNS resolution is very slow for some reason, check what happens if you select "Allow DNS server list to be overridden by DHCP/PPP on WAN" or give it a hardcoded dns server there e.g. 1.1.1.1 (System - Settings - General)

How do I check if PPPoE is very slow or DNS is very slow?

Sometimes after a reboot it works. Most of the time, every morning when opnsense starts, wireguard does not work. I will try. Below "Allow DNS server list to be overridden by DHCP/PPP on WAN" there is the option Exclude Interfaces. May I put 1.1.1.1 under DNS server with no gateway?

Do I have to disable Adguard?

May I exclude some interface?

I would enable

- Allow DNS server list to be overridden by DHCP/PPP on WAN
- Exclude interfaces (don't select any)
- Do not use the local DNS service as a nameserver for this system (so adguard is not used for dns requests of the firewall itself)

These options only affect the firewall itself as dns client (eg if a service running on the firewall needs to resolve dns), not your normal clients in your networks. Your normal clients will still use adguard.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on January 03, 2026, 08:01:17 PMI would enable

- Allow DNS server list to be overridden by DHCP/PPP on WAN
- Exclude interfaces (don't select any)
- Do not use the local DNS service as a nameserver for this system (so adguard is not used for dns requests of the firewall itself)

These options only affect the firewall itself as dns client (eg if a service running on the firewall needs to resolve dns), not your normal clients in your networks. Your normal clients will still use adguard.


I enabled as I said - Allow DNS server list to be overridden by DHCP/PPP on WAN.

I don't understand this.
- Do not use the local DNS service as a nameserver for this system (so adguard is not used for dns requests of the firewall itself)
What do you mean?


I have inside adguard Upstream DNS servers tls://dns.nextdns.io and tls://dns.quad9.net.

I have news for you. I rebooted now and there isn't any error in the wireguard log file.

January 03, 2026, 08:27:00 PM #27 Last Edit: January 03, 2026, 08:29:51 PM by Monviech (Cedrik)
The firewall is a dns client itself, just as for example a windows PC or iphone or whatever in your network.

In system - settings - general you configure how the firewall itself should resolve dns names. (e.g. where the firewall as a client should send requests to, to resolve google.com and other names for its own use.) This does not affect your other clients.

If it uses a service on localhost e.g. adguard, it depends on this service to be available to resolve names when wireguard starts. And that seems to not always be the case.

So by giving the firewall a different dns forwarder (your isp provided ones for example) to use only for itself, it doesn't need adguard and can use the fast path without this dependency.

If it works now consistently after reboots that proves it.
Hardware:
DEC740
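The failure described in this thread is a boot-time race: wg syncconf resolves each peer Endpoint hostname exactly once, and if the firewall's own resolver (here AdGuard on localhost) is not up yet, the config parse fails. As an added example (not from any poster here and not OPNsense's own wg-service-control.php), the POSIX sh below extracts the Endpoint hosts from a constructed wg config, skips IPv4/IPv6 literals (the "static IP" workaround needs no resolution), and retries resolution for a bounded time before syncconf would be run. It assumes getent(1) is available, which it is on FreeBSD and Linux; the config path /usr/local/etc/wireguard/wg1.conf in the usage sketch is the one from the error message above, the config contents are made up, and wait_for_wg_endpoints is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample config in the format OPNsense writes to
# /usr/local/etc/wireguard/<name>.conf (keys redacted, values invented).
SAMPLE_CONF=$(cat <<'EOF'
[Interface]
PrivateKey = <redacted>
ListenPort = 51820

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.10.0.0/24
Endpoint = localhost:51820

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.20.0.0/24
Endpoint = 192.0.2.10:51820

[Peer]
PublicKey = <redacted>
AllowedIPs = 10.30.0.0/24
Endpoint = [2001:db8::1]:51820
EOF
)

# Print the host part of every "Endpoint = host:port" line, one per line.
# Strips the trailing :port and the [] around an IPv6 literal.
wg_endpoint_hosts() {
    printf '%s\n' "$1" | awk -F'=' '/^[[:space:]]*Endpoint[[:space:]]*=/ {
        v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        if (v ~ /^\[/) { sub(/^\[/, "", v); sub(/\].*$/, "", v) }
        else { sub(/:[0-9]+$/, "", v) }
        print v }'
}

# 0 if the argument is an IPv4 or (bracket-stripped) IPv6 literal.
is_ip_literal() {
    case "$1" in
        *:*) return 0 ;;
        *) printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ;;
    esac
}

# Ask the system resolver (same path wg itself uses) for the name.
resolve_host() {
    getent hosts "$1" >/dev/null 2>&1
}

# 0 if every hostname endpoint in the config text resolves right now.
wg_endpoints_resolvable() {
    rc=0
    for h in $(wg_endpoint_hosts "$1"); do
        if is_ip_literal "$h"; then continue; fi
        resolve_host "$h" || { echo "unresolved: $h" >&2; rc=1; }
    done
    return $rc
}

# $1: config text, $2: max attempts, $3: seconds between attempts.
# Returns 0 once all endpoints resolve, 1 when attempts are exhausted.
wait_for_wg_endpoints() {
    attempt=1
    while :; do
        if wg_endpoints_resolvable "$1"; then return 0; fi
        [ "$attempt" -ge "$2" ] && return 1
        attempt=$((attempt + 1))
        sleep "$3"
    done
}

# Usage sketch (not executed here): gate the syncconf from the thread's
# error message on resolution, retrying for up to a minute.
# wait_for_wg_endpoints "$(cat /usr/local/etc/wireguard/wg1.conf)" 12 5 \
#     && /usr/bin/wg syncconf wg1 /usr/local/etc/wireguard/wg1.conf
```

Because resolve_host goes through the same system resolver that wg uses, the check fails in exactly the situation the thread describes (the firewall pointed at a local AdGuard that is not up yet) and succeeds once the firewall is given an upstream forwarder for its own lookups, which is the change that fixed it for the original poster.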

Quote from: Monviech (Cedrik) on January 03, 2026, 08:27:00 PMThe firewall is a dns client itself, just as for example a windows PC or iphone or whatever in your network.

In system - settings - general you configure how the firewall itself should resolve dns names. (e.g. where the firewall as a client should send requests to, to resolve google.com and other names for its own use.) This does not affect your other clients.

If it uses a service on localhost e.g. adguard, it depends on this service to be available to resolve names when wireguard starts. And that seems to not always be the case.

So by giving the firewall a different dns forwarder (your isp provided ones for example) to use only for itself, it doesn't need adguard and can use the fast path without this dependency.

If it works now consistently after reboots that proves it.

I am not sure if I understood. I understand that opnsense is a DNS client like an iPhone. Do I have to change anything under System -> Settings -> General -> below the Networking section?



I think it is fixed with only one click. Thank you very much

I don't think I can explain it better without writing way too much.

TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.

For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.
Hardware:
DEC740