Wireguard periodically hangs

Started by CJ, March 06, 2023, 01:43:39 PM

Since upgrading to 23.1.1_2 (I jumped straight there from 22.7), wireguard will periodically hang.  Previously, I could go days without having to disconnect, and that included jumping from in network to outside of my network.

Now I have to turn wireguard off and then on again daily.  Unfortunately, it seems to always happen when I'm unable to check the logs to see what might be going on.

Any suggestions for what might be causing this?

The same thing happens to me, too. I can't seem to find the cause of it, tho.

The wireguard app on my mobile phone shows that I am connected but I am not able to do anything like f.e. visit a website or receive messages from any kind of messenger. When I disconnect the VPN everything works again. Sometimes I am not able to directly connect to the wireguard server after I disconnected (I am not receiving any packages). I then have to wait for some time until it works again.

Quote from: cardinal on March 06, 2023, 02:52:52 PM
The same thing happens to me, too. I can't seem to find the cause of it, tho.

The wireguard app on my mobile phone shows that I am connected but I am not able to do anything like f.e. visit a website or receive messages from any kind of messenger. When I disconnect the VPN everything works again. Sometimes I am not able to directly connect to the wireguard server after I disconnected (I am not receiving any packages). I then have to wait for some time until it works again.

Interesting.  Connecting and immediately reconnecting works for me every time.  The mobile app will also not show any data being transmitted during the hung time.

Originally I just thought it was more of my ISP issues as they still haven't figured out their problem on their side.  But it's been a consistent issue ever since the upgrade.

March 07, 2023, 12:47:13 PM #3 Last Edit: March 07, 2023, 01:29:55 PM by CJRoss
Apparently I spoke too soon.  Now not even disconnecting and reconnecting is fixing the problem.

Additionally, it seems like I can access some things but not others.  For example, Google, Bing, and Reddit all work, but not DDG.

EDIT: Restarting the WG service seems to have fixed the issue for the time being.

March 07, 2023, 07:57:16 PM #4 Last Edit: March 07, 2023, 08:32:56 PM by becks0815
Also had issues: https://forum.opnsense.org/index.php?topic=32110.msg155672#msg155672

Might be related to what another user posted in the thread:

Quote
It seems that after some indeterminate period of time, wireguard-kmod forgets what interface it should be replying on and ignores the NAT Reflection rules. If I disconnect the Android client and reconnect, everything goes back to normal and it no longer tries to send traffic out the wrong interface.

My solution was to move back to 22.7 for now. I also installed wg-easy on a machine on my home network, but here I also have strange issues with my box dropping the connection. I'll keep wg-easy for now, it offers some other advantages like QR code generation I can use to create the required settings on my phone by scanning it. Much easier than the manual copy&paste multi step process on opnsense.

[edit] Just saw the thread here: https://forum.opnsense.org/index.php?topic=32347.60

Looks like IPv4 dropped the route on DHCP refresh of the WAN interface. This might be the reason for wg also dropping the connection. Fix is out in latest opnsense version, so I would try that one first.

Now I need to decide if I want Wireguard or vnstat to work as the latest version breaks that. :D

Thanks for the heads up.

Sadly, v23.1.3 did not fix the issue for me. I still lose the connection after some unknown period of time :/

I am seeing the same behavior with Android phones.

In my case I have never needed to do anything on the OPNsense end. Resetting/restarting the phone brings the connection up again.

It seems to be more of a problem when the phone is more mobile. I have all my phones set to use cellular data for the connection (no WiFi at any time). They are also set to have the VPN always on and to route all traffic via the tunnel.



It was fixed in 23.1.2 but I waited to upgrade until 23.1.3 due to the vnstat bug.

March 10, 2023, 02:54:38 PM #9 Last Edit: March 10, 2023, 03:07:19 PM by CJRoss
Quote from: cardinal on March 10, 2023, 09:26:23 AM
Sadly, v23.1.3 did not fix the issue for me. I still lose the connection after some unknown period of time :/

Somehow I missed this post.  I'm seeing the same thing.  I just had it hang and I'm on 23.1.3.

I've added keepalive 25 on both sides as a temporary fix.

Quote from: CJRoss on March 10, 2023, 02:54:38 PM
I've added keepalive 25 on both sides as a temporary fix.

Thanks, I also added a keepalive! I will test it and hope for the best

My solution in the end was to set up wg-easy on a NAS and use it as server instead of opnsense. Also had some issues; the one causing the most problems was trying to route all the traffic through traefik proxy first. I experienced timeouts and packet loss even while being at home. After moving the wg docker to its own virtual network, everything is stable now. No data loss and ping is in the low single digit milliseconds all the time instead of having spikes up to 600ms.

I also moved the ddns service to the NAS, so it looks like I am ready for an upgrade to 23.1

Keepalive works as a bandaid until the overall issue gets fixed.

ddclient works, it just doesn't realize it works.  The fix will be in the next release of ddclient.


Any update on this?

I have an installation with DHCP on WAN interface and got regularly hangs in wireguard connection, ending in client reconnecting.


Quote from: tfohrer on June 19, 2023, 12:08:15 PM

Any update on this?

I have an installation with DHCP on WAN interface and got regularly hangs in wireguard connection, ending in client reconnecting.

Did you add the keepalive?  Or are you talking about in general?

I haven't gone back and tested to see if it works without the keepalive.
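
Added example, not part of any post in this thread: a small shell check for the symptom described above (client shows "connected" but nothing passes), based on the handshake timestamps in `wg show <interface> dump`. The interface name `wg0`, the 180-second threshold and all sample keys and addresses are assumptions or constructed values.

```shell
#!/bin/sh
# Flag WireGuard peers that have no recent handshake.
# Input: output of `wg show <interface> dump` (tab-separated).
#   line 1 : the interface itself (skipped)
#   peers  : public-key, preshared-key, endpoint, allowed-ips,
#            latest-handshake (epoch seconds, 0 = never), rx, tx,
#            persistent-keepalive ("off" or seconds)
stale_peers() {
    # $1 = current epoch time, $2 = maximum handshake age in seconds
    awk -F '\t' -v now="$1" -v max="$2" '
        NR == 1 { next }          # interface line
        NF < 8  { next }          # ignore malformed lines
        {
            age   = now - $5
            shown = ($5 == 0) ? "never" : age "s"
            if ($5 == 0 || age > max) {
                # With keepalive off, an old handshake can simply mean idle.
                note = ($8 == "off") ? "idle-or-stale" : "stale-despite-keepalive"
                printf "%s\t%s\t%s\t%s\n", $1, $3, shown, note
            }
        }'
}

# Constructed sample dump (placeholder keys, documentation IP ranges).
sample_dump() {
    printf '%s\t%s\t%s\t%s\n' 'PRIV_PLACEHOLDER' 'PUB_PLACEHOLDER' '51820' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_A_PLACEHOLDER' '(none)' '198.51.100.7:40112' '10.0.0.2/32' \
        '1700000000' '1024' '2048' '25'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_B_PLACEHOLDER' '(none)' '198.51.100.8:51000' '10.0.0.3/32' \
        '1699999000' '500' '900' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_C_PLACEHOLDER' '(none)' '(none)' '10.0.0.4/32' \
        '0' '0' '0' 'off'
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        'PEER_D_PLACEHOLDER' '(none)' '192.0.2.9:33333' '10.0.0.5/32' \
        '1699999500' '700' '300' '25'
}

# Demo on the constructed sample; "now" is fixed so the result is repeatable.
sample_dump | stale_peers 1700000100 180

# On a live system (interface name assumed):
#   wg show wg0 dump | stale_peers "$(date +%s)" 180
```

A peer reported as `stale-despite-keepalive` is the case worth capturing when a hang occurs, since with a keepalive configured the handshake should keep refreshing.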