Wireguard interface active, but Zenarmor not filtering/reporting data.

Imnot A Robot · August 16, 2023, 05:41:08 PM

I was getting reporting data with Wireguard-Go before the upgrade but not now.

The WG interface is selected in the Zenarmor Settings > Config, but the the Dashboard traffic graph just shows flatline.
Reports shows all other interfaces but not Wireguard.
Live Sessions - Can filter wg0 interface but reports nothing.

Log Message:
Engine configuration error
Cannot validate interface: netmap@wg0 line: 2, 1, netmap@wg0, netmap@wg0^, 0, 3, 4345 ,lan;netmap;routedmode

Anybody else experiencing the same and is there a fix?

OPNsense 23.7.1_3
Zenarmor 1.14.2

Taunt9930 · August 16, 2023, 09:03:31 PM

Are you definitely still using wireguard go? It's possible it has reverted to k-mod as part of the OPNSense upgrade?

Imnot A Robot · August 17, 2023, 03:15:39 AM

When I go to System > Firmware > Plugins it shows os-wireguard-go (installed) and os-wireguard is not installed.

Should I try uninstalling and reinstalling Wireguard? Will all of my tunnels and keys be preserved?

Thanks

Imnot A Robot · August 21, 2023, 04:08:57 AM

I can confirm Wireguard-Go is installed and the Wireguard interface/fFW rules are setup similar to my other two interfaces. However, those work just fine on Zenarmor.

No idea why Zenarmor sees the Wireguard interface but doesn't filteror report.

Any advice would be appreciated.

newsense · August 21, 2023, 04:38:09 AM

Uninstall wireguard-go (to be deprecated/removed in the future and to the best of my knowledge with no development prospects) and use kmod-wireguard instead.

Taunt9930 · August 21, 2023, 03:49:39 PM

Quote from: newsense on August 21, 2023, 04:38:09 AM
Uninstall wireguard-go (to be deprecated/removed in the future and to the best of my knowledge with no development prospects) and use kmod-wireguard instead.

The reason the OP is using go is because currently k-mod is not supported by filtering by Zenarmor, whereas Go was. The issue here is that it appears to have stopped working.

Whilst generally good advice to switch, it won't fix the OPs actual problem/complaint here - in fact it will guarantee Zenarmor won't filter it (until supported). As far as I know, that isn't the case yet?

Sent from my SM-S918B using Tapatalk

Imnot A Robot · August 24, 2023, 10:28:38 PM

Update:

After the recent update to OPNsense 23.7.2 and Zenarmor 1.14.4, the traffic graph in the Zenarmor Dashboard shows active Wireguard traffic but selecting the wg0 interface in Live Sessions or Reports shows nothing.

Thank you to the Devs thus far.

JasMan · August 25, 2023, 06:04:24 PM

Same issue at my OPNsense.
I can see the traffic load on the dashboard, but no connection details in the live view.
The rules don't applied to the Wireguard traffic. :(

franco · August 25, 2023, 10:16:42 PM

Is there maybe a kernel patch missing for tun that we discarded in the Netmap project? https://github.com/opnsense/src/commit/88f60d158d3b7

Because it wasn't added to 23.7 when we rewrote the branch from releng/13.2

Cheers,
Franco

JasMan · August 26, 2023, 12:04:41 PM

Uhm, is this a question to us users? I hope not ;D

Can we test it or provide logs to check this?

franco · August 26, 2023, 08:47:02 PM

Who should I talk to instead? 8)

I can add a test kernel on Monday. But ideally I'd like Zenarmor to report these issues and help test. The last we spoke of this together (when we did the Netmap improvement project) we decided to discontinue the TUN patching so that's what I did adhere to.

Cheers,
Franco

mb · August 26, 2023, 09:09:31 PM

Hey @franco,

Thanks for the heads-up. Yes, it the tun patch is not in 23.7, that must be the reason.

Looking forward to the test kernel; team will go ahead and test it.

WRT wireguad-kmod netmap support, we're working on it to see whether it would be feasible to develop/maintain. We'll reach out to the team once we have some meaningful progress.

JasMan · August 27, 2023, 12:10:46 PM

Quote from: franco on August 26, 2023, 08:47:02 PM
Who should I talk to instead? 8)

I guessed it was a question for another dev. Because I understood your presumption, but I don't know how to check if the missing patch is the reason for the issue.

Anyway, thank you guys for taking care of it.

wirefall · August 31, 2023, 04:07:38 PM

Any news regarding this issue? I also have the same here, no wireguard traffic in Zenarmour, engine stops with same alert "Cannot validate interface:..." so I always have to restart...

Opnsense 23.7.3
os-wireguard 2.0_2
os-sensei 1.14.5

Thanks a lot!

franco · August 31, 2023, 04:10:26 PM

I'll publish a test kernel tomorrow.

Cheers,
Franco

Wireguard interface active, but Zenarmor not filtering/reporting data.

Imnot A Robot

August 16, 2023, 05:41:08 PM Last Edit: August 16, 2023, 05:55:09 PM by Imnot A Robot

Taunt9930

August 16, 2023, 09:03:31 PM #1

Imnot A Robot

August 17, 2023, 03:15:39 AM #2

Imnot A Robot

August 21, 2023, 04:08:57 AM #3

newsense

August 21, 2023, 04:38:09 AM #4

Taunt9930

August 21, 2023, 03:49:39 PM #5

Imnot A Robot

August 24, 2023, 10:28:38 PM #6

JasMan

August 25, 2023, 06:04:24 PM #7

franco

August 25, 2023, 10:16:42 PM #8

JasMan

August 26, 2023, 12:04:41 PM #9

franco

August 26, 2023, 08:47:02 PM #10

mb

August 26, 2023, 09:09:31 PM #11

JasMan

August 27, 2023, 12:10:46 PM #12

wirefall

August 31, 2023, 04:07:38 PM #13

franco

August 31, 2023, 04:10:26 PM #14