Mullvad WG Tunnels Loop Detected

Started by vorago, September 13, 2023, 03:09:08 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
September 13, 2023, 03:09:08 PM Last Edit: September 13, 2023, 03:18:07 PM by vorago
I have 4 tunnels set up to mullvad with routes disabled, a gateway group set up, and used in firewall rules. For the past few months I've been getting consistent packet loss only on some of the tunnels. It used to only happen about once a day for about an hour, but now it's almost constant.

When all 4 tunnels are connected, logs in System > Log Files > General show
Code Select
Notice kernel <5>wg1: loop detected If I bring down wg1, the loop changes to wg3, if I also bring down wg3, the remaining 2 tunnels are fine.

I have set up all 4 tunnels with the same methodology, so I don't think it's something in the wireguard settings. I've attached screenshots of them just in case I'm missing something.

I am more inclined to think it's a firewall rule somewhere, but neither wg1 or wg3 are in rules by themselves. I use the WG gateway group in my rules. How can I figure out what the exact cause of this loop is?
September 13, 2023, 03:32:15 PM #1
I'll also add that I have 3 VLANs; general population, IoT, and a DMZ. I have put them with my LAN in a Firewall Group that has a few rules to apply to all the them.

They are all using my wg gateway group as the gateway for general internet access.

I'm unsure what extra I could provide that would help, so if anything else would be useful to troubleshooting this please let me know and I'll share.
September 15, 2023, 06:00:56 PM #2
Is there something else I could provide to give more insight into this that someone might have an idea for a more specific area to look?
November 07, 2023, 03:43:50 AM #3
So I completely reinstalled opnsense and things are more stable in comparison, but I still get regular (maybe once a day) issues with "loop detected". I have discovered that taking the wg gateways in the group down and bringing them back up seems to consistently resolve the issue.

Is there a way to use monit to automatically bring the gateways down and up?
November 11, 2023, 05:29:51 PM #4
Hi, I have same problem - so I use monit to solve it.

1. You need to know internal id's for wireguard interfaces
just execute :
Code Select
/usr/local/sbin/pluginctl -S wireguard
you will receive somethinh like this:
Code Select
[
    {
        "description": "Wireguard wg0",
        "configd": {
            "start": [
                "wireguard start xxxx-xx-tt-yy-uuuuuuu"
            ],
            "restart": [
                "wireguard restart xxxx-xx-tt-yy-uuuuuuu"
            ],
            "stop": [
                "wireguard stop xxxx-xx-tt-yy-uuuuuuu"
            ]
        },
        "nocheck": true,
        "id": "xxxx-xx-tt-yy-uuuuuuu",
        "name": "wireguard",
        "status": "wireguard[xxxx-xx-tt-yy-uuuuuuu] is running."
    }
]

That
Code Select
xxxx-xx-tt-yy-uuuuuuu is internal id.
2.  Configure monit
2.1 Go to Service-Monit-Settings
        tab "Service Tests Settings"
        add new ("+" button)
         name: TEST_NAME_1
         condition: content = "wg1: loop detected"
         action: Restart
  Save-Apply

2.2 tab "Service Settings"
       add new ("+" button)

        check "enabled"
        name: TEST_SERVICE_1
        type:   File
        path:  /var/log/system/latest.log
        Start: /bin/sh -c '/usr/local/sbin/pluginctl -s wireguard start xxxx-xx-tt-yy-uuuuuuu'
        Stop: /bin/sh -c '/usr/local/sbin/pluginctl -s wireguard stop xxxx-xx-tt-yy-uuuuuuu'
        TESTS:  TEST_NAME_1  (from step 2.1)
  Save-Apply

2.3 Enable monit on tab "General Settings" (if not enabled yet)
      Check monit Status page for it is up and running
   
3. If you have more than one wg interface  - repeat steps 2.1, 2.2 with appropriate id changes and wg interface name changes.



November 11, 2023, 07:07:53 PM #5
You are a lifesaver xsfpo! I was focusing on the gateways, not thinking about the interfaces themselves. Gonna apply this and hopefully not get this anymore.
November 17, 2023, 03:53:06 AM #6
Want to report back that for the past 5 days I haven't noticed any interruptions, and monit logs show the restarts. So thank you again!
January 18, 2024, 09:51:31 PM #7
Hi,

I wonder what caused this. I am running the same mullvad gateway  group setup with the following versions and packages:

pfSense-pkg-WireGuard    0.2.0_2    pfSense package WireGuard
2.7.0-RELEASE (amd64)
built on Wed Jun 28 03:53:34 UTC 2023
FreeBSD 14.0-CURRENT

However, I have tried multiple vpn providers with the same result

proton vpn
airvpn
mullvad

Gonna try to implement this monitor service solution now, whish me luck! : )
January 19, 2024, 09:31:40 AM #8
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
January 22, 2024, 06:12:03 AM #9
Quote from: kognitiva on January 18, 2024, 09:51:31 PM
Hi,

I wonder what caused this.

Update on my issues, I am on AT&T fiber and had their gateway in passthrough mode to my opnsense box. I've recently implemented a bypass via a ONT on a SFP stick to be able to completely cut their gateway out of the mix. Monit has not triggered once to restart my WG interfaces in the week since doing so. So, it seems possible that if you're in a similar situation that might be the cause.
Print
Go Up Pages1
User actions