23.7.3 killed wireguard (SOLVED)

Started by opn69a, September 15, 2023, 01:13:46 PM

September 15, 2023, 01:13:46 PM Last Edit: September 15, 2023, 06:05:55 PM by opn69a
I can't seem to be able to connect to any of my tunnels. I thought it was the upgrade to 23.7.4, but looking at my logs, I had uptime the entire 23.7.3, so I never had to reboot to get the newest kernel WireGuard.

EDIT: Updated to reflect findings

I get constant tx but only a one time 92 bytes rx.

Anyone else experiencing the same problem?

I can see in my live view when testing connections that the LAN connection is accepted and the NAT to translate to my wireguard is successful, but it stops there. There's no log showing WG->website.

What changes could changing to the kernel version result in the connection breaking? As in, where should I look?

My allow ips include 0.0.0.0/0 and my own custom VPN gateway with IP 192.168.0.7. Already tried to set that to dynamic and that made no difference. So kind of stuck now

Upgraded to 23.7.4 and the WireGuard connection is fine. No problems.

September 15, 2023, 06:05:43 PM #2 Last Edit: September 16, 2023, 12:53:41 AM by opn69a
Alright, I figured it out. Took like 7 hours, but got it.... I had to change all my firewall rules to manually select the Wireguard Gateway, as well as add a few for things like DNS to not use the updated Gateway settings. I don't understand how changing Wireguard to the kernel version would have caused this, but it did.

So anyone else who might run into issues where you can't use Wireguard VPNs anymore, and your firewall rules are as complicated as mine might be (including port forwarding and all that), be sure to update your firewall rules that have "outbound" traffic as your Wireguard's Gateway. If you use a local DNS server on your OPNsense, but also have local LAN-to-LAN traffic, be sure to set a rule for the DNS right above that to use your Wireguard's gateway. So the order would be DNS for WG Gateway first, and then LAN-to-LAN traffic using the default gateway.

Hope this doesn't change in future updates.... Gonna have to do a major cleanup on my rules one of these days now that they're kinda scrambled from trying to fix this thing. lol

EDIT:
There's a part 2 to this... I ran into the issue again after rebooting and restarting WireGuard. Spent many more hours to find out that you have to go to the VPN connection and check the box "Disable routes". Otherwise it creates this route, which just doesn't work:

`ipv4   0.0.0.0/1   link#10   US   NaN   1420   wg1      [YOUR VPN NAME]`
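The route quoted above is the symptom to look for: when AllowedIPs contains 0.0.0.0/0, the WireGuard instance installs half-space routes on the wg interface that are more specific than the real default route and so capture all IPv4 traffic. The script below is an added example (not from this thread or from the OPNsense project) that scans a routing table dump for such routes on a wg interface and reports them. It assumes the FreeBSD `netstat -rn -f inet` column layout and that the second half-space route (128.0.0.0/1) is created alongside the 0.0.0.0/1 shown in the post; the sample table is constructed.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense.
# Scan a FreeBSD/OPNsense routing table dump for the half-space routes
# (0.0.0.0/1 and 128.0.0.0/1) that WireGuard installs on a wg interface
# when AllowedIPs contains 0.0.0.0/0. Both are more specific than the
# 0.0.0.0/0 default, so they silently take over all IPv4 traffic; the
# "Disable routes" option on the instance stops them from being created.

# Constructed sample in the shape of "netstat -rn -f inet" output; the
# wg1 / link#10 line mirrors the route quoted in the post. The presence of
# 128.0.0.0/1 is an assumption about what the instance adds alongside it.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       vtnet0
0.0.0.0/1          link#10            US        wg1
10.0.0.0/24        link#2             U         vtnet1
128.0.0.0/1        link#10            US        wg1
198.51.100.0/24    link#3             U         vtnet2'

# Constructed table with the default route left alone (expected after
# "Disable routes" is ticked).
CLEAN_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS       vtnet0
10.0.0.0/24        link#2             U         vtnet1'

# Read a routing table on stdin and print "destination netif" for every
# half-space route whose interface name starts with "wg".
find_wg_half_routes() {
    awk '($1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") && $NF ~ /^wg[0-9]+$/ { print $1, $NF }'
}

# Number of such routes in the table passed as $1 (for scripted checks).
count_wg_half_routes() {
    printf '%s\n' "$1" | find_wg_half_routes | wc -l | tr -d ' '
}

# Human-readable verdict for the table passed as $1.
# Returns 0 (true) when hijacking routes are present, 1 when the table is clean.
check_routes() {
    hits=$(printf '%s\n' "$1" | find_wg_half_routes)
    if [ -n "$hits" ]; then
        printf 'WireGuard half-space routes found:\n%s\n' "$hits"
        printf 'Tick "Disable routes" on the WireGuard instance and select the\n'
        printf 'WireGuard gateway explicitly in the firewall rules that should use it.\n'
        return 0
    fi
    echo "No WireGuard half-space routes; the default route is untouched."
    return 1
}

# Stand-alone run against the constructed sample. On a live OPNsense box
# you would pipe "netstat -rn -f inet" into find_wg_half_routes instead.
check_routes "$SAMPLE_ROUTES"
```

Run it before and after ticking "Disable routes" to confirm the /1 routes are gone; once they are, traffic only reaches the tunnel through rules that name the WireGuard gateway explicitly, which is why the LAN and DNS rules had to be edited.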

Quote from: opn69a on September 15, 2023, 06:05:43 PM
be sure to update your firewall rules that have "outbound" traffic as your Wireguard's Gateway

Care to explain with a little more detail? I also have the issue, but I've already got an out firewall rule, and masquerading as the source of VPN in my setup. Thank you.

Quote from: Renegade6476 on September 17, 2023, 03:22:46 AM
Quote from: opn69a on September 15, 2023, 06:05:43 PM
be sure to update your firewall rules that have "outbound" traffic as your Wireguard's Gateway

Care to explain with a little more detail? I also have the issue, but I've already got an out firewall rule, and masquerading as the source of VPN in my setup. Thank you.

So I use Mullvad, and got the idea of doing this from their guide for pfSense + WireGuard: https://mullvad.net/en/help/pfsense-with-wireguard/

The LAN interface rule that says "Default allow LAN to any": make sure to go into the edit menu on that and set the gateway to the VPN's gateway. This wasn't needed on the previous versions, likely due to the fact that the routing table worked with getting the firewall to automatically use the VPN as the default gateway for everything.

Hope that helps.