WireGuard no Internet access unless manually restarted (and Unbound issues)

Started by Kinerg, September 27, 2023, 10:49:47 PM

Quote from: Kinerg on October 01, 2023, 03:51:06 PM
Quote from: CJ on October 01, 2023, 03:21:05 PM
Yes, IIRC, this was done to avoid issues with dynamic interfaces such as wireguard not being picked up.  So instead of a default deny with allow rules added for each interface subnet, unbound was changed to a default allow.
I see, I must have missed that in the changelog. I do remember something to that effect, but not the UI changes being mentioned.

The Default Action setting doesn't work for me, though. It only affects OPNsense itself, but not the Interfaces. They continue having Unbound access regardless if set to Deny. I'm probably misunderstanding how the option should be used.

What about the missing Allow Snoop/Deny Non-local/Refuse Non-local?

No idea on the "missing" bit.  Perhaps it's just a typo in the documentation.  Since I leave Unbound as available to all interfaces the change didn't affect me and I didn't even realize the UI was different until you mentioned it.

The change from Allow to Deny probably requires a restart of either Unbound or OPNSense, but as I don't use it I haven't tested that.

I'm still a bit confused why you have a rule allowing access to all ports on the interface and then want to disable Unbound.  Why not create an alias of only the ports you want that network to access?  Or separate rules, which enables a bit more granular logging.  Either way seems more secure than what you have now.

Quote from: Kinerg on October 01, 2023, 03:56:38 PM
I do. They don't show anything being blocked, but they do show a different outgoing address being used. Before WG service restart, pings go out to WAN from the WG interface IP. After restart, from the WAN interface IP.  NAT not working?

OPNsense fresh boot, before manual WG restart:

wan 2023-10-01T15:43:55 10.101.80.1 1.1.1.1 icmp let out anything from firewall host itself
WGxInternet 2023-10-01T15:43:55 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet
wan 2023-10-01T15:43:54 10.101.80.1 1.1.1.1 icmp let out anything from firewall host itself
WGxInternet 2023-10-01T15:43:54 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet


After manual WG restart:

wan 2023-10-01T15:44:56 192.168.61.10 1.1.1.1 icmp let out anything from firewall host itself (force gw)
WGxInternet 2023-10-01T15:44:56 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet
wan 2023-10-01T15:44:55 192.168.61.10 1.1.1.1 icmp let out anything from firewall host itself (force gw)
WGxInternet 2023-10-01T15:44:55 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet


Not sure.  My WG just works so I haven't dug too deeply into it.
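A small check for the difference Kinerg points out between the two captures, written as an added example (not code from the thread or from OPNsense): it parses the pasted filter-log lines and flags WAN entries whose source address is not the WAN interface address. The interface name `wan` and the addresses 192.168.61.10 (WAN) and 10.101.80.1 (WG) are taken from the log above; the sample log text is constructed from it.

```python
"""Flag WAN egress whose source is not the WAN address.

Parses filter-log lines in the form pasted in the thread
(interface, timestamp, src, dst, proto, rule label) and reports WAN
entries that leave with some other source address, i.e. the
pre-restart state where the WG interface address shows up on WAN.
"""
import re
from ipaddress import ip_address

# Constructed from the log excerpt in the post above.
BEFORE_RESTART = """\
wan 2023-10-01T15:43:55 10.101.80.1 1.1.1.1 icmp let out anything from firewall host itself
WGxInternet 2023-10-01T15:43:55 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet
"""
AFTER_RESTART = """\
wan 2023-10-01T15:44:56 192.168.61.10 1.1.1.1 icmp let out anything from firewall host itself (force gw)
WGxInternet 2023-10-01T15:44:56 10.101.80.1 1.1.1.1 icmp Allow WGxInternet to Internet
"""

# interface  timestamp  src  dst  proto  rule label (rest of line)
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<label>.*)$"
)


def parse(log: str) -> list[dict]:
    """Turn the pasted log lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def unnatted_wan_egress(log: str, wan_iface: str, wan_addr: str) -> list[str]:
    """Timestamps of entries on wan_iface whose source is not wan_addr.

    A non-empty result is the 'before restart' picture from the post: traffic
    leaving WAN still carries the WireGuard interface address as its source.
    """
    wan = ip_address(wan_addr)
    return [
        r["ts"] for r in parse(log)
        if r["iface"] == wan_iface and ip_address(r["src"]) != wan
    ]


if __name__ == "__main__":
    print("before:", unnatted_wan_egress(BEFORE_RESTART, "wan", "192.168.61.10"))
    print("after: ", unnatted_wan_egress(AFTER_RESTART, "wan", "192.168.61.10"))
```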

Quote from: opn69a on October 02, 2023, 03:58:21 AM
I did a fresh installation of OPNsense on a separate machine to continue my troubleshooting with the issues I've been having with the new Wireguard kernel update to 2.0 and it looks like the 'main issue' is starting to lead to here: Wireguard doesn't establish a connection at boot.

I disabled Unbound DNS to rule that out as the culprit for the issues I've been having since updating to 23.7.3 (when Wireguard was updated to 2.0) and it looks like it wasn't related.

I backed up all my configuration _before_ doing the Wireguard setup. Can reboot, use internet, etc. nothing wrong whatsoever. But then the problem started after I setup Wireguard. Just for clarity, here's what I did:

Setup an endpoint, setup the local instance, and enable it. You get a Wireguard connection from the Firewall itself and can see this with the `wg` command. You can ping and curl and verify VPN access from the firewall. Before doing anything else - Reboot the firewall. Now go back to the Wireguard plugin, and you'll see it tries to send data, but never receives. It's completely stuck, even with the default NAT rules. Verified in an SSH session too, just to make sure. Go to the plugin, uncheck it, save, check it again, save... VPN connection is back and running. So I'm starting to think the main issue/bug I've been running into the past month or whatnot is potentially a result of this issue.

All in all, can +1 the report of WG not working unless manually restarting the plugin.

What does your config look like?  Did you change any other settings besides setting up WG?

Also, I want to clarify something.  Are you attempting to initiate traffic from the OPNSense side to the client and that's not what's working?  Or are you initiating traffic from the client side to OPNSense?

What do your WG configs look like?  Are you using IPs, domains, etc?

I've opened bug reports for the WireGuard and Unbound issues to seek additional help. Will report back here with the findings.

Quote from: CJ on October 02, 2023, 04:47:21 PM
What does your config look like?  Did you change any other settings besides setting up WG?

Also, I want to clarify something.  Are you attempting to initiate traffic from the OPNSense side to the client and that's not what's working?  Or are you initiating traffic from the client side to OPNSense?

What do your WG configs look like?  Are you using IPs, domains, etc?

Apologies, forgot to reach back out on this!

1. Made changes to nothing else except WG because I wanted to confirm it was WG and not something else
2. Neither work prior to restarting the service, both work after
3. IPs, following the guide word-for-word from the OPNsense wiki as well. Basically kept DNS out of this as much as possible.

Hoping Kinerg's bug report and next update will resolve all this though, so guess we'll see soon-ish? :D

Quote from: opn69a on October 10, 2023, 10:04:02 PM
Apologies, forgot to reach back out on this!

1. Made changes to nothing else except WG because I wanted to confirm it was WG and not something else
2. Neither work prior to restarting the service, both work after
3. IPs, following the guide word-for-word from the OPNsense wiki as well. Basically kept DNS out of this as much as possible.

Hoping Kinerg's bug report and next update will resolve all this though, so guess we'll see soon-ish? :D

When you say it doesn't work, what specifically?  Are you unable to ping, unable to resolve domains?  Something else?

Lastly, are you using Keepalive 25 in your configs?

I've restarted OPNSense multiple times over the course of troubleshooting my ISP issues and never had to touch WG beyond initially setting it up.