OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • WireGuard client cannot communicate anywhere after some amount of time
« previous next »
  • Print
Pages: [1]

Author Topic: WireGuard client cannot communicate anywhere after some amount of time  (Read 2234 times)

ne0_2k

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
WireGuard client cannot communicate anywhere after some amount of time
« on: October 09, 2023, 09:20:06 am »
Hello all,

I've configured Wireguard on my OpnSense following the Road Warrior Guide (https://docs.opnsense.org/manual/how-tos/wireguard-client.html). I'm able to connect and everything works but after a while (doesn't seem like a consistent period of time) I'm unable to communicate with any address (both tunnel addresses or any other address). This can be usually be resolved by disconnecting and reconnecting to the tunnel.
I've seen some posts discussing adding a KEEPALIVE to the configuration and I haven't tried that yet but to my understanding that should be used when you need to keep traffic coming in to your client which is behind a NAT and the mapping is removed from the firewall. I don't understand why that would prevent outgoing traffic from my client.

Any tips from more experienced folks would be much appreciated.

Logged

Monviech (Cedrik)

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 1599
  • Karma: 176
    • View Profile
Re: WireGuard client cannot communicate anywhere after some amount of time
« Reply #1 on: October 09, 2023, 09:34:09 am »
Wireguard uses UDP. UDP has a default session timeout of 30 Seconds in most routers.

The Keepalive should be configured in the client, like 25 seconds or so, to keep the session open. Otherwise the outbound port of the NATed Client might change and then the Wireguard Server on the OPNsense keeps sending to the wrong old port and it stops working.
« Last Edit: October 09, 2023, 09:36:53 am by Monviech »
Logged
Hardware:
DEC740

CJ

  • Hero Member
  • *****
  • Posts: 832
  • Karma: 30
    • View Profile
    • Have Answer, Will Blog
Re: WireGuard client cannot communicate anywhere after some amount of time
« Reply #2 on: October 10, 2023, 04:37:29 pm »
Quote from: Monviech on October 09, 2023, 09:34:09 am
Wireguard uses UDP. UDP has a default session timeout of 30 Seconds in most routers.

The Keepalive should be configured in the client, like 25 seconds or so, to keep the session open. Otherwise the outbound port of the NATed Client might change and then the Wireguard Server on the OPNsense keeps sending to the wrong old port and it stops working.

I just want to note that WG did not previously require keepalive.  It would automatically create and resume tunnels as needed.  But somewhere around 21-22 something got changed that caused WG to be unable to resume and required you to completely turn it off and then back on.  Keepalive 25 was added in order to prevent needing to resume as a bandaid until the root cause gets fixed.

That all said, I'm not sure if anyone has actually worked on troubleshooting the root cause of WG being unable to resume and whether it's limited to OPNSense or not.
Logged
Have Answer, Will Blog

ne0_2k

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
    • View Profile
Re: WireGuard client cannot communicate anywhere after some amount of time
« Reply #3 on: October 10, 2023, 08:45:35 pm »
Thanks both for the feedback. I will try to add and see how it effects the connection.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • WireGuard client cannot communicate anywhere after some amount of time
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2