[Solved] Wireguard - Mullvad setup cannot be completed anymore

Started by newsense, October 12, 2023, 04:05:23 PM

On a firewall using two Mullvad GWs which I set up more than a year ago one of the GWs went down this week. A deeper look revealed the server has been redeployed, same name but different IPs and WG keys.

As I've dealt with this in the past I went to update the GW configuration in all the required places, and all went fine except when trying to update the IP in Interfaces. The error when trying to save the new IP is: "Cannot assign an IP configuration type to a tunnel interface".

As you can see below, both opt13 and opt14 have the same settings, yet I couldn't update the IP in the GUI, so I just did it in config.xml and service was restored.

<opt13>
  <if>wg2</if>
  <descr>WAN_M0</descr>
  <enable>1</enable>
  <spoofmac/>
  <ipaddr>10.175.221.69</ipaddr>
  <subnet>32</subnet>
  <gateway>WAN_M0</gateway>
</opt13>
<opt14>
  <if>wg3</if>
  <descr>WAN_M1</descr>
  <enable>1</enable>
  <spoofmac/>
  <ipaddr>10.22.47.75</ipaddr>
  <subnet>32</subnet>
  <gateway>WAN_M1</gateway>
</opt14>



I don't set up Mullvad too often, which is why I cannot pinpoint the OPNsense time frame in which this GUI restriction ("Cannot assign an IP configuration type to a tunnel interface") was added. It is clearly required though, so I'm hoping Franco or Ad can look into it.


For reference, this is the tutorial I follow/revisit anytime I need to set up or update a WG configuration

https://schnerring.net/blog/opnsense-baseline-guide-with-vpn-guest-and-vlan-support/

That interface page validation is quite old and proper. A VIP would work as well I suppose?


Cheers,
Franco

Hi Franco,

I don't think a VIP is the answer here, the WG interface needs to have a static IP, and it's the static IP field at the bottom of the page that is now throwing the input validation error - although it worked just fine in the past.

As mentioned, doing the IP change in the config.xml was the workaround I needed to restore the service.




No, IPv4 and IPv6 setups of tunnels are not allowed in the interface page. It may have worked for wireguard being a plugin a while back missing the proper registration, but it's quite strange. A VIP is really the same and you can add it without setting IP modes. It also works for GIF/GRE tunnels where it is used to add different aliases if needed.

https://github.com/opnsense/core/commit/e40b8f51ac30a


Cheers,
Franco

Ah I see now, so it looks like the changes would go in this section in the screenshot.


Would it be possible to amend the "Cannot assign an IP configuration type to a tunnel interface" message with a reference to the VIP section then? I don't know how common this practice was in the past or in how many other tutorials the static IP of a tunnel is mentioned on the interface, so having a clarification in the error message would be helpful.


I'll ping schnerring in a PM as it looks like the tutorial needs to be updated.


Thanks again Franco.

It looks like there is a bug now in conjunction with this mullvad way of configuring an IPv4 manually... see https://github.com/opnsense/core/issues/6934


Cheers,
Franco

OK, it looks like the user on GitHub made the following mistake: he used x.x.x.x/32 for the tunnel address, but his network was x.x.x.x/24, and prior to 23.7.6 the IPv4 could be set to x.x.x.x/24 to fix it. In reality the better fix is to not set the IPv4 and instead set the tunnel address to x.x.x.x/24 (and clear the IPv4 config in that case if used).

The similar problem probably appears for Mullvad. It might have been a limitation of wireguard-go at the time?


Cheers,
Franco

Hi Franco,

I was reading the evolving thread on GH, and while I cannot say for sure if there ever was a limitation on wireguard-go, I'm 99% sure I created most of the Mullvad GWs on the kmod, which I installed the moment it became available and never looked back.

Now I have two comments on this issue if you don't mind.


  - First, Ad's (?) suggestion of using a /24 may be fine for someone in control of both ends of WG, but I'm not terribly fond of the idea, should I have to set up such a thing. I also tried with a /31 before modifying config.xml and it didn't work. Both GWs have been running fine for more than a year on /32.


  - Secondly, while I understand the reasoning of having those tunnel settings in the VIP section, I would argue that it is the less fortunate option from a user experience and even a logical point of view.


===================
I would propose amending the Interface GUI with a hidden by default VIP section. This would allow all Interface related settings to be present on a single page - which would be great for usability.

Also, for consistency, all VIP information added on an interface would be presented as an entry in the Virtual IP section as well.
===================


  - Lastly, I did a quick search for WG tutorials from other VPN providers here and on the internet, trying to assess whether the VIP thing will be required for more than only Mullvad, and so far I haven't found another. The best written one I found is from iVPN and they don't even go anywhere near a GW in Interfaces...

https://www.ivpn.net/setup/router/opnsense-wireguard/



My proposal may hold some value from a user experience point of view, but if we're only talking Mullvad AND WireGuard - whose lack of updates is a growing concern - the Virtual IP section will have to do.



Thanks again :)

Hi there,

> First, Ad's (?) suggestion of using a /24 may be fine for someone in control of both ends of WG, but I'm not terribly fond of the idea...should I have to set up such a thing. I also tried with a /31 before modifying config.xml and didn't work. Both GWs are running fine for more than a year on /32.

/32 has the downside of telling the local end that this is a point to point setup only being able to reach the gateway. However in the thread you could see that the user wanted /24 and actually configured it in the IPv4 config likely so he could access other peers from this box. If that's not what you want you can use /32. Bottom line is if you configured both /32 and /24 it's likely /24 is configured on the ifconfig output... which is why it was added as a workaround in the first place.

> Secondly, while I understand the reasoning of having those tunnel settings in the VIP section I would argue that is the less fortunate from a user experience and even logical point of view.

The thing is you don't need this. This is what the tunnel address is for...


Cheers,
Franco
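The point above about /32 versus /24, and about config.xml and ifconfig possibly disagreeing once both a tunnel address and an interface IPv4 have been set, can be checked mechanically. The following script is an added example and not part of this thread or of OPNsense; it parses a constructed config.xml fragment (modelled on the opt13/opt14 entries posted earlier) and a constructed FreeBSD-style ifconfig output, reports where the prefix the kernel actually carries differs from what config.xml says, flags /32 tunnel addresses as point-to-point, and answers "is this peer on-link from this address?" using only the standard library. The ifconfig lines, interface names and addresses are assumptions for illustration.

```python
"""Audit WireGuard interface prefixes: config.xml vs what the kernel actually has.

Example added here; not OPNsense code. The config.xml fragment and the ifconfig
output below are constructed, modelled on the entries posted in this thread.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment. wg3 deliberately has a /32 on the interface page
# while the kernel (below) ended up with the /24 that was set as the tunnel address.
CONFIG_XML = """<opnsense>
  <interfaces>
    <opt13>
      <if>wg2</if>
      <descr>WAN_M0</descr>
      <enable>1</enable>
      <ipaddr>10.175.221.69</ipaddr>
      <subnet>32</subnet>
      <gateway>WAN_M0</gateway>
    </opt13>
    <opt14>
      <if>wg3</if>
      <descr>WAN_M1</descr>
      <enable>1</enable>
      <ipaddr>10.22.47.75</ipaddr>
      <subnet>32</subnet>
      <gateway>WAN_M1</gateway>
    </opt14>
  </interfaces>
</opnsense>"""

# Constructed FreeBSD-style ifconfig output (FreeBSD prints inet netmasks in hex).
IFCONFIG_OUT = """wg2: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
\toptions=80000<LINKSTATE>
\tinet 10.175.221.69 netmask 0xffffffff
\tgroups: wg
wg3: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
\toptions=80000<LINKSTATE>
\tinet 10.22.47.75 netmask 0xffffff00
\tgroups: wg
"""

HEADER_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+) netmask (0x[0-9a-fA-F]{8})")


def config_addresses(xml_text):
    """Return {ifname: IPv4Interface} for interfaces with a static IPv4 in config.xml."""
    root = ET.fromstring(xml_text)
    result = {}
    for entry in root.find("interfaces"):
        ifname = entry.findtext("if")
        ipaddr = entry.findtext("ipaddr")
        subnet = entry.findtext("subnet")
        if not ifname or not ipaddr or not subnet or ipaddr in ("dhcp", "pppoe"):
            continue  # IPv4 configuration type "None"/DHCP: nothing static to compare
        result[ifname] = ipaddress.ip_interface(f"{ipaddr}/{subnet}")
    return result


def ifconfig_addresses(text):
    """Parse FreeBSD ifconfig output into {ifname: [IPv4Interface, ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current:
            mask = str(ipaddress.IPv4Address(int(m.group(2), 16)))
            prefixlen = ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen
            result[current].append(ipaddress.ip_interface(f"{m.group(1)}/{prefixlen}"))
    return result


def on_link(iface, target):
    """True if the connected route implied by iface's prefix covers target."""
    return ipaddress.ip_address(target) in iface.network


def audit(config_xml, ifconfig_text):
    """Compare configured and live prefixes; return human-readable findings."""
    findings = []
    live = ifconfig_addresses(ifconfig_text)
    for ifname, wanted in config_addresses(config_xml).items():
        actual = live.get(ifname, [])
        if not actual:
            findings.append(f"{ifname}: configured {wanted} but interface has no inet address")
            continue
        if wanted not in actual:
            findings.append(f"{ifname}: config.xml says {wanted}, kernel has "
                            + ", ".join(str(a) for a in actual))
        for addr in actual:
            if addr.network.prefixlen == 32:
                findings.append(f"{ifname}: {addr} is a /32, point-to-point; other peers "
                                "are reachable only via explicit routes/AllowedIPs")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG_XML, IFCONFIG_OUT):
        print(finding)
```

On a real box you would feed `audit()` the contents of /conf/config.xml and the output of `ifconfig`; the `on_link()` helper is the same test the kernel makes when deciding whether a peer address sits on the connected route, which is why a /32 reaches nothing but itself without a route.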

Quote from: franco on October 13, 2023, 10:29:15 AM

> The thing is you don't need this. This is what the tunnel address is for...


I'll deploy a VM this weekend and test. Would be awesome to get rid of unneeded complications.


I am a Mullvad user that discovered my WireGuard configuration no longer works. I have attempted to follow the different discussions on this, but the only real answer is that I've had things configured wrong this whole time.
I have attempted to use VIPs to assign an IP to the interface, and the interface appears to come up in the GUI, but no traffic is passed. Is there a solution to this? Have any guides been updated? It's just frustrating to hear "Your configuration is incorrect" when it has worked for so long.

<Solved> I was able to get it properly configured by adding the VIP addresses and including outbound/NAT entries for the WG interface. Maybe I should write a guide.

Thanks townsenk, interestingly enough and quite unexpectedly I hit the NAT issue as well for reasons I don't understand.


First thing, on topic, it's not pretty but it works just fine with the VIPs on 23.7.6.


================================================

Migratory birds - from Interface IP/GW to VIP - need to do the following:

  a) Go to Mullvad Interface(s) - Copy IP/32 and GW - Set IPv4 Configuration Type to None - Save - Apply

  b) Go to Interfaces: Virtual IPs: Settings - Click on the + - Mode Other - Click Advanced - Select Mullvad Interface - Add IP/32 and Gateway - Save - Apply - works but appears to be redundant. It's not needed after all as per Franco's post below, and I've been able to confirm that.

  c) Reboot OPNsense

================================================


The final straw in my case was that after migrating to the VIP, the road warrior WG instance needed the NAT on the Mullvad interface -- yet it wasn't necessary on the previous configuration.

Still not sure why the VIP is necessary in these cases. The instance tunnel address is exactly the same setting?