[solved] PIA Wireguard Tunnel

Started by s4rs, November 24, 2023, 03:15:35 PM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
November 24, 2023, 03:15:35 PM Last Edit: November 28, 2023, 12:15:06 AM by s4rs
I upgraded to 23.7.9 and now my Wireguard PIA tunnel is broken. This also happened on the last upgrade but I rolled back to 23.7.7.3 which works fine. I see this generic error in the WG diag logs

Code Select
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: Skipping gateway WG_PIA_GW due to empty 'gateway' property.

Looking at Wiregurad Diagnostics I see an active connection:
Code Select
Name Port/Endpoint Handshake SendReceived
PIA-Server xxx.xxx.xxx.xxx:1337 2023-11-24 11:28:20        1.23 KB 368.00 Bytes

Looking at Interfaces -> Overview I don't see any packets being transmitted

Code Select

Status up
MAC address 00:00:00:00:00:00 - XEROX CORPORATION
MTU                       1420
IPv4 address                 xxx.xxx.xxx.xxx/32
In/out packets         0 / 0 (0 bytes / 0 bytes)
In/out packets (pass) 0 / 0 (0 bytes / 0 bytes)
In/out packets (block) 0 / 0 (0 bytes / 0 bytes)
In/out errors                 0 / 0
Collisions                 0




What changed and how do I fix this?

November 25, 2023, 04:01:39 AM #1
I'm using os-wireguard-go instead and 23.7.9 broke it for me too. The wireguard adapters just wouldn't show up for assignment, most likely due to the new changes regarding interface assignments for wireguard devices mentioned in the changelog I'm sure. Reverting to 23.7.8_1 fixed everything for me. Even tried the kernel plugin and had the same problem as you.
So make of that what you will, I'd use the older plugin for now.
November 25, 2023, 12:20:58 PM #2
I moved away from Wireguard-Go when the kernel plugin became available. I have to test but I think my client connections into Opnsense will work. Its the PIA gateway that is failing For me the last release that PIA gateway worked was 23.7.7_3.
November 27, 2023, 05:50:40 AM #3
bump
November 27, 2023, 10:57:27 AM #4 Last Edit: November 27, 2023, 11:00:49 AM by DEC670airp414user
it takes less than 5 minutes to delete or re add an interface in WG

have you tried this and has it come back online?

os-wireguard   2.5_1   84.4KiB

os-wireguard-go   1.13_7   55.6KiB   

you can also see the version difference.  I've read you should be using os-wireguard going forward

November 27, 2023, 01:40:12 PM #5
Not only have I removed the wireguard interface, I deleted it, reinstalled it, and re-added it, and it still fails. I have been using OS-Wireguard since it became available, what ever that release was.

Code Select
os-wireguard 2.5_1 84.4KiB OPNsense BSD2CLAUSE WireGuard VPN service kernel implementation

under vpn -> wireguard -> diagnostics you can see the tunnel to PIA is up.
Code Select

wg2 <key>  PIA-Server xx.xx.xx.xx:1337 2023-11-27 07:36:12 637.04 KB 172.41 KB



There seems to be a disconnect between the tunnel and creating the interface. The interface gets created but doesn't have a traffic.

Code Select

Status up
MAC address 00:00:00:00:00:00 - XEROX CORPORATION
MTU 1420
IPv4 address xx.xx.xx.xx/32
IPv4 gateway auto-detected: xx.xx.xx.1
In/out packets 0 / 0 (0 bytes / 0 bytes)
In/out packets (pass) 0 / 0 (0 bytes / 0 bytes)
In/out packets (block) 0 / 0 (0 bytes / 0 bytes)
In/out errors 0 / 0
Collisions 0

November 27, 2023, 02:11:23 PM #6
from scratch

I setup a tunnel with my "provider"

it worked perfectly.  try 1320 for MTU in the interface for your tunnel and see if that helps?
November 27, 2023, 04:58:26 PM #7
My MTU is set for 1380 which has worked for a few years now.

Again if you look at what I posted, its not the connection to PIA that is an issue, it is building the Opnsense adapter on top of that connection that is failing.
November 27, 2023, 05:14:05 PM #8
If it works for me and does not for you

The only difference is pia.    Opnsense is working for me with wireguard and my provider

Edit. I follow Christian McDonald's YouTube videos for setup. But I do not use mullvsd, try his videos
November 27, 2023, 05:25:04 PM #9
This has worked for me since 21.x It stopped working after upgrading to 23.7.8. It works perfectly on 23.7.7_3.
November 27, 2023, 07:24:41 PM #10
If something was broken the forum would be full of wireguard issues. 

Your setup sounds like the issue
November 27, 2023, 08:36:31 PM #11
Please explain why my setup worked flawlessly on releases up to 23.7.7_3 if my setup is an issue?
November 27, 2023, 09:21:04 PM #12 Last Edit: November 27, 2023, 09:23:07 PM by DEC670airp414user
Because my setup and hundreds if not more out there are still working

Have you contacted pia or tried another server? 

Under the interface have you checked this ?
This interface does not require an intermediate system to act as a gateway

Try this
November 27, 2023, 10:11:17 PM #13 Last Edit: November 27, 2023, 10:35:44 PM by s4rs
I have a production system running 23.7.7_3 which is connected to PIA without issue. I upgraded my test system which was also working fine on 23.7.7_3 to 23.7.7.9 and the Interface associated to PIA no longer works. The system is connected to PIA but when you associate and interface to the PIA connections it doesn't pass packets. From what can tell this has nothing to do with PIA and Opnsense connecting to it. That piece seems to work. It is add the interface to the PIA tunnel that is failing.

To verify the PIA connection is working I pinged the production PIA interface from my test system and back and it worked. So the bug isn't with the PIA tunnel, the bug is how Opnsense is configuring the interface using the tunnel.
November 27, 2023, 11:46:59 PM #14
Did you use the FingerlessGlov3s script to set up your tunnel? If so, it looks like the maintainer released an update to support a change made in 23.7.8.

https://github.com/FingerlessGlov3s/OPNsensePIAWireguard/releases/tag/23.7.8-1
Print
Go Up Pages1 2
User actions