24.1.2 Wireguard does not work after updating

Started by H3n, February 20, 2024, 06:37:11 PM

Hi together,

Just updated to 24.1.2 and noticed that WireGuard stops receiving traffic after the initial handshake.
Logs at Debug level sadly do not spit out anything specific:

2024-02-20T18:24:59 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt3'
2024-02-20T18:24:59 Notice wireguard wireguard instance vpn.fwh02.local (wg1) started
2024-02-20T18:24:59 Notice wireguard wireguard instance vpn.fwh02.local (wg1) stopped
2024-02-20T18:24:59 Notice wireguard wireguard instance vpn.fwh02.local (wg1) can not reconfigure without stopping it first.
2024-02-20T18:24:52 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt3'
2024-02-20T18:24:52 Notice wireguard wireguard instance vpn.fwh02.local (wg1) started
2024-02-20T18:24:51 Notice wireguard wireguard instance vpn.fwh02.local (wg1) stopped
2024-02-20T18:24:51 Notice wireguard wireguard instance vpn.fwh02.local (wg1) can not reconfigure without stopping it first.


Looking into the system logs I see an issue with the CARP IP. Disabling and removing it does not help:

2024-02-20T17:54:11 Error opnsense /usr/local/opnsense/scripts/interfaces/carp_set_status.php: The command '/sbin/ifconfig wg1 '10.0.1.1'/'24' alias vhid '3'' returned exit code '1', the output was 'ifconfig: SIOCGVH: Operation not supported'
2024-02-20T17:54:11 Error opnsense /usr/local/opnsense/scripts/interfaces/carp_set_status.php: The command '/sbin/ifconfig wg1 vhid '3' advskew '0' advbase '1' pass '**PASSWORD**'' returned exit code '1', the output was 'ifconfig: SIOCGVH: Operation not supported'


Does anyone face the same issue?
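As an added example (not code from this thread or from the OPNsense project), a small Python check that classifies peers from `wg show wg1 dump` output and separates the state described above, handshake done but no payload, from healthy and never-connected peers. The interface name, keys, endpoints and counters in the sample are constructed placeholders, and the two thresholds are assumptions.

```python
"""Classify peers from `wg show <if> dump`: the thread's symptom is a peer that
handshakes (looks connected in the GUI) yet moves no payload. Added example, not
code from the thread or OPNsense; dump field order is WireGuard's documented one."""

HANDSHAKE_MAX_AGE = 180   # seconds; an active tunnel rekeys roughly every 2 minutes
MIN_PAYLOAD_BYTES = 4096  # handshake plus keepalives alone stay far below this

# Constructed sample of `wg show wg1 dump` (keys, endpoints, counters are placeholders).
# Peer fields: pubkey, psk, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
NOW = 1708450000
SAMPLE_DUMP = (
    "PRIVKEY_PLACEHOLDER\tPUBKEY_SERVER\t51820\toff\n"
    # phone: fresh handshake, a few hundred bytes each way -> the symptom in this thread
    "PUBKEY_PHONE\t(none)\t203.0.113.10:41641\t10.21.200.2/32\t1708449960\t1872\t1024\t25\n"
    # site-to-site peer: fresh handshake and megabytes of payload -> healthy
    "PUBKEY_SITE_B\t(none)\t198.51.100.7:51820\t10.21.0.0/16\t1708449905\t7340032\t9111222\t25\n"
    # laptop: configured but has never handshaked
    "PUBKEY_LAPTOP\t(none)\t(none)\t10.21.200.3/32\t0\t0\t0\toff\n"
)

def parse_dump(text):
    """One dict per peer line; the first line describes the interface and is skipped."""
    peers = []
    for line in [l for l in text.splitlines() if l.strip()][1:]:
        f = line.split("\t")
        peers.append({"public_key": f[0], "endpoint": f[2], "allowed_ips": f[3],
                      "latest_handshake": int(f[4]), "rx": int(f[5]), "tx": int(f[6])})
    return peers

def classify(peer, now):
    if peer["latest_handshake"] == 0:
        return "never-handshaked"
    if now - peer["latest_handshake"] > HANDSHAKE_MAX_AGE:
        return "stale"
    if peer["rx"] < MIN_PAYLOAD_BYTES and peer["tx"] < MIN_PAYLOAD_BYTES:
        # Crypto is fine but nothing rides the tunnel: check firewall rules on the
        # wg interface and routing rather than the WireGuard configuration itself.
        return "handshake-only"
    return "passing-traffic"

def report(text, now):
    """Map each status to the public keys of the peers in that state."""
    out = {s: [] for s in ("passing-traffic", "handshake-only", "stale", "never-handshaked")}
    for p in parse_dump(text):
        out[classify(p, now)].append(p["public_key"])
    return out

if __name__ == "__main__":
    for status, keys in report(SAMPLE_DUMP, NOW).items():
        print(f"{status}: {', '.join(keys) or '-'}")
```

On a live box, feed the text of `wg show wg1 dump` into `report()` with `int(time.time())` as `now`.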

Same here

Did not look into the log files. WireGuard is needed here urgently. Rolled back to the snapshot from before the upgrade.
I could see the client being connected in the OPNsense web GUI, but no traffic went through.

Faced WireGuard errors and it was not connecting.
Looks like the new code cannot handle DNS resolution and requires an IP address for the Endpoint address.

My problem was that I could not connect to the WireGuard server on the OPNsense.

Client was my mobile phone.
I saw the connection in the OPNsense web interface but no data was transmitted.

I also have a tunnel to an external VPN provider for selective routing. At least the gateway of the provider showed up green in the OPNsense interface. However, I did not try whether data is actually transmitted.

All a bit strange. Is this perhaps a kernel issue?

# opnsense-update -kr 24.1
# opnsense-shell reboot


Cheers,
Franco

Quote from: franco on February 20, 2024, 08:11:23 PM
All a bit strange. Is this perhaps a kernel issue?

# opnsense-update -kr 24.1
# opnsense-shell reboot


Cheers,
Franco

Tested this, still not working (sadly).
Within my Android client I see:
"WireGuard/GoBackend/vpn: peer(hash) - Receiving keepalive packet."

Still nothing within the WireGuard logs on OPNsense.

Quote from: franco on February 20, 2024, 08:11:23 PM
All a bit strange. Is this perhaps a kernel issue?

Assuming the only difference between 24.1.1_14 and 24.1.2 is the if_re EEPROM patch, then I've seen no regressions and WG tunnels are working everywhere, both server/clients and clients to upstream GWs.

Unsure if I'm missing something in between 24.1.1_38 and 24.1.2.

This is very unsubstantial indeed. Could the reboot have killed it, having broken the box setup without noticing some time before?

The thing is this would have turned up at least on Reddit by now, but everyone is happy over there.


Cheers,
Franco

I will try again tonight or tomorrow and then report here.

No problems with 24.1.2 updates

I updated 4 systems to 24.1.2, all with WireGuard site-to-site links between the systems.

Updates went smoothly and WireGuard connected without any problems.

Johan

February 20, 2024, 11:40:34 PM #10 Last Edit: February 20, 2024, 11:45:53 PM by gstyle
I updated again and did some testing.

Outgoing WireGuard works, i.e. selective routing to an external VPN provider.

Incoming WireGuard does not work. I see the connection in the OPNsense WebGui, but no data is transferred.

Then I disabled WireGuard and enabled it again. After this everything works normally.

When I reboot, it is broken again until I restart WireGuard.


One strange thing: I have two tunnel configurations. A full and a split tunnel.
Full tunnel allowed IPs: 0.0.0.0/0,::/0
Split tunnel allowed IPs: 10.21.0.0/16

After the reboot, the full tunnel does not work. From my Android phone and my iPad I cannot access an external site and also nothing of my private 10.21... network.
However with the split tunnel, I can access my private network.


Another thing:

I rebooted a few times. It ended up with the following behaviour:

"Starting Unbound DNS" took several seconds.
If this is happening, the boot completely hangs with "Configuring Wireguard VPN..."

See attached screenshot.

I rolled back again to 24.1.1 and no problems.

I was a little hesitant updating while reading about the possible WireGuard problems, but with no complaints on Reddit I decided to give it a shot. All went well and smooth. Everything is running, including WireGuard. Thanks!
Deciso DEC850v2

Analyzed further on my end and noticed that WireGuard on my backup FW was still working (even after upgrading).
Inspected firewall rules and noticed that all rules for the WireGuard interface went missing.

Re-created the rules; now WireGuard is exchanging traffic again and working.

Now only CARP for WireGuard is not working.

I have issues with my WireGuard site-to-site too. I cannot figure out how to debug the troubles. I found this thread: https://forum.opnsense.org/index.php?topic=14279.0 mentioning to use:
/usr/local/etc/rc.d/wireguard start
This does not seem to work under 24.1.2.
How can I get the debug logs from WireGuard? The interface does not print all of the logs =(