24.1.2 Wireguard does not work after updating

Started by H3n, February 20, 2024, 06:37:11 PM

Does something else have to be set?
The OPNsense cannot find the remote network.
C:\Users\Alexander>tracert 192.168.45.254

Tracing route to 192.168.45.254 over a maximum of 30 hops

  1     *        1 ms     1 ms  OPNsense [192.168.40.254]
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10  ^C
C:\Users\Alexander>

Hello everyone,

Same here, I have issues with WireGuard. After upgrading to 24.1.3 I cannot get a handshake. I reinstalled 24.1 and everything works again.

I hope this issue can be fixed.

Add me to the no problems with wireguard list.  I'm on 24.1.2_1.

(1) Do you use DNS entries as endpoint addresses?

I use a dynamic DNS entry for the server endpoint.

(2) Do you use tunnel addresses on your instances?

I have a /24 tunnel address set on my server instance and a /32 on my client.

(3) Do you have allowed IPs on your peers?

I have my clients configured as peers on the server instance and 0.0.0.0/0 for my client allowed peers.

(4) Do you have the instances assigned as interfaces?

I have my server instance assigned as an interface.

(5) If yes for (4) do you have an IPv4/IPv6 mode set in the interface?

Both IPv4 and IPv6 are set to None on my interface.  Also, I don't use IPv6 for my dynamic DNS entry.

(6) If yes for (4) do you have VIPs assigned to these interfaces?

N/A

Hope this helps, and I'm happy to try and provide more info for comparison/troubleshooting.

Hi,

I also had a problem with WireGuard after the upgrade. I solved the problem:

1)

Firewall > NAT > Outbound:

Changed: Automatic outbound NAT rule generation (no manual rules can be used) >>> Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules)

2) Added a rule for the WireGuard IP pool.

@Valentinas
What rule did you add for the WireGuard IP pool? Can you post a picture or provide details?

Quote from: valentinas on March 10, 2024, 09:57:52 AM
I also had a problem with WireGuard after the upgrade. I solved the problem: 1) Firewall > NAT > Outbound: changed Automatic outbound NAT rule generation >>> Hybrid outbound NAT rule generation. 2) Added a rule for the WireGuard IP pool.

Hello friend,

I used hybrid in my configuration and still had issues after the update. My Surfshark stopped creating a handshake. I went back to version 24.1.

If you have any other tip, please let me know.


Hi,

I have been running OPNsense in production for about 1 week now. It has been working fine, on the latest version
available today (I can't see the version anymore, but something 24.x, because I don't have OPNsense anymore).

So every time I tried to use WireGuard, OPNsense went into a state
where I am not able to fix it, only by restoring the old version from a snapshot without WireGuard installed.

So I am not able to use OPNsense in production until WireGuard works.
Every time I have tried to install WireGuard, it lets me get to the point where I can make a tunnel from my laptop to OPNsense, so I can ping it and access the web console from my laptop browser at IP 10.0.0.2.
It usually works for a while, but then suddenly all traffic flow stops. Websites go down and the tunnel does not work; the web console does not work either. The only connection left is the cloud provider console straight to OPNsense, but I don't have the experience to fix anything there yet.

I am not sure if it is a configuration problem, but this is already the second time restoring OPNsense from a snapshot.

Now I took it totally out of my cloud setup; I can't run it anymore if WireGuard is messing everything up.
Maybe I will try some other VPN some day.

I've resolved my initial WireGuard problems. Adding my experience to what seems like a variety of issues. Without any hard evidence, mine seems to have been related to old config information that I was able to clear out.

I upgraded to 24.1_3 from 23.7 and immediately experienced WireGuard problems. No connections worked, no handshake. My WireGuard logs showed this entry whenever I restarted the service:
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/route -q -n add -'inet' '/' -interface 'wg1'' returned exit code '68', the output was 'route: bad address:'

My steps to resolve, some may be related, some probably not:
- deleted and rebuilt my wg instance from scratch. This moved the interface from wg1 to wg0. No change. Same log entries.

- Realized I needed to reassign the new wg0 interface in Interfaces --> Assignments. The above error log entries went away and changed to:
2024-03-17T21:57:03-07:00 Notice wireguard wireguard instance main (wg0) started
2024-03-17T21:57:03-07:00 Notice wireguard /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: entering configure using 'opt7'
2024-03-17T21:57:03-07:00 Notice wireguard wireguard instance main (wg0) can not reconfigure without stopping it first.


- rebuilt all peer entries from scratch. No change. WireGuard port connections were allowed through the firewall and the handshake occurred, but no traffic, LAN or outside.

- I've got all DNS running through Pi-hole and noticed all DNS traffic was being denied through the WireGuard interface despite being allowed in the interface rules.

- I temporarily allowed everything through the interface and traffic started flowing, including for all the earlier rules. I turned off the allow-all rule, and everything continues to work.

Based on the above, it seems like some conflicting/bad config info got cleared out. My setup is similar to CJ's, which he noted earlier.

Quote from: CJ on March 09, 2024, 03:38:47 PM
Add me to the no problems with wireguard list.  I'm on 24.1.2_1.

March 23, 2024, 03:12:33 PM #53 Last Edit: March 24, 2024, 04:33:01 PM by zbrozek
Quote from: zzyzx on March 18, 2024, 05:16:42 PM
I upgraded to 24.1_3 from 23.7 and immediately experienced WireGuard problems. No connections worked, no handshake. My WireGuard logs showed this entry whenever I restarted the service.

I'm having an issue where, after an update, I am able to get handshakes but no traffic routes. I hadn't changed the configuration, so I assume the update broke something.

It appears that WireGuard traffic from OPNsense to the client is severely curtailed for some reason. E.g., I see 156 bytes transferred from OPNsense to the client, but much more (and it ticks upward) from the client to OPNsense. The trick from early in the thread of restarting the WireGuard process did not change that behavior for me.

Looking through the firewall rules, I don't see anything specifically referencing either the WireGuard IP pool or the interface, so I suspect that there was some automatically generated rule that is no longer being automatically generated.

I solved my issue by deleting the wg0 interface, disabling WireGuard, editing the configuration file to set the WireGuard instance from 0 to 1, and reassigning a new wg1 interface. I think there may have been an interface group definition problem such that wg0 was not part of the group, and therefore the floating firewall rule that allowed access to/from that interface didn't properly apply.
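Two symptoms recur in this thread: a handshake that completes while replies never come back (the 156 bytes OPNsense-to-client against a growing client-to-OPNsense counter above), and a remote network that "cannot be found" (the tracert at the top). Both are visible in `wg show all dump`. The script below is an added example for this thread, not OPNsense or WireGuard project code; it parses that dump format, applies WireGuard's cryptokey routing rule (longest AllowedIPs prefix wins, no match means the kernel drops the packet) to a destination you cannot reach, and flags peers that handshake but only receive. The peer keys, endpoint and counters in SAMPLE_DUMP are constructed, not taken from any poster's system.

```python
"""Triage WireGuard peers from `wg show all dump` output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `wg show all dump`, not output captured from any poster.
# Interface line: iface, private-key, public-key, listen-port, fwmark.
# Peer line: iface, pubkey, psk, endpoint, allowed-ips, latest-handshake
#            (unix seconds, 0 = never), rx bytes, tx bytes, keepalive.
SAMPLE_DUMP = (
    "wg0\t(hidden)\tSERVER_PUBKEY=\t51820\toff\n"
    "wg0\tPEER_A_PUBKEY=\t(none)\t203.0.113.10:51820\t"
    "10.0.0.2/32,192.168.45.0/24\t1710000000\t48200\t156\t25\n"
    "wg0\tPEER_B_PUBKEY=\t(none)\t(none)\t10.0.0.3/32\t0\t0\t0\toff\n"
)

REKEY_TIMEOUT = 180  # seconds; a live peer rekeys roughly every two minutes


@dataclass
class Peer:
    iface: str
    pubkey: str
    endpoint: Optional[str]
    allowed_ips: list
    last_handshake: int  # unix seconds, 0 if never
    rx: int  # bytes received from the peer
    tx: int  # bytes sent to the peer


def parse_wg_dump(text: str) -> List[Peer]:
    """Parse `wg show all dump`; 5-column interface lines are skipped."""
    peers = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 9:
            continue
        iface, pub, _psk, endpoint, allowed, hs, rx, tx, _ka = cols
        nets = [] if allowed == "(none)" else [
            ipaddress.ip_network(a, strict=False) for a in allowed.split(",")]
        peers.append(Peer(iface, pub, None if endpoint == "(none)" else endpoint,
                          nets, int(hs), int(rx), int(tx)))
    return peers


def peer_for_destination(peers: List[Peer], dst: str) -> Optional[Peer]:
    """Cryptokey routing: the peer whose AllowedIPs contains dst with the
    longest prefix receives the packet; None means WireGuard drops it."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for p in peers:
        for net in p.allowed_ips:
            if addr in net and net.prefixlen > best_len:
                best, best_len = p, net.prefixlen
    return best


def duplicate_allowed_ips(peers: List[Peer]) -> list:
    """The same AllowedIPs entry on two peers: only the last one keeps it."""
    seen, dups = {}, []
    for p in peers:
        for net in p.allowed_ips:
            if net in seen and seen[net] is not p:
                dups.append((str(net), seen[net].pubkey, p.pubkey))
            seen[net] = p
    return dups


def diagnose(p: Peer, now: int) -> str:
    """Classify one peer from its handshake age and transfer counters."""
    if p.last_handshake == 0:
        return "no-handshake"  # key, endpoint, port or inbound firewall problem
    if now - p.last_handshake > REKEY_TIMEOUT:
        return "stale-handshake"
    if p.rx > 0 and p.tx < 1024 and p.rx > 10 * p.tx:
        # Packets arrive but almost nothing goes back: this side is not putting
        # replies into the tunnel (interface assignment, rules, outbound NAT).
        return "handshake-ok-no-return-traffic"
    return "ok"


def triage(text: str, probe_dst: str, now: int) -> dict:
    """Summarise a dump: which peer (if any) carries probe_dst, duplicate
    AllowedIPs, and a per-peer verdict."""
    peers = parse_wg_dump(text)
    via = peer_for_destination(peers, probe_dst)
    return {
        "route_for_probe": via.pubkey if via else None,
        "duplicates": duplicate_allowed_ips(peers),
        "peers": {p.pubkey: diagnose(p, now) for p in peers},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, "192.168.45.254", now=1710000060))
```

On a live box, feed it `wg show all dump` and pass the address you tried to trace; `route_for_probe: None` means no peer's AllowedIPs covers that network, so the tunnel was never going to carry it, while `handshake-ok-no-return-traffic` points at the firewall, interface assignment or outbound NAT rather than at keys or endpoints.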

Any news here?
I upgraded from 24.1.1 to 24.1.5_3 and my WireGuard got broken too.
I can make a handshake, but no traffic is routed.
After a rollback to 24.1.1 everything works fine.

...updated some OPNsenses to the latest version just now and all WG tunnels are doing just fine.
kind regards
chemlud

April 14, 2024, 01:12:41 PM #57 Last Edit: April 21, 2024, 09:40:41 PM by Peronia
I noticed that my wg0 interface was missing after the upgrade. When I created a new interface I got a new interface (wg1 in my case), but I can't set a static IP address for that...
So I rolled back and all is working (and wg0 is found).

EDIT: I ran another attempt to upgrade to 24.1.6 and it worked. My wg0 interface is still there (I had to remove the static IP). But it took me several attempts to get the update successful with wg0. The update process died 2 times (in each approach) and I had a dependency problem in one of them. In one approach (which I had to throw away, restoring the backup) I got an exception every time I searched for an update...

May 05, 2024, 02:51:11 PM #58 Last Edit: May 05, 2024, 03:03:14 PM by Onkel-tobi
Can someone explain what exactly needs to be done to get WireGuard running fine again?
I have a site-to-site VPN that is not working after the upgrade anymore (to mobile clients it is working).
I tried a lot but couldn't get it solved.
Currently I am getting:
/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: The command '/sbin/ifconfig 'wg2' inet '192.168.200.1'/'24' alias ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): File exists'

Update: that was due to a VIP that I tried to set, as I saw something in some threads.
When I create a gateway and activate a route I don't get any error, but it's still not working....
If I roll back to the old config I get:


Thanks,
Tobi

I am experiencing the same issue. After updating to OPNsense 24.1.6, my WireGuard setup stopped working. I have multiple sites, and I'm concerned because some sites work, while others do not.

The error message I'm getting on both sites is:

/usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: not a valid opt3 interface