24.1.2 Wireguard does not work after updating

Started by H3n, February 20, 2024, 06:37:11 PM

Hi all,

Running 24.1.10 and running out of hours I can spend on trying to get Wireguard to work reliably so back to the good old trusted OpenVPN it is for the time being.

I noticed that OPNsense adds this route:

0.0.0.0/1 link#39 US wg0

My intention is that nodes on the LANs can use a gateway group with the wg0 interface being one of the gateways and for that to work I need to add 0.0.0.0/0 to the AllowedIPs.

Does anyone know what the logic is for adding that 0.0.0.0/1 (ie. (only) half of the internet) route?
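A route of 0.0.0.0/1 on its own covers only 0.0.0.0 to 127.255.255.255; the usual reason for installing /1 routes instead of replacing the default route is that a /1 wins longest-prefix match against the /0 default without touching it, but that only sends everything through the tunnel if 128.0.0.0/1 is present as well. The following added example (my own check, not OPNsense code or anything from this thread) parses netstat-style route lines and reports which IPv4 ranges have no route via wg0 at all, plus the interface a given destination would actually leave on. The sample route lines are constructed to resemble FreeBSD `netstat -rn -f inet` output, with addresses from the RFC 5737 documentation ranges; the column layout and the interface names other than wg0 are assumptions.

```python
"""Route-table leak check for a WireGuard "default route" tunnel.

Added example for this thread; it is not OPNsense code. The sample route
lines below are constructed to resemble `netstat -rn -f inet` output on
FreeBSD (destination, gateway, flags, interface), including the
0.0.0.0/1 route on wg0 quoted in the first post.
"""
import ipaddress

# Constructed sample; non-private addresses are from RFC 5737 ranges.
SAMPLE_ROUTES = """\
default            192.0.2.1          UGS         vmx0
0.0.0.0/1          link#39            US          wg0
10.10.0.0/24       link#39            U           wg0
127.0.0.1          link#2             UH          lo0
192.0.2.0/24       link#1             U           vmx0
"""


def parse_routes(text):
    """Parse netstat-style lines into (network, gateway, flags, interface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # header or blank line
        dest, gateway, flags, iface = parts[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # Host routes are printed without a prefix length; strict=False
            # lets "127.0.0.1" become 127.0.0.1/32.
            net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, gateway, flags, iface))
    return routes


def egress_interface(routes, ip):
    """Longest-prefix match: the interface the kernel would pick for ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, _gateway, _flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def uncovered_by_tunnel(routes, iface="wg0"):
    """IPv4 ranges with no route via the tunnel interface at all.

    Starts from 0.0.0.0/0 and carves out every prefix routed to iface.
    Whatever remains can only leave through other routes, such as the
    plain default route on the WAN interface.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net, _gateway, _flags, route_iface in routes:
        if route_iface != iface:
            continue
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # yields nothing if equal
            elif r.subnet_of(net):
                continue  # r lies entirely inside the tunnel prefix
            else:
                nxt.append(r)
        remaining = nxt
    return sorted(remaining)


def default_route_halves():
    """The two /1 prefixes that together cover 0.0.0.0/0."""
    return list(ipaddress.ip_network("0.0.0.0/0").subnets())


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    print("Not routed via wg0:", [str(n) for n in uncovered_by_tunnel(routes)])
    for ip in ("1.1.1.1", "203.0.113.5", "192.0.2.7"):
        print(f"{ip} leaves via {egress_interface(routes, ip)}")
```

With the sample table, `uncovered_by_tunnel` reports 128.0.0.0/1, and a destination such as 203.0.113.5 leaves via vmx0 rather than the tunnel; adding the second half, `128.0.0.0/1` on wg0, empties the uncovered list. Running the same parser over real `netstat -rn -f inet` output is a quick way to confirm whether a gateway-group setup with AllowedIPs = 0.0.0.0/0 really sends all non-local traffic through the tunnel.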


December 22, 2024, 10:56:32 AM #76 Last Edit: December 22, 2024, 01:56:14 PM by mistra666
OPNsense no longer works correctly with WireGuard, the most recent successful build of OPNsense with Wireguard was "23.1.11_1" (LTS EOL for me).

All new builds cannot raise tunnels and work after OPNsense machines go to suspend state VM ESXi, priorities of gw, dns, firewall, nat, interfaces and other services work incorrectly and cannot restart ordering/healthcheck services themselves.

And in version "23.1.11_1" I didn't even have to install KeepAlive on the tunnel WireGuard, all LAN networks (vLAN vmxnet3 / USB 3.1 Ethernet 1Gbps) worked very well.
OPNsense with WireGuard support has become a low-grade low-quality product. Maybe there is a race-condition in the new versions, I don't update releases anymore. Gradual update to the latest release for today does not give any promising results.

Normalization traffic of Bridge(between vLAN networks)/WG/vLAN(single without Bridge) strafe with MSS/MTU so that vmxnet3 packets pass optimally, interfaces are also configured with MSS/MTU. Use Manual Outbound NAT rule generation for WireGuard (I do not use assigned interfaces to WireGuard, and everything works "23.1.11_1") no leaks DNS/traffic without tunnel for LAN/bridge + DNS/DoH/DoT redirected to local path zoned DNS via Firewall rules.

+ split DNS is sorely lacking for zone splitting of networks, like this https://fedoramagazine.org/systemd-resolved-introduction-to-split-dns/

The problems are particular to your installation and configuration. I as well as numerous other people run dozens of Wireguard tunnels all over their data centers with version 24.7 and/or 24.10.

Instead of just claiming "it's broken! OPNsense bad!" what about sharing some technical detail so people can assist in finding the cause of your problems? Network diagrams, configuration (without keys), output of "wg" on the shell, routes, ... the regular things you do when you have a networking issue.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 22, 2024, 02:31:24 PM #78 Last Edit: December 22, 2024, 02:44:31 PM by mistra666
WireGuard is used as a gateway to access all clients in the WLAN/LAN (vLAN segments, USB-Ethernet LANs), Bridge. WLAN/LAN clients make DNS queries via WireGuard and take into account the EDNS Client Subnet (ECS) for location-based steering, considers local split-zoned-LAN DNS TLD within the infrastructure.
- WAN works via vmxnet3 with ESXi NAT.
- vLANS ESXi PVN (Private Virtual Network)

What specific diagnostic data will be helpful? Firewall rules / pf Normalization / MSS / Wireguard / DHCP / ...?

I installed a fresh OPNsense 24.7 and configured NAT, other optimizations. On system ESXi sleep & wakeup via WOL we find that WireGuard services cannot be restored even with WG keepalive 25s enabled. OPNsense is not properly able to restore services to operational state GW/DNS/FW rules state. There are issues with reordering services healthcheck recovery prioritization.

Quote from: mistra666 on December 22, 2024, 02:31:24 PM
WireGuard is used as a gateway to access all clients in the WLAN/LAN (vLAN segments, USB-Ethernet LANs), Bridge. WLAN/LAN clients make DNS queries via WireGuard and take into account the EDNS Client Subnet (ECS) for location-based steering, considers local split-zoned-LAN DNS TLD within the infrastructure.
- WAN works via vmxnet3 with ESXi NAT.
- vLANS ESXi PVN (Private Virtual Network)

That's impossible for me to unpack from just that paragraph without a more or less complete network diagram.
Also USB Ethernet is known to be unreliable in FreeBSD and is strongly discouraged in production use.

Quote from: mistra666 on December 22, 2024, 02:31:24 PM
What specific diagnostic data will be helpful? Firewall rules / pf Normalization / MSS / Wireguard / DHCP / ...?

Yes? All of it, of course.

Quote from: mistra666 on December 22, 2024, 02:31:24 PM
OPNsense is not properly able to restore services to operational state GW/DNS/FW rules state. There are issues with reordering services healthcheck recovery prioritization.

That also does not make much sense on its own and is something I never observed in production.

Can you isolate individual problems that could be addressed one at a time?

I've been having major issues with OPNsense since updating. It has become unusable as it will drop the internet connection 3 times per hour and needs to be restarted to reestablish connectivity. It will also slow down the internet connection to a crawl, with pings going as high as 700+ ms 2 to 3 minutes after restart. Hoping that the devs are aware of this, as I don't see how to make a post or submit a bug.