Wireguard VPN no traffic on OpnSense HA Cluster in CARP backup state

Started by tomtr84, March 15, 2024, 03:30:15 PM

Hello everyone,

I have a problem with an OpnSense HA cluster with Wireguard VPN server. The cluster contains two physical nodes, each with NICs for WAN, LAN, DMZ and a direct sync interface between the nodes. Everything is up and running and I can connect to Wireguard. When I try to switch the primary cluster node via CARP from master to backup I lose the Wireguard connection - only on Windows clients! I can see on the Wireguard diagnostics tab a handshake for these specific clients but I'm not able to get any traffic through the tunnel. I tried the same settings on a Linux client and don't have any issues at all. If I change the primary node's CARP from backup to master everything works correctly again. Are there any suggestions, or did I make any mistakes in my configuration?

OpnSense Version: 24.1.3
Wireguard Win Client: latest Version (0.5.3) on Win10 (x64)

VPN -> WireGuard -> Settings -> Instances
Wireguard Server instance: 1
Name: HomeOfficeServer
Public key: <snip>
Private key: <snip>
Listen port: 51822
Tunnel address: 192.168.144.1/22
Depend on (CARP): vhid 5
Peers: several Win & Linux clients
Disable routes: <unchecked>


VPN -> WireGuard -> Settings -> Peers
Enabled: <checked>
Name: Q-000582_TR_Win10_Test
Public key: <snip>
Allowed IPs: 192.168.144.2/32
Instances: HomeOfficeServer
All other settings are unset


Interfaces -> WG1
Enabled: <checked>
- no additional config


Interfaces -> Virtual IPs
Mode: CARP
Interface: LAN
Network / Address: 192.168.144.1/22
Password: <snip>
VHID Group: 5
advbase: 1


Mode: CARP
Interface: WAN
Network / Address: <Reverse Proxy WAN VIP Address>
Password: <snip>
VHID Group: 4
advbase: 1


Mode: CARP
Interface: DMZ
Network / Address: 10.1.0.4/16
Password: <snip>
VHID Group: 3
advbase: 1


Mode: CARP
Interface: WAN
Network / Address: <WAN VIP Address>
Password: <snip>
VHID Group: 2
advbase: 1


Mode: CARP
Interface: LAN
Network / Address: 10.0.0.4/16
Password: <snip>
VHID Group: 1
advbase: 1



# The following Address/Alias is created on both nodes!
Mode: IP Alias
Interface: LAN
Network / Address: 10.0.14.2/24



Firewall -> NAT -> Outbound NAT

Interface: LAN
TCP/IP Version: IPv4
Protocol: any
Source address: 192.168.144.2/32
Destination address: any
Translation / target: 10.0.14.2


Firewall to and from WireGuard VPN temporarily allows anything!

Config is synced to both nodes. As mentioned above everything else works flawlessly.


Thank you very much & best regards
Thomas
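As an added sanity check for a configuration like the one posted above (example code written for this thread; it is not OPNsense code and not anything the posters ran): the script below encodes the posted instance, peers, virtual IPs and outbound NAT rule as data and flags the mismatches the later replies point at, namely a WireGuard instance with no "Depend on (CARP)" VIP, a dependency on a VHID that no CARP VIP defines, duplicate VHIDs, peer Allowed IPs outside the tunnel network, and a NAT target that is not a virtual IP both nodes know about. The two WAN addresses redacted as `<...>` in the post are replaced by constructed 203.0.113.x placeholders; everything else is taken from the first post.

```python
"""Consistency check for a WireGuard-on-CARP OPNsense HA configuration.

Added example, not OPNsense code: it reads a hand-entered copy of the UI
settings and reports inconsistencies between the WireGuard instance, its
peers, the CARP virtual IPs and the outbound NAT rule.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class VirtualIP:
    mode: str                    # "CARP" or "IP Alias", as in Interfaces -> Virtual IPs
    interface: str
    address: str                 # CIDR as entered in the UI
    vhid: Optional[int] = None   # CARP only


@dataclass
class Peer:
    name: str
    allowed_ips: List[str]


@dataclass
class Instance:
    name: str
    listen_port: int
    tunnel_address: str
    depend_on_vhid: Optional[int]   # the "Depend on (CARP)" setting
    peers: List[Peer]


@dataclass
class OutboundNat:
    source: str
    target: str


def check_config(instance: Instance, vips: List[VirtualIP], nats: List[OutboundNat]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    tunnel_net = ipaddress.ip_interface(instance.tunnel_address).network

    # Duplicate VHIDs would make two VIP groups share one CARP election.
    carp = {}
    for v in vips:
        if v.mode == "CARP":
            if v.vhid in carp:
                findings.append(f"vhid {v.vhid} is used by more than one CARP VIP")
            carp[v.vhid] = v

    # Without a CARP dependency the backup node keeps the instance up as well.
    if instance.depend_on_vhid is None:
        findings.append(f"{instance.name}: 'Depend on (CARP)' is unset")
    elif instance.depend_on_vhid not in carp:
        findings.append(f"{instance.name}: depends on vhid {instance.depend_on_vhid}, "
                        f"which no CARP VIP defines")

    # Every peer's Allowed IPs must sit inside the tunnel network and be unique.
    allowed = []
    for peer in instance.peers:
        for cidr in peer.allowed_ips:
            net = ipaddress.ip_network(cidr)
            if not net.subnet_of(tunnel_net):
                findings.append(f"peer {peer.name}: {cidr} is outside tunnel network {tunnel_net}")
            if net in allowed:
                findings.append(f"peer {peer.name}: {cidr} duplicates another peer's allowed IP")
            allowed.append(net)

    # Addresses both nodes know about: CARP VIPs follow the master, the alias
    # is created on both nodes (as the post notes). A node-local address is not.
    shared = {ipaddress.ip_interface(v.address).ip for v in vips}
    for nat in nats:
        src = ipaddress.ip_network(nat.source)
        if not any(src.subnet_of(a) for a in allowed):
            findings.append(f"NAT source {nat.source} matches no peer allowed IP")
        if ipaddress.ip_address(nat.target) not in shared:
            findings.append(f"NAT target {nat.target} is not a virtual IP shared by both nodes")
    return findings


# Values from the first post; 203.0.113.x are constructed placeholders for the
# two WAN VIPs that the post redacts.
POSTED_VIPS = [
    VirtualIP("CARP", "LAN", "192.168.144.1/22", vhid=5),
    VirtualIP("CARP", "WAN", "203.0.113.11/24", vhid=4),  # placeholder: Reverse Proxy WAN VIP
    VirtualIP("CARP", "DMZ", "10.1.0.4/16", vhid=3),
    VirtualIP("CARP", "WAN", "203.0.113.10/24", vhid=2),  # placeholder: WAN VIP
    VirtualIP("CARP", "LAN", "10.0.0.4/16", vhid=1),
    VirtualIP("IP Alias", "LAN", "10.0.14.2/24"),
]
POSTED_INSTANCE = Instance("HomeOfficeServer", 51822, "192.168.144.1/22", 5,
                           [Peer("Q-000582_TR_Win10_Test", ["192.168.144.2/32"])])
POSTED_NAT = [OutboundNat("192.168.144.2/32", "10.0.14.2")]


def posted_findings() -> List[str]:
    return check_config(POSTED_INSTANCE, POSTED_VIPS, POSTED_NAT)


def findings_without_carp_dependency() -> List[str]:
    """Same config with 'Depend on (CARP)' cleared, to show what the check flags."""
    return check_config(replace(POSTED_INSTANCE, depend_on_vhid=None), POSTED_VIPS, POSTED_NAT)


if __name__ == "__main__":
    for f in posted_findings() or ["posted config: nothing flagged"]:
        print(f)
    for f in findings_without_carp_dependency():
        print("without dependency:", f)
```

The check is deliberately static: it cannot tell whether the instance actually went down on the backup node, only whether the settings are consistent with each other, so it complements rather than replaces watching the handshake on VPN -> WireGuard -> Diagnostics during a failover.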

Hi,

Did you figure it out?
I just installed an OPNsense cluster and I'd like to switch from IPSEC legacy tunnel to Wireguard tunnel.

Thanks ;)

Hi,

I guess it was because I set up the interfaces AFTER setting up the HA and wireguard config.
I have another cluster where Wireguard works perfectly through an HA failure.

Quote from: roboalex on May 29, 2024, 10:57:47 AM
I have another cluster where Wireguard works perfectly through an HA failure.

That is very good news! Thanks for the quick feedback... now I know what to do this afternoon! ;D

Quote from: roboalex on May 29, 2024, 10:57:47 AM
I have another cluster where Wireguard works perfectly through an HA failure.

Well it's done, I have my HA setup properly working with Wireguard.
Thanks again for the feedback ;)

Hi,

how did you resolve the issue?
I've a HA pair with PPPoE.
To get wireguard working, I must disable the WAN Interface on the backup node.

thank you in advance

best regards

Martin

Quote from: MartinG on July 16, 2024, 03:09:57 PM
I've a HA pair with PPPoE.

I can't understand the specificity of PPPoE on an HA setup, but one of the "obvious" things to configure is the VIP for the Wireguard tunnel.
Setting name is:  Depend on (CARP)

In my setup, each Firewall has a dedicated IP on the Internet router "LAN" which in my case is used as a transfer network only. Don't know if it is possible with PPPoE ;)

Thank you for your feedback.
Actually I've PPPoE active with a single dhcp IP. So this is the problem.
I will try to migrate the WAN interface behind the router with private CARP IPs

best

Martin

Quote from: MartinG on July 17, 2024, 06:58:31 AM
Actually I've PPPoE active with a single dhcp IP. So this is the problem.
I will try to migrate the WAN interface behind the router with private CARP IPs

No problem, hope you can sort it out! ;)

CARP needs a single IP per interface on each FW in order to be able to create a VIP.
Here you can have an overview:
https://docs.opnsense.org/manual/how-tos/carp.html

Your Wireguard tunnel will be based on VIP 172.18.0.100 in this example.