WireGuard not working ipv4 after update to opnsense 24.7.5

[RamSense]

@Taunt9930, no fqdn, just ip4 ip as endpoint. And I update opnsense almost always the same day the updates arrive

@iam: yes, the interface off and on trick does not work on 24.7.5

[RamSense]

My Wireguard has been the stable foundation for ever and kept on working with every update.....until it did not with 24.7.5...

I went through every step of the WG installation again, even configured a new one with different tunnel address and client ip's. 10.0.0.2 instead of 10.10.10.2 and fd00:2 instead of GLA ipv6, but no difference.

maybe it is dns related? what do you use for client dns setting: mine is the ipv4 and ipv6 tunnel address in the client config under "DNS Servers"

But than again, doing opnsense-revert -r 24.7.4 opnsense and reboot, wg only ipv6 showing on whatismyip, -> interface wg off save and on, save, and WG is running like it has been doing for ever with ipv4 and ipv6 showing on whatsmyip.com ...

N.B. Looking at the WG logs I see this on 24.7.5 what is not showing on 24.7.4: Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (execute task : dpinger_configure_do(,[]))    Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,[])

Maybe that's an indication of what is wrong??

Or virtual ip related?

[RamSense]

Ok, I am almost sure it has to do with my virtual ip's.

But I do not know how to add Gateway in virtual ip. When I type the name "WAN_FTTH_PPOE" it is not accepted. When I add the current ip of the gateway it can be that after a reboot the ip of the gateway has changed from xxx.232 to xxx.233

How do I set this gateway setting?

see attachments

[DEC670airp414user]

under interfaces

click on your wireguard interface and leave everything default. other than clicking enable
last click is at the very bottom : Dynamic gateway policy.   check that.

then go back to system > gateway > configuration > edit your tunnel interface:   for the IP address and monitor IP>. put the default gatewayy of you wireguard tunnel.

once saved.   it should fix the weird bug of it showing the wrong tunnel as "Active".   and should all come back online even after a reboot

[RamSense]

@Franco sorry for the noise, it was not related to opnsense 24.7.5
@DEC670airp414user, thanks for that. 90% solved! As soon as I created it, wireguard came up with ipv4 and ipv6. This solved it for 90%. Somehow after a reboot WG still does not get ipv4, I have to go to system-setrtings-gateway and hit the [Apply] button, while no config change has been made there, and wireguard ipv4 and ipv6 are up as soon as i hit the apply button.

So somehow it is not done correctly on boot and "has to been done again after booting up" ?

Now running opnsense 24.7.5 and the same as above. any ideas on how to solve this little last part?

[DEC670airp414user]

out of curiosity what is your upstream gateway set too.  or the one that says active after the reboot.

mine is wan

if you are using gateway monitoring, and using the tunnel gateway to monitor..   do they show up after the reboot after the probe interval set to say 10 seconds has lapsed?

what you are posting is something I've found the be the case for a long time.  but I've never had a tunnel not come backup

[RamSense]

see attachment, that the info from system-gateway-configuration, [WAN_FTTH_PPPOE (active)] is my ipv4 gateway

[DEC670airp414user]

upstream gateway needs to be checked on it then

[RamSense]

Done, it shows on the gateway page: 254 (upstream)

still, after reboot, i have to go to gateways, hit apply for wg to have both ipv4 and ipv6

[DEC670airp414user]

change the priority to one.

that's all I got ramsense. 

[RamSense]

changed it to 1 (upstream), reboot. But no difference. still have to hit apply at the gateway page for WG ipv4 and ipv6. But you helped me enormously already with the WG gateway setup and being able to update to 24.7.5.

I hope someone knows how to get this last step done (otherwise I have to remember to hit apply everytime a reboot is done)

[Bob.Dig]

Maybe show some more screenshots of your Gateways and your WireGuard Config. Also why do you have to use a VIP, what does it do?

[RamSense]

Here is the current gateway settings and VIP's. I have the subnet for the mailserver and webserver and on top the wanipv4 and wanipv6 for opnsense box. I noticed in the far past that opnsense uses the above 2 for "its default ip".
Wireguard config is as the roardwarrior setup guide, with the difference that I use [Keepalive interval = 25] in the peer config for the mobile devices being able to have vpn always on. And a different wireguard port.
DNS is going through Adguard Home (plugin on opnsense).

[Bob.Dig]

I still don't get what all the VIPs do. Who is your ISP? Do you have more than one public IPv4-Address? Is it dynamic or static IPv4?


On your WG-Gateway you have a public IP, that is most probably wrong. Is this a Privacy-VPN? Please show the original config from that Privacy-VPN-Provider.

[RamSense]

That IP is the default gateway ip I see in opnsense gateway-page from the ISP connection. I typed that one in the WG gateway. When I leave that out, and I select "Disable Gateway Monitoring", and reboot. The result is the same as with this ip put in. I have to hit apply at the gateway section for it to work.

And indeed more ipv4 public ip addresses - all static