Monitor IP on wireguard

Started by FredFresh, October 05, 2024, 10:02:07 AM

October 05, 2024, 10:02:07 AM Last Edit: October 05, 2024, 10:06:55 AM by FredFresh
Hi,

I have a problem of random interruption of the connection with the gateways/monitor IPs of the 3 WireGuard VPNs.
These 3 VPNs are used as multi-WAN through a gateway group that defines which one to use.

I found that the main problem is that at a certain moment the firewall is no longer able to ping the monitor IP and the gateway is marked as offline, but the VPN connection to the provider is still online.

My question is: how can I monitor the connections to the monitor IP in order to understand what is blocking the communication? Using the monitor IP inside the live view of the firewall shows nothing.

Additional info: sometimes it happens that when doing an online speed test, the VPN connection parameters drop and it is marked as offline (and the second line starts to be used). The problem is that the first one never comes back online; in order to do so I have to perform a traceroute to the monitor IP or change the monitor IP to something else (i.e. 9.9.9.9 Quad9), then it comes back online and I can restore the proper monitor IP.

This is the last thing missing to finish the OPNsense configuration, and it is driving me crazy as I have not been finding a solution for months.

Thanks

I'm running v24.1.10_8 and Mullvad, and I'm experiencing a similar issue, I wish I knew how to solve it...

Hi, it seems I found the solution. Using the VPN DNS IP as monitoring IP after some time creates this issue (I think because of some protection function against DDoS attacks).
Using the internal VPN gateway IP seems to solve the issue.

The strange thing now is that the ping results are always perfect.

Today I tried again: the first vpn connection was offline and the other two were properly working.
- setting the threshold to 100% packet loss allowed the ping of the first VPN connection to come back and the connection was again online (even after restoring the standard threshold);
- after the gateway went offline again, a mix of pinging and traceroute to the monitoring IP restarted the pinging of the VPN connection and the gateway returned online.

VPN connection is still there, handshake still active, but something is not working with the pinging: does anyone know how I can track/log the pinging signal?

I tried to activate many Log options but I never found a single record to understand what blocks it.

At the moment I think that the ping signal is routed to a different VPN connection/gateway.

Thank you
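The check the post above asks for, as an added example that is not part of the thread or of OPNsense itself: it parses the tab-separated lines of `wg show all latest-handshakes` (interface, peer key, unix time) and combines them with per-gateway monitor packet loss to separate "tunnel down" from "tunnel up but monitor ping lost", the situation described above. Interface names, peer keys and loss figures are constructed placeholders, and the loss numbers are assumed to come from the firewall's gateway monitor.

```python
# WireGuard re-handshakes every ~2 minutes while traffic flows, so a
# handshake older than this means the tunnel is idle or dead.
HANDSHAKE_MAX_AGE = 180

def parse_handshakes(text):
    """Return {interface: newest_handshake_epoch} parsed from the
    tab-separated lines of `wg show all latest-handshakes`."""
    result = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip anything that is not iface<TAB>key<TAB>epoch
        iface, _pubkey, stamp = parts
        # keep the newest handshake if an interface has several peers
        result[iface] = max(result.get(iface, 0), int(stamp))
    return result

def classify(handshakes, loss, now, loss_threshold=100.0):
    """Map interface -> 'ok', 'tunnel-down' or 'monitor-only'.

    'monitor-only' is the symptom from the thread: the handshake is fresh
    but the monitor IP shows full packet loss, so look at the monitor
    target or its route rather than at the tunnel."""
    verdict = {}
    for iface, last in handshakes.items():
        tunnel_up = (now - last) <= HANDSHAKE_MAX_AGE
        monitor_ok = loss.get(iface, 0.0) < loss_threshold
        if not tunnel_up:
            verdict[iface] = "tunnel-down"
        elif monitor_ok:
            verdict[iface] = "ok"
        else:
            verdict[iface] = "monitor-only"
    return verdict

# Constructed sample (not captured from a real firewall): wg1 still
# handshakes but its monitor fails, wg3 stopped handshaking 10 min ago.
NOW = 1_728_000_000
SAMPLE_WG = (
    f"wg1\tPEERKEY1=\t{NOW - 30}\n"
    f"wg2\tPEERKEY2=\t{NOW - 95}\n"
    f"wg3\tPEERKEY3=\t{NOW - 600}\n"
)
SAMPLE_LOSS = {"wg1": 100.0, "wg2": 0.0, "wg3": 100.0}  # monitor loss in %

if __name__ == "__main__":
    states = classify(parse_handshakes(SAMPLE_WG), SAMPLE_LOSS, NOW)
    for iface, state in states.items():
        print(iface, state)
```

A gateway reported as "monitor-only" is the one worth investigating with a traceroute to its monitor IP, since the tunnel itself is still exchanging handshakes.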

@hushcoden - from my experience, you have to set the WAN gateway with a higher priority than every VPN gateway in order to have a proper switch from the first VPN to the second VPN (in case the first fails).
Otherwise, once the first fails, the second is not used and the internet connection doesn't work.

@hushcoden I found that my problem was related to the wrong choice of the monitoring IPs.
Changing them to public IPs that I do not use otherwise, everything is fine after almost a week. Hope this helps

October 24, 2024, 06:52:12 PM #6 Last Edit: October 24, 2024, 06:55:16 PM by hushcoden
@FredFresh many thanks - in my case, it seems okay using the IP addresses of Mullvad internal DNS servers as monitor IPs, but for some reason if I set the gateway group as load balancing (i.e. tier 1 both gateways), one of the two Mullvad gateways goes offline, but if I change to failover (one tier 1 and one tier 2) then I have both gateways online...  ???

I am using Proton and I have up to 10 parallel connections; does Mullvad limit them, maybe?

Quote from: FredFresh on October 24, 2024, 06:44:17 PM
@hushcoden I found that my problem was related to the wrong choice of the monitoring IPs.
Changing them to public IPs that I do not use otherwise, everything is fine after almost a week. Hope this helps
Are you using IP addresses of public DNS servers or what?

I can't use the DNS IP of Proton because there is only one and I have 3 different VPNs that need 3 different IPs, so I opted for 3 Mullvad DNS IPs