general troubleshooting tips for WG?

Started by granute, October 10, 2024, 03:12:59 PM

Howdy, folks.

So I'm having a LOT of problems getting multiple WG VPN tunnels set up to Mullvad and then doing selective routing over them. Some of it, I would say, is due to lack of observability as to the state of the tunnels. In short, I miss the old Status tab, which would at least let me know I had configured the tunnel correctly before I start playing with selective routing of traffic over them.

What advice do folks here have as to troubleshooting WG VPN (and maybe related pf configurations) from the CLI?

For reference, I have tons of experience doing pretty complicated gateway setup on Linux going all the way back to ipchains days. Not so much with *BSD and pf. So, I can learn is what I'm saying. :D

I have menu items, status + Log File with version: 24.4.3-amd64

2024-10-10T10:47:54   Notice   wireguard   wireguard instance WG_XXXXX (wg1) started   
2024-10-10T10:47:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service
2024-10-10T10:47:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: plugins_configure monitor (,WG_XXX)   
2024-10-10T10:47:54   Notice   wireguard   /usr/local/opnsense/scripts/Wireguard/wg-service-control.php: ROUTING: keeping inet default route to


So what I've noticed is that even in DEBUG the Wireguard Log can sometimes report that the tunnel is up but it doesn't seem to be functioning for me and I don't see routes for it at the CLI either. Entirely possible that I am able to auth to the remote VPN endpoint and then something about routing or forwarding is still goofed up.

On that theory, I've been opening 2 browsers when configuring new tunnels and comparing them step-by-step to known-good configs for working tunnels. Hasn't produced working tunnels in most cases.

My go-to commands would be

wg

ifconfig

netstat -rn

WireGuard doesn't log much since it's not stateful. If you want logs, use IPsec.
Hardware:
DEC740

I've been trying to set some of the Outbound NAT and other firewall rules for logging but I'm not seeing much in the console. Perhaps I'm not looking in the correct place or perhaps there's a way to get at that info from the command line?

Another approach I'm planning to take is to set up an internal log aggregator. I've been meaning to do this for some time anyway.

The best tool to troubleshoot WireGuard would be the good old tcpdump.

tcpdump -i wg0

1. If there are no incoming UDP packets, check firewall rules, ports, etc.
2. If there are packets but no answers, check if the public key matches between the peers.
3. If there are request and response packets, something should work.
Hardware:
DEC740
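To complement the tcpdump checklist above, here is a small script that turns `wg show all dump` into a per-peer status line, so a tunnel that "looks up" in the GUI can be told apart from one that never completed a handshake. This is an added example, not code from the thread or from OPNsense; the tab-separated column layout is WireGuard's own dump format, while the 180-second staleness threshold, the helper names and the sample dump (fake keys and addresses) are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise `wg show all dump` per peer so a
# tunnel that "looks up" can be told apart from one that never handshook.
# Dump columns are tab separated; peer lines have 9 fields:
#   iface pubkey psk endpoint allowed-ips latest-handshake rx-bytes tx-bytes keepalive
# Interface lines (5 fields) are skipped.

STALE_SECS=180   # assumption: a live tunnel re-handshakes roughly every 2 minutes

# wg_peer_status [now_epoch]   (reads the dump on stdin)
wg_peer_status() {
    now="${1:-$(date +%s)}"
    awk -F'\t' -v now="$now" -v stale="$STALE_SECS" '
    NF == 9 {
        iface = $1; key = substr($2, 1, 8); hs = $6 + 0; rx = $7 + 0; tx = $8 + 0
        if (hs == 0 && tx == 0)
            st = "IDLE no packets sent yet: nothing routed into the tunnel or keepalive off"
        else if (hs == 0)
            st = "NO_HANDSHAKE sent " tx " bytes, no reply: firewall/port (step 1) or wrong key (step 2)"
        else if (now - hs > stale)
            st = "STALE last handshake " (now - hs) "s ago: peer stopped answering"
        else
            st = "OK handshake " (now - hs) "s ago rx=" rx " tx=" tx " (step 3)"
        printf "%s %s %s\n", iface, key, st
    }'
}

# Constructed sample dump (fake keys and addresses) standing in for `wg show all dump`.
sample_dump() {
    printf 'wg1\t(hidden)\tIFACEKEY1\t51820\toff\n'
    printf 'wg1\tPEERGOOD\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t1728560050\t5000\t6000\t25\n'
    printf 'wg1\tPEERDEAD\t(none)\t203.0.113.11:51820\t10.1.0.0/16\t0\t0\t1480\t25\n'
    printf 'wg2\t(hidden)\tIFACEKEY2\t51821\toff\n'
    printf 'wg2\tPEERIDLE\t(none)\t(none)\t10.2.0.0/16\t0\t0\t0\toff\n'
    printf 'wg2\tPEERSTAL\t(none)\t203.0.113.12:51820\t10.3.0.0/16\t1728559000\t100\t200\t25\n'
}

# On the firewall you would run:  wg show all dump | wg_peer_status
# Here the constructed sample is fed in with a fixed "now" so the output is stable.
sample_dump | wg_peer_status 1728560100
```

A peer stuck in NO_HANDSHAKE is the case where tcpdump on the physical interface (not wg0) tells you whether initiations even leave the box or any reply comes back.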

Quote from: Monviech on October 10, 2024, 06:32:52 PM
The best tool to troubleshoot WireGuard would be the good old tcpdump.

tcpdump -i wg0


Well, that is a tool I've definitely spent time getting to know. Thanks for the advice.

Quote from: granute on October 10, 2024, 10:00:53 PM
Quote from: Monviech on October 10, 2024, 06:32:52 PM
The best tool to troubleshoot WireGuard would be the good old tcpdump.

tcpdump -i wg0


Well, that is a tool I've definitely spent time getting to know. Thanks for the advice.

If you want a deep dive, this book cannot be recommended highly enough:

https://en.wikipedia.org/wiki/TCP/IP_Illustrated

Rich Stevens uses tcpdump to show how the protocols work in action. Absolutely brilliant.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Quote
Rich Stevens uses tcpdump to show how the protocols work in action. Absolutely brilliant.


I'm pretty comfortable with IP/UDP/TCP itself. Is there a similarly great book you'd recommend on advanced networking topics with FreeBSD?