Wireguard widget saying Wireguard tunnels are down when they are not

Started by DEC670airp414user, February 13, 2025, 11:00:22 AM

February 13, 2025, 11:00:22 AM Last Edit: February 13, 2025, 11:05:58 AM by DEC670airp414user
OPNsense 24.10.2-amd64
FreeBSD 14.1-RELEASE-p7
OpenSSL 3.0.15

Traffic IS passing, and all appears to work.

I believe this had to happen after that last prod update. I have never seen this before.
All gateways are online and pinging too?

Anyone else seeing this, or have any ideas, or is this just cosmetic?


Health audit:
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense-business" at 24.10.2 has 70 dependencies to check.
Checking packages: ....................................................................... done
***DONE***

The widget cannot know the state of the wireguard tunnel. It assumes it by checking when the last handshake happened. Wireguard commonly does the handshake every 2 minutes, so the widget implements a little bit more wiggle room with 3 minutes.

https://github.com/opnsense/core/blob/4d7158653970b71e00484546bf8dd55b5fb1fe24/src/opnsense/www/js/widgets/Wireguard.js#L89-L90

Can you see if the handshake happens less frequently in your case?
Hardware:
DEC740

I have checked all the way down to debug and I can't see how often it handshakes. Where are you requesting/finding this from?

February 14, 2025, 12:39:59 PM #3 Last Edit: February 14, 2025, 12:47:03 PM by Monviech (Cedrik)
Just use

wg

on the command line; it should show the latest handshake.

If it's more than 3 minutes away from now() the widget will show the tunnel as offline.


Example:

# wg

peer: 67dHcTQOQeClqSNN2FjqoeA3nhSSlsnKiN+o3Hxokio=
  endpoint: XXXXXX:51820
  allowed ips: 192.168.20.20/32, 192.168.2.2/32, 10.4.4.2/32
  latest handshake: 43 seconds ago
  transfer: 682.00 MiB received, 172.32 MiB sent
Hardware:
DEC740

It's happening right now: any browser, and in private/incognito mode:

allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 59 seconds ago
  transfer: 189.08 GiB received, 3.90 GiB sent
  persistent keepalive: every 20 seconds

2nd tunnel:
allowed ips: 0.0.0.0/0
  latest handshake: 44 seconds ago
  transfer: 396.00 GiB received, 1.84 GiB sent
  persistent keepalive: every 25 seconds

3rd tunnel:
  latest handshake: 1 minute, 22 seconds ago
  transfer: 244.01 GiB received, 8.29 GiB sent
  persistent keepalive: every 20 seconds

I'm running a DEC670, still on the business edition.
I attempted to update to 25.1, the latest community edition; I waited 30 minutes and it never completed.

I pulled the plug and it booted up, I ran updates again and it still had the WireGuard issue...


I restored it back to the business edition and everything is working. I'll see if the widget says otherwise.

Still happening.
I've turned off gateway monitoring and increased keepalive in sessions by 5 seconds per tunnel.

I have no idea what has happened, but it's possibly something from the OPNsense 24.10.2-amd64 update.

February 16, 2025, 11:50:58 AM #7 Last Edit: February 16, 2025, 11:53:38 AM by Monviech (Cedrik)
Maybe your time is wrong somewhere? The widget uses the current Unix time to calculate. Since it's calculated in your browser with JavaScript, maybe your client has a different time than the OPNsense.

Check the time/date on the OPNsense, and on your Client, see if they are the same.
Hardware:
DEC740
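The two explanations above (the 3-minute window over the latest handshake, and the comparison being done against the browser's clock) modelled as an added example in JavaScript. This is not the widget's own code from Wireguard.js; the function names, the constructed `wg` lines and the epoch values are assumptions chosen to show how a skewed client clock flips the result while the firewall's own view stays "up".

```javascript
// Added example, not OPNsense's Wireguard.js. Threshold as described in the thread.
const HANDSHAKE_TIMEOUT_SECONDS = 3 * 60;

// Parse the relative age printed by `wg`, e.g. "1 minute, 59 seconds ago" -> 119.
function parseHandshakeAge(text) {
  const units = { day: 86400, hour: 3600, minute: 60, second: 1 };
  const re = /(\d+)\s+(day|hour|minute|second)s?/g;
  let total = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    total += Number(m[1]) * units[m[2]];
  }
  return total;
}

// Status derived from an absolute handshake epoch and whatever clock the caller
// supplies (the widget supplies the browser's Date.now() / 1000).
function tunnelStatus(latestHandshakeEpoch, nowEpoch) {
  if (!latestHandshakeEpoch) return "down"; // peer never completed a handshake
  const age = nowEpoch - latestHandshakeEpoch;
  return age <= HANDSHAKE_TIMEOUT_SECONDS ? "up" : "down";
}

// Status derived only from the firewall's relative "N seconds ago" text, which
// does not depend on the client clock at all.
function statusFromWgLine(handshakeLine) {
  return parseHandshakeAge(handshakeLine) <= HANDSHAKE_TIMEOUT_SECONDS ? "up" : "down";
}

// Same handshake, evaluated with the firewall's clock and with a skewed browser clock.
function compareClocks(handshakeAgeOnFirewall, firewallNow, browserNow) {
  const handshakeEpoch = firewallNow - handshakeAgeOnFirewall;
  return {
    firewallView: tunnelStatus(handshakeEpoch, firewallNow),
    browserView: tunnelStatus(handshakeEpoch, browserNow),
    skewSeconds: browserNow - firewallNow,
  };
}

// Constructed sample: firewall saw the handshake 119 s ago (as in the thread),
// but the browser clock runs 5 minutes ahead of the firewall.
const FIREWALL_NOW = 1700000000; // constructed epoch value
const sampleLine = "  latest handshake: 1 minute, 59 seconds ago";
const sample = compareClocks(parseHandshakeAge(sampleLine), FIREWALL_NOW, FIREWALL_NOW + 300);
```

With a 5-minute skew the firewall still classifies the peer as up while the browser-side calculation reports it down; checking the `latest handshake` line on the firewall itself sidesteps the client clock entirely.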

February 16, 2025, 12:22:11 PM #8 Last Edit: February 16, 2025, 12:46:14 PM by DEC670airp414user
Confirmed time is correct on the homepage.

I thought GeoIP may have been blocking communication? Turned it off. Nope, all the servers are still not reachable. Bizarre.

Here is what I am getting from Services: Network Time: Status

Unreach/Pending    0.opnsense.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    1.opnsense.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    2.opnsense.pool.ntp.org    .POOL.    16    p    -    64    0    0.000    +0.000    0.000
Unreach/Pending    3.opnsense.pool.ntp.org    .POOL.

Did you change the interfaces setting for NTP? Leave it at "All (recommended)".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


I asked for the times of both the OPNsense and your Client that you use.

If your Windows or Linux or whatever has the wrong time, the browser will use that.
Hardware:
DEC740

After much testing

I isolated the issue to one device. And yes, absolutely, the time was correct. It is a brand new MacBook Pro M4 I just purchased this last week. All other devices showed the tunnels online? How is that possible? I used 3 different browsers:
Safari
Firefox esr
Brave

It would randomly (most of the time) show all WireGuard servers offline from the console no matter what I did.
I cleared ARP, removed GeoIP, removed DNSBL blocklists. I even assigned the device a new static IP on the network.

I ended up wiping the drive of the brand new MacBook Pro and reinstalled the OS.
It worked instantly in all the same browsers.

I've been having this issue since I bought the new laptop :(


Quote from: Monviech (Cedrik) on February 17, 2025, 09:19:18 AM
https://github.com/opnsense/core/issues/8335

The issue was somehow on my device's end. I just don't understand how, and when I reinstalled macOS it fixed it.

Feel free to lock or archive this, unless you actually found a legit issue and that was why the GitHub issue was opened.

Appreciate the replies.