can't get wireguard to work on multiple appliances after updating-resolved-

[DEC670airp414user]

i updated my business appliance. a DEC670, and i updated a minnowboard with intel nics.  and both are having the same issue.

wireguard will connect.  but traffic will not pass reliably.  i have been setting up wireguard for quite sometime, so i know i am doing it correctly.

ive regenerated all new keys.  so nothing is reused etc

i then factory reset my minnowboard to 25.1.  started from scratch, and it still have the same issue with two different "providers". with wireguard.  any suggestions are welcome

wireguard is working on the latest Business Edition with zero issues.  wiped it and went back to BE for the DEC appliance

[DEC670airp414user]

2nd pictures

[DEC670airp414user]

3rd pictures

for the firewall rule.  the wireguard IS chosen for gateway.  i had to change it to default to post these screen shots.

so the firewall rule IS in place


2nd screen shot.  i thought it was DNS..   i have DNS pushed from KEA.  and i also staticly assigned their DNS server on the wired nic card.   i still have the issue

[tessus]

wireguard is working on the latest BE with zero issues.

What does BE stand for? If you use abbreviations, please use at least the full term once for acronyms that are not immediately clear. If it stands for "build environment", it still lacks specificty. e.g. which build environment, what repo, git hash, ...

[newsense]

BE could be either boot environment in the context of snapshots, or business edition if talking about OPNsense versions

[franco]

Exactly the reason why we call snapshots "snapshots"...

Not aware of an actual WireGuard issue on 25.1. Some people always reporting issues post-upgrade, but also not able to explain what the problem is. OTOH always people saying it works fine, so suggesting a setup quirk or unstable connection.


Cheers,
Franco

[DEC670airp414user]

wireguard is working on the latest BE with zero issues.

What does BE stand for? If you use abbreviations, please use at least the full term once for acronyms that are not immediately clear. If it stands for "build environment", it still lacks specificty. e.g. which build environment, what repo, git hash, ...

HI I have seen this posted many times.    paying customers I've seen have listed BE as Business Edition.  which is what I am using on the DEC appliance and works perfectly.  I've upgraded it 3 times now to 25.1. and Wireguard fails to work reliably.

I then pulled out an old minnow board 2 Nic PC.  and upgraded it to 25.1.  attempted and had the same issue,  factory reset within the console.  started over with all new keys.    and still have the same issue.
I don't believe its my fiber line as unstable, as it works perfectly on. Business Edition on the same appliance same cables and switches and Access Points etc.
I figured I would post if anyone else was having an issue.  or any ideas.  I've spent 3 days off work trying to figure it out, and can not

per the pictures,  everything is correct... to me.  and has worked for the many months I've used Wireguard.
it shows connected.  if I visit ford.com the website doesn't load.  if I visit amd.com the website loads.  if I attempt to download anything from distrowatch.    all the files downloaded fail 1/4. way.    it seems to me a MTU issue.  but I've enabled clamping.  removed clamping. used all working MTU of 1320    and I still have the issue of constantly websites not displaying even though I CAN ping external sites.    but downloads will also never complete

[DEC670airp414user]

i think i may have found what the issue is.  i have not upgraded again to confirm but was having similar issues loading
Alma and Rocky and Debian linux on a few test boxes over the weekend.   all the boxes work normally with Ubuntu pro or PopOS loaded and have for YEARS!
the same issue would happen on Alma, rocky, debian:  during install the device would recognize the nic and get an IP address but could not download updates or load websites once on the desktop..    evening though the device had the default gateway listed as a DNS server.  and unbound IS set to listen on those interfaces.

i found the issue was actually Kea:

before i moved to kea i would statically assign DNS addresses to devices  so the gateway IP would be first, and then a another IP address would be listed for a alternate internet service provider.     i did this with Kea last year and continued to go that route

i found IF i checked i think its auto collect instead of adding the DNS servers manually to the devices.  everything worked normally.
i would then Edit the network card properties and add the DNS server on the device itself for it to work afterwards.

not sure if i will upgrade.  but i am happy at least my test boxes issue is resolved again, and can work on wireguard again

[DEC670airp414user]

i upgraded again to 25.12 4th times i believe

and my tunnels do not work again,  i changed default MTU clamping. 1300 all the way up to 1400 from 1320 as the directions

 Nothing resolves this

 i can't believe i am the only person having this issue
i plan to reupp my Business license(it literally just expired) when i get home tonight and roll back to the latest Business Edition on my DEC Appliance

[relcz]

@DEC670airp414user: I might also be facing similar issues since this week when i updated to 25.1.3, though i am on community version and not business edition. Previously wireguard (wg) was working without any issues. After upgrade, devices connected to wg gateway pointing to vpn provider is not able to reach out to any websites.

I have separate wg interface for local network access from outside and i am able to use that wg to connect and access. This shows the inbound is working and so my assumption is wg in opnsense is working.

Not sure whether this issue is specific to Opnsense gateway or vpn provider.

[DEC670airp414user]

@DEC670airp414user: I might also be facing similar issues since this week when i updated to 25.1.3, though i am on community version and not business edition. Previously wireguard (wg) was working without any issues. After upgrade, devices connected to wg gateway pointing to vpn provider is not able to reach out to any websites.

I have separate wg interface for local network access from outside and i am able to use that wg to connect and access. This shows the inbound is working and so my assumption is wg in opnsense is working.

Not sure whether this issue is specific to Opnsense gateway or vpn provider.

Azirevpn is who that tunnel is through.   who are you using, and are you using Kea?

my business license expired within the last week if this troubleshooting.   and i will always subscribe even as a home user to support the project... i even have an official appliance that is 3 years old.

i reupped at 170 dollars.  and went back to using the license and everything works.

Franco recently posted in April Business Edition will be upgraded to 25.   at that time i plan to download the latest BE and write it to a new usb drive.    and start from complete scratch on the official appliance.      i just don't have the time to do that while my entire home network is down.

i had high hopes once changing Kea to  Auto collect option data.    but its still not fully fixed.    i really don't want to try ISC again

[relcz]

I tried with proton. I am not using kea and still using isc. kea for me was buggy and so stayed with isc, as long as possible.

WG handshakes are fine and my isp gateway is working fine. I can see in firewall live logs the devices connected to wg interfaces are all allowed to go out and so firewall rules seems also not a problem. In gateway, dpinger is showing gateway down for wg gateways, tested with different monitor ips. isp gateway shows as up though when different ips are used as monitors.

I tried now with the existing config.xml in 25.1 live environment and its still the same. No internet to wg interface.

I am not able to pin point where the issue is and it only started to show up ever since upgrade to 25.3. Before that all was working fine. Any help is appreciated.

[DEC670airp414user]

I tried with proton. I am not using kea and still using isc. kea for me was buggy and so stayed with isc, as long as possible.

WG handshakes are fine and my isp gateway is working fine. I can see in firewall live logs the devices connected to wg interfaces are all allowed to go out and so firewall rules seems also not a problem. In gateway, dpinger is showing gateway down for wg gateways, tested with different monitor ips. isp gateway shows as up though when different ips are used as monitors.

I tried now with the existing config.xml in 25.1 live environment and its still the same. No internet to wg interface.

I am not able to pin point where the issue is and it only started to show up ever since upgrade to 25.3. Before that all was working fine. Any help is appreciated.

all my tunnels show up online.  the monitoring IP address is the gateway of the tunnel.
i started a thread under VPN>  about MTU.    i think part of this is MTU related.  but i am not updating a 5th time as i just reupped my business license

open the interface for the tunnel, and manually change the MTU entry to 1400 and see if it resolves the issue for you?   if not try 20 increments lower

[relcz]

I just solved my issue. Apparently after the upgrade and restart, the interface names used by Opnsense in wg (wg5, wg6) got changed to wg2, wg3. Due to this change, in the Interface->Assignments section, wg5, wg6 was mentioned as missing. I only had to select the appropriate new names, wg2 and wg3, apply changes. Now all started to work without any issues and the wg tunnels are now up and running.

[DEC670airp414user]

Updated to the latest business edition from previous business edition

Zero issues whatsoever
-shrug