25.7.9 update and WireGuard

Started by s1l3nce, December 08, 2025, 01:28:10 PM

I have a WireGuard server running on my OPNsense firewall. After the last update (25.7.9) none of the WG clients could connect to the server. I checked the log and this is what it said:

/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'> returned exit code 1 and the output was "Name does not resolve: `DNS_NAME:PORT' Configuration parsing error"
I censored the DNS names. I have 2 errors because I have 2 configurations/2 DNS.

Disabling and re-enabling WireGuard from the GUI fixed the problem.

To temporarily fix the issue I had to do the following:

1. Log into the firewall through ssh.

2. Create the script file:

nano /usr/local/etc/rc.syshook.d/start/99-wireguard-restart
3. Input this text in the file:

#!/bin/sh
# Wait for WAN + DNS (AdGuard/Unbound) to be ready
sleep 10
# Fully restart all WireGuard instances (same effect as GUI Enable/Apply)
/usr/local/bin/php /usr/local/opnsense/scripts/wireguard/wg-service-control.php -a restart
exit 0

4. Add execution rights to the file:

chmod +x /usr/local/etc/rc.syshook.d/start/99-wireguard-restart

I suppose this issue is caused by an improper order in the execution of certain services.

December 08, 2025, 01:47:04 PM #1 by meyergru
The problem is / was probably present before. If you use DNS names for WireGuard peers, then the daemon will only resolve them once on start and never recognizes if the peer's IP changes. There is a cron job "Renew DNS for Wireguard on stale connections" which will restart WireGuard. You can run that job every 5 minutes and it will probably fix the DNS resolution problem during startup, too (at least after 5 minutes).

This has been reported over and over, so now I appended it as point 30 here: https://forum.opnsense.org/index.php?topic=42985.0


Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
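The hook script above works around the race with a fixed `sleep 10`, and the cron job only catches the problem on its next run. The following is an added example (not code from this thread, nor from OPNsense) of a start hook that instead waits until every `Endpoint` hostname in the instance configs actually resolves before restarting WireGuard, and only falls back to restarting anyway after a timeout. It assumes (not stated on the page) that the instance configs live in /usr/local/etc/wireguard/*.conf, matching the wg1.conf path in the error message, and that `getent hosts` is available as the resolver check, as it is on FreeBSD. The hook filename `99-wireguard-dns-wait` is likewise a hypothetical choice.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: wait for the WireGuard
# Endpoint hostnames to resolve, then restart WireGuard, instead of a fixed sleep.
# Assumed (not from the page): configs in /usr/local/etc/wireguard/*.conf,
# `getent hosts` as the resolver check, hook name 99-wireguard-dns-wait.

WG_CONF_DIR="${WG_CONF_DIR:-/usr/local/etc/wireguard}"
WG_CONTROL="/usr/local/opnsense/scripts/wireguard/wg-service-control.php"
MAX_WAIT="${MAX_WAIT:-120}"   # seconds to wait per hostname before giving up

# Print the host part of every "Endpoint = host:port" line in one wg config,
# one host per line. "[v6addr]:port" has its brackets stripped.
endpoint_hosts() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" \
        | sed -e 's/[[:space:]]*$//' -e 's/:[0-9]*$//' -e 's/^\[//' -e 's/\]$//'
}

# Return 0 if the argument is an IPv4/IPv6 literal (nothing to resolve), else 1.
is_ip_literal() {
    case "$1" in
        *[!0-9.]*) case "$1" in *:*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;
    esac
}

# Block until HOST resolves or TIMEOUT seconds have passed.
# Returns 0 when it resolves, 1 on timeout.
wait_resolvable() {
    host="$1"; timeout="$2"; waited=0
    while ! getent hosts "$host" >/dev/null 2>&1; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 2
        waited=$((waited + 2))
    done
    return 0
}

main() {
    for conf in "$WG_CONF_DIR"/*.conf; do
        [ -f "$conf" ] || continue
        for host in $(endpoint_hosts "$conf"); do
            is_ip_literal "$host" && continue
            if wait_resolvable "$host" "$MAX_WAIT"; then
                logger -t wg-dns-wait "$host resolves, continuing"
            else
                logger -t wg-dns-wait "$host unresolved after ${MAX_WAIT}s, restarting anyway"
            fi
        done
    done
    # Same full restart the thread's script runs (equivalent to GUI disable/enable).
    /usr/local/bin/php "$WG_CONTROL" -a restart
}

# Only act when invoked as the hook itself, so the helper functions can be
# sourced and exercised without triggering a WireGuard restart.
case "${0##*/}" in
    99-wireguard-dns-wait) main ;;
esac
```

Install it the same way as the script in the first post (nano the file into /usr/local/etc/rc.syshook.d/start/, then `chmod +x`). Because `wait_resolvable` polls the system resolver rather than sleeping a fixed time, it also adapts to a slower Unbound/AdGuard start; the syslog lines make it visible in the OPNsense log whether the restart happened because the names resolved or because the timeout expired.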

December 08, 2025, 01:53:50 PM #2 Last Edit: December 08, 2025, 05:11:12 PM by s1l3nce
Quote from: meyergru on December 08, 2025, 01:47:04 PMThe problem is / was probably present before.

Well, that's very strange. I've been using this firewall with Wireguard for a very long time without any issues after rebooting. But since the last update, every single time I've rebooted, wg clients could no longer connect, unless I disabled and re-enabled the service.

The "Renew DNS for Wireguard..." cron job didn't fix it for me (maybe I did something wrong). The script I posted works fine and it acts right after finishing the reboot process.

December 08, 2025, 09:23:02 PM #3 Last Edit: December 08, 2025, 09:24:34 PM by Monviech (Cedrik)
With every minor update there are voices that say WireGuard stopped working for them. It's almost predestined whenever a new update hits.

But historically it has never been the update, it was just the reboot and things with wireguard and DNS are always flakey.

Most people with wireguard issues also use adguard, coincidence?

The question is, did something change? Is there any entry in the version changelog you suspect?
Hardware:
DEC740

Quote from: Monviech (Cedrik) on December 08, 2025, 09:23:02 PMThe question is, did something change?

The only thing that I've changed recently was the OPNsense firmware. I've been using WireGuard + AdGuard without any issues for several months.