unbound: outgoing network interfaces not honored

[crt333]

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug
I have a single WAN and two WG interfaces, and have configured unbound DoT to use the two WG interfaces as the "outgoing network interfaces" on the settings page. This has worked in all versions before 21.7.4, but in the current version WAN must be included in the outgoing interfaces or unbound stops working.

To Reproduce

Steps to reproduce the behavior:

1. Go to 'Services->Unbound DNS->General'
2. Click on 'Outgoing Network Interfaces' and deselect WAN, and select WG1 and WG2 (connections working, just not for DNS)
3. Scroll down to '....'
4. See error: no name resolution

Expected behavior

Up until 21.7.4 the DoT DNS lookups went over WG, now they don't do anything unless WAN is selected

Describe alternatives you considered

A clear and concise description of any alternative solutions or workaround you considered.

Screenshots

If applicable, add screenshots to help explain your problem.

Relevant log files

If applicable, information from log files supporting your claim.

Additional context

Add any other context about the problem here.

Environment
Quotom box

Software version used and hardware type if relevant, e.g.:

OPNsense 21.7.4-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021

[schnerring]

I'm experiencing the same issue on 21.7.4. What OPNsense version did you use when it worked?

I tried rolling back to 21.7.2, but the issue persists. Were the following steps correct or am I missing something?

opnsense-update -kr 21.7.2
opnsense-revert -r 21.7.2 base
opnsense-revert -r 21.7.2 opnsense

[crt333]

This has worked for years in every version of opnsense up to and including 21.7.3. I had adguard exclusively using unbound on port 5353, and unbound doing DoT over my WG tunnels. I had also used the same config before starting to use adguard on top of it.

Sorry, I don't know how to revert everything. Right now I'm still running adguard but it is using TLS directly rather than talking to unbound.

dnsleaktest always worked with this config, showing only the DoT servers being used.

[schnerring]

up to and including 21.7.3

So this would indicate that my revert didn't work.

I've been trying to get this to work for the better part of last week without success. I might try to clean install an earlier version. Maybe even 21.1.

[crt333]

I guess there's a revert problem for you, since before 21.7.4 my logs showed all queries to port 853 (DoT) where going through WG

[schnerring]

I clean installed and updated to the following version and everything works as expected.

OPNsense 21.1.9_1-amd64
OpenSSL 1.1.1k 25 Mar 2021

Might the updated versions of unbound and os-wireguard be an issue? The working version has these installed.

os-wireguard: 1.7
unbound: 1.13.1

Is there a way to selectively upgrade to 21.7 to isolate the package upgrade that's causing this bug? I'll clone the live system as is and will gladly assist in debugging this.

Is opnsense-patch the right tool for the job? 🔨

[crt333]

The situation in 21.7.5 is the same as 21.7.4, I can't specify WG outgoing interfaces for unbound, I have to specify WAN or it doesn't work.

[mimugmail]

This MIGHT be similar to https://forum.opnsense.org/index.php?topic=25327.0 (German)

76b8ae4490

Problem is you cant revert as the package was removed/replaced. Just as guess as this is the only DNS relevant change in 21.7.4.

[fichtner]

I don't see Unbound acting up for using dnspython v2 in alias resolving with regard to WireGuard as an outgoing interface. It's more likely that 6d57215 does something, but there are no relevant indicators here in this report like pf rules comparison or naming the steps for configuring wireguard for it and if any custom rules are in the way and whether WireGuard interface is assigned or not.

[schnerring]

This MIGHT be similar to https://forum.opnsense.org/index.php?topic=25327.0 (German)

76b8ae4

Problem is you cant revert as the package was removed/replaced. Just as guess as this is the only DNS relevant change in 21.7.4.

I don't think this is related.

@fichtner : no rules comparison or otherwise complex setup is needed to reproduce the issue. Here are my steps off the top of my head:

• clean install OPNsense and update to 21.7.4
• add WG remote peer
• add WG local peer with Disable Routes checked
• add the interface
• add the GW
• select interface in Unbound

With this simple setup Unbound uses the default route and not the selected interface

[fichtner]

no rules comparison or otherwise complex setup is needed to reproduce the issue. Here are my steps off the top of my head:

Sure but not doing it will not point us into the right direction.

[schnerring]

Sure but not doing it will not point us into the right direction.

Are the steps I provided enough?

I'll try to update my setup to 21.7.3 this weekend. Can I opnsense-patch 6d57215 to check whether the commit is the issue?

[fichtner]

it should unpatch, yes, otherwise use

# opnsense-revert -r 21.4.3 opnsense

to move the core package to the working release.

[schnerring]

I was running on 21.7.4 and tried to revert, but things were still broken, so I clean installed 21.1 and upgraded to 21.1.9, which is what I'm currently running.

My thinking was to upgrade to 21.7.3, the latest version where Unbound works properly. Then apply the 6d57215 patch to verify it breaks things. Or isn't that helpful to you?

[fichtner]

the good state of 21.1.9 works too I suppose. We need to compare the /tmp/rules.debug output on a good and the bad configuration.

[crt333]

This worked for me on 21.7.3, but broke with the .4 update (and .5) Thanks to both of you for your help! Chris

…

---------------------------------------- Nov 12, 2021 7:29:27 AM Michael Schnerring ***@***.***>:

I was running on 21.7.4 and tried to revert, but things were still broken, so I clean installed 21.1 and upgraded to 21.1.9, which is what I'm currently running. My thinking was to upgrade to 21.1.3, the latest version where Unbound works properly. Then apply the *6d57215* patch to verify it breaks things. Or isn't that helpful to you? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub[#5329 (comment)], or unsubscribe[https://github.com/notifications/unsubscribe-auth/ARWE2I7M4GSRQN6HKGOOIULULUJBZANCNFSM5HE4QO2A]. Triage notifications on the go with GitHub Mobile for iOS[https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675] or Android[https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub]. [data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEgAAABICAYAAABV7bNHAAAABHNCSVQICAgIfAhkiAAAACtJREFUeJztwQENAAAAwqD3T20ON6AAAAAAAAAAAAAAAAAAAAAAAAAAAD4MUUgAARy2AfAAAAAASUVORK5CYII=###24x24:true###][Tracking image][https://github.com/notifications/beacon/ARWE2I2RIJ2RKAMAHBL67XTULUJBZA5CNFSM5HE4QO2KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOHGSRAJY.gif]

[schnerring]

I clean installed 21.1.1 and performed the following steps:

• update to 21.1.9_1 via serial console
• keep wizard defaults
• install os-wireguard plugin (1.7)
• add WG remote peer
• add WG local peer
• enable WG
• add interface (WAN_VPN)
• restart WG (so interface gets IP)
• add GW (WAN_VPN_GW)
• enable manual NAT and add the following outbound rules (<source> -> <interface):
  • LAN -> WAN
  • LAN -> WAN_VPN
• select WAN_VPN interface as outgoing interface in Unbound and restart Unbound

With this config, Unbound uses the VPN tunnel.

---

Running opnsense-patch 6d57215 and rebooting changes the following part:

# [prio: 100000]
pass out log route-to ( igb1 WAN6::WAN6:WAN6:WAN6:WAN6 ) from {(igb1)} to {!(igb1:network)} keep state allow-opts label "ba70dc1769980afe65cbac8576cee233" # let out anything from firewall host itself (force gw)
pass out log route-to ( igb1 WAN.WAN.WAN.1 ) from {(igb1)} to {!(igb1:network)} keep state allow-opts label "761a166383f941c76dbf2c76c9e2f241" # let out anything from firewall host itself (force gw)
pass out log route-to ( wg0 10.108.122.176 ) from {(wg0)} to {!(wg0:network)} keep state allow-opts label "1fbb62a93d5262e897b6c0f184574cba" # let out anything from firewall host itself (force gw)

to this:

# [prio: 100000]
pass out log route-to ( igb1 WAN.WAN.WAN.1 ) from {(igb1)} to {!(igb1:network)} keep state allow-opts label "761a166383f941c76dbf2c76c9e2f241" # let out anything from firewall host itself (force gw)
pass out log route-to ( igb1 WAN6::WAN6:WAN6:WAN6:WAN6 ) from {(igb1)} to {!(igb1:network)} keep state allow-opts label "ba70dc1769980afe65cbac8576cee233" # let out anything from firewall host itself (force gw)

And indeed, Unbound then uses WAN instead of WAN_VPN.

Running opnsense-patch 6d57215 again reverts /tmp/rules.debug and everything works again (actually had to reset the FW state, even after reboot).

I'm gonna do an upgrade from 21.1.9 to the latest version and try to revert the patch to see if that works, too.

[schnerring]

Reverting the patch works on the latest version:

1. Upgraded to 21.7.5
2. Run opnsense-patch 6d57215 (reverts the patch)
3. Reboot / purge FW states / restart Unbound

Do future releases automatically re-apply reverted patches, or is that something I need to keep in mind?

[Greelan]

Great troubleshooting, well done!

[kulikov-a]

@schnerring

add GW (WAN_VPN_GW)

and what if you assign this gw as upstream gateway in WAN_VPN properties?

[schnerring]

and what if you assign this gw as upstream gateway in WAN_VPN properties?

I do that on the WG local peer. I check Disable Routes and specify the gateway IP there. I can try, but the docs say to leave the interface unconfigured. Or is that something that changed?

[kulikov-a]

I just looked at the code..it looks for gateways in interfaces properties now imho. Can you try to set upstream gateway in wan_vpn properties?(not only in wg local peer). On my test vm it starts to generate pf rules after that

…

On Saturday, November 13, 2021, Michael Schnerring ***@***.***> wrote: and what if you assign this gw as upstream gateway in WAN_VPN properties? I do that on the WG local peer. I check *Disable Routes* and specify the gateway IP there. I can try, but the docs say to leave the interface unconfigured. Or is that something that changed? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#5329 (comment)>, or unsubscribe .

[schnerring]

Yes, you're right. Statically configuring IPv4 on the interface fixes the issue. I don't really understand what's happening on a lower level when assigning the wg0 "device" to the WAN_VPN "interface". I just "learned" that before creating a WireGuard gateway after assigning wg0 to an interface that WireGuard had to be restarted, so the interface gets an IP from WireGuard:

1. Create WG peers
2. Assign interface
3. Restart WG so assigned IF gets an IP
4. Create GW (this fails if step 3 is omitted)

Ever since I've "learned" doing it this way, I assumed that WG populates the IPv4 config of the interface with the values entered in the local peer, namely the (local) tunnel address and gateway IP. So is this a bug? Or is it really required to enter duplicate information on the local peer AND on the interface?

A while back I read the following comment from @fichtner . I don't fully understand, but does it have something to do with that?

Unbound binds to addresses, not interfaces. Dynamic interfaces pose an issue then, because you would need to stop and start unbound dynamically, which causes cache loss and general dns resolution disruption. The bind interface feature is a popular request but people often forget that this has side effects that have these annoying operational effects / implementation quirks.

In this particular case I assume Unbound simply forgets to load the correct address or is not notified of it. Best to use a manual ACL with listen on any IMO.

[Greelan]

Interesting. If you leave the upstream gateway as "Auto-detect", is it still OK? I presume so since at least in my setup the WG gateway is the only one listed in the dropdown.

I agree it seems duplicative to have to include the gateway info in the WG local config as well (and also the IPs, although presumably that must be in the WG config for WG to work). Particularly as the WG config only allows for one gateway, so both IPv4 and IPv6 can't be specified (but they both work regardless).

I will update the how-to once the proper configuration has been clarified.

I wonder if this also means that I should be configuring the IPs on the interface for my WG road warrior setup as well?

[AdSchellevis]

(I haven't read all the comments, but thought to shed some light on gateways)

If we're looking at #5230, the old behaviour was more or less a bug, some time ago we added Dynamic gateway policy (https://docs.opnsense.org/manual/interfaces.html originating from dba70c0) so one can provide an upstream gateway for interfaces that doesn't necessarily need an address (like openvpn and I expect the same is the case for wireguard).

In which case one can assign a gateway for an interface which is configured by the service itself (it generates rules like ... route-to ( wg0 ) ....

Auto detect gateways are only used if there's a file provided with an address in it (which dhcp clients do) or "Dynamic gateway policy" is set, which more or less explained in https://docs.opnsense.org/manual/gateways.html#missing-dynamic-gateway

[Greelan]

I'm not sure that will work for WG as when "Disable Routes" is selected in the WG local config (which is needed to allow selective routing of hosts through the tunnel), a gateway IP is required to be specified.

[kulikov-a]

so if I understood @AdSchellevis correctly, the changes are intentional (and I also think the previous behavior was less logical). And if I see correctly, the only thing that has changed is that now an allowing rule with the route-to specified is not created by filter.lib.inc to direct traffic from the wg interface to external networks (and traffic is directed according to the let out anything from firewall host itself (w/o 'force gateway') rule through the default gateway). thus, you can force the script to create a rule by specifying the gateway in the interface settings. or (which in my opinion is more logical and clearer) just create this rule manualy (can even limit ports for DoT)

[schnerring]

Much of this goes over my head, and as an end user of an appliance, I only want to concern myself with implementation details as much as I have to. I'll sure learn things along the way, but I didn't expect having to spend so much time to get to the bottom of this. Does this come down to WG still being experimental and its integration requiring ironing out which isn't really possible before being implemented on a kernel level?

So if one of the solutions @kulikov-a mentions is the right / "logical" one, we should at least update the WG docs.

[crt333]

I agree with @schnerring and I have no useful input as to what the right way is, but instructions in the documentation and perhaps removal of "outgoing network interfaces" in the unbound config would be good, since it seems to add confusion. I'm happy with whatever the "best" way is, and thank everyone involved.

[Greelan]

no clue, you will have to inspect top if it stays high.

Ah - ntopng!

With the risk of asking very dumb questions, can't you offer the client something a bit larger than a single address? I've seen some strangeness with IPsec VTI tunnels in the past as well, although pf(4) shouldn't care too much in this case.

Well, Mullvad gives a /32 and a /128 for the tunnel, and that is what I configure in WG. In theory I could specify a larger netmask, I suppose (and in fact I do for IPv6 since otherwise I can't configure a gateway, since Far Gateways aren't a thing for IPv6). But I am not sure it would make any difference?

[schnerring]

With static config:

wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        capabilities=80000<LINKSTATE>
        inet 10.107.58.245 netmask 0xffffffff
        inet6 fc00:bbbb:bbbb:bb01::2c:3af4 prefixlen 128
        groups: wg wireguard
        nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>

Without static config:

wg0: flags=80c1<UP,RUNNING,NOARP,MULTICAST> metric 0 mtu 1420
        options=80000<LINKSTATE>
        capabilities=80000<LINKSTATE>
        inet 10.107.58.245 netmask 0xffffffff
        inet6 fc00:bbbb:bbbb:bb01::2c:3af4 prefixlen 128
        groups: wg wireguard
        nd6 options=103<PERFORMNUD,ACCEPT_RTADV,NO_DAD>

Btw, I'm using wireguard-kmod. Might this be an issue?

[AdSchellevis]

@schnerring could be the case, it doesn't really make sense that setting the same address again magically changes the routing. If that's the case, it should be easy to validate by manually setting only an address on wg0 and see if it makes a difference.

ifconfig wg0 10.107.58.245 netmask 255.255.255.255

[schnerring]

So things work when I just add the floating rule that's also added by statically configuring the WG interface.

I'd expect the user-defined floating rule to effectively override the auto-generated rule from the static WG interface configuration. But this only partially happens. Requests from Unbound still trigger the let out anything from firewall itself (force gw) rule.

What's odd is that Unbound requests display WAN as interface, despite showing the wg0 IP as source.

I remember having read somewhere that this is just a display error, but I don't remember where.

edit: "yoy" is the custom floating rule that replicates the auto-generated rule from static IP configuration

[AdSchellevis]

So things work when I just add the floating rule that's also added by statically configuring the WG interface.

If that's the case we can safely ignore my previous comment, wireguard-kmod isn't doing anything weird then.

I'd expect the user-defined floating rule to effectively override the auto-generated rule from the static WG interface configuration. But this only partially happens. Requests from Unbound still trigger the let out anything from firewall itself (force gw) rule.

If both match I would expect the same indeed.

What's odd is that Unbound requests display WAN as interface, despite showing the wg0 IP as source.

Doesn't ring an immediate bell on my end, if responses do go out using the correct interface, it might be possible that traffic is matched twice in some way, but that's guessing from my end.

[schnerring]

I'm going to factory reset and re-create a minimal setup just to rule out that this is caused by any other configuration on the system. 😫 It feels like that this is an issue between WireGuard and Unbound.

[AdSchellevis]

@schnerring not sure if I understood your previous comment correctly, but reading it again I think you mean if you add the same rule as the floating rule (without an interface) it works, but not if you stick it to an interface, which would indicate that we are constructing the wrong rule here.

Going back in the comments, the generated rules don't stick to an interface (so are floating without interfaces choosen).

pass out log route-to ( wg1 10.105.96.109 ) from {(wg1)} to {!(wg1:network)} keep state allow-opts label "c8bbe7226cc73d39b1ff03e1afc48087" # let out anything from firewall host itself (force gw)

Which would also explain the log on wan (it is leaving there, but with the rule in place you physically reallocate it to another interface). I assume Unbound puts the packet on the line using a source address, which would logically go out on wan (destination routing), if unbound would force the packet on the interface, the route-to on the interface would make more sense.

So long story short, @kulikov-a's rule (#5329 (comment)) should work, removing the validation (b567ddb) in this case shouldn't make a difference as the packet never enters wg0.

[kulikov-a]

@schnerring @AdSchellevis sorry, if i missed something. unbound binds to ip (not to interface). so imho the question is whether is wg interface acualy have address at the unbound start (and what address unbound binds to if its not. quick test shows that it binds to 0.0.0.0 in case wg interface is dynamic and not up. so any wg0 rules will not be triggered even after wg is up)?

[schnerring]

not sure if I understood your previous comment correctly, but reading it again I think you mean if you add the same rule as the floating rule (without an interface) it works, but not if you stick it to an interface, which would indicate that we are constructing the wrong rule here.

I'm sorry about that, you're right. I was sticking the rule to the wg0 interface. To clarify more:

1. Static WG interface configuration works
2. Static WG interface configuration + floating rule sticked to WG interface (still) works
3. Dynamic WG interface configuration + floating rule sticked to WG interface doesn't work
4. Dynamic WG interface configuration + floating rule not sticked to WG interface works

1, 2, and 3 are the configurations I tested. 3 is also what @Greelan implemented in his PR (https://github.com/opnsense/docs/pull/365/files) and what I configured in my original comment (#5329 (comment)) when trying to reconstruct the rule.

So long story short, @kulikov-a's rule (#5329 (comment)) should work, removing the validation (b567ddb) in this case shouldn't make a difference as the packet never enters wg0.

So yes, @kulikov-a meant 4. Such a small detail 🔬 ... I think this is resolved then?

[AdSchellevis]

@schnerring only issue that could remain if I understand @kulikov-a correctly is that there might be race condition in unbound startup (if the address is not yet there), but if @Greelan adds [4] in his how-to, at least the interface and firewall sections are functional.

I would close the ticket with @Greelan's documentation PR, sounds like we managed to find a solution indeed.

[schnerring]

In regards to the race condition, I quoted @fichtner in an earlier comment (#5329 (comment)), but didn't understand at the time. It's basically what @kulikov-a said.

And now I think I understand why the help text of the Outgoing Interfaces setting says this:

Utilize different network interfaces that Unbound will use to send queries to authoritative servers and receive their replies. By default all interfaces are used. Note that setting explicit outgoing interfaces only works when they are statically configured.

It seems to me that statically configuring the WG interface seems to be the better option? Unless the race condition issue is something that needs to be addressed (I couldn't find an open issue).

[AdSchellevis]

I don't think you can't fix the race by setting a static address on the interface as it's simply not there, but you should be able to add a loopback on use the same trickery to send it out on wg0 when it comes available.

The quickest "fix" would be to assign the same address using an alias to lo0 (loopback), in which case it can safely bind on startup (and I expect the tunnel won't mind that much, although I haven't tried). A more clean option would be to assign another unique address to loopback (either a new loopback interface or an alias) and use source nat to make sure the correct source is used (more work, but cleaner).

[Greelan]

So yes, @kulikov-a meant 4. Such a small detail 🔬 ... I think this is resolved then?

If I am following correctly, I should simply change the floating rule in the PR so that no interface is selected?

I am still quite curious why the static IP and gateway assignment on the interface is not the preferred solution, if it creates the same routing and appears simpler from a user perspective?

BTW, @schnerring, your earlier post shows a /128 netmask with the IPv6 address. How did you create a gateway in that case? OPNsense wouldn't let me when I tried because the gateway IP necessarily wasn't in the same subnet as the interface address. Hence I use a /127.

[schnerring]

BTW, @schnerring, your earlier post shows a /128 netmask with the IPv6 address. How did you create a gateway in that case? OPNsense wouldn't let me when I tried because the gateway IP necessarily wasn't in the same subnet as the interface address. Hence I use a /127.

I didn't configure a GW for IPv6 because I don't use IPv6 (yet). However, for Mullvad interfaces I went ahead and already added the IPv6 addresses.

[AdSchellevis]

If I am following correctly, I should simply change the floating rule in the PR so that no interface is selected?

It sounds like it, yes.

I am still quite curious why the static IP and gateway assignment on the interface is not the preferred solution, if it creates the same routing and appears simpler from a user perspective?

In my humble opinion the risk of doing so is that you're going to reconfigure an already configured (or missing) device with a configuration that might be different than the one chosen by the process responsible for it. Not all interface types will like this and in some cases it may lead to an unconfigured interface after the fact.

An option might be to show the gateway on interfaces when there's no explicit type chosen so you are allowed to force one for devices configured elsewhere, but I'm not sure that's worth the trouble.

[Greelan]

If I am following correctly, I should simply change the floating rule in the PR so that no interface is selected?

It sounds like it, yes.

Weirdly, I now tried the floating rule with no interface selected (and with no static configuration on the interface itself), and now my gateways tell me they are offline with 100% packet loss...

EDIT: Scratch that, they are back. Seems something else was the issue.

I am still quite curious why the static IP and gateway assignment on the interface is not the preferred solution, if it creates the same routing and appears simpler from a user perspective?

In my humble opinion the risk of doing so is that you're going to reconfigure an already configured (or missing) device with a configuration that might be different than the one chosen by the process responsible for it. Not all interface types will like this and in some cases it may lead to an unconfigured interface after the fact.

But I'd consider that just a user configuration error, and not a design issue. But just my view.

An option might be to show the gateway on interfaces when there's no explicit type chosen so you are allowed to force one for devices configured elsewhere, but I'm not sure that's worth the trouble.

I like the sound of that. And removing the need in the WG config to specify a gateway IP if Disable Routes is enabled. It seems some more general thinking on how interfaces and gateways are handled with WG in OPNsense might be needed?

[kulikov-a]

If I am following correctly, I should simply change the floating rule in the PR so that no interface is selected?

hm. like:
pass out log route-to (wg0 10.108.122.176) inet from (self:4) to ! (wg0:network:1) flags S/SA keep state allow-opts ?
so we route all traffic from all local interfaces to wg channel. is it really what we want?

UPD. sorry. misunderstood. the comment is irrelevant

[schnerring]

What @Greelan means is using the following rule (which is what @kulikov-a suggested):

Action	Pass
Quick	unchecked
Interface	don't select any
Direction	out
Source	WAN_VPN0 address
Destination / Invert	checked
Destination	WAN_VPN0 net
Description	WAN_VPN0 gateway selection
Gateway	WAN_VPN0
allow options	checked

The don't select any part is where we got it wrong before. We selected WAN_VPN0 for Interface and thus sticked the rule to the WG interface. Which didn't work for Unbound.

[Greelan]

Correct, @schnerring, which generates:

pass out route-to ( wg1 10.105.96.109 ) inet from {(wg1)} to {!(wg1:network)} keep state allow-opts label "2cf0578908ee95d679a61fada33b7f70" # : let out anything from firewall host itself (force gw)
pass out route-to ( wg1 fc00:bbbb:bbbb:bb01::2a:606c ) inet6 from {(wg1)} to {!(wg1:network)} keep state allow-opts label "6072c24f2cbf1434e71ef94f7ce40ad9" # : let out anything from firewall host itself (force gw)

(The rule descriptions are mine.)

My bad for not reading @kulikov-a's original screenshot correctly.

[schnerring]

I like the sound of that. And removing the need in the WG config to specify a gateway IP if Disable Routes is enabled. It seems some more general thinking on how interfaces and gateways are handled with WG in OPNsense might be needed?

My understanding is that the floating rule basically duplicates what the Gateway IP setting should do, right?

It feels like this was way too hard to get right. I mean from an end-user perspective it would be nice if the Gateway IP setting on the WG local peer was a dropdown menu where one could select a gateway which generates the above rule. We'd also need an additional dropdown to select an IPv6 GW.

[Greelan]

It feels like this was way too hard to get right. I mean from an end-user perspective it would be nice if the Gateway IP setting on the WG local peer was a dropdown menu where one could select a gateway and implicitly generate the above rule. Plus an additional dropdown allowing to select a IPv6 GW.

I'd be fine with that too. I agree wholeheartedly that this fiddling under the hood shouldn't be necessary, and some simpler solution to achieve the desired outcome and behaviour is needed. Hopefully something that the plugin maintainer can look at.

[mimugmail]

I have no idea how this should be done right. The gateway field was introduced in times where there was no init script of wireguard itself and at times where also the dynamic gateway checkbox wasn't there in interface configuration. With all this I'm not really sure if it's even required to still use the gateway field in wireguard. Currently it adds more complexity and might multiply failure reports, but removing it or changing the default will break most setups when used with Mullvad or Azire or PIA or similar.

[AdSchellevis]

My understanding is that the floating rule basically duplicates what the Gateway IP setting should do, right?

@schnerring right, if it knows the gateway, by default it will generate an outbound rule.

It feels like this was way too hard to get right. I mean from an end-user perspective it would be nice if the Gateway IP setting on the WG local peer was a dropdown menu where one could select a gateway which generates the above rule. We'd also need an additional dropdown to select an IPv6 GW.

@schnerring I see what you mean, but unfortunately we have to know with certainty what the intend was. It can be fixed from the plugins perspective (adding a gateway file https://docs.opnsense.org/manual/gateways.html#missing-dynamic-gateway) when the interface is available.

We could opt from detaching the gateway[v4/v6] setting in the interface so one could explicitly set an upstream for dynamic gateways too, but I'm not sure if this is worth the effort to be honest.

I have no idea how this should be done right. The gateway field was introduced in times where there was no init script of wireguard itself and at times where also the dynamic gateway checkbox wasn't there in interface configuration. With all this I'm not really sure if it's even required to still use the gateway field in wireguard. Currently it adds more complexity and might multiply failure reports, but removing it or changing the default will break most setups when used with Mullvad or Azire or PIA or similar.

@mimugmail I assume you mean this part https://github.com/opnsense/plugins/blob/ff0e665a868a7ff7ec3ef5a516339b037b38b727/net/wireguard/src/opnsense/service/templates/OPNsense/Wireguard/wireguard-server.conf#L24 , in which case it should be possible to also create/remove the required gateway file after which I suppose the gateway will be automatically added as well. (same process as described above)

[schnerring]

So I did some more testing and ran into another issue.

I also use WireGuard to connect from from the outside to my homelab. I use Mullvad port forwarding to connect through a WireGuard tunnel to OPNsense with WireGuard (so a tunnel inside a tunnel - I hope that's clear). I need to define two rules to make this work.

1. Inbound rule on WAN_VPN0 allowing the randomly generated port from Mullvad
2. Port forward rule redirecting traffic from the random port to the WireGuard local peer

Using static IPv4 configuration on the WG interface works. But as soon as I remove the static IPv4 configuration from the interface it stops working. Also, the "tunnel inside a tunnel" configuration only seems to work with wireguard-kmod.

[metronidazole]

What @Greelan means is using the following rule (which is what @kulikov-a suggested):

Wouldn't that break some configurations? I have two VPNs setup (site to site, and another for WAN purposes) and I think that would cause issues.

edit: nevermind

[Greelan]

Wouldn't that break some configurations? I have two VPNs setup (site to site, and another for WAN purposes) and I think that would cause issues.

Not sure why it would. Your two VPNs would be using separate wgX devices and therefore a rule for one should not affect the other?

[OPNsense-bot]

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.