WireGuard endpoints no Internet access unless service manually restarted (NAT not being applied) #6909
Comments
Could be a state issue, assuming between restarts of Wireguard nothing changes in the ruleset itself (you can check that by comparing the contents of /tmp/rules.debug before and after the reload). If you kill the state (icmp 10.101.80.1 --> 1.1.1.1) and restart the ping, does that lead to the same result?
I've compared the contents of /tmp/rules.debug before and after the reload. These four lines are added after reload and that is the only change:
Killing the states had no effect.
ok, thanks, that might be a race condition then. For openvpn we construct the [tun] devices in an earlier stage if I'm not mistaken. Is your problem also fixed by restarting the filter using
Yes, restarting the filter fixes the issue.
ok, thanks, that offers some direction on where to look.
…reguard_devices() plugin system. This should make sure services and components, such as the firewall, are able to use the device before being setup. closes #6909 A minor modification was needed in wg-service-control.php to make sure a configure would be executed if wgX exists without configuration
this opnsense/plugins@a7a94cc should fix the issue.
Great! Should I run
@Kinerg I think you need to select the plugins in the command (it's not part of core yet), something like the following likely does the trick:
(but I haven't tried it on my end)
Then I'll wait till the patch gets integrated. Thank you for the quick support!
opnsense-patch is risk free in this regard. If not you can always use opnsense-revert.
I've tried and got the following:
Ok, I think the CARP VHID feature is interfering. But as I said it’s risk free as it simply won’t modify files in that case.
I am experiencing the same issue on the latest OPNsense.
@TheekshanaA you can either wait for the next update or build the plugin locally. Reporting what we already know (there's something to fix) when it has already been pushed to git is rather unproductive.
I've put together a janky but lightweight workaround here. The workaround essentially attempts to reload all rules after a minute has passed, and works rather well on my environment.
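A scripted form of the two checks discussed in this thread (the before/after comparison of /tmp/rules.debug, and reloading the filter once the WireGuard device actually exists instead of after a fixed delay), added here as an example; it is not code from OPNsense or from any commenter. The device name wg0, the tunnel subnet 10.101.80.0/24, the WAN device em0 and the assumption that the lines a reload adds are the outbound NAT rule are all mine, and the sample ruleset lines are constructed.

```shell
#!/bin/sh
# Added example (not OPNsense project or thread code). Assumed names: WireGuard
# device wg0, tunnel subnet 10.101.80.0/24 (endpoint 10.101.80.1), WAN device em0.

# Constructed sample of rules.debug content (not from a real box): "before"
# lacks the outbound NAT rule for the tunnel subnet, "after" (post-reload) has it.
write_sample_rules() {
    cat > "$1/rules.before" <<'EOF'
set skip on lo0
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535
pass in quick on wg0 inet from 10.101.80.0/24 to any keep state
EOF
    cat > "$1/rules.after" <<'EOF'
set skip on lo0
nat on em0 inet from 192.168.1.0/24 to any -> (em0:0) port 1024:65535
nat on em0 inet from 10.101.80.0/24 to any -> (em0:0) port 1024:65535
pass in quick on wg0 inet from 10.101.80.0/24 to any keep state
EOF
}

# Exit 0 when rules file $1 carries an outbound NAT rule for subnet $2.
nat_rule_present() {
    grep -E "^nat on .* from $2 " "$1" >/dev/null 2>&1
}

# Print lines present in $2 but absent from $1: the before/after comparison of
# /tmp/rules.debug suggested in the thread, scripted.
rules_added_by_reload() {
    grep -Fvx -f "$1" "$2"
}
# Poll until device $1 exists, then reload the filter if the loaded ruleset still
# lacks the NAT rule for subnet $2 (pf configured before wgX was created).
wait_and_fix_nat() {
    attempts=${3:-12}
    while [ "$attempts" -gt 0 ]; do
        if ifconfig "$1" >/dev/null 2>&1; then
            nat_rule_present /tmp/rules.debug "$2" && return 0
            echo "$1 is up but no NAT rule for $2 is loaded; reloading filter"
            configctl filter reload
            return
        fi
        attempts=$((attempts - 1))
        sleep 5   # wait between checks
    done
    echo "$1 never appeared" >&2
    return 1
}
# Act only when asked (e.g. a boot-time cron job); sourcing just defines functions.
[ "${WG_NAT_WATCH:-0}" != 1 ] || wait_and_fix_nat wg0 10.101.80.0/24
```

Run it as `WG_NAT_WATCH=1 sh wg-nat-check.sh` on the firewall; without the variable it only defines the functions so they can be exercised against saved copies of rules.debug.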
@AdSchellevis @fichtner
Restarting the WireGuard service fixes the issue.
Describe the bug
After OPNsense boot, WireGuard endpoints don't have Internet access. Traffic passes through OPNsense out to WAN interface and nothing appears to be blocked, but it seems NAT is not being applied so nothing comes back from the Internet. Last known working OPNsense version was 23.1.11_2. Updated to 23.7.5 and noticed the issue.
Forum topic about the issue. At least one other user reported what appears to be the same issue.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
WireGuard clients should have Internet access after OPNsense boot.
Relevant log files
OPNsense fresh boot, before manual WG restart:
After manual WG restart:
10.101.80.1 -> WireGuard endpoint IP
192.168.61.10 -> WAN interface IP (upstream gateway 192.168.61.1)
Additional context
Communication between WireGuard endpoints and OPNsense works without issue. It is only when WG traffic has to go out through the WAN interface that the issue occurs.
Environment
OPNsense 23.7.5-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023