New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/wireguard: 'vpn' configure plugin hook missing #3565
Comments
I know why this happens...spotted it this week doing a review for upcoming wireguard changes. |
Wasn't the dnsreresolve action not intended for these kind of issues? plugins/net/wireguard/src/opnsense/service/conf/actions.d/actions_wireguard.conf Lines 25 to 30 in dc06d58
ref: https://github.com/WireGuard/wireguard-tools/tree/master/contrib/reresolve-dns |
I think this was meant for cron job use to unbreak. what I mean is adding the vpn hook like OpenVPN and IPsec do on core which is called by newwanip which is called by PPPoE eventually. |
To clarify this is pre os-wireguard 2.0. The problem always existed. Flaky DNS during boot is a main driver for this issue. Most people don't even realise that until it happens. |
@AdSchellevis looks like you are right... does this work for you then? d6df03a56 |
Same problem with wireguard tunnel, here. Worked reliably in previous versions.
|
„Name does not resolve“ is a pretty basic support issue, not a technical problem. Nothing we do here will solve it. |
Sorry for opening this up, again. Problem persists with OPNsense 23.7.4 I know that "Name does not resolve" is a basic error, but the endpoint domain name is correct and CAN be resolved. The problem with this is, that the DNS does not resolve upon opnsense startup, but does resolve later on.
Manual intervention is needed: restarting wireguard service via gui -> DNS now resolves -> tunnel is successfully established. Possible solution: |
I’m not sure it makes too much sense. It might not be a wireguard issue. It’s trying to restart all the time on dynamic changes. Maybe the root issue is the WAN configuration and DNS setup. |
From my point of view, wireguard is started too early upon opnsense bootup. From the attached excepts of various log files you can see, the following sequence of events:
It seems that the statup sequence does not account for the possibility, WAN is not attached to the first available interface. (It will probably also not account for temporary DNS server failures) Best regards, Walter
|
Linkup starting igc3 is suspicious. The only reason for this is probably netmap being used. I’d rather like to see the system log. |
Unfortunately it doesn't. If the config is not loaded during initial wg startup, the "wireguard renew" action fails. System log pulled from /var/logs: see syslog.log Thank you for your efforts! |
It is probably not necessary to review the logs (see above). You're assuming that your plugin hook restarts wireguard on any type of change, but it doesn't. If the config is not loaded during initial wg startup, the "wireguard renew" action fails. Here is what happens from wireguard side of view: This is what "wg show all" displays after initial startup with failed DNS request. Interface seems to exist, but with no configuration at all.
This is what happens after your "renew" (what you consider a restart) action (/usr/bin/wg set wg1 peer XXXX endpoint xxx.mooo.com:12345) with successful DNS resolution. Please note: Allowed ips and preshared key are empty/missing. `interface: wg1 peer: XXXX This is what a successfully established tunnel looks like: `interface: wg1 peer: XXX Reassigning the config file in reresolve-dns.py (wireguard renew) seems necessary ("wg setconf wg1 /usr/local/etc/wireguard/wg1.conf"). Another (in my oppinion rather bad fix) would be: start wg with dummy static endpoint ip (so that it loads config), then assign correct endpoint IP oder DNS name later (using your renew action). |
The We might consider calling configure on interface event, but it likely needs some additional checks in the existing script (maybe required for future CARP changes anyway) The root cause however might be something different as DNS should be available at that point in time and the link event looks rather suspicious (in which case forcing a resolve for a functional tunnel should be all it needs) |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
Since 23.7 opnsense randomly fails to init wireguard interfaces at boot if DNS lookup fails.
I used a host name as Endpoint Address which needs a DNS lookup. It seems that the
PPPoE session hasn't started yet, thus DNS query fails, causing the whole wireguard interfaces the Endpoint is attached to being unavailable.
Expected behavior
wireguard interface is brought up even if DNS is used as endpoint address
Describe alternatives you considered
Switching to static IP adress solves the issue for me.
Relevant log files
See attachement
fail.log
The text was updated successfully, but these errors were encountered: