Netgate Discussion Forum

    Notes on using WireGuard with OSPFv2 of pfSense flavour

      Soyokaze

      Only one peer per WG server, because you can't have a 0/0 route for multiple clients per WG server
      The OSPF interface (on the WG interface) should be set to point-to-multipoint, i.e. multicast, which avoids the need to configure OSPF neighbours
      As of pfSense 2.7.2 (probably 2.7.0 is also affected) the FRR process starts earlier than WireGuard, and after the system renames the wg interface (why even?) it loses track of that interface
      Workaround 1 is to somehow stall the FRR launch
      Workaround 2 is to manually/automatically restart the FRR process after the launch after some timeout
      Workaround 3 is to throw out the fancy WebGUI and use a manual frr.conf, in which the section for any WG interface should be doubled up without the "tun_" prefix, i.e.:

      interface tun_wg0
       ip ospf network point-to-multipoint
       ip ospf area 0.0.0.0
      !
      

      should be accompanied by a similar section, but with a name without "tun_":

      interface wg0
       ip ospf network point-to-multipoint
       ip ospf area 0.0.0.0
      !
      

      This way FRR would pick up the interface before the rename and use it fine, but if for some reason the FRR processes were restarted, it would use the new, "tun_"-prefixed one.

      PRO: you can skip [pfSense] interface assignment for the WG interface and all these shenanigans
      CON: you need to be proficient in FRR config without WebGUI

      An example of a working FRR configuration with two routers:

      !
      frr defaults traditional
      hostname gw7-8.testlab.arpa
      password 1
      log syslog
      service integrated-vtysh-config
      !
      ip router-id 5.6.7.8
      !
      interface vmx1
       ip ospf area 0.0.0.0
      !
      interface tun_wg0
       ip ospf network point-to-multipoint
       ip ospf area 0.0.0.0
      !
      interface wg0
       ip ospf network point-to-multipoint
       ip ospf area 0.0.0.0
      !
      router ospf
       ospf router-id 5.6.7.8
       log-adjacency-changes detail
       passive-interface vmx1
       area 0.0.0.0 shortcut default
      !
      line vty
      !
      

      Need full pfSense in a cloud? PM for details!
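
Workaround 3 in the post above depends on every `tun_`-prefixed WireGuard stanza having an identical copy under its pre-rename name. The Python sketch below is an added example, not code from the post or from pfSense or FRR: it audits the text of an frr.conf for missing or diverged twins and adds the missing ones. The function names are hypothetical, and it assumes WireGuard interfaces are named `wgN` / `tun_wgN` as in the post's config.

```python
import re

# Constructed sample: a config that only knows the renamed interface.
SAMPLE_CONF = """\
interface tun_wg0
 ip ospf network point-to-multipoint
 ip ospf area 0.0.0.0
!
router ospf
 passive-interface vmx1
!
"""

# One "interface NAME" line, its indented body, and an optional "!" separator.
STANZA_RE = re.compile(r"^interface (\S+)[ \t]*\n((?:[ \t]+.*\n)*)(?:!\n)?", re.M)

def stanzas(conf):
    """Map each interface name to the text of its indented body."""
    conf = conf.rstrip("\n") + "\n"
    return {m.group(1): m.group(2) for m in STANZA_RE.finditer(conf)}

def audit_twins(conf, prefix="tun_"):
    """Return (renamed, original, status) for every prefixed wg stanza."""
    found, report = stanzas(conf), []
    for name, body in found.items():
        if name.startswith(prefix + "wg"):  # assumption: wgN naming
            twin = name[len(prefix):]
            status = ("missing" if twin not in found
                      else "ok" if found[twin] == body else "differs")
            report.append((name, twin, status))
    return report

def add_missing_twins(conf, prefix="tun_"):
    """Copy each prefixed wg stanza under its pre-rename name if absent."""
    conf = conf.rstrip("\n") + "\n"
    missing = {n for n, _, s in audit_twins(conf, prefix) if s == "missing"}

    def dup(m):
        if m.group(1) not in missing:
            return m.group(0)
        missing.discard(m.group(1))
        sep = "" if m.group(0).endswith("!\n") else "!\n"
        return f"{m.group(0)}{sep}interface {m.group(1)[len(prefix):]}\n{m.group(2)}!\n"

    return STANZA_RE.sub(dup, conf)

if __name__ == "__main__":
    print(audit_twins(SAMPLE_CONF))
    print(add_missing_twins(SAMPLE_CONF), end="")
```

A "differs" status means the two stanzas have drifted apart, so FRR would apply different OSPF settings depending on whether it started before or after the rename.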

        Trey @Soyokaze

        @Soyokaze Hi,

        We are facing the same problem. At the moment we restart FRR after each reboot or power failure to get it to recognize the WireGuard interface.

        Sometimes it is also necessary after applying settings in the WireGuard section.

        That really really annoys everyone.

        Thanks for your summary

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.