Wireguard Gateway/Static Route Issues on Reboot
-
I'm currently testing out the latest experimental Wireguard package (0.1.1) on a Netgate XG-7100 running pfSense 21.05. The other endpoint is the same device model and versions. For the most part, it seems to be working well, but I'm consistently running into an issue where one endpoint fails to create the correct static routes across the Wireguard tunnel when pfSense reboots.
Both devices have interfaces assigned to the Wireguard tunnel on a /30 subnet: 192.168.50.1 and 192.168.50.2. Both devices also have gateways configured pointing to the interface IP of the other device (e.g. 192.168.50.1 has a gateway entry for 192.168.50.2 and vice versa). The Wireguard peer config on both devices sets "0.0.0.0/0" for Allowed IPs, and I have set up static routes on both devices pointing to a couple of /24 subnets reachable via the other device. For example, the 192.168.50.1 device has a static route for 192.168.70.0/24 using the 192.168.50.2 gateway. When initially configured, everything works correctly: all the static routes show up in the routing table on each device and traffic is properly routed across the Wireguard tunnel.
The issue crops up when I reboot the 192.168.50.1 device. After a reboot, the Wireguard tunnel connects, and eventually the 192.168.50.2 gateway stabilizes and shows as "Online". But for some reason, the static routes using that config never get added to the routing table. Strangely enough, I never seem to have this issue on the second device (192.168.50.2). On each reboot, that device seems to always add the correct static routes. The only real difference between the two devices is that the 192.168.50.1 device has two other gateways configured as a failover gateway group for its WAN connection, while the second device has just a single default gateway for WAN.
I can always resolve the issue by opening the 192.168.50.2 gateway settings on the 192.168.50.1 device and re-saving them after a reboot. This seems to kick a reset of the routing system after which the routing table is correctly populated with the static routes. But since this requires manual intervention on each reboot, it's not the ideal workaround.
I'm not sure if pfSense removes static routes using a given gateway when a gateway goes offline by default or not, but I went ahead and set the "Disable Gateway Monitoring Action" on both gateways just in case that would help. Unfortunately, it seems to have had no impact.
Anyone have any thoughts on what might be going on here? It's also possible this issue has nothing to do with Wireguard and is a more general Gateway/static route problem, but I figured I'd start here. Thanks in advance!
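The failure described in this post is "the gateway is Online but the static routes never appear in the routing table", which is easy to check for right after boot. The script below is an added example, not code from the thread or from the pfSense project: it parses a `netstat -rn -f inet` style table (a constructed sample is embedded so it runs offline; the `tun_wg0` interface name, the `203.0.113.1` WAN gateway and the `192.168.80.0/24` second route are assumptions) and reports which expected destinations have no entry via the Wireguard peer gateway.

```sh
#!/bin/sh
# Added example: detect static routes that should point at the Wireguard peer
# gateway but are absent from the routing table. Not part of the original post.

# Constructed sample of `netstat -rn -f inet` output, modelled on the poster's
# setup: tunnel /30 192.168.50.0/30, local 192.168.50.1, peer gateway 192.168.50.2.
# Interface name tun_wg0 and WAN gateway 203.0.113.1 are assumptions.
# The 192.168.70.0/24 route is deliberately missing to mirror the reported symptom.
SAMPLE_ROUTES='Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         ix0
127.0.0.1          link#5             UH          lo0
192.168.50.0/30    link#7             U       tun_wg0
192.168.50.1       link#7             UHS         lo0
192.168.80.0/24    192.168.50.2       UGS     tun_wg0'

# missing_routes GATEWAY ROUTES_TEXT DEST...
# Prints every DEST (CIDR as shown by netstat) that has no routing table entry
# whose gateway column equals GATEWAY.
missing_routes() {
    gw="$1"
    table="$2"
    shift 2
    for dest in "$@"; do
        if ! printf '%s\n' "$table" | awk -v d="$dest" -v g="$gw" \
            '$1 == d && $2 == g { found = 1 } END { exit !found }'; then
            printf '%s\n' "$dest"
        fi
    done
    return 0
}

# routes_ok GATEWAY ROUTES_TEXT DEST...
# Exit status 0 when every DEST is routed via GATEWAY, 1 otherwise.
routes_ok() {
    [ -z "$(missing_routes "$@")" ]
}

# Stand-alone run against the constructed sample. On a live pfSense box you
# would pass "$(netstat -rn -f inet)" as the second argument instead.
if routes_ok 192.168.50.2 "$SAMPLE_ROUTES" 192.168.70.0/24 192.168.80.0/24; then
    echo "all expected routes present via 192.168.50.2"
else
    echo "routes missing via 192.168.50.2:"
    missing_routes 192.168.50.2 "$SAMPLE_ROUTES" 192.168.70.0/24 192.168.80.0/24
fi
```

Run with the live table substituted for `SAMPLE_ROUTES` after a reboot and a non-zero status from `routes_ok` tells you the poster's condition has recurred before any traffic is affected; the script only reports, so the fix (re-saving the gateway or routes in the GUI, as described above) is still a separate step.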
-
I am also seeing this issue in 2.5.2-RC amd64
I had to manually create the gateway and assign static routes to send the traffic across the tunnel. It works like a charm except when the router is rebooted, it totally ignores the routes.
I have to go in and save the routes again (they are still there but I have to open them and click save again) to get pfsense to start using them again.
-
I think I am seeing the same problem.
pfsense plus 21.05 release wireguard 0.1.1
After reboot, the wireguard gateway is reported down. I had site to site configured using /30 tunnels with gateways pointed to each interface. It worked on initial setup but on a reboot, gateway is down and although wireguard has a successful handshake, the gateway won't come back up. I cannot ping across the wireguard gateway from the firewall itself.
-Devan
-
@ddbnj said in Wireguard Gateway/Static Route Issues on Reboot:
Known bug according to @theonemcdonald
-
@ddbnj said in Wireguard Gateway/Static Route Issues on Reboot:
I cannot ping across the wireguard gateway from the firewall itself.
Yea but you'll find if you go to your static routes, don't change them just click save, then they will come good and it will work again.
-
It was a pain in the ass last night since I don't use any static routes. I want to keep the IOT stuff out without creating specific firewall block rules. I basically tore down the tunnel and rebuilt it. At some point it came up.
The weird addition was adding the tunnel addresses themselves to the peers' allowed IPs. Once I added 10.3.102.1/32 and 10.3.102.2/32 respectively, it came up. I didn't have to do that on the original configuration.
-
@ddbnj said in Wireguard Gateway/Static Route Issues on Reboot:
I basically tore down the tunnel and rebuilt it. At some point it came up.
The weird addition was adding the tunnel address themselves to the peers allowed IPs.
If you don't add the static routes you can't ping across to the far side network as it doesn't know to send the packets through the WG tunnel.
-
Has anyone found a suitable workaround to this? I am having the same issue and would like some way to even temporarily fix it.
Also is this the bug report for this issue? https://redmine.pfsense.org/issues/11892
-
@nlibby probably not what you want to hear, my work around was to switch to IPSec. At least I'm making use of AES-NI now I guess.
-
@propercactus with how stable Wireguard and pfsense have been, I'll stick with it and if what I saw in the bug report is right (if I interpreted it right) I'm just going to stick with Wireguard. It's at most a minor inconvenience if I have to login on the off chance I have a crash or have to reboot my system.