Netgate Discussion Forum
    WireGuard lives!

      volkerg @vajonam

      Installed it in Version 2.5.1

      works great - thank you for your work

      regards

        dersch

        Upgrade to 0.1.1 worked great! Thanks.

        But I'm encountering high errors out on the tun_wg interface:

        WG_DSHOME Interface (opt3, tun_wg0)
        Status up
        IPv4 Address 192.168.166.1
        Subnet mask IPv4 255.255.255.240
        IPv6 Address fdac:ce55::1
        Subnet mask IPv6 64
        MTU 1420
        In/out packets 2287708/3201934 (486.02 MiB/555.38 MiB)
        In/out packets (pass) 2287708/3201934 (486.02 MiB/555.38 MiB)
        In/out packets (block) 1444/0 (208 KiB/0 B)
        In/out errors 0/3512
        Collisions 0

        I have no idea why and what could be the cause. Any idea or hint what could produce those errors?

          vajonam Rebel Alliance @dersch

          @dersch

          Not really sure why that happens. I am running this with very few errors maybe 1 or 0. I will keep an eye on it. Just a thought maybe try adjusting the MTU depending on your WAN uplink.

            dersch @vajonam

            @vajonam It's pretty strange, but I'm not using the WAN for peers. So it shouldn't be related?

              vajonam Rebel Alliance @dersch

              @dersch, sorry, I just assumed it was over a WAN link. Then I am out of ideas, sorry.

                psp

                Just upgraded to 2.6.0.a.20210524.0100-DEV:

                Crash report details:

                PHP Errors:
                [24-May-2021 18:48:49 Europe/Rome] PHP Warning: flock() expects parameter 1 to be resource, null given in /usr/local/pkg/wireguard/wg_service.inc on line 324
                [24-May-2021 18:48:49 Europe/Rome] PHP Warning: fclose() expects parameter 1 to be resource, null given in /usr/local/pkg/wireguard/wg_service.inc on line 327

                Installed pfSense v2.6.0-DEV from scratch and configured WG by hand (i.e. no import from old config.xml) after adding the pkg.

                WG is properly working though.

                  cmcdonald Netgate Developer @psp

                  @psp I caught this a few days ago. Fix will be in the next release. It is cosmetic.

                  Need help fast? https://www.netgate.com/support

                    brians @cmcdonald

                    Does this currently, or in future, work on official Netgate hardware eg. SG-5100?

                      gabacho4 Rebel Alliance @brians

                      @brians update to pfSense version 21.05 RC and you will have access to the package. Unfortunately it's version 0.0.8 instead of the more current 0.1.1. Unsure why that is.

                        gabacho4 Rebel Alliance @gabacho4

                        @gabacho4 just manually removed the older package versions and manually reinstalled and all is well. Not as convenient as having a package to select in the package manager, but easy enough still and nice to be on current.

                          brians @gabacho4

                          @gabacho4 Thanks, I will just wait until the official release. Was just curious because of the different version numbers with pfSense+ and CE.
                          Having said that, wonder if it will support the ARM devices, e.g. SG3100.

                            vajonam Rebel Alliance @brians

                            @brians yup, it should support ARM devices, assuming NG will build the WireGuard kmods for all architectures. The WG pfSense package (UI) really has no dependency on architecture.

                              brians @vajonam

                              Wow, I upgraded SG5100 to 21.05 last night, this morning I manually installed WireGuard 0.1.2.
                              Took me a few minutes of fiddling with my iPhone, and memories of how I set it up before. There are a few differences in assigning the interface etc., but it is very simple and I had no problems except forgetting to add a firewall rule on the interface, which is probably very common LOL.

                              Later will setup a 2nd SG5100 and do site to site test.

                              Let's hope this gets updated into official packages in the GUI because it's still at 0.0.8. I did notice the package no longer shows up as available in the GUI on my pfSense if I have installed manually, which is a good thing I suppose!

                                cmcdonald Netgate Developer @brians

                                @brians said in WireGuard lives!:

                                except forgetting to add firewall rule on the interface which is probably very common LOL.

                                This might be a good argument for adding associated pass rule creation as a feature when creating a tunnel, similar to what is done for port forwarding.

                                  tquade @cmcdonald

                                  @theonemcdonald I ran into a similar issue and strongly support your thoughts. In my view a good model to follow is that set out for IPsec and OpenVPN, particularly with regard to outbound NAT rules when setting up a server.

                                  Ted Quade

                                    brians @cmcdonald

                                    @theonemcdonald

                                    But is it possible to even make a rule before the interface is assigned? Don't you still have to go and select/assign it after making the tunnel?

                                      brians

                                      What is the purpose of Interface addresses?
                                      When I assign to an interface I assign the IP address to the interface and the values entered here previously disappear and are not used. If I un-assign they re-appear.

                                      87568326-901c-4b79-bed0-5a0d3c884f27-image.png

                                        cmcdonald Netgate Developer @brians

                                        @brians said in WireGuard lives!:

                                        What is the purpose of Interface addresses?
                                        When I assign to an interface I assign the IP address to the interface and the values entered here previously disappear and are not used. If I un-assign they re-appear.

                                        This is for configuring WireGuard tunnels that are not assigned to a pfSense interface. Yea that is a bit confusing. But basically you can have two different types of WireGuard tunnels, which sort of depend on what you intend to do with them. It is possible to build WireGuard tunnels that aren't associated with a specific pfSense interface. These WireGuard tunnels are filtered using the "WireGuard" interface group. The addresses for unassigned tunnels are configured through the WireGuard UI. However, once you assign a WireGuard tunnel to a pfSense interface, pfSense takes over the address assignment, so the WireGuard UI changes to reflect that... and instead you're left with a link to the native pfSense UI for configuring addresses:

                                        We do this because we don't want to step on pfSense's toes when it comes to things that it should be handling.

                                        5be9f6b4-0ce9-46a4-978c-6acba1c49206-image.png

                                        41a6cdf9-459f-45df-9b91-7e9133e5cbac-image.png

                                        06c6b9eb-03e2-4c41-9b31-ff7a06666129-image.png

                                          brians @cmcdonald

                                          @theonemcdonald OK, thanks. Can you give me an example of your first tunnel named Remote Access?

                                          I have my iPhone set up with an actual interface; is there a way to make it simpler without assigning an interface like this?

                                            cmcdonald Netgate Developer @brians

                                            @brians

                                            2140cf69-ea3e-4c31-bd72-e55604ef4146-image.png

                                            ea17e9d2-ab5b-45b7-90f8-63c390cdb01c-image.png

                                            6380d096-36da-472a-80cc-491a9cb2373a-image.png

                                            fd6e2446-7bb1-4076-a7d9-55fc6135083d-image.png

                                            b8c7cb08-812c-4e9b-ac0f-b7c62f0da9cb-image.png

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.