wireguard policy routing broken after 25.07
-
I posted the original in the wrong forum.
My setup was working since wireguard was first introduced.
I have wireguard as primary and openvpn as failover VPNs, as default routes on a number of bridged vlans. Everything was working fine until either 25.07.01 (I believe it was then when it started).
- wireguard tunnel and handshake are up
- you can ping from pfsense through wg
- for the client, ping hangs and SSL returns an SSL error.
In the post below, you can see
- pings leave wg but come back via the wan
- changing the gateway to openvpn, everything works
The observable behaviour changes:
- previously the wg interface was 10.2.0.2/32 and gateway none
- routing / gateway defined as 10.2.0.1
- now, if you edit the gateway, it doesn't allow you to save. It reports the gateway is not in the network (unless you change the mask to 30)
- the other consequence seems to be, whenever editing a gateway/interface, the wireguard connection goes down. It has to be restarted by switching the default gateway and then switching back, which causes wg to come back
https://forum.netgate.com/topic/199299/wireguard-protonvpn-policy-routing-broken-since-25.07.01
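To confirm the "pings leave wg but come back via the wan" symptom from captures rather than by eye, here is an added helper (not from the thread or from pfSense) that pairs ICMP echo requests with their replies across per-interface tcpdump output and flags the pairs whose reply arrived on a different interface. The interface names, addresses and capture lines are constructed assumptions.

```python
import re

# Constructed sample: tcpdump-style lines from two captures on the firewall,
# each prefixed with the interface it was taken on (names are assumptions).
SAMPLE_CAPTURE = """\
tun_wg0 10:00:01.000100 IP 10.2.0.2 > 1.1.1.1: ICMP echo request, id 4242, seq 1, length 64
vtnet0 10:00:01.020300 IP 1.1.1.1 > 203.0.113.10: ICMP echo reply, id 4242, seq 1, length 64
tun_wg0 10:00:02.000100 IP 10.2.0.2 > 1.1.1.1: ICMP echo request, id 4242, seq 2, length 64
vtnet0 10:00:02.020300 IP 1.1.1.1 > 203.0.113.10: ICMP echo reply, id 4242, seq 2, length 64
tun_wg0 10:00:05.000100 IP 10.2.0.2 > 9.9.9.9: ICMP echo request, id 4343, seq 1, length 64
tun_wg0 10:00:05.031000 IP 9.9.9.9 > 10.2.0.2: ICMP echo reply, id 4343, seq 1, length 64
vtnet0 10:00:06.000000 IP 203.0.113.10.51234 > 198.51.100.7.443: Flags [S], seq 1, length 0
"""

# Only ICMP echo lines are of interest; anything else (e.g. the TCP SYN above) is skipped.
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def find_asymmetric_replies(capture: str) -> list[dict]:
    """Pair each ICMP echo reply with the request carrying the same id/seq and
    report pairs whose reply arrived on a different interface than the one the
    request left on. Merged capture lines are sorted by timestamp first so a
    reply is always processed after its request."""
    parsed = [m for m in map(LINE_RE.match, capture.splitlines()) if m]
    parsed.sort(key=lambda m: m["ts"])  # same-day HH:MM:SS.ffffff sorts lexically
    egress_by_echo: dict[tuple[int, int], str] = {}
    findings = []
    for m in parsed:
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            egress_by_echo[key] = m["iface"]
            continue
        out_iface = egress_by_echo.get(key)
        if out_iface is not None and out_iface != m["iface"]:
            findings.append({"id": key[0], "seq": key[1], "peer": m["src"],
                             "out_iface": out_iface, "in_iface": m["iface"]})
    return findings


def asymmetric_peers(capture: str) -> set[str]:
    """Distinct remote hosts whose replies took a different path than the requests."""
    return {f["peer"] for f in find_asymmetric_replies(capture)}


if __name__ == "__main__":
    for f in find_asymmetric_replies(SAMPLE_CAPTURE):
        print(f"echo id {f['id']} seq {f['seq']} to {f['peer']}: "
              f"left via {f['out_iface']}, reply came back via {f['in_iface']}")
```

Feed it the output of a capture on the WireGuard interface and one on the WAN, each line prefixed with its interface name; an empty result for a given peer means request and reply used the same interface.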
-
@4o4rh said in wireguard policy routing broken after 25.07:
https://forum.netgate.com/topic/199299/wireguard-protonvpn-policy-routing-broken-since-25.07.01
Working perfectly fine here. To set a gateway, in general it has to be in range of the network, nothing new here. And policy routing is not specific to WireGuard. If it is working for OpenVPN, it does for WireGuard as well.
-
@Bob.Dig - GW is not the issue. I deleted the GW, Interfaces, etc. and recreated.
For the gateway I forget to tick the advanced option "Use non-local gateway through interface specific route."
But doesn't make any difference, traffic is still going out wg, but coming back via wan.
I also tried changing the NAT Outbound rules to use actual network range/addresses rather than the inbuilt alias (per another comment about alias not working) - No effect. It is definitely wireguard related.
I have tried a raw interface not part of a bridge or vlan and it also doesn't work, but if the gateway is switched to openvpn it works
-
@4o4rh said in wireguard policy routing broken after 25.07:
It is definitely wireguard related.
You might have a misconfiguration of WireGuard. Also WireGuard in pfSense doesn't work that good with some Privacy-VPN-Providers. I would start without using a Gateway Group and only one WG-Tunnel configured. And post some more pictures in your original thread. As a start, MTU and MSS on the WireGuard-Interface in pfSense should be set to 1420 unless you also use IPv6 to connect to endpoints and are using PPPoE at the same time, then it should be set to 1412 for both.
-
@Bob.Dig
Did you not see the beginning of the post?
I have been using this setup with protonvpn since wireguard was first in pfsense.
it suddenly broke after the 25.07.01 upgrade
I deleted and re-created the settings in case it was a corruption in the xml.
but that didn't help.
The initial symptoms were the SSL errors on the clients. I originally thought it was an MTU/MSS issue but have discounted that.
At the moment, I am trying to get it working again, on a single eth wan (MTU 1420) and using only the direct gateway.
-
@4o4rh I am using Proton too and it does work but only one tunnel. The rest I do with OpenWRT...
Here is a screenshot of that interface. I don't use the Proton DNS-Servers.

-
@Bob.Dig Why is your upstream gateway the same as the interface address? All of the docs on setting up for protonvpn have 10.2.0.2/32 as the address and 10.2.0.1 as the gateway, which is the way it was working for me.
-
@4o4rh Give it a try, as long as you don't use their DNS-Servers. And try that with the second tunnel as well. But again, there are problems with ProtonVPN and more tunnels. But that is not a general policy routing problem, it is specific to some Privacy-VPNs, I am with you on that.