
Routes for enabled Wireguard peers are created irrespective of their connection status. #8071

Open
einalex opened this issue Nov 19, 2024 · 0 comments
Labels
support Community support

einalex commented Nov 19, 2024

Describe the bug

When adding and enabling wireguard peers, upon applying changes, routes to all enabled wireguard peers are created. This includes routes to unconnected wireguard peers, i.e. it includes erroneous routes.

This means that connections to temporarily not directly connected peers fail, even if there is a connection possible via a forwarding proxy peer (with the vpn subnet as allowed ip).

If such a not-directly connected peer is either disabled (which removes the erroneous route) or directly connected (which makes the erroneous route correct), it can be reached again.

To Reproduce

Steps to reproduce the behavior:

  1. open a shell to opnsense
  2. run 'route monitor'
  3. in the web ui, create a wireguard instance
  4. save your work
  5. create a peer entry, keep it disabled, do NOT actually set up another wireguard instance somewhere for that peer, apply
  6. see that for this peer no direct route shows up in monitoring, which is correct
  7. now enable the peer, apply
  8. see that now, a route is created for the peer, although it is offline, which is incorrect.

Expected behavior
Create routes for peers when they connect, and remove those routes when they disconnect.

Describe alternatives you considered

Running wireguard outside opnsense, but that leaves the problem for everyone else.

Additional context

Wireguard on linux (wg-quick) adds routes upon peer connection and removes routes upon peer disconnection, as should be the sane approach to route creation. It does not create routes to peers' vpn addresses as far as I can tell, which opnsense wireguard seems to do...

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 24.7.8-amd64

@AdSchellevis AdSchellevis added the support Community support label Nov 19, 2024
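The reproduction steps above show the symptom with `route monitor`, but on a running box the practical question is which of the installed allowed-ip routes currently point at a peer that has never completed a handshake or whose last handshake is stale. The script below is an added example, not code from this issue, from the reporter, or from OPNsense: it parses the text formats of `wg show <if> allowed-ips` and `wg show <if> latest-handshakes` and lists the peers whose routes exist but whose session is absent or older than a threshold. The function name `stale_peer_routes`, the 180 s default and the sample listings are assumptions made for the example; the public keys in the samples are placeholders.

```shell
#!/bin/sh
# Added example (not code from the issue or from OPNsense): given the output
# of `wg show <if> allowed-ips` and `wg show <if> latest-handshakes`, list the
# peers whose allowed-ip routes are installed but whose last handshake is
# absent or older than MAX_AGE seconds. On a live box you would call:
#   stale_peer_routes "$(wg show wg0 allowed-ips)" "$(wg show wg0 latest-handshakes)" "$(date +%s)"

# Constructed sample output. Public keys are placeholders, not real peers.
# Each line is: <public key> <allowed-ip> [<allowed-ip> ...]
SAMPLE_ALLOWED='peerA_pubkey= 10.10.0.2/32
peerB_pubkey= 10.10.0.3/32 10.10.0.0/24
peerC_pubkey= 10.10.0.4/32'

# Each line is: <public key> <unix time of last handshake, 0 = never>
SAMPLE_HANDSHAKES='peerA_pubkey= 1700000000
peerB_pubkey= 0
peerC_pubkey= 1699999000'

# Usage: stale_peer_routes ALLOWED_IPS_TEXT HANDSHAKES_TEXT NOW_EPOCH [MAX_AGE_SECONDS]
# Prints one line per stale peer: "<public key> <age in seconds|never> <allowed-ips>".
# MAX_AGE defaults to 180 s (assumed here; it matches WireGuard's
# reject-after-time, after which a session without a fresh handshake is dead).
stale_peer_routes() {
    allowed=$1; handshakes=$2; now=$3; max_age=${4:-180}
    # Feed both listings to one awk run, separated by a marker line.
    printf '%s\n---\n%s\n' "$handshakes" "$allowed" |
    awk -v now="$now" -v max="$max_age" '
        BEGIN { section = "handshakes" }
        $0 == "---" { section = "allowed"; next }
        NF == 0 { next }
        section == "handshakes" { last[$1] = $2 + 0; next }
        {
            key = $1
            ips = $0; sub(/^[^ \t]+[ \t]+/, "", ips)   # everything after the key
            if (!(key in last) || last[key] == 0) {
                # Route exists, but this peer never completed a handshake.
                printf "%s never %s\n", key, ips
            } else if (now - last[key] > max) {
                # Route exists, but the session has gone stale.
                printf "%s %d %s\n", key, now - last[key], ips
            }
        }'
}

# Stand-alone demo on the constructed data, at a pretend "now" of 1700000100.
stale_peer_routes "$SAMPLE_ALLOWED" "$SAMPLE_HANDSHAKES" 1700000100
```

On the constructed data peerA handshook 100 s ago and is not listed, peerB has never handshaken and is reported as `never`, and peerC is reported with an age of 1100 s. The script only identifies the entries; it does not touch the routing table, so it is safe to run on a production firewall while investigating the behaviour described in this issue.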