Hi there

• Paul B. Henson [2024-03-20 05:40]:
We're using wireguard to set up VPN connections from various systems
deployed on-prem at customer sites to central openbsd boxes to route
internal traffic between the remote boxes and the internal network.

After a fresh reboot with a given configuration, everything works great.
The problem we have is when we later add or remove a remote system and
try to reconfigure the wireguard interface on the central servers.

Sometimes the new system just won't work, or oddly the new system works
fine but an existing system that was working breaks 8-/. When that
happens, we generally have to reboot it, at which point everything
works.

I've seen some issues too, but have not identified a reproducible pattern. What I've seen, however, is that WG packets start flowing when the other end of the connection pings back, so in my setup with a central VPN server I make it ping all the peers' WG IP addresses periodically:

#!/bin/sh
# Walk every peer's /32 allowed-IP (wgaip) on wg1 and ping it once, so the
# peer replies and its WireGuard session starts passing traffic again.
ifconfig wg1 | \
    grep wgaip | \
    awk '{print $2}' | \
    grep '/32$' | \
    sed 's/\/32//' | \
    sort | while read -r x; do
  ping -w 1 -c 1 "$x" 2>&1
done

and then each peer also pings the server's WG IP periodically.

Occasionally ifconfig on the wg interface just wedges completely. When
that happens, it won't reboot cleanly, we have to hard reset it.

I've seen lockups upon destroying wg interface, but not during normal operations (i.e. leaving wg alone).

Has anyone else seen this type of behavior? I'm not sure how common it
is to have regular ongoing changes to wireguard like we are doing, so it
might not pop up often.

Thanks much...
