opnsense / tools

OPNsense release engineering toolkit
https://opnsense.org/
BSD 2-Clause "Simplified" License

kernel: disable WireGuard support to bring back wireguard-go use #376

Closed kuya1284 closed 10 months ago

kuya1284 commented 11 months ago

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug

After upgrading to OPNsense 23.7, any UDP Broadcast Relay that includes a WireGuard interface will no longer start. Prior to this release, there were issues with including a WireGuard interface with the kmod version. The workaround was to use the go version instead, as mentioned in the comments in opnsense/plugins#3303. Unfortunately, os-wireguard-go is no longer a viable workaround because it results in the following error:

ioctl(SIOCGIFBRDADDR): Invalid argument

To Reproduce

Steps to reproduce the behavior:

  1. If they aren't already installed, install both the os-wireguard-go and os-udpbroadcastrelay plugins
  2. Ensure that a WireGuard interface is configured (i.e. following the Road Warrior Guide)
  3. Go to Services > UDP Broadcast Relay
  4. Add a new relay or edit an existing relay. The following is an example (assuming the WireGuard interface is called WG1):

     Enabled: Checked
     Relay Port: 1900
     Relay Interfaces: LAN, WG1
     Broadcast Address: 239.255.255.250
     Instance ID: 1
     Description: Test

  5. Click Save, then confirm that the row highlights in yellow
  6. Alternatively, SSH to the firewall
  7. Execute the following command:

     $ ifconfig

     # Take note of the name of the WireGuard interface. For this example, wg1 will be assumed.

     $ sudo /usr/local/sbin/udpbroadcastrelay -f --id 1 --port 1900 --multicast 239.255.255.250 --dev wg1

  8. The following error will appear:

     ioctl(SIOCGIFBRDADDR): Invalid argument

Expected behavior

When starting the relay from the GUI, the row must highlight in green to confirm that the relay was configured properly and that the service started. When attempting to start the relay via command-line, it must execute without an error message appearing.

Screenshots

See opnsense/plugins#3303 for examples.

Relevant log files

Available upon request.

Additional context

N/A

Environment

OPNsense 23.7.1_3 (amd64)
UDP Broadcast Relay 1.0_3
Intel Celeron J4125

fichtner commented 11 months ago

To be frank this needs to stop. If WireGuard maintainers don't consider WireGuard to be a broadcast-capable interface you simply cannot run a broadcast daemon on it.

kuya1284 commented 11 months ago

One observation that I just noticed is that /var/run/wireguard/wg1.sock is no longer getting created once the process starts. This could be relevant.

oli-h commented 10 months ago

@kuya1284

> To be frank this needs to stop. If WireGuard maintainers don't consider WireGuard to be a broadcast-capable interface you simply cannot run a broadcast daemon on it.

As already explained: os-udpbroadcastrelay worked with os-wireguard-go in OPNsense versions <23.7. So this does not look to be a problem like "WireGuard is not broadcast-capable".

fichtner commented 10 months ago

The issue here is that FreeBSD 13.2 added WireGuard to the kernel and wg-quick will use it:

https://github.com/WireGuard/wireguard-tools/blob/master/src/wg-quick/freebsd.bash#L117-L129

Maybe we have to remove WireGuard from the kernel then to get this fixed. I prefer the wireguard-kmod package anyway.