Skip to content

wireguard-s2s-howto: Keepalive interval requirement #691

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

wireguard-s2s-howto: Keepalive interval requirement #691

wants to merge 1 commit into from

Conversation

philtlp
Copy link

@philtlp philtlp commented Apr 5, 2025

Added a note emphasizing the importance of configuring the Keepalive interval for at least one peer when setting up a wireguard Site-to-Site VPN with two OPNsense firewalls. Without this configuration, the connection will not be initiated, and the VPN will fail to establish.

docs: clarify Keepalive interval requirement for wireguard Site-to-Si…
28c4176 
…te VPN

Added a note emphasizing the importance of configuring the **Keepalive interval** for at least one peer when setting up a wireguard Site-to-Site VPN with two OPNsense firewalls. Without this configuration, the connection will not be initiated, and the VPN will fail to establish.
@Monviech
Copy link
Member

Monviech commented Apr 7, 2025

Is that really true? As soon as there is an peer with an endpoint configured, wireguard should send handshakes to the peer as soon as there is matching traffic to be sent.

The keepalive interval is to mitigate NAT traversal issues.

https://www.wireguard.com/quickstart/

  • NAT and Firewall Traversal Persistence (section)

I think you did not have any matching traffic and thus the tunnel did not come up because it did not need to come up. The keepalive thus forces the tunnel to come up as it initiates traffic through the tunnel.

@philtlp
Copy link
Author

philtlp commented Apr 7, 2025
edited
Loading

I followed the tutorial from the docs multiple times and did not get it to work.
After i came across a post which was mentioning this option, the tunnel worked the second i set this option.

Edit: It is true that i had no matching traffic during the setup phase. I did not know that a packet has to match in order for the tunnel to come up. It is quite hard to troubleshoot, debug a wireguard session as there are very little logs. It is not mentioned anywhere that for the tunnel to come up a packet has to match. (With the Keepalive interval option the tunnel does come up with not packet matching)

@Monviech
Copy link
Member

Monviech commented Apr 7, 2025

I'm interested about the following:

  • Was either OPNsense behind a NAT itself?
  • Were there missing inbound firewall rules? (The keepalives on both sides might have created states for the return traffic)
  • Did you try initiating a ping from both sides at the same time to a target on the other side, and see if it had the same effect as setting the keepalives?

I have created quite a lot of wireguard tunnels between firewalls and having the keepalive as requirement if no NAT traversal or states must be first established is curious.

@Monviech
Copy link
Member

Monviech commented Apr 7, 2025

Oh I missed your first edit.

Wireguard in itself is not a "session", as a session happens with TCP. Wireguard is UDP and stateless, thus it is quite like "throw packets in a direction and hope they reach their target, and if not then shrugs"

It's why IPsec is still a good choice. Well I'm glad we could figure this out. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@philtlp @Monviech