
Existing, foreign (non-managed) WireGuard interfaces get configured on OPNsense #3017

@simonherbert

Description

Since upgrading to Defguard 2.x on OPNsense, while a second WireGuard VPN is present outside of Defguard (created using built-in OPNsense functionality), the firewall rules Defguard creates are applied to the foreign WireGuard interface, not just its own.
Besides that, the routes created per WireGuard peer for the traditional WireGuard interface disappear (OPNsense GUI System -> Routes -> Status).

Running pfctl -a '*' -sr on OPNsense shows these rules being created (anonymized and shortened):

anchor "defguard/*" quick all {
  anchor "wg0" all {
    block drop in log on wg0 all flags S/SA
    pass in log quick on wg0 inet proto tcp from 10.0.10.8/31 to 10.0.6.0/24 port = ssh flags S/SA keep state label "RULE 14 - My-Team, DESTINATION 9 - Something ALLOW"
    block drop in log quick on wg0 inet from any to 10.0.0.0/24 flags S/SA label "RULE 9 - All, DESTINATION 4 - Some-Net DENY"
  }
  anchor "wg1" all {
    block drop in log on wg1 all flags S/SA
    (...regular rules here)
  }
}

(wg0 is the OPNsense-native interface, wg1 is the one Defguard is configured to manage.)
I wouldn't expect wg0 to appear in the defguard anchor at all.

To Reproduce
Steps to reproduce the behavior:

  1. Create a traditional WireGuard VPN in the OPNsense GUI (VPN -> WireGuard -> Instances), assign it as wg0 and set it up so that you can verify the VPN works (reach the internet or whatever)
  2. Install and set up the Defguard 2.0.1 gateway on the same OPNsense instance for interface wg1
  3. Create firewall rules in Defguard
  4. You should now be able to observe those rules also being applied to wg0
  5. If you look into the OPNsense GUI System -> Routes -> Status you might be able to see the previously created routes for wg0 peers disappear. This seems to happen after rule changes in Defguard, and fixes itself when the wg0 VPN is restarted through the OPNsense GUI (VPN -> WireGuard -> Instances -> uncheck "Enable wireguard", apply, then re-enable it and apply again)

Expected behavior
The existing WireGuard interfaces are left alone. Defguard should only manage the WireGuard interfaces it is configured to manage.

Version information

  • Defguard Core version: 2.0.0
  • Defguard Gateway version: 2.0.1
  • Operating system and version running the gateway: OPNsense 26.1.8_5-amd64 on FreeBSD 14.3-RELEASE-p12.
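The quickest way to confirm the behaviour described above on an affected box is to look at which interface anchors pf has nested under the "defguard/*" anchor and compare them with the interfaces the gateway is supposed to own. The script below is an added diagnostic, not code from the issue reporter or from the Defguard project: it parses the output of the pfctl command quoted in the report, and the SAMPLE_RULES text is a constructed sample modelled on that output. The interface name wg1 as the managed interface is an assumption taken from the report.

```shell
#!/bin/sh
# Added diagnostic (not part of the original report): list the interface
# anchors nested inside pf's "defguard/*" anchor and flag any that are not
# among the interfaces Defguard is configured to manage.

# Constructed sample, modelled on the pfctl -a '*' -sr output in the report.
SAMPLE_RULES='anchor "defguard/*" quick all {
  anchor "wg0" all {
    block drop in log on wg0 all flags S/SA
    pass in log quick on wg0 inet proto tcp from 10.0.10.8/31 to 10.0.6.0/24 port = ssh flags S/SA keep state label "RULE 14"
  }
  anchor "wg1" all {
    block drop in log on wg1 all flags S/SA
  }
}'

# defguard_anchor_ifaces: read pfctl -a '*' -sr output on stdin and print the
# name of every anchor nested directly inside "defguard/*", one per line.
defguard_anchor_ifaces() {
  awk '
    # enter the defguard anchor; its own line must not be treated as nested
    /^anchor "defguard\/\*"/ { inside = 1; next }
    # an unindented closing brace ends the defguard anchor
    inside && /^}/ { inside = 0 }
    # nested anchor lines look like:   anchor "wg0" all {
    inside && /^[[:space:]]*anchor "[^"]+"/ {
      match($0, /"[^"]+"/)
      print substr($0, RSTART + 1, RLENGTH - 2)
    }
  '
}

# foreign_ifaces MANAGED...: read rules on stdin, print every nested anchor
# whose name is not one of the MANAGED interface names, and return 1 if any
# such foreign interface was found (0 otherwise).
foreign_ifaces() {
  found=0
  for iface in $(defguard_anchor_ifaces); do
    managed=0
    for m in "$@"; do
      [ "$iface" = "$m" ] && managed=1
    done
    if [ "$managed" -eq 0 ]; then
      echo "$iface"
      found=1
    fi
  done
  return $found
}

# Demo on the constructed sample: wg1 is the managed interface, so wg0 is
# reported as foreign.
printf '%s\n' "$SAMPLE_RULES" | foreign_ifaces wg1 \
  || echo "foreign interface(s) present under the defguard anchor"
```

On the firewall itself, run it as root with the live ruleset instead of the sample, i.e. `pfctl -a '*' -sr | foreign_ifaces wg1`; an empty result with exit status 0 is what the expected behaviour in this issue corresponds to. The check deliberately keys on anchor names rather than on the `on wgN` clauses of individual rules, since a rule placed in the wrong anchor is the symptom the report describes.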

Labels: bug
Status: In Progress