Hello all, I’m experiencing a strange problem with wireguard. I have a sys-vpn appVM which I use to, well, set up VPN connections. This appVM is directly connected to sys-firewall and all appVMs that need to pass through a VPN are connected to it.
This setup ran fine until recently, when I switched my router for a pfsense box. I set up wireguard on my appVM as follows:
[Interface]
PrivateKey=sys-vpnPrivateKey
Address=10.21.10.2/24
DNS=****
[Peer]
PublicKey=pfSensePubKey
PreSharedKey=****
AllowedIPs=10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16,10.50.0.0/16,10.60.0.0/16,10.21.10.0/24,10.21.20.0/24
Endpoint=VPNAddress:51820
PersistentKeepalive=25
As you can see, this is nothing fancy. The stuff in AllowedIPs is because I need to access a whole lot of other subnets when I use the VPN.
My problem is the following: everything works ok, until I start the VPN. At that point, I start losing packets, e.g. by pinging random addresses I start losing pretty much immediately up to 50% of the pings, and latency goes up from 20ms to well over 1.5s.
Notably, this is also true if I ping addresses outside the AllowedIPs range, such as 8.8.8.8 or 1.1.1.1.
Even more notably, after I turn off the VPN the problem persists, and the only way I found to have internet back again is by killing the appVM and starting it again.
I configured other peers to use the wireguard VPN on PfSense (e.g. android devices) and I had no problems, so this seems to be Qubes specific. I have no clue as for what could be causing this. Any ideas?