core icon indicating copy to clipboard operation
core copied to clipboard
verified publisher icon opnsense

wireguard peer status: confusing status icon

Open daudo opened this issue 8 months ago • 11 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

If at all, this is less of a technical bug but more an usuability issue.

Since 25.x, the wireguard status page is using icons instead of text to indicate the status of a peer connection, which is generally a nice idea.

However, I recently spent hours looking for a non-existent connection problem because the icon indicating that no data traffic had been exchanged between the peers was a “red X.” In my experience, a circular “red X” usually means that something is broken or misconfigured.

In my case again, this led me to spend hours troubleshooting a non-existent problem with a new peer, as the “red X” made me think that something was configured incorrectly (wireguard, firewall rules, routing...). Ultimately, however, it turned out that the icon changed from a red X to a green check mark as soon as I sent data to the peer.

To Reproduce

To reproduce my issue create a new wg peer, and check the status page. You'll find the icon to be a "red x"

Expected behavior

Choosing a better icon would be a very good thing, maybe even using the black ? icon used for "stale" connections?

Screenshots

Image

Environment

OPNsense 25.1.6

daudo avatar May 18 '25 09:05 daudo

It means disconnected, whatever that may mean in stateless UPD. If you have a better suggestion that’s fine. It’s going to stay red though.

fichtner avatar May 18 '25 12:05 fichtner

In my opinion it only makes sense to mark "offline" when the peer has a "Keepalive interval" in which case handshakes are predictable, otherwise one can only assume when someone exchanges data if I'm not mistaken.

AdSchellevis avatar May 18 '25 12:05 AdSchellevis

Right now its:

  • There was no handshake ever = red disconnected
  • There was a handshake at leas once but its more than 5 minutes in the past = gray stale
  • There was a handshake recently = green online

I think these assumptions are reasonable right now.

Monviech avatar May 18 '25 12:05 Monviech

For reference: https://github.com/opnsense/core/pull/8337

Monviech avatar May 18 '25 13:05 Monviech

What made it difficult for me to understand what was going on was the fact that I had configuration issues initially. And so it was obvious for me that the red x translates to "connection couldn't be established" for whatever reason.

Thinking about it, I think it should be 4 states:

  1. no connection has been attempted so far (I don't know, maybe a yellow ?)
  2. connection has been successfully established, ie traffic has passed through (green tick mark)
  3. connection is broken (red x)
  4. connection is stale after 5 minutes without traffic (black ?)

Just my 2 cents 😎

daudo avatar May 18 '25 19:05 daudo

My proposal is to change the tooltips to reflect what the icons mean on mousover more clearly. I dont want to introduce more status since the current statuses are already assumptions.

Monviech avatar May 19 '25 07:05 Monviech

To be frank the confusion here arises from the fact that UDP is stateless and that's exactly what we've discussed and try to avoid in ambiguity while staying anchored in reality. 4 states for UDP is not useful, 3 states we have because people asked for similar support previously. UDP only really has 2.

Cheers, Franco

fichtner avatar May 19 '25 07:05 fichtner

Yes, can't argue about UDP being a stateless protocol and thus it being difficult to show the current state of a connection.

Maybe it is just misconception, but - generally speaking - causing as little confusion as possible is a good thing for any user interface. If it is impossible to show the correct status of a connection on the WireGuard Status(!) page, then the users should be made aware of that somehow.

I think much of my confusion stems from the "red x" icon, which traditionally is a sign that something is broken (and initially it was, in my case). So maybe even just replacing this with another icon (and updating the tooltip accordingly) would also suffice. But I've learned my lesson anyway, so I won't complain if that's not possible 😃

daudo avatar May 19 '25 07:05 daudo

Looking at the historic approaches in our code base a red color would indicate a stopped service or client for OpenVPN for example. Disconnecting clients also using an "x". I don't recall much issues about this. But point taken that we can improve this further. Should always be possible.

Cheers, Franco

fichtner avatar May 19 '25 08:05 fichtner

I thought about this but right now I do not have any good idea how to change this for the better. It also works reliably and I did not read much other feedback.

On the forum was a thread where somebody complained about stale wireguard peers, but it actually helped them to find issues with their vpn provider.

So it looks like essentially it all does its job to highlight issues.

Monviech avatar Jun 02 '25 14:06 Monviech

Lets solve this one via documentation:

https://github.com/opnsense/docs/issues/741

Monviech avatar Jun 02 '25 14:06 Monviech

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Nov 14 '25 09:11 OPNsense-bot