@LaUs3r ,Hi yes, I followed the Surfshark WireGuard guide and now it’s working. Earlier, the guide steps were too superficial so I kept missing things, but in the end the Surfshark WireGuard guide worked. However, the default gateway issues still remain WireGuard is not working as the default gateway only when WANDHCP is default gateway the handshake is formed Anyway i switch to openvpn, the setup i was working on it is to make nested multi hop vpn the built now looks like this: pfSense#1 → [Veepn OpenVPN1 UDP → (lan segment of pfsense #1 connted to pfSense#2) → pfSense#2 OpenVPN2 UDP] → (lan segment of pfsense #2 connected to windwos vmware) → vmware windwos Internet • pfSense#1 has my Local ISP WAN Connected • There is no WAN connected to pfSense#2 only lan segment of pfsense #1 connected I’m using OpenVPN UDP on both pfSense firewalls, each with a different VPN provider the first one is VeePN and the second one is Surfshark. For the whole setup, I followed Lawrence Systems’ guide.

Great. Thanks for the info.

@tinfoilmatt Thanks! I have done that and it worked when forcing just her TV out the Centurylink.. My problem is my local box here. Im missing something because I can not get it to pass traffic from the WAN to the Wireguard tunnel. Ive got some time today so will chip away on my lab setup to see if I can finally accomplish it here first.

Hi @patient0, Already fixed :) reset and preformed a full new installation. The peer can connect and performed a successful Handshake, and ping pfsense, wireguard and lan servers. However psfsense and my Lan servers can't ping this peer even with the handshake performed. I know that ping can be misleading but don't now what else.

@patient0 said in The service show not running but client can connect to wireguard server.: Oh, I see, I didn't realize that the same issue existed on CE. I would like to say, CE user stumbled at first about the issue... (to check above)

@RNM-0 Thanks for your comment and sharing your fix. Unfortunately I don't want to take down pfsense and downgrade versions. I'm currently fine at the moment since I'm using Tailscale and that works. I also fixed the other crash I was having with pfblocker by changing a line code that wasn't pushed out under this version. Hopefully the stable release won't take too long to release but it appears there's still some open bugs that need to be fixed before that happens, and ironically, both the pfblocker and wireguard issues aren't on that list of bug fixes.

@chpalmer okay so here is the update. I was able to get all my wireguard servers handshaking, my two personal tunnels and my one nord. I have full access to to my lan with my personal tunnels but I now dont have nord routing any traffic through its tunnel. I try to make a lan rule route one ip through nord and make one NAT rule and nothing. I lose internet on my one ip when I try and make a rule to use the nordvpn gateway

Found a solution: When using the desired outbound address in the outbound nat rule for translation directly, instead of using an alias ip, it seems to work as desired.

Yeah, I'm dumb. The tunnel CID was /29. I just read that only 6 IPs are possible with /29. After I changed the tunnel network to /28, everything works as desired. Well, maybe it will help someone else. Gosh, I'm so embarrassed. XD

@Bronko Thank you very much. I tried adding a route to the device server - unfortunately it wont let me set static routes on tunnel interfaces - but I contacted the manufacturer here and hope he has a solution. I will keep this thread updated and let you know of the outcome

@Bronko The command output of pfctl -vvsr | grep 100000101 is: @2 block drop in log inet all label "Default deny rule IPv4" ridentifier 1000000101 But as I have a rule above saying allow any, this shouldn't happen!

@Bob.Dig I will work on some pics but it's been in a state of evolution as a test network running another scenario at the moment - but when I can switch it back to this I was looking for some things to focus on and try. I used an interface group for NAT rules because one of the tutorials I read showed to do that and said create a group or do rules for every one. Seemed like a group would be best practice then for larger numbers - but you you recommend to just do a NAT entry for each instead?

@hfederau good manual to recheck setup -> https://www.wundertech.net/how-to-set-up-tailscale-on-pfsense/

@powerguy42 how?

resolved! Issue was the following I corrected a few things on your config: Your Outbound NAT configuration was malformed. I corrected it to utilize Hybrid mode and configured a single Outbound NAT for your Wireguard connection, which should be much cleaner. I updated your routing table to be Automatic and switched to Policy-based routing within the firewall rules under Firewall --> Rules --> LAN I updated the name of the interface for the Wireguard tunnel to be called TORGUARD and set the MSS clamping to 1350. This can probably be bumped back up to 1400, but I wanted to make sure the clamping was small enough to avoid fragmentation. I cleaned up some redundant firewall rules and a few other "odds and ends".

@HFADmin If it is no Site2Site-VPN then you don't need any gateways in the first place... If that is true but you want to monitor the connection then you could create dummy-gateways just to ping the remote ip-addresses.