OpenVPN isn't necessarily "constant" in that way, it occasionally has to renegotiate as well.

WireGuard does not work the way you imply. It is for all intents and purposes connectionless. There may be a handshake but it's completely transparent. The VPN is always "active" and any packet that tries to use it will handle that negotiation in the background if it hasn't had a recent handshake and so on.

There isn't any sense of it being "disconnected" where traffic would take some other path.

Ok, it's working now, I forgot to add a rule on the appropriate LAN interface to allow connections on the Wireguard port.

I'm sorry about that.

@knightzhang625 gfw blocked wireguard

@thondwe said in Wireguard Firewall Rules:

Assume the benefit of assigning would come into play with multiple tunnels with a need for different rules then? e.g. Test + Production? Or when using a site-to-site setup??

Exactly. And how often do you have multiple remote access tunnels on the same system? Usually one would just make one RA tunnel with a big enough subnet for however many users they would need. So no real need for an interface.
But site to sites definitely benefit from the separate rules.

@sprout0002 the same thing is occuring with me trying to set it up with NordVPN. Wireguard generates the wrong public key for the private key I'm entering. Did you find a fix or way to enter your public key from proton?

@reza-mnp - settings / enable wireguard - that is it done.

@koenh No problem.
Glad you got it fixed and believe me, the Wireguard wording is confusing at best!

@jarhead i will not have access for the next 5 days. I will take a look again afterwards.

I've set up Wireguard on a Linux laptop running Ubuntu 22.04. I've tethered it through my phone's mobile data service, and then started the Wireguard connection on the laptop. That seems to be working fine — I can access the pfSense web admin page; I can download large test files from my test device; I can upload large files via SSH.

So, that indicates the problem is really with the Android Wireguard app, while the pfSense Wireguard implementation is fine.

@michmoor I Do have multiple WAN connections. I have the wireguard only using one WAN connection though.

@keyser Reboot of the netgear router will be the first thing i try the next time this issue occurs. I had never thought about the possibility of the issue being on the netgear router before, so ill be testing and verifying that next time.

@jarhead Thanks for clarifying that. I guess it's not possible with WireGuard. I know I can do it with OpenVPN, but throughput is not that great.

@bob-dig Thank you very much! I will try that.

@bob-dig the reason I suspect the Realtek LAN driver is tied to WG is due to the fact I didn't change ANY settings other than swapping the interfaces between LAN and WAN. Wireguard tunnels, routing and firewall rules all remained exactly the same as before (when I changed things, I always tried to change 1 thing at a time so I know what each change's effects were).

Due to this experience, I just bought another M.2->LAN adapter with Intel chipset this time for my Intel Nuc. I will swap my Realtek adapter (currently running as WAN) and try a few more experiments to see if it had something to do with the m.2->LAN issue or not.

FYI, this issue seems to be resolved in pfSense Plus - I tested it today, after upgrading. So it's "broken" in CE (only)?

Thanks!