I forgot to mention that I used https://dnsleaktest.com to test for DNS leaks and configured the browser to use my default resolver.

@emnul I don’t know if this was a typing mistake but I see form your post that your WG_TEST tunnel is listening to port 52821 and your iOS device is trying to connect to 51821. These should match for both Tunnel and Peer

VPN Wireguard Tunnels:
tun_wg1
Address / Assignment: WG_TEST
Listen port: 52821

And your peer is:
[Peer]
pubKey = MY_PUB_KEY (i've confirmed it matches config in pfSense)
Endpoint = MY_IP:51821
AllowedIPs = 0.0.0.0/0

You MUST have your WG_TEST (tun_wg1) Interface /24 and your Peers as /32.

Based on the info you provided on your first post, this is how your WireGuard and Peer SHOULD look like:

Tunnel Setup:

VPN > WireGuard > Tunnels > Edit tun_wg1 Description: WG_TEST Listen Port: 51821 Interface Keys: [Auto-generated]

Interface Setup:

Interfaces > WG_TEST IPv4 Configuration Type: Static IPv4 IPv4 Address: 172.26.2.1/24 MTU: 1420

WAN Firewall Rules:

Firewall > Rules > WAN Action: Pass Protocol: UDP Source: Any Destination: WAN Address Port: 51821 Firewall > Rules > WG_TEST Action: Pass Protocol: Any Source: WG_TEST Destination: Any

Outbound (Hybrid Mode) Setup:

Firewall > NAT > Outbound Interface: WAN Source Network: 172.26.2.0/24 Destination: Any Translation: WAN Address

For Peer Config (in WireGuard):

VPN > WireGuard > Peers Description: iOS Device Tunnel: WG_TEST Allowed IPs: 172.26.2.2/32 Endpoint: Dynamic

On your iOS WireGuard App:

[Interface] PrivateKey = [Auto Generated] Address = 172.26.2.2/24 DNS = 9.9.9.9 MTU = 1420 [Peer] PublicKey = [Auto Generated] PresharedKey = [Auto Generated] AllowedIPs = 0.0.0.0/0 Endpoint = WAN IP:51821

If you are still having an issue:

This is the YouTube video I used to setup my WireGuard and it's been working flawlessly for 2+ years.

How to Install WireGuard on pfSense (Tutorial)

Follow it from start to finish in its entirety and set up as in the video. Made the mistake of cutting the video short thinking I was done but my WG was refusing to connect.

I suggest you configuring all of the IPs as in the video to get an undertsanding and a working config, then modify as you like (with your desired 172.26.2.0/24 IPs).

@pfsenserich said in Wireguard 0.2.9 - pfSense 24.11 - service issues since upgrade from 24.03:

I have confirmed if you reboot with wireguard up it crashes after reboot.

have you tried stopping the wireguard service then rebooting and seeing if it comes up without errors?

am not overjoyed at the fact I had to disable the daily cron reboots to stop this issue, but it is what it is.

whats more troubling is the lack of replies to this thread.

Will be opening a support ticket on this one eventually, just for Sh... an G.....

I tried it. I stopped the WG service and restarted the PF Sense. But even so, I can only get the service to work again by reinstalling the Wiregard package.

@gguglielmi said in pfSense CE Wireguard Throughput:

Does anybody knows if there's a difference between Plus and CE for Wireguard?

Hardware encryption support is different

@oddussiben-3161 The apparent lack of anything else (host route). I attempted to set up this configuration on an Ubuntu machine using Wireguard.

@LaUs3r When
I check logs (status > system logs > firewall) and see nothing relevant. I edit names and all personnal info (giving names can lead to security breach. in my opinion)

@LaUs3r the static route is shown in the 3rd screenshot

@Bob-Dig Allowed ips are 0.0.0.0/0 on both sides.

@Bob-Dig

EDIT:

Changing the default gateway under the "Routing" tab again caused the remote site to be inaccessible via the S2S VPN.

@Bob-Dig
Wonderful ! Much easier than I thought !
I just followed a tutorial which told me to do so.

Thank you very much !

@BNetworker said in Wireguard Package re-install failing:

I updated to 24.11. That resolved it. So, it appears the wireguard 0.2.9 package is incompatible with 24.03?

This worked for me. would be nice if it warned, or did not let you update the package that isn't supported :(

Ohhh i forgot the gateway.

Its working now.

thank you so much.

ok, maybe let's take a step back. You wrote that it works once you disable IPv6 in your WAN interface.

Are you using IPv6 at all? If yes, have you configure IPv6 for your wireguard tunnel?

Maybe it's worth checking out the video from Chris McDonald: https://www.youtube.com/watch?v=wYe7FzZ_0X8
Chris is the maintainer of the wireguard package for pfSense. In this video he shows the config for a wireguard tunnel for IPv4 AND IPv6

https://forum.netgate.com/topic/151871/solution-for-multicast-over-tunnel

@jmdomini , I shared some days ago my experience with wireguard in a step-by-step guide in this forum. Maybe that helps you.
And please share some more info if it does not. screenshots are quite helpful