Posted on the Redmine:
https://redmine.pfsense.org/issues/14200

The problem is well known
There is no solution I know of.

https://forum.netgate.com/post/1081694

https://forum.netgate.com/topic/177255/wireguard-site-to-site-gateways-disabled-after-reboot-service-not-starting/7

@edjusted Sorry, I never found anything. I had to setup the tunnel fron scratch.

@bob-dig said in Strange login from another country:

@pastic said in Strange login from another country:

I realise something as I write this: are there 'two levels' involved here? The wireguard rule will let everyone through the firewall on the specified port, but having passed the firewall block then the wireguard service will still refuse everyone that does not have the configured keys?

Yes. Hard to believe that this is news to you, you are setting up a graylog server, which is advanced stuff in my book.

Let's call it a blind spot. :-) I don't work with networks, it's just a hobby. And until this Wireguard 'project' I always had pfsense blocking everything from the outside.
And yes, I did struggle a bit setting up graylog, but it was fun.
Thanks!

I have two internet connections on my pfsense.
I also noticed sometimes the VPN connection stays up but it stops routing data over the wireguard link till i restart the wireguard service.

@jarhead said in wireguard server,how to change the MTU?:

@msibyte said in wireguard server,how to change the MTU?:

@jarhead In which section to change this?

wg.png

ScreenShot_20230318014317.png enabling LAN - disables access to the website via an external IP

https://www.cyberciti.biz/faq/how-to-generate-wireguard-qr-code-on-linux-for-mobile/ this seems like a quick-win for easy QR-code generation

hey guys, i guess it isn't a common problem. i think i fixed it by changing the MSS and MTU to 1420 on the Wireguard interface. hope this may help someone in the future.

@bob-dig I will use wireguard as the primary with failover to openvpn and setup a setup openvpn to deal with the country exception. shame, seems wireguard does perform better on the same h/w are access

@vjizzle
Well i have this problem long time ago, i moved from 2.6 to 22.01 22.05 and now 23. I had always pppoe connection and it did work in the past but after last updates to wg i start to have problems. I might try to use openvpn just to see because that was working years without any problems and now i see posts about openvpn also with similar problems.
I don't expect bugs free, it is just that the bug was reported and they close saying that wg work as it should be.

Ok - disregard the above post. If I could delete it, I would. It it turns out what I am trying to achieve works flawlessly. I had another problem in my wg config (with the firewall rules) that was causing my icmp pings to not return, which I assumed was a wg issue.

@jarhead that did it. added the RoadWarrior tunnel ip to the allowed ip on parents peers. thanks man, that was easy!!

Replied in the other thread.

@keyser said in Wireguard Site-to-Site Setup - Errors on Interface:

@tman222 Just out of curriosity: What boxes are on either end of that tunnel? I’m looking for what throughput can be expected for the SG-2100 ARM based boxes, but no-one seems to know :-)
(With 900mbps+ I know you are not 😂)

Hi @keyser - hardware on both sides fairly powerful (at least as far as firewalls concerned): System on one side is driven by a Xeon D-1518 CPU, System on the other side has a Intel Core i3 10100 CPU. Bear in mind that those results are from a single stream iperf3 test using default settings (i.e. large 1500 byte packets) and that the site to site latency is only a few milliseconds.

The service has nothing to do with the contents of the firewall state table.

Look over all the links in my previous reply, it's all explained there. It's not a WireGuard issue it's a fundamental aspect of stateful firewall behavior.

@nomad0 said in State of Wireguard package?:

I would love to know what the projected timeline for making this a production-worthy package is.

pfSense package experimental do not mean underlying WireGuard is experimental.
Please correct me someone if I'm wrong.

OpenVPN isn't necessarily "constant" in that way, it occasionally has to renegotiate as well.

WireGuard does not work the way you imply. It is for all intents and purposes connectionless. There may be a handshake but it's completely transparent. The VPN is always "active" and any packet that tries to use it will handle that negotiation in the background if it hasn't had a recent handshake and so on.

There isn't any sense of it being "disconnected" where traffic would take some other path.

Ok, it's working now, I forgot to add a rule on the appropriate LAN interface to allow connections on the Wireguard port.

I'm sorry about that.

@knightzhang625 gfw blocked wireguard

@thondwe said in Wireguard Firewall Rules:

Assume the benefit of assigning would come into play with multiple tunnels with a need for different rules then? e.g. Test + Production? Or when using a site-to-site setup??

Exactly. And how often do you have multiple remote access tunnels on the same system? Usually one would just make one RA tunnel with a big enough subnet for however many users they would need. So no real need for an interface.
But site to sites definitely benefit from the separate rules.

@sprout0002 the same thing is occuring with me trying to set it up with NordVPN. Wireguard generates the wrong public key for the private key I'm entering. Did you find a fix or way to enter your public key from proton?

@reza-mnp - settings / enable wireguard - that is it done.

@koenh No problem.
Glad you got it fixed and believe me, the Wireguard wording is confusing at best!

@jarhead i will not have access for the next 5 days. I will take a look again afterwards.

I've set up Wireguard on a Linux laptop running Ubuntu 22.04. I've tethered it through my phone's mobile data service, and then started the Wireguard connection on the laptop. That seems to be working fine — I can access the pfSense web admin page; I can download large test files from my test device; I can upload large files via SSH.

So, that indicates the problem is really with the Android Wireguard app, while the pfSense Wireguard implementation is fine.

@michmoor I Do have multiple WAN connections. I have the wireguard only using one WAN connection though.