@cmcdonald Wireguard ignores my static routes, even after a reboot. It seems to always use the default route. Might be a bug? Btw, thanks for your work with Wireguard.

@joshhboss I localise my problem. Problem wasnt wireguard or pfsense, but my configuration. I didnt setup monitoring of wireguard gateway. After reboot it automaticaly try setup routes, but in time, when GW wasnt ready. After enabling GW monitoring, and setup static routes properly, everything works perfectly now.

@joshhboss the mtu matches on both sides btw

@joshhboss Im seeing that also from behind the pfsense on the 192.168.2.0/24 network i cant even ping the wireguard interface of the edge router

Thought I’d mention that this pfsense is 1 of 2 routers on my network. But either way my computer has set the pfsense router as its gateway. I would imagine that it should make it work. I’m noticing more that this post is lacking a bunch of info. I’ll draw a diagram and provide screen shots in a little bit

Hi,
Here the solution:
https://www.reddit.com/r/PFSENSE/comments/m0989o/nordvpn_wireguard_setup_works/
Yann.

@whiteout541 It’s not official, but possible. Here is how to create the Wireguard config files for Surfshark https://github.com/yazdan/openwrt-surfshark-wireguard

Got this working by enabling split tunnel in p1 settings and adding a second tunnel entry with the Wireguard subnet as remote. Not sure if this is the best way but it works. If anyone knows a better way please let me know.

Thanks

Upgrade to 2.6 or delete WG, setup the right Branche and install WG again.

SOLVED
All I had to do at the remote site was change the allowed IP's to 0.0.0.0/0 in the peer, then change the LAN "allow all" rule to the gateway to the wireguard vpn.

Problem solved.
Due to WireGuard tunnel closing down.
Remote ovpn does not re-active it.
I made the wireguard tunnel persistent and the routing works.

Well. I reply myself.

As @cmcdonald (developer of the wireguard package so someone to listen to) says in a reply to another post (https://forum.netgate.com/topic/164360/wireguard-site-to-site-issues/13):

The only way to force WireGuard out a particular interface currently is to create a static host route (i.e. a /32 or /128 route pointing at the remote WireGuard peer endpoint IP) out a particular gateway.

I stick my hope on the word 'currently': Even this being the actual state of the product it would be great if there were some way to manually bind a WG VPN to a given interface. There are cases where setting up a route to achieve that automatic binding is not possible (like my case where the remote endpoint is the same for both tunnels). This is already allowed both in openVPN and IPSec VPNs so it should also be a good thing that WG also had the option.

So I beg the developers, if they are monitoring this forum, to add this GREAT enhancement to an other way outstanding product.

Thanks for your time and effort.

@jdangjohnny

I am going to get myself a $50.00 beer. It was my mistake... On the TUNNEL settings, I need to do a /24 and /not 32 and voila.. Hasta LaVista Baby? It is all working now. I made the right decision to come back with PFSENSE. Now, more tunnels to test it.

@sensewolf Have you tried doing a packet capture on the server from pfsense (Diagnostics/Packet Capture)? Ping the server while the capture is running. What does the capture show? Is the ping getting to the server? Is the server responding to the ping? If so what IP address is it sending its response to?

Do you see any states created between your client and the server?

You'd probably get better help posting on an OpenWRT forum about your issue. This is a support forum for pfSense.

@swemattias
Yes, multiple peers with the same goal / security rules = 1 tunnel, x peers

I shall advise multiple tunnels only when you have different populations of peers (let's say internal users, external users or customers, etc.)

Have a nice day !

@packetpirate Thanks for the reply. I use the DNS resolver with Unbound. I looked further into the issue I have and it turns out that one wg connection seems to work just fine but as soon as I configure the loadbalanced mode I have the dns issues. I have no idea why this happens but I'm not willing to put more time in this. I switched to opnsense right now with pretty much the same configuration from the same guy that also posted about the solution to Mullvad's dns hijacking issues and it works completely fine so I'll stick with it for a while.