@mooncaptain Answering my own question:

All devices that use DHCP have No leaks. In windows I check the connection details with ipconfig/all and that shows that the Mallvad DNS servers are pulled in. My problem was with a statically configured workstation. For that I have to manually spec the DNS servers.

All is good - so far - since I am going to start messing around with the configuration to test fail over.

@gertjan
In the US, data is dollars and sold to the highest bidder.
Governance optional.

@mooncaptain and @dma_pf

Thank you !!
After reading your previous reply, ( and after having removed the WireGuard package, with the option not to save the previous configurations ). I reinstalled the package, and the first thing I did was, as mentioned by @mooncaptain, I went to the 'Settings' tab on the package, and enable it. I tried to do that on the previous attempt but was unable to do that.
After doing that, I created the tunnel and checked to see if it appears on the selection on the interface, and this time it did !.
I must have done something right when removing the package, without any previous settings.
BTW, I didn't reboot the FW, as I have an offsite backup running that cannot be interrupted at this time.
So this time I can select and assign the interface!
Thank for the video, I'm going to watch it before I continue with this setup.
I'll update this after that finishes.
Thanks again.
JG

Ok,I got it.I will upgrade it.

@xxgbhxx Just thought I'd do a very quick update.

It happened to me again today and I've finally nailed EXACTLY what the issue was/is and it turns out it was an already known issue with VMWare/PfSense (gee thanks Netgate).

The issue is with VMWares allocation of NIC's. In VMware when you add new nics they number them vmx0 vmx1 vmx2 and so on. When you add a new card for some completely inexplicable reason, VMWare numbers the NEW card vmx0 and then bumps up the interface numbers of all the other cards (so what WAS vmx0 becomes vmx1). This immediately breaks pfSense and pretty much means you have to re-do all your interfaces and firewalls.

SO

The moral here is add as many interfaces from day one as you ever expect to use and if you DO decide to any later on, make sure you fully prep for the impact (because remembering interface names/locations from 9 months ago is not easy!)

Thought I'd leave this here in case anyone has the same issue.

@jwt is/was this reply intended for someone else?

Ahhh! This explains so much!

I had tried to copy my existing rules across from IPSEC tunnels to Wireguard and it just wasn't working like I expected.

I hadn't considered the gateway interface was doing NAT - make sense I guess when you think about it. Switching to Manual Outbound NAT and then disabling the WireGuard interface fixed it.

This really gets pretty messy when you're doing multiple site to site IPSEC migrations to wireguard (I was having poor performance using IPSEC / Starlink for what ever reason - Wireguard just seemed to work)

Can anyone recommend a pfsense / Wireguard guru that would we available to look over a proposed setup and provide best practice? Happy to pay - Id rather do it once correctly than introduce unnecessary workarounds and fixes to get it going. approx 20 sites, DC, Azure (pfsense)

I had the same issue. I configured the wireguard interface as an actual IP interface and the issue cleared up.

I've hit a roadblock here. Is there somebody who can offer a bit of advice?

@fyobl

Cloud ? VPN ? Is there a place for 'pfSense' in your question ?

pfSense has no lists with IP's 'to pass' or 'to block'. pfSense is a firewall/router and routs all traffic - no exceptions - from a LAN interface to the outside world, the gateway, over the WAN interface.

@bigsy

I think it'd be useful if WG behaves as OpenVPN does and allow to use the same configuration concurrently IMHO :)

@bigsy Thank you!

I restored one connection but still struggling with another.
But WG works on iOS15, it's more like a pilot problem (copying all keys correctly etc.)

What is not clear to me is why WG does not have "a la" VPN client export config ability. I tried to download the tunnel configuration, but it seems to be requiring some editing, and couldn't make it work. Maybe I am not using it correctly?