@mikebflyer You bridge the interfaces. I've never done it in pfSense so I can't tell you the details other than: Interfaces >> Bridges >> Add When you bridge them, they act as one interface so they have the same IP and are connected to the same subnet. Here's how to do it to an OVPN interface (it will be the same for a WG interface): https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-bridged.html

@mooncaptain I had the same problem. HERE was my fix- https://forum.netgate.com/topic/181857/solved-wireguard-interfaces-ping-but-can-t-get-actual-data-through

@Neosmith20 Lastly, if you look in: Status >> System Logs >> System >> General And filter on "ireguard" (and then filter again on "WG0" (or whatever you named your interface)), you will see some of the logs. (My personal experience has been that those log entries have been pretty useless)

Well i think that i might solved the problem after reboot. If someone can test and see if its working, i did several reboots and now my wg is coming up without the error for unknown gateway. What i did is check the box Disable Negate rules under System/Advanced/Firewall & NAT. But i still have the problem if my wan goes offline when it is coming back my wg connection will remain offline until i reboot the box. This is a clean 2.7 install without restoring backup just to discard any errors.

@tweek negative. I wrote the package and can confirm it has always been kernel driver.

@keyser okidok, thx anyway ;-)

solved at reference...

@viragomann AHA! I figured it out now! So, that client (10.247.1.13) used to have my wireguard server running on it, and I never uninstalled it. So I THINK that ubuntu server had static routes set up for traffic on the 10.66.66.1/24 subnet, and was sending traffic to those subnets into the void. After uninstalling wireguard on the server, pings are now working between my windows machine connected via wireguard and the server at 10.247.1.13. Still can't ping windows to windows, but I'm guessing that's a firewall issue and I can look at that in my own time. Thanks for the help folks! I think we can consider this resolved now.

@Betahelix WireGuard tunnels only operate at Layer 3. If you need to transport L2 traffic you need to utilize a tap mode (layer 2) VPN driver.

@Bob-Dig So I reverted to manual (did a restore) since hybrid and automatic were not working, and it is broken now.

@tibere86 that doesnt help if they are using DoH which works over 443. Also DoT works over port 853 which is easier to block.

Just here to report that enabling IPsec-MB on 23.05 has reduced the CPU usage quite a bit on my 5100 when using Wireguard.

@Bob-Dig ok I will go this way, maybe my fault but still not clear what traffic should not go through the VPN....local I suppose. I have taken this guide as the failover to wan scenario is a good approach to me. IVPN is reliable but not guaranteed it could not drop for some reason and the setup guide on their web site is apparently oriented to just a kill switch scenario. Thank you