@Betahelix WireGuard tunnels only operate at Layer 3. If you need to transport L2 traffic you need to utilize a tap mode (layer 2) VPN driver.

@Bob-Dig So I reverted to manual (did a restore) since hybrid and automatic were not working, and it is broken now.

@tibere86 that doesnt help if they are using DoH which works over 443. Also DoT works over port 853 which is easier to block.

Just here to report that enabling IPsec-MB on 23.05 has reduced the CPU usage quite a bit on my 5100 when using Wireguard.

@Bob-Dig ok I will go this way, maybe my fault but still not clear what traffic should not go through the VPN....local I suppose. I have taken this guide as the failover to wan scenario is a good approach to me. IVPN is reliable but not guaranteed it could not drop for some reason and the setup guide on their web site is apparently oriented to just a kill switch scenario.
Thank you

@Bob-Dig I'm sure it's no misconfiguration. The packet loss are short 1min Windows. They made their wireguard server very stable lately. So it's more like 2-3 times a week now. With my OpenVPN backup I never notice the the packet loss at all. Only my monitoring notices.

I get the picture now wrt WG configs with this or that VPN provider. ProtonVPN has their WG configs but no pfsense setup docs. I haven't used Windows in years and as a 'Linux for Dummies' kind of user I sometimes have a clue. 😊

Being a Netgate Minnow w/ 2C Intel Atom (AES-NI) I get about 12MBs (Mega Bytes) sustained but that pushes CPU usage into 50-60% range. That's with OpenVPN, WG may not be feasible.

This newish Pfsense/WG howto peeks my interest: link text

We'll see.

Thanks,

Onecut

@Bob-Dig
Don't works. The firewall don't knows the dns names, so i normaly use the AD server as DNS server, so all internal hosts could be resolved. But WireGuard works not this way.
I made now 2 host overrides in the DNS Forwarder and now the hosts will be recogniced. But I think it also should go the other way round.

@s0m3f00l NP. It's always good to check before upgrading.

@jimp Thank you! Sorry I didn't run across this in my reviews of other forums. That was EXACTLY what I was looking for!

@q54e3w If it's a config error, why would it have connected for a couple days without ANY issues? That's scary in itself then!

@misterb

for me a cron job @reboot with this command works:
sleep 30 && /usr/local/sbin/pfSsh.php playback svc restart dpinger

I do have service watchdog running for Wireguard.
Only tested twice. Your mileage may vary.

Our documentation has a few recipes:

https://docs.netgate.com/pfsense/en/latest/recipes/index.html#id1

@Bob-Dig Thanks for replying. Here are screenshots of the config. Let me know if you need any more.
WG1.png WG2.png WG3.png WG4.png WG5.png