solved at reference...

@viragomann AHA! I figured it out now! So, that client (10.247.1.13) used to have my wireguard server running on it, and I never uninstalled it. So I THINK that ubuntu server had static routes set up for traffic on the 10.66.66.1/24 subnet, and was sending traffic to those subnets into the void. After uninstalling wireguard on the server, pings are now working between my windows machine connected via wireguard and the server at 10.247.1.13. Still can't ping windows to windows, but I'm guessing that's a firewall issue and I can look at that in my own time. Thanks for the help folks! I think we can consider this resolved now.

@Betahelix WireGuard tunnels only operate at Layer 3. If you need to transport L2 traffic you need to utilize a tap mode (layer 2) VPN driver.

@Bob-Dig So I reverted to manual (did a restore) since hybrid and automatic were not working, and it is broken now.

@tibere86 that doesnt help if they are using DoH which works over 443. Also DoT works over port 853 which is easier to block.

Just here to report that enabling IPsec-MB on 23.05 has reduced the CPU usage quite a bit on my 5100 when using Wireguard.

@Bob-Dig ok I will go this way, maybe my fault but still not clear what traffic should not go through the VPN....local I suppose. I have taken this guide as the failover to wan scenario is a good approach to me. IVPN is reliable but not guaranteed it could not drop for some reason and the setup guide on their web site is apparently oriented to just a kill switch scenario. Thank you

@Bob-Dig I'm sure it's no misconfiguration. The packet loss are short 1min Windows. They made their wireguard server very stable lately. So it's more like 2-3 times a week now. With my OpenVPN backup I never notice the the packet loss at all. Only my monitoring notices.

I get the picture now wrt WG configs with this or that VPN provider. ProtonVPN has their WG configs but no pfsense setup docs. I haven't used Windows in years and as a 'Linux for Dummies' kind of user I sometimes have a clue. Being a Netgate Minnow w/ 2C Intel Atom (AES-NI) I get about 12MBs (Mega Bytes) sustained but that pushes CPU usage into 50-60% range. That's with OpenVPN, WG may not be feasible. This newish Pfsense/WG howto peeks my interest: link text We'll see. Thanks, Onecut

@Bob-Dig Don't works. The firewall don't knows the dns names, so i normaly use the AD server as DNS server, so all internal hosts could be resolved. But WireGuard works not this way. I made now 2 host overrides in the DNS Forwarder and now the hosts will be recogniced. But I think it also should go the other way round.

@s0m3f00l NP. It's always good to check before upgrading.

@jimp Thank you! Sorry I didn't run across this in my reviews of other forums. That was EXACTLY what I was looking for!

@q54e3w If it's a config error, why would it have connected for a couple days without ANY issues? That's scary in itself then!