Solved by watching a video from Christian McDonald. The change was to the settings in the peer (client) app. I set the DNS address to the tunnel address (192.168.85.1) rather than my pfSense address.

Yes that's how I do it also. I'm experimenting with FRR now to dynamically discover the routes instead of having to manually define them.

@crowfather said What does the WG config file look like? (Redacting private information obviously) [image: 1651596131433-img_3487.png]

@ofloo Figured it out, bgp raw configuration was overwriting the configuration. So basically never got updated kept running old config. Must of updated configuration and hit save at some point in the past.

I figured it out. I had State Killing on Gateway Failure enabled under System/Advanced/Miscellaneous. Disabling it resolved my issue

@skippythemagnificent This could be a hosted vpn with many clients and allowing client2client communications.

@cmcdonald Wireguard ignores my static routes, even after a reboot. It seems to always use the default route. Might be a bug? Btw, thanks for your work with Wireguard.

@joshhboss I localise my problem. Problem wasnt wireguard or pfsense, but my configuration. I didnt setup monitoring of wireguard gateway. After reboot it automaticaly try setup routes, but in time, when GW wasnt ready. After enabling GW monitoring, and setup static routes properly, everything works perfectly now.

@joshhboss the mtu matches on both sides btw

@joshhboss Im seeing that also from behind the pfsense on the 192.168.2.0/24 network i cant even ping the wireguard interface of the edge router

Thought I’d mention that this pfsense is 1 of 2 routers on my network. But either way my computer has set the pfsense router as its gateway. I would imagine that it should make it work. I’m noticing more that this post is lacking a bunch of info. I’ll draw a diagram and provide screen shots in a little bit

Hi, Here the solution: https://www.reddit.com/r/PFSENSE/comments/m0989o/nordvpn_wireguard_setup_works/ Yann.

@whiteout541 It’s not official, but possible. Here is how to create the Wireguard config files for Surfshark https://github.com/yazdan/openwrt-surfshark-wireguard