I figured it out. I had State Killing on Gateway Failure enabled under System/Advanced/Miscellaneous. Disabling it resolved my issue

@skippythemagnificent This could be a hosted vpn with many clients and allowing client2client communications.

@cmcdonald Wireguard ignores my static routes, even after a reboot. It seems to always use the default route. Might be a bug? Btw, thanks for your work with Wireguard.

@joshhboss I localise my problem. Problem wasnt wireguard or pfsense, but my configuration. I didnt setup monitoring of wireguard gateway. After reboot it automaticaly try setup routes, but in time, when GW wasnt ready. After enabling GW monitoring, and setup static routes properly, everything works perfectly now.

@joshhboss the mtu matches on both sides btw

@joshhboss Im seeing that also from behind the pfsense on the 192.168.2.0/24 network i cant even ping the wireguard interface of the edge router

Thought I’d mention that this pfsense is 1 of 2 routers on my network. But either way my computer has set the pfsense router as its gateway. I would imagine that it should make it work. I’m noticing more that this post is lacking a bunch of info. I’ll draw a diagram and provide screen shots in a little bit

Hi, Here the solution: https://www.reddit.com/r/PFSENSE/comments/m0989o/nordvpn_wireguard_setup_works/ Yann.

@whiteout541 It’s not official, but possible. Here is how to create the Wireguard config files for Surfshark https://github.com/yazdan/openwrt-surfshark-wireguard

Got this working by enabling split tunnel in p1 settings and adding a second tunnel entry with the Wireguard subnet as remote. Not sure if this is the best way but it works. If anyone knows a better way please let me know. Thanks

Upgrade to 2.6 or delete WG, setup the right Branche and install WG again.

SOLVED All I had to do at the remote site was change the allowed IP's to 0.0.0.0/0 in the peer, then change the LAN "allow all" rule to the gateway to the wireguard vpn.

Problem solved. Due to WireGuard tunnel closing down. Remote ovpn does not re-active it. I made the wireguard tunnel persistent and the routing works.

Well. I reply myself. As @cmcdonald (developer of the wireguard package so someone to listen to) says in a reply to another post (https://forum.netgate.com/topic/164360/wireguard-site-to-site-issues/13): The only way to force WireGuard out a particular interface currently is to create a static host route (i.e. a /32 or /128 route pointing at the remote WireGuard peer endpoint IP) out a particular gateway. I stick my hope on the word 'currently': Even this being the actual state of the product it would be great if there were some way to manually bind a WG VPN to a given interface. There are cases where setting up a route to achieve that automatic binding is not possible (like my case where the remote endpoint is the same for both tunnels). This is already allowed both in openVPN and IPSec VPNs so it should also be a good thing that WG also had the option. So I beg the developers, if they are monitoring this forum, to add this GREAT enhancement to an other way outstanding product. Thanks for your time and effort.