I solved this by adding an additional interface directive in the DNS Resolver advanced options box. I confirmed that the running unbound config didn't include the wg interfaces and that's why it wasn't responding.

There's no "wireguard" in the Network Interfaces box of the DNS Resolver screen unless you create a Firewall interface based on the wg interface. I don't use ALL because I do not want some of my interfaces to have the option of using pfsense's unbound. Interestingly enough, the proper access-control directives did exist in the config already.

I added these lines and created a firewall rule allowing the wg subnet to access DNS on this IP.

@80scyborgninja said in WG - Full tunnel problematic:

Definitely very strange.

Definitely a mystery here 👻 , but I am glad you got it working. And thanks for the feedback.

@bartkowski Yep but as I said, they seem to share a single keypair and IP across all your devices, so you can only establish one tunnel.

My problems are gone now with the change to OpenVPN. Disabled WireGuard and all problems are gone for now. No crashes anymore....

@dem would be a good option like Ovpn does with the parameter mtu-test, regards!!!

SOLVED. Had to remove an IPSec Tunnel to make this work

@jimp Thanks!

I finally got it working. I wanted a road warrior config between my home pfSense and work. It took me awhile to realize that, while you don't need to define an interface on the work (server) side, you do on the home (client) side plus the usual firewall rule and outbound NAT rule to direct the traffic out the wireguard interface.

@periko my ISP using several routers behind my firewall. So all sites are dynamic, only my central is static.

Thanks for the info guys. I didn't realize how different WG is compared to the more traditional vpn.

No, that is not possible.

https://redmine.pfsense.org/issues/11600

@madnet I change MTU values to 1500 on my Site to Site VPN as the default value of 1420 was affecting google services (no youtube, no gmail, not maps nothing that had to do with google worked and I also had issues with Apple email servers that did not worked with MTU set to 1420) but as soon as the MTU value was changed to 1500 all worked fine
only issue that I see is that the MTU values will revert back to 1420 after sometime by itself inside Pfsense but if I change it again and save it will set it back to 1500 and all work good but it will be good to know if there is a way to hard set the MTU to 1500)

@dennis_s Sure! Opened bug #11618.

@jimp Thanks for that - I must have screenshot the wrong thing. I've actually played around some more, and it turns out that I had a problem with the protocol. I had not realized that I set it up with TCP rather than UDP.

For those who might experience this, please note carefully, that for the Firewall | Rules | WANS, make sure the protocol is UDP:

e23c68db-45cc-4517-bc99-a8820426ca19-image.png

This is different to Firewall | Rules | Wireguard, in which the protocol is Any:

d5d7bf63-a23f-48c5-9aed-56ed5087d8c1-image.png

@tigs this seems to me like the issue I'm currently facing. Unfortunately I haven't found a solution yet. 😩 Neither did @xxgbhxx's idea work for me. I suspect in-depth knowledge of the inner-workings of pfSense/FreeBSD/the WireGuard module(?) is required to figure out what's going on. On my installation the DNS resolver would even use the WAN interface when it is not even selected as one of the "Outgoing Network Interfaces", which seems odd to me.

@dma_pf @jimp

Interesting... Thx

I never assigned an interface to OpenVPN.

Is it incorrect ? When would you vs won't you assign it ?

@chudak said in iPhone via WG tunnel - help validate my setup:

@dma_pf

When I set Allowed IPs and Peer WireGuard Address as suggested in the video to 10.0.0.6/32 I get 100% loss on WG0_XX Gateway seeing in the dashboard. Have you tried this ?

I'm seeing the same result. In my case I have been testing this with my android phone. It's the only peer I have set up at the moment. It's using the native Wireguard app. The only time I'm seeing the 100% packet loss on the dashboard is after I get home, shut off wireguard and turn and connect it to my WiFi which is connected to pfSense.

I haven't really looked into why it's showing the loss. But I just looked at the System/Gateways log and saw that there were entries showing the packet logs on the tunnel interface. I just noticed that the gateway in pfsense had the Gateway Monitor enabled. I just shut it off to see what happens. I'll let you know.

@chudak, guessed as much thanks for confirming!