Wireguard suddenly refuses to handshake
-
This post is deleted! -
Routes were added for the marked Wireguard interface and i also configured the interface using the right IPv4 static IP (10.0.41.1, peer is 10.0.41.2). (no screenshot)
Unfortunatly i had to switched back to IPSec, so that's why everything is deactivated. -
@woodsomeister You have to add the tunnel as an allowed IP.
Did this ever work? -
@jarhead For several weeks. In the other side is also a Opnsense under my control. Everything was working as expected, but after a restart some days ago i went into this problem.
-
@xxgbhxx I tried the version 0.0.20210606_1 solution and now wireguard crashes and I get crash reports. I tried uninstalling wireguard and installing but now the WG service won't stay running.
What's my next step? -
DO NOT DO THIS.
Changing the wireguard-kmod package will cause kernel panics and take down your pfSense box.
I have the same problem with WireGuard not handshaking, but this solution DOES NOT fix it. FYI.
-
@itheadquarters Same thing happened to me. You need to SSH into your box, run 'pkg install wireguard-kmod'. This will put your package back to wireguard-kmod-0.0.20211105. This doesn't fix the handshake problem, but it will stop the kernel panics.
You can check your version numbers with 'pkg info -l wireguard-kmod'
-
@itheadquarters Sorry no notifications you'd replied to me. That wasn't my suggestion by the way.
I've given up with pfSense' implementation of Wireguard. I find it unstable and flakey as hell.
I purposely don't touch it once it's working and pray it's going to keep working. I've had a few unexplained random drops since I posted this and I just bypass the vpn until it comes back up which might be minutes, hours or days.
To illustrate this I have relatively recently set up a new connection to one of the VPN providers I've set the connection up to before. The settings are identical (obviously not they key's). Everything I can see is set up exactly the same as the working one and it has NEVER worked.
I've deleted and re-built that VPN 10+ times and it will never connect. In anger I set up and configured a brand new Opnsense VM using the exact same keys and settings and it worked instantly first time. It's never dropped. Not even once.
I can only go by what I find. If you're lucky, you get no issues but I have found, with my setup, Wireguard is just broken.
As soon as I get a few days free I'm going to be converting over to Opnsense full time not elast as its fairly clear to me that Netgate have walked away from the community version of PFSense.
-
@xxgbhxx Does Opnsense have a variant of PFBlockerNG?
-
@xxgbhxx I may have too also. I can't keep wrestling with this. I've wasted endless time trying to find out what's wrong, only to find out it's a bad implementation of the WireGuard package. I was running myself crazy, wondering if it was some problem with my ISP, or some arcane config setting. Unbelievable.
-
@n3ivi0 guess that's why it is marked EXPERIMENTAL :-)
-
This post is deleted! -
@sly1337 Wireguard on FreeBSD has been an unmitigated disaster but at least it's going to be kernel native for v14 and written in conjunction with JD.
But we need to remember the absolutely dire implementation that led to that situation that had been funded by Netgate and then grossly mismanaged. So much so it led to a very public argument between the author of Wireshark and Netgate.
We shouldn't be surprised almost 2 years later it's still in a shambles really.
-
This post is deleted! -
@xxgbhxx v14 of which? FreeBSD, got it.
-
@sly1337 Yeah. But more experimental in the "breaks out of the dungeon in your mountain lair, rampages through the village" kind of experimental. I just wish it worked. My pfSense box is configured perfect. I'd hate to have to go to Opnsense just to get a working implementation of Wireguard.
-
I think I found the solution for 0.1.6_2. Once your tunnel is setup with peers, you have your tun_wg0 Interface, and the Mullvad Gateway has been created, you have to temporarily switch Default Gateway over to the WAN. If you do this, the handshake will complete. I don't know why this works. I have tried switching to multiple peers. Each time, set Default Gateway to WAN, let the handshake complete, then switch it back to Mullvad Gateway and you're good to go. If anybody has any notion of what is causing this, speak up. I have a basic setup, like the Netgate website recommends. Nothing fancy. Basic firewall outbound NAT and rules.
-
@n3ivi0 said in Wireguard suddenly refuses to handshake:
Each time, set Default Gateway to WAN, let the handshake complete, then switch it back to Mullvad Gateway and you're good to go.
It is warned about almost everywhere that you shouldn't make WG the default gateway, never. Make your WAN the default gateway and then use policy based routing for actually routing stuff to the WG gateway.
-
@bob-dig Thank you. That was indeed the problem. I got some bad guidance from another guide. I went back and doublechecked the Mullvad guide for pfSense: https://mullvad.net/en/help/pfsense-with-wireguard/
It has recently been updated. And that's what they recommended to do. Fixed my firewall, and I'm back in black.
Thanks again for the tip.
-
Went months without issue then would drop the connection and wouldn't reconnect. I rebooted the pfSense and the MT-1300 and no luck. I rebuilt the VPN's on both sides, changed keys and no luck. Sometimes I'd wait a couple hours and it would connect again for a few hours or as long as 20 hours.
I changed the port to 51281 on both sides and it's been up for 2 days.
