Wireguard Site-to-Site Gateways disabled after reboot - service not starting

Bob.Dig

@buzz2912 I use s2s without NAT, probably many people are using it after that great video Christian McDonald did is my guess. But I only connect my pfSense to a windows server, not another Sense.
Still I think you should really show you config and let others have a look at it. "It is not working" is not doing anything.

buzz2912

Here you go:
Installation was on 2.5. Initially with NAT, than without.
3 different site-to-site connections. All to pfsense 2.6.0
Update to 2.6.0, no problems. I am running this in production.
22.01 plus update, no problems
22.05. plus update:
First reboot, everything fine and up.
reboot, gateways hidden, service ist not starting, not even on click.
Reinstall package wireguard, everything up and running, reboot: dead again.
If I manually activate the gateways and after that start the service, it runs.
Gateway monitoring does not make a difference.
2.7.0 same behavior as on 22.05

Internet connection:
When the problem occurred for the first time, I had two connections in Failover mode (cable+PPPOE). At the moment I have only one PPPOE connection.

I did a fresh install and did a config restore. Same problems.
I gave up and used 2.6.0 since the 22.05 release without any problem.
I had hoped that this will be relsolved with the 2.7.0 release, but it seems not to.

Config:

Interface:

Gateway:

Route:

Bob.Dig

@buzz2912 So this screenshot is not 22.05 I guess.
And all other pfSense are 2.6.0... so this is not my setup.

But no one had yet replied to your thread here. I would recreate all the tunnels from scratch. Or wait if someone else has the same problem and you find the cause together.
Make sure that the default gateways are not set to automatic but to your WAN or WAN failover group is some common error with WG.

buzz2912

@bob-dig
This is my current 2.6.0 config prior the update.
Standard gateway is (and was) set correctly.

buzz2912

Here is my upgrade to 22.05 for the screenshot and logs.
After the first boot 2/3 were marked online, one pending. In reality all remote networks were reachable.
wireguard service marked as down

service watchdog was trying every minute to start the service. No success.

I removed the package wireguard. After that I did a config restore.
After reboot, wireguard was reinstalled and started successfully. All tunnels und gateways up, service running.

My config seems alright. How could this work otherwise?

And here we go again:
reboot of the running 22.05 system (all tunnels up before reboot)

all gateways down

service down

and here is the system log

buzz2912

upgrade to 23.01 beta

after the first boot:
All gateways hidden
wireguard service dead

additional message:

reinstall wireguard package
all site to site connections and gateways up and running.

reboot 23.01 beta (with running connections). Here we go again:

same entries in system log

lcbbcl

@buzz2912 I have the same problem after reboot i get error of unknow gateway and is disabled.
Without adding gateway wireguard start.

buzz2912

I have not found a solution.
I am using opnense now. It just works.

lcbbcl

@buzz2912
This is hilarious again after restart i got the GW disabled and i manually enabled the gateway, this made my tunnel work but the wireguard is not running.
But still on others threads they claim that is working as it should.
Well i will give a try also to open.

buzz2912

I do not understand what we do different.

lcbbcl

@buzz2912
We don't do nothing different , i did try everything. 1/10 reboots wg is working as it should so it is clear to me that is not how i set up. Its is something different, pppoe could be a coincidence or not. without adding a gw to the tunnel wg is coming up.

vjizzle

Hi,

I have the same problem with wireguard tunnels. I am on 22.05 and there this problem also exists. Every reboot it’s a 50-50% chance my wireguard tunnels will come up.

I was briefly on 23.01 and there 100% of the time my wireguard tunnels would not come back after a reboot. Reinstalling the wireguard package did fix it for the next reboot after reinstalling the package but every following reboot would turn up the same problem. Gateways disabled and wireguard tunnels and service both down and not way of enabling or starting them. Definitely a bug. I have pppoe as well on WAN.

I returned to 22.05 because of a bug with igmp and for now this is ok. Hopefully some fixes will come for the next release. I read somewhere that on the other *sense firewall this problem does not exist. Wondering how they solved it 🧐

lcbbcl

@vjizzle
Well i have this problem long time ago, i moved from 2.6 to 22.01 22.05 and now 23. I had always pppoe connection and it did work in the past but after last updates to wg i start to have problems. I might try to use openvpn just to see because that was working years without any problems and now i see posts about openvpn also with similar problems.
I don't expect bugs free, it is just that the bug was reported and they close saying that wg work as it should be.

buzz2912

Here is a workaround:

Install package cron
Add cron job

Minute: @reboot
user: root
Command:
sleep 60 && /usr/local/sbin/pkg install -f -y pfsense-pkg-WireGuard

After reboot the wireguard pkg is force reinstalled. After that the service and the tunnels and the gateways come up. Takes some time.

Hope that helps, Sebastian

Misterb

I've had this same problem since almost the start of the 2.7.0 dev releases appearing. The wireguard tunnel always comes up but the gateway reports as down and the wireguard service says it's down. I can return things to normal by going to Status->Services and restarting dpinger followed by starting wireguard. The service starts and the gateway on the front page comes back online.

buzz2912

@misterb
do you have a cron command for that?

I can not understand why this is not fixed after all this time.
It seems, that no one cares.

Sebastian

moelassus

@buzz2912 Ugh, this is a good solution to a bad problem. It's a shame that Wireguard behaves like this. I didn't know I was experiencing this until I rebooted prior to upgrading and my peer would not handshake. I rebooted again and it came back. I thought I was out of the woods so I upgraded to 22.05 and Wireguard hasn't worked since. I just tried the uninstall reinstall and it did eventually work. It took awhile for the peer to handshake but it eventually did. I hadn't rebooted since the last update so hopefully I won't run into this again for a long time.

Gektor

Have same issue on pfSense + 23.05, after Save + Apply WG Gateways, it's start wotking.

Seeking Sense

@Gektor are you referring to the WireGuard INTERFACE that you created for your WireGuard tunnel found in the pfSense Interfaces list?

If so then I have also found that to be my only solution to reestablish my WireGuard tunnel.

I am required to DISABLE, SAVE and APPLY and then ENABLE, SAVE and APPLY the WireGuard Interface to reestablish my WireGuard tunnel.

Is there a fix for this?

Has anyone written a script to check if a WireGuard Gateway is down, offline, etc... to DISABLE and then ENABLE its associated interface?

michmoor

@Seeking-Sense I would say to open a redmine if you believe this is a bug or a regression but the odds of that getting actioned by a dev are extremely low.
Have you tried disabling gateway monitoring?