Netgate Discussion Forum

    no wireguard handshake with mullvad?

    • lostnetworker

      Hello peoples

      I'm struggling to get a wireguard handshake with mullvad. I have followed the documentation from mullvad, https://mullvad.net/en/help/pfsense-with-wireguard and Christian's YT video (https://m.youtube.com/watch?v=wYe7FzZ_0X8) but can't see a handshake.

      My private key is correct in the tunnel, it resolves to the public key listed in mullvad.net/end/account/wireguard-config

      My peer has the correct public wireguard key from the config I downloaded from mullvad. Endpoint IP is correct.

      • stephenw10 Netgate Administrator

        Do you see states open to the remote IP? Do you see two way traffic on those states?

        • lostnetworker @stephenw10

          @stephenw10 Bit baffled on what you're asking for mate, I'm lost in this networking world.

          Here's a screenshot of my tunnel and peer using the supplied details from Mullvad: pfsense.png

          These are my steps:

          1. Generate Wireguard .txt config on Mullvad site
          2. Make Wireguard tunnel > plug my private key, interface IP key and port 51820 in
          3. Assign tunnel to peer > plug public key, endpoint IP and 51820 port in

          • stephenw10 Netgate Administrator

            I mean go to Diag > States. Filter by the remote endpoint IP. You should see at least one open state to it and it should show packets both ways.

            • nimrod @lostnetworker

              @lostnetworker

              I had the same situation. I set up a wg tunnel with mullvad, and there is no handshake until you actually start requesting traffic via that tunnel. As soon as the traffic starts to flow, I can see the handshake.

              Is this what you are trying to say @stephenw10 ?

              • stephenw10 Netgate Administrator

                When the tunnel is up I expect to see a state for it with traffic on it both ways. Even if it's only a few packets.

                If there's no state at all then there's some problem locally preventing it trying to connect.

                If there is no reply traffic on the state then the server isn't responding so probably some config issue.

                • Bob.Dig LAYER 8 @stephenw10

                  @stephenw10 said in no wireguard handshake with mullvad?:

                  When the tunnel is up I expect to see a state for it with traffic on it both ways. Even if it's only a few packets.

                  I don't think so. If you don't have a gateway setup in pfSense with its monitoring, there is nothing using this tunnel and with that no handshake. That is why I prefer to set keep alive for new WG-Tunnels in general, at least in the beginning, to see if everything went well.

                  • nimrod @Bob.Dig

                      @Bob-Dig said in no wireguard handshake with mullvad?:

                      @stephenw10 said in no wireguard handshake with mullvad?:

                      When the tunnel is up I expect to see a state for it with traffic on it both ways. Even if it's only a few packets.

                      I don't think so. If you don't have a gateway setup in pfSense with its monitoring, there is nothing using this tunnel and with that no handshake. That is why I prefer to set keep alive for new WG-Tunnels in general, at least in the beginning, to see if everything went well.

                      This makes sense.

                    • lostnetworker @stephenw10

                        @stephenw10 @nimrod

                        Thanks for the advice guys. I have been so busy but managed to get free to look into this. I nuked my pfSense and this time I set a keep alive of 25 seconds on the peer, now I get handshakes.

                        I followed every step in the Mullvad guide, looks like I've got a Mullvad IP assigned and no DNS leaks so I guess it worked.

                        Only issue I noticed is that if I reboot my Protectli, there is still a handshake between the peer and tunnel but I can't get internet access. I had to nuke my install again and follow the guide again for Mullvad wireguard to work.
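
The cases the replies in this thread distinguish (nothing sent yet, packets sent with no reply, a working handshake) can be read from `wg show <tunnel> dump`; the following Python triage is an added example, not part of any post in the thread. The sample dump, peer names and status labels are constructed for illustration, and the assumption about the tx counter is marked in the code.

```python
import time

REJECT_AFTER_TIME = 180  # seconds; WireGuard protocol constant for session expiry

# Constructed sample of `wg show <tunnel> dump` output (tab-separated).
# First line is the interface; keys and endpoints are placeholders.
SAMPLE_DUMP = "\n".join([
    "LOCAL_PRIVKEY\tLOCAL_PUBKEY\t51820\toff",
    "PEER_IDLE\t(none)\t198.51.100.10:51820\t0.0.0.0/0\t0\t0\t0\toff",
    "PEER_SILENT\t(none)\t198.51.100.11:51820\t0.0.0.0/0\t0\t0\t0\t25",
    "PEER_NOREPLY\t(none)\t198.51.100.12:51820\t0.0.0.0/0\t0\t0\t1480\t25",
    "PEER_UP\t(none)\t198.51.100.13:51820\t0.0.0.0/0\t1700000000\t9200\t8100\t25",
    "PEER_STALE\t(none)\t198.51.100.14:51820\t0.0.0.0/0\t1699990000\t9200\t8100\toff",
])


def classify_peer(handshake, tx, keepalive, now):
    """Map one peer's counters to the cases discussed in the thread."""
    if handshake == 0 and tx == 0:
        # Nothing was ever sent. Without keepalive that is expected until
        # traffic is routed into the tunnel; with keepalive it is a local fault.
        return "idle-no-traffic" if keepalive == "off" else "local-not-sending"
    if handshake == 0:
        # Assumption: tx counts handshake initiations, as on Linux.
        return "no-reply-from-endpoint"
    if now - handshake > REJECT_AFTER_TIME:
        return "stale-handshake"
    return "up"


def diagnose(dump_text, now=None):
    """Return {peer_public_key: status} for a single-interface dump."""
    now = int(time.time()) if now is None else now
    results = {}
    for line in dump_text.strip().splitlines()[1:]:  # skip the interface line
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 peer fields, got {len(fields)}")
        pubkey, _psk, _endpoint, _allowed, handshake, _rx, tx, keepalive = fields
        results[pubkey] = classify_peer(int(handshake), int(tx), keepalive, now)
    return results


if __name__ == "__main__":
    for peer, status in diagnose(SAMPLE_DUMP, now=1700000060).items():
        print(f"{peer}: {status}")
```

A peer reported as `up` has a current WireGuard session, so a loss of internet access in that state points at routing, NAT or gateway configuration rather than at keys or the endpoint.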

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.