Netgate Discussion Forum

    Wireguard Tunnels - Gateway Recovery Behaviour intermittent

    WireGuard
    3 Posts 3 Posters 439 Views
      crucialguy
      last edited by crucialguy

      Hi All,

      I wonder if anyone else has experienced this. For the life of me, I cannot 'consistently' get my Wireguard tunnels to re-establish on my primary gateway whenever I have a gateway failback event. The tunnels remain stuck on the backup gateway until I cycle that. I get it to work maybe once out of every 10, but that's luck of the draw.

      I utilise the new settings in pfSense Plus for the Gateway Recovery, which is set to kill states on all lower-priority gateways on recovery. I watch the pftop state table at the time of a failback and it does kill the states; specifically, I watch the states for the Wireguard tunnels drop, but they all re-establish back on my backup connection, even though the primary is back online.

      The gateway recovery works fine in all other scenarios, but Wireguard tunnels are incredibly flaky; in the main they rarely fail back.

      Just as an aside, these are privacy VPN Wireguard tunnels via Mullvad, so I have no control over the remote end. I thought this was the best place for this post as the gateway recovery in the main works fine, it's just the Wireguard tunnels not really playing ball.

      Just to confirm my config, within Advanced > Misc:

      State Killing on Gateway Recovery = Kill ALL states for lower-priority gateways

      State Killing on Gateway Failure = Kill states for all gateways which are down.

        gtrovato
        last edited by

        Hi!

        I have the same on my pfSense-to-pfSense Wireguard tunnel.
        When I have a gateway fallback on one side I need to reboot the remote side to have it up again.
        Very, very annoying!

        Thank you!

          mreardon
          last edited by

          This is still an issue as of 2.8.0 / 25.07, and it drives me crazy.

          Gateway failure works as expected: the wireguard tunnels will fail over to the backup gateway and continue on as normal, but will never recover once the failed gateway comes back online.

          While a reboot will (usually) fix it, I usually just go into my routing settings and mark the secondary gateway as down, forcing it to revert back to the primary... the users tend to dislike it when I reboot the firewall in the middle of the day 😅

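The posters above check pftop by hand to see which WAN the WireGuard states landed on after a recovery. As an added example (not code from the thread, pfSense or the WireGuard project), the script below does that check over `pfctl -ss` state lines: it finds UDP states to the WireGuard port whose source is still the backup WAN address and prints, without executing them, the `pfctl -k` commands that would drop those states so the tunnel has to re-handshake. The WAN addresses, the peer port 51820 and the state lines are constructed placeholders; the line format assumed is pf's `proto src [(orig)] -> dst state` with the translated address first when outbound NAT applies.

```shell
#!/bin/sh
# Added example, not from the forum thread. Reports WireGuard UDP states that
# are still sourced from the backup WAN after the primary gateway recovered,
# and prints the pfctl -k commands that would kill them (dry run only).

PRIMARY_WAN="192.0.2.10"      # placeholder: primary WAN address
BACKUP_WAN="198.51.100.20"    # placeholder: backup WAN address
WG_PORT="51820"               # assumed remote WireGuard listen port

# Constructed sample of `pfctl -ss` output. Firewall-originated states have
# no original address in parentheses; NATed states show the translated
# address first and the original in parentheses.
SAMPLE_STATES='all udp 198.51.100.20:51820 -> 203.0.113.5:51820       MULTIPLE:MULTIPLE
all udp 192.0.2.10:51820 -> 203.0.113.6:51820       MULTIPLE:MULTIPLE
all tcp 198.51.100.20:60003 (10.0.1.50:52211) -> 203.0.113.9:443       ESTABLISHED:ESTABLISHED
all udp 198.51.100.20:60004 (10.10.0.1:51820) -> 203.0.113.7:51820       MULTIPLE:MULTIPLE'

# stuck_wg_states WAN_ADDR PORT  (state lines on stdin)
# Prints "src_addr:port dst_addr:port" for every UDP state to PORT whose
# (translated) source address is WAN_ADDR.
stuck_wg_states() {
    awk -v wan="$1" -v port="$2" '
        $2 == "udp" {
            # the peer endpoint is the field right after "->", whether or
            # not an original address in parentheses precedes it
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == "->") dst = $(i + 1)
            if (dst == "") next
            split($3, src, ":"); split(dst, peer, ":")
            if (src[1] == wan && peer[2] == port) print $3, dst
        }'
}

# count_stuck  (state lines on stdin): number of tunnels still on the backup WAN
count_stuck() {
    stuck_wg_states "$BACKUP_WAN" "$WG_PORT" | wc -l | tr -d ' '
}

# kill_commands  (state lines on stdin): one `pfctl -k src -k dst` per stuck
# state; printed rather than run so the operator can review before applying
kill_commands() {
    stuck_wg_states "$BACKUP_WAN" "$WG_PORT" | while read -r src dst; do
        echo "pfctl -k ${src%:*} -k ${dst%:*}"
    done
}

# On a live box replace the sample with: pfctl -ss | count_stuck
n=$(printf '%s\n' "$SAMPLE_STATES" | count_stuck)
echo "WireGuard states still on backup WAN $BACKUP_WAN: $n"
printf '%s\n' "$SAMPLE_STATES" | kill_commands
```

Run the printed commands only after the primary gateway shows as online in Status > Gateways; killing the states merely forces the next handshake to be routed fresh, and if the primary is still marked down the peers will simply come back on the backup again.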
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.