WireGuard Tunnels - Gateway Recovery Behaviour Intermittent
-
Hi All,
I wonder if anyone else has experienced this. For the life of me, I cannot 'consistently' get my Wireguard tunnels to re-establish on my primary gateway whenever I have a gateway failback event. The tunnels remain stuck on the backup gateway until I cycle that. I get it to work maybe once out of every 10, but that's luck of the draw.
I utilise the new settings in pfSense Plus for the Gateway Recovery, which is set to kill states on all lower-priority gateways on recovery. I watch the pftop state table at the time of a failback and it does kill the states; specifically, I watch the states for the WireGuard tunnels drop, but they all re-establish back on my backup connection, even though the primary is back online.
The gateway recovery works fine in all other scenarios, but Wireguard tunnels are incredibly flaky - in the main they rarely fail back.
Just as an aside, these are privacy VPN Wireguard tunnels via Mullvad, so I have no control over the remote end. I thought this was the best place for this post as the gateway recovery in the main works fine, it's just the Wireguard tunnels not really playing ball.
Just to confirm my config, within Advanced > Misc -
State Killing on Gateway Recovery = Kill ALL states for lower-priority gateways
State Killing on Gateway Failure = Kill states for all gateways which are down.
-
Hi!
I have the same on my pfSense-to-pfSense WireGuard tunnel.
When I have a gateway fallback on one side I need to reboot the remote side to have it up again.
Very, very annoying! Thank you!
-
This is still an issue as of 2.8.0 / 25.07, and it drives me crazy.
Gateway failure works as expected: the WireGuard tunnels will fail over to the backup gateway and continue on as normal, but will never recover once the failed gateway comes back online.
While a reboot will (usually) fix it, I usually just go into my routing settings and mark the secondary gateway as down, forcing it to revert back to the primary... the users tend to dislike it when I reboot the firewall in the middle of the day
-
@mreardon said in WireGuard Tunnels - Gateway Recovery Behaviour Intermittent:
This is still an issue as of 2.8.0 / 25.07, and it drives me crazy.
Gateway failure works as expected: the WireGuard tunnels will fail over to the backup gateway and continue on as normal, but will never recover once the failed gateway comes back online.
While a reboot will (usually) fix it, I usually just go into my routing settings and mark the secondary gateway as down, forcing it to revert back to the primary... the users tend to dislike it when I reboot the firewall in the middle of the day
Thanks for adding to the post - genuinely seems to be an issue, unsure if it's a Wireguard implementation problem or a pfSense issue at this stage though.
I don't know if anyone else has noticed, but it seems even worse on 25.07. I've got my WireGuard VPNs set as tiered, but pfSense is now pretty much ignoring those tiers in the failover group and firing traffic over whichever one it fancies.
Nothing has changed in my setup. Same failover group, same rules pointing traffic at the failover group with the appropriate tiers set - but the tiers don't seem to make any odds. I've recreated the failover group too.
I've gone back to 24.11 and it works fine there, so I'll stick on this one for a while I think.