Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Wireguard fails after reboot (2.8.0)

    Scheduled Pinned Locked Moved General pfSense Questions
    40 Posts 4 Posters 6.0k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      It feels more like some sort of race condition at boot. Like Wireguard tries to start on an interface that hasn't been setup yet, maybe a VPN or other tunnel type. That GIF tunnel perhaps? Can you try disabling that as a test?

      B 2 Replies Last reply Reply Quote 0
      • B Offline
        Buffalo0207 @stephenw10
        last edited by

        This post is deleted!
        1 Reply Last reply Reply Quote 0
        • B Offline
          Buffalo0207 @stephenw10
          last edited by Buffalo0207

          @stephenw10 I think we are getting somewhere and maybe to the route of the issue.

          I disabled the GIF tunnel (Hurricane Electric) as you suggested, rebooted, and the wireguard gateways and wireguard service status were stopped. However, when i started the GIF tunnel again, the wireguard gateways and wireguard service status automatically started up.

          There is a secondary issue however - once the wireguard service starts, the GIF Tunnel changes to 'Offline, Packetloss'. If I then restart the GIF tunnel, it remains 'Offline, Packetloss'.

          There definitely seems to be a link between the wireguard service and the GIF tunnel.

          1 Reply Last reply Reply Quote 0
          • stephenw10S Offline
            stephenw10 Netgate Administrator
            last edited by

            Hmm, is there some IP/subnet conflict between the GIF and Wireguard tunnels?

            B 3 Replies Last reply Reply Quote 0
            • B Offline
              Buffalo0207 @stephenw10
              last edited by

              @stephenw10 Not that I can see. The GIF tunnel (Hurricane Electric) is using 216.66.80.26 and the two wireguard tunnels use 10.102.1.114 and 10.102.100.206.

              1 Reply Last reply Reply Quote 0
              • B Offline
                Buffalo0207 @stephenw10
                last edited by Buffalo0207

                This post is deleted!
                1 Reply Last reply Reply Quote 1
                • B Offline
                  Buffalo0207 @stephenw10
                  last edited by Buffalo0207

                  @stephenw10 @stephenw10 I decided to consult chatgpt and have it write a bash script that runs immediately after boot in /usr/local/etc/rc.d/restart_gateways.sh. The wireguard tunnels now start automatically without any manual intervention. It seems that it was just a timing issue all along. The bash script works perfectly by first stopping and then restarting dpinger, and then waiting 20 secs to give the wireguard tunnels time to fully enable, before starting the wireguard service.

                  I did try to use the shellcmd package, but it didn't work as a delay is needed between making sure the wireguard gateways have fully started, before enabling the wireguard service.

                  #!/bin/sh
#
# Restart dpinger 5 sec after boot, then delay starting WireGuard by 20 secs
#

case "$1" in
    start)
        # Wait 5 secs before stopping dpinger
        /bin/sleep 5
        /usr/local/sbin/pfSsh.php playback svc stop dpinger
        /usr/local/sbin/pfSsh.php playback svc start dpinger

        # Wait 20 secs before starting WireGuard
        /bin/sleep 20
        /usr/local/sbin/pfSsh.php playback svc start wireguard
        ;;
    stop)
        # Nothing special on stop
        ;;
    restart)
        $0 stop
        $0 start
        ;;
esac

                  I haven't had any issues with the GIF tunnel (Hurricane Electric) since - i think it was just an anomally, as I have tested this script many times and it has started online every time since.

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S Offline
                    stephenw10 Netgate Administrator
                    last edited by

                    You could try an afterfilterchange shellcmd to trigger a script. That would be triggered when any tunnel comes up.

                    B 2 Replies Last reply Reply Quote 0
                    • B Offline
                      Buffalo0207 @stephenw10
                      last edited by

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • B Offline
                        Buffalo0207 @stephenw10
                        last edited by Buffalo0207

                        This post is deleted!
                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.