Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Wireguard suddenly refuses to handshake

    Scheduled Pinned Locked Moved WireGuard
    45 Posts 11 Posters 28.3k Views 11 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R Offline
      robearded
      last edited by

      After I had to restart my modem (so the WAN went down for some minutes on the pfsense) this problem happened to me again. I can't seem to be able to initiate the handshake whatever I do. I also checked "Disable Gateway Monitoring Action" checkbox for the wireguard gateway, however it's still not working

      X R 2 Replies Last reply Reply Quote 0
      • X Offline
        xxGBHxx @robearded
        last edited by

        @robearded So as of 3h ago my other WG connection has gone down for no reason again and now I can't get either of the tunnels up.

        This is so infuriating :(

        I can't believe it's just a handful of us.

        G

        cmcdonaldC 1 Reply Last reply Reply Quote 0
        • cmcdonaldC Offline
          cmcdonald Netgate Developer @xxGBHxx
          last edited by cmcdonald

          Hey all,

          Sorry you guys are having issues with handshakes.

          I do have an idea that might help illuminate where the problem lies, basically creating the tunnel from barebones at the shell and bypassing the GUI.

          Here are the steps (adjust addresses, names, etc. as necessary for your situation):

          1. Disable "WireGuard" in WireGuard > Settings. This keeps the daemon from starting. This is important because we are going to build the tunnel up manually at the shell. Though you can still create your tunnel and peer config as normal, just don't start the service.
          2. Login to pfSense shell via SSH or console cable.
          3. Use these commands to create the interface, assign addresses, add to interface group (if necessary) and sync WireGuard conf:

          This command creates a interface of type wg with name tun_wg0:

          $ ifconfig wg create name tun_wg0
          

          This command assigns an IPv4 inet address of 10.11.12.1/24 on tun_wg0:

          $ ifconfig tun_wg0 inet 10.11.12.1/24
          

          This command assigns tun_wg0 to interface group WireGuard:

          $ ifconfig tun_wg0 group WireGuard
          

          This command syncs tun_wg0 configuration using WireGuard userland tools wg :

          $ wg syncconf tun_wg0 /usr/local/etc/wireguard/tun_wg0.conf
          

          Note: /usr/local/etc/wireguard/tun_wg0.conf can be generated by the package, just keep the service disabled for the time-being.


          This command brings up tun_wg0 administratively:

          $ ifconfig tun_wg0 up
          

          At this point you should have a WireGuard tunnel interface built manually. You can now proceed with assigning it to pfSense, etc.

          This test is useful because it bypasses all WireGuard package semantics and only uses pfSense core logic...useful for isolating potential issues.

          Need help fast? https://www.netgate.com/support

          cmcdonaldC 1 Reply Last reply Reply Quote 1
          • cmcdonaldC Offline
            cmcdonald Netgate Developer @cmcdonald
            last edited by cmcdonald

            Youtube Video

            This video walks through several scenarios that should be applicable here, hopefully this helps!

            This video is more aimed at discussing the various ways I test and live with WireGuard on a daily basis, but I walk through the setup and configuration of each scenario.

            Need help fast? https://www.netgate.com/support

            1 Reply Last reply Reply Quote 2
            • R Offline
              robearded @robearded
              last edited by

              @robearded said in Wireguard suddenly refuses to handshake:

              After I had to restart my modem (so the WAN went down for some minutes on the pfsense) this problem happened to me again. I can't seem to be able to initiate the handshake whatever I do. I also checked "Disable Gateway Monitoring Action" checkbox for the wireguard gateway, however it's still not working

              It turns out this happened because of a change I did on the wireguard server without realizing it will break stuff. I'm not however sure if I did this change before the first occurrence of this problem, from what I remember it is after, but it is definitely possible to be before.
              I had some DNAT iptables rules in the PostUp and PostDown config of wireguard to forward some ports to pfsense, so I can use the public IP of the wg server as a public IP for the server running pfsense. I figured out that it would be easier to DNAT all ports (except SSH) and just do the firewalling inside pfsense, so I don't have to log in to the wg server everything I want to forward another port, and I can do it all from pfsense. Well, the problem is, that I didn't realized I also forwarded the port WG was listening on.

              1 Reply Last reply Reply Quote 0
              • W Offline
                Woodsomeister
                last edited by

                Hello,

                i'm facing the same problem with the error status of

                /usr/local/pkg/wireguard/includes/wg_service.inc: Static Routes: Gateway IP could not be found ...

                No handshake seems to happen anymore. Reinstalled the wireguard package several times, and also tried a new version of the kmod implementation. No success.

                J 1 Reply Last reply Reply Quote 0
                • J Offline
                  Jarhead @Woodsomeister
                  last edited by

                  @woodsomeister Post pictures of your wireguard tunnel, peers, interface and routes/gateway.

                  W 1 Reply Last reply Reply Quote 0
                  • W Offline
                    Woodsomeister @Jarhead
                    last edited by Woodsomeister

                    This post is deleted!
                    1 Reply Last reply Reply Quote 0
                    • W Offline
                      Woodsomeister
                      last edited by

                      @jarhead

                      db075573-511b-40b1-80d6-521308b7b695-grafik.png

                      78b38520-dbd0-4520-8cc7-a94f3e4e379d-grafik.png

                      1851e669-35d4-41b5-b2cb-ccdd98e4d295-grafik.png

                      Routes were added for the marked Wireguard interface and i also configured the interface using the right IPv4 static IP (10.0.41.1, peer is 10.0.41.2). (no screenshot)
                      Unfortunatly i had to switched back to IPSec, so that's why everything is deactivated.

                      J 1 Reply Last reply Reply Quote 0
                      • J Offline
                        Jarhead @Woodsomeister
                        last edited by

                        @woodsomeister You have to add the tunnel as an allowed IP.
                        Did this ever work?

                        W 1 Reply Last reply Reply Quote 0
                        • W Offline
                          Woodsomeister @Jarhead
                          last edited by

                          @jarhead For several weeks. In the other side is also a Opnsense under my control. Everything was working as expected, but after a restart some days ago i went into this problem.

                          1 Reply Last reply Reply Quote 0
                          • itheadquartersI Offline
                            itheadquarters @xxGBHxx
                            last edited by

                            @xxgbhxx I tried the version 0.0.20210606_1 solution and now wireguard crashes and I get crash reports. I tried uninstalling wireguard and installing but now the WG service won't stay running.
                            What's my next step?

                            N X 2 Replies Last reply Reply Quote 0
                            • N Offline
                              n3IVI0
                              last edited by

                              DO NOT DO THIS.

                              Changing the wireguard-kmod package will cause kernel panics and take down your pfSense box.

                              I have the same problem with WireGuard not handshaking, but this solution DOES NOT fix it. FYI.

                              1 Reply Last reply Reply Quote 0
                              • N Offline
                                n3IVI0 @itheadquarters
                                last edited by n3IVI0

                                @itheadquarters Same thing happened to me. You need to SSH into your box, run 'pkg install wireguard-kmod'. This will put your package back to wireguard-kmod-0.0.20211105. This doesn't fix the handshake problem, but it will stop the kernel panics.

                                You can check your version numbers with 'pkg info -l wireguard-kmod'

                                1 Reply Last reply Reply Quote 0
                                • X Offline
                                  xxGBHxx @itheadquarters
                                  last edited by

                                  @itheadquarters Sorry no notifications you'd replied to me. That wasn't my suggestion by the way.

                                  I've given up with pfSense' implementation of Wireguard. I find it unstable and flakey as hell.

                                  I purposely don't touch it once it's working and pray it's going to keep working. I've had a few unexplained random drops since I posted this and I just bypass the vpn until it comes back up which might be minutes, hours or days.

                                  To illustrate this I have relatively recently set up a new connection to one of the VPN providers I've set the connection up to before. The settings are identical (obviously not they key's). Everything I can see is set up exactly the same as the working one and it has NEVER worked.

                                  I've deleted and re-built that VPN 10+ times and it will never connect. In anger I set up and configured a brand new Opnsense VM using the exact same keys and settings and it worked instantly first time. It's never dropped. Not even once.

                                  I can only go by what I find. If you're lucky, you get no issues but I have found, with my setup, Wireguard is just broken.

                                  As soon as I get a few days free I'm going to be converting over to Opnsense full time not elast as its fairly clear to me that Netgate have walked away from the community version of PFSense.

                                  N 3 Replies Last reply Reply Quote 1
                                  • N Offline
                                    n3IVI0 @xxGBHxx
                                    last edited by

                                    @xxgbhxx Does Opnsense have a variant of PFBlockerNG?

                                    1 Reply Last reply Reply Quote 0
                                    • N Offline
                                      n3IVI0 @xxGBHxx
                                      last edited by

                                      @xxgbhxx I may have too also. I can't keep wrestling with this. I've wasted endless time trying to find out what's wrong, only to find out it's a bad implementation of the WireGuard package. I was running myself crazy, wondering if it was some problem with my ISP, or some arcane config setting. Unbelievable.

                                      S X 2 Replies Last reply Reply Quote 0
                                      • S Offline
                                        sLy1337 @n3IVI0
                                        last edited by

                                        @n3ivi0 guess that's why it is marked EXPERIMENTAL :-)

                                        X N 2 Replies Last reply Reply Quote 0
                                        • X Offline
                                          xxGBHxx @n3IVI0
                                          last edited by

                                          This post is deleted!
                                          1 Reply Last reply Reply Quote 0
                                          • X Offline
                                            xxGBHxx @sLy1337
                                            last edited by

                                            @sly1337 Wireguard on FreeBSD has been an unmitigated disaster but at least it's going to be kernel native for v14 and written in conjunction with JD.

                                            But we need to remember the absolutely dire implementation that led to that situation that had been funded by Netgate and then grossly mismanaged. So much so it led to a very public argument between the author of Wireshark and Netgate.

                                            We shouldn't be surprised almost 2 years later it's still in a shambles really.

                                            N 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.