Strange Wireguard Setup Problem
-
I can set up WireGuard and it connects fine. If I then turn off the OpenVPN client that the server is running, WireGuard disconnects and cannot reconnect. When I turn the OpenVPN client back on, WireGuard connects again.
I have NAT rules like LAN IP range to any over the WireGuard interface. I have a similar rule on LAN Net to any over the LAN interface. I have a rule on the WireGuard interface and the WireGuard-specific interface to allow all traffic. I have the interfaces set up with the IPv4 upstream gateway.
Why is this happening and how do I fix it?
-
Does anyone have any idea how to solve this? I am on the latest stable pfSense.
What is strange is that I have used my exact setup before to make a WireGuard connection to a different VPN provider and I did not have this issue. I simply duplicated what I did there in this VPN.
-
As is typical you've been left with no replies. I rarely come to these forums as the "support" is generally shocking as unless you're now paying, Netgate seems to not care. It's free so I guess I shouldn't complain.
That said, FWIW I find the WireGuard implementation on pfSense to be incredibly flaky. I've documented a number of my issues with it on here before. It's inconsistent, illogical and will often just stop working with exactly the same config for no reason (I've had countless issues with the WG VPN just dropping randomly and not being able to reconnect. Even a re-installation of the VM image didn't repair it.)
Once it's working I'm now petrified to upgrade (twice it's broken WG so hard I've had to rebuild from scratch) or reboot (4 times I've rebooted and the tunnel has never come back up), so I try to maximise my uptime as much as I can with it. Also FWIW I've also run WG in an OPNsense FW to the exact same connection in the exact same way and I've yet to have it disconnect or fail after a reboot. Anecdotal apples to pears, but hey, it is what it is.
So your issue I think is caused by your OpenVPN tunnel acting as the default route. This means when the WG tunnel is brought up I think it looks to use the default interface. You will need to enter a static route to the far side WG gateway with the gateway being set as the WAN connection (i.e. your unencrypted WAN GW). This will then force the WG tunnel to come up on the WAN instead of on the OpenVPN link. I had exactly the same issue and IIRC that's how I solved it.
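The route lookup @xxgbhxx describes, as an added example that is not from this thread and not pfSense code: a toy longest-prefix-match routing table showing why packets to the WireGuard peer follow the OpenVPN default route until a /32 static route to the peer via the WAN gateway is added. The interface names, the addresses, and the modelling of the default route as unusable while the OpenVPN client is down are assumptions chosen to reproduce the symptom the OP reports.

```python
import ipaddress

# Constructed placeholder values, not addresses from the thread.
WG_ENDPOINT = "203.0.113.10"   # far-side WireGuard peer (TEST-NET-3)
WAN_GW = "198.51.100.1"        # unencrypted WAN upstream gateway (TEST-NET-2)
OVPN_GW = "10.8.0.1"           # gateway inside the OpenVPN client tunnel


class RoutingTable:
    """Minimal longest-prefix-match table; a route only counts if its interface is up."""

    def __init__(self):
        self.routes = []       # list of (network, gateway, iface)
        self.iface_up = {}

    def add(self, prefix, gateway, iface, up=True):
        self.routes.append((ipaddress.ip_network(prefix), gateway, iface))
        self.iface_up[iface] = up

    def lookup(self, dst):
        """Return (iface, gateway) used to reach dst, or None if no usable route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and self.iface_up.get(iface, False):
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, gw, iface)
        return None if best is None else (best[2], best[1])


def build_table(static_route, ovpn_up):
    """Default route via the OpenVPN client (as in the thread), plus an optional
    /32 to the WireGuard peer via WAN. Assumption: the default route becomes
    unusable while the OpenVPN client is down, which matches the reported symptom."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", OVPN_GW, "ovpnc1", up=ovpn_up)
    if static_route:
        rt.add(WG_ENDPOINT + "/32", WAN_GW, "wan")
    return rt


def wg_egress(static_route, ovpn_up):
    """Which interface and gateway carry WireGuard handshake packets to the peer."""
    return build_table(static_route, ovpn_up).lookup(WG_ENDPOINT)


if __name__ == "__main__":
    for static in (False, True):
        for ovpn in (True, False):
            print(f"static_route={static!s:5} ovpn_up={ovpn!s:5} -> {wg_egress(static, ovpn)}")
```

Without the /32 the peer is reached only through the tunnel that happens to be the default route; with it the handshake always leaves via WAN, whatever the OpenVPN client is doing.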
-
@xxgbhxx WTF are you even talking about??? This forum is full of solutions to problems both simple & complex. And despite your nonsensical claim that nobody will help you unless you pay for support, both Netgate's JimP and SteveW are quite active & help everyone they can. And that isn't counting all of the other users who help. Look at the posts in every category. How many go unanswered? How many get solved? You're talking out of your ass here.
As for Wireguard, I've been using it site-to-site to my company and it's been rock-solid. I haven't read any similar complaints from other people. I've upgraded several times without incident -- including my WG config.
Nothing is perfect but considering you're paying jack-effing-squat, you're right -- you don't have much right to complain and yet here you are. The value and support here is far better than most open-source projects I've interacted with.
-
@kom Not to mention this is the third time (at least) that Ryu945 asked the same question and I replied to one of them but he never replied to that post.
-
@kom said in Strange Wireguard Setup Problem:
@xxgbhxx WTF are you even talking about??? This forum is full of solutions to problems both simple & complex. And despite your nonsensical claim that nobody will help you unless you pay for support, both Netgate's JimP and SteveW are quite active & help everyone they can. And that isn't counting all of the other users who help. Look at the posts in every category. How many go unanswered? How many get solved? You're talking out of your ass here.
As for Wireguard, I've been using it site-to-site to my company and it's been rock-solid. I haven't read any similar complaints from other people. I've upgraded several times without incident -- including my WG config.
Nothing is perfect but considering you're paying jack-effing-squat, you're right -- you don't have much right to complain and yet here you are. The value and support here is far better than most open-source projects I've interacted with.
Ahh rabid fanboys are always the funniest.
This specific subforum is littered with unanswered questions, people complaining of erratic and unstable behaviour and the general instability with the Wireguard implementation. Posts often go unanswered or may be answered but then there's no follow up. I know, I've been there more than once.
You're falling for a logical fallacy (not for the first time in your post) "It's ok for me then it must be ok for you" is a flawed response. Just because people are using it without an issue doesn't mean everyone is. It also doesn't mean there isn't an issue. It just means you've not been affected by it and good for you. But that's not me or the countless others who've posted in this sub over the last few years with WG issues.
Here's another one of those fallacies: "It's free so why are you complaining? You shouldn't expect it to work." Maybe, but that's not helpful for others who might read this or don't know to expect it not to work. Like it or not, this part of the project seems to have been sidelined by their own admission. Netgate have simply done what so many vendors before them have also done. Taken an open source product, made it better with the help and support of the community, then taken it closed source and thrown the users of that free product to the wolves. Notice how it's now been 6 months since the last patch or update? Ironically for me the only thing keeping me using this dead end product is a third party plugin that's nothing to do with Netgate (pfBlocker). If it wasn't for that I would have bailed to something else already.
Let's also not forget the first implementation of WG in PF and what an unmitigated technical and security disaster that was. So much so that WG's creator specifically called out Netgate as bad actors acting in bad faith. I didn't do much follow up after that but it highlighted the attitude and lax approach Netgate had as a company. I don't think the WG implementation has ever recovered from that or been properly implemented as a result. After all, next to nothing has been done with it since it was hastily shoehorned in when they had to pull the disaster that was the original code.
You find and see what you want to see, I'm quite comfortable in what I see.
-
@xxgbhxx Yes, that's me the rabid fanboy who has posted here a handful of times in the past 6 months. Are you sure you're not just being super-defensive because someone called you out on your bullshit? Could that be it??
This specific subforum is littered with unanswered questions, people complaining of erratic and unstable behaviour and the general instability with the Wireguard implementation.
Like where, specifically? Show me all these alleged posts. Then show me how any you find are conclusively due to the WG implementation and not just bonehead users misconfiguring. I'll wait.
You're falling for a logical fallacy (not for the first time in your post) "It's ok for me then it must be ok for you" is a flawed response.
As opposed to your "I had a problem ergo it's shit" approach? lol. To quote you right back, just because you had a problem with it doesn't mean everyone or anyone else does.
Let's also not forget the first implementation of WG in PF and what an unmitigated technical and security disaster that was.
Speaking of logical fallacies, what does that have to do with anything? "The previous thing was shit ergo the new thing which is totally different must also be shit" lol.
Instead of whining, just leave. If it doesn't work for you and you think the support you get for free is substandard then leave. You bitching here doesn't accomplish anything. It just makes you look like a whiny loser.
-
@kom said in Strange Wireguard Setup Problem:
@xxgbhxx Yes, that's me the rabid fanboy who has posted here a handful of times in the past 6 months. Are you sure you're not just being super-defensive because someone called you out on your bullshit? Could that be it??
This specific subforum is littered with unanswered questions, people complaining of erratic and unstable behaviour and the general instability with the Wireguard implementation.
Like where, specifically? Show me all these alleged posts. Then show me how any you find are conclusively due to the WG implementation and not just bonehead users misconfiguring. I'll wait.
You're falling for a logical fallacy (not for the first time in your post) "It's ok for me then it must be ok for you" is a flawed response.
As opposed to your "I had a problem ergo it's shit" approach? lol. To quote you right back, just because you had a problem with it doesn't mean everyone or anyone else does.
Let's also not forget the first implementation of WG in PF and what an unmitigated technical and security disaster that was.
Speaking of logical fallacies, what does that have to do with anything? "The previous thing was shit ergo the new thing which is totally different must also be shit" lol.
Instead of whining, just leave. If it doesn't work for you and you think the support you get for free is substandard then leave. You bitching here doesn't accomplish anything. It just makes you look like a whiny loser.
What's so funny to me is you've not even bothered to check your own rabid ramblings before posting. But let's rip your post apart.
So first, you strawman. I didn't once mention how many times you post, I called you a rabid fanboy. What does the number of times you post have to do with being a rabid fanboy? Next, no, I'm not super defensive; you're just blinkered and ignorant, but that's ok, you probably can't help it.
I'm not here to prove myself to you. I know the posts are there. But you know what? As you're so obnoxious I thought I'd do some analysis just to show how misguided you are.
Of the top 25 or 30 posts I see in this forum, 10 have had ZERO replies (so exactly 1/3 of the posts). Of the remaining 20, of the ones I checked:
- 1 has no response but has been added to 3 times by the OP - NO RESOLUTION, NO NG POST
- 1 has no response but was solved by the user re-installing 3 times (?!) - RESOLUTION, NO NG POST
- 1 Has no answers and is just the OP and one other talking about having the same issue - NO RESOLUTION, NO NG POST
- 1 Has no answers and is again just two people comparing the fact they have the same issue - NO RESOLUTION, NO NG POST
- 1 Has OP reposting to bump the issue - NO RESOLUTION, NO NG POST
- 1 Has OP posting issue, someone else stating it's amazing how much he's done - NO RESOLUTION, NO NG POST
- 1 Has resolution of sorts - RESOLUTION, NG POST
- 1 has resolution - RESOLUTION, NO NG POST
- 1 has no resolution as OP stopped responding - NO RESOLUTION, NO NG POST
- 1 has resolution OP sorted it himself - RESOLUTION, NO NG POST
- 1 has resolution OP sorted it himself but doesn't know what fixed it - RESOLUTION, NO NG POST
- 1 highlights a bug in NG's WG implementation - NO RESOLUTION, NO NG POST
So just to tally up the ones I checked:
10 have ZERO response including the OP
4 are just the OP bumping their own post
3 Have no resolution but is the OP and one other discussing the same issue
5 have resolutions for various reasons, 3 the OP sorted themselves, one after reinstalling 3 times
One the OP stopped responding
One is a bug with WG
I didn't check the rest; the pattern was clear.
Of all those posts I checked only 2 I could see had responses from Netgate. Of the posts I checked, only 5 out of the 30 or so had a resolution. Whether it is something wrong with the coding side of the implementation, the documentation side, the support side or the GUI it all leads to lots of people posting lots of problems they don't get or can't find help with.
Now, as I've just shown above, there are a number of people with problems, many of whom don't get resolution (in fact far more people post without resolution than otherwise). But likewise you have ZERO idea or knowledge of how many people are actually using WG on PF. It MAY be that thousands have tried, failed and never posted and just gone and used OpenVPN. It may be this board is 90% of the people using it and you're in a tiny minority of those with it working, or maybe this forum is 0.00001% of the people using it. Who knows.
But there you go strawmanning me again. I never said everyone had issues, I said the implementation on PF is flawed, and judging by the number of issues posted in this forum, the types of issues and the number of times people just suddenly get it working by randomly re-installing it multiple times, there's something wrong with it on PF. But you do realise something can be flawed and still work for many people, yeah? No, you probably don't.
Their track record and history with implementing WG is relevant as is their relationship (or otherwise) with the person who wrote it. That rocky start and then the hasty backporting of the FreeBSD WG implementation, which itself was originally not fit for use might suggest that it wasn't as planned or clean as they might have hoped. Of course a broken, flawed implementation doesn't mean the second one will be as well. But it also doesn't rule it out and as the saying goes, once bitten, twice shy.
As this will be my last post on this as we've veered wildly off track I will say this. Netgate are NOT a good company in my opinion. I don't like their attitude, I don't like their approach and I believe they've simply cut the CE edition loose now they have no further need for it. Capitalism at its best but I don't have to like it.
-
@jarhead Which reply did I miss?
-
@xxgbhxx said in Strange Wireguard Setup Problem:
So your issue I think is caused by your OpenVPN tunnel acting as the default route.
This ended up being the issue. Even though my pfSense configuration said the WireGuard interface was the default route, I had to force it to WAN. Now it works fine. Now that I have forced it to WAN one time, I find WireGuard is connecting fine whether I have the default route set to WAN or the WireGuard interface. This is strange, that WireGuard as default route works now when it didn't before, and I suspect it is related to some underlying bug. From my experience with 2.6.0 so far, I have noticed things acting buggy. It is the first time I had a configuration fail to apply. I think I was applying a DNS resolver configuration and I had to apply a different configuration before I could apply the one I intended to, as clicking save and reapply did not reapply it. This version of pfSense feels like it should have stayed in the development branch for longer.