Netgate Discussion Forum
    Wireguard refusing handshake bug from gui

    Category: WireGuard
    2 Posts, 2 Posters, 1.3k Views

    chowder wrote:

      Re: Wireguard suddenly refuses to handshake

      Sorry to reply to an old topic, but some people reported the issue still happens, and at least on my installation I found the bug, and it's a very repeatable and isolated one.

      pfSense-CE-2.7.0-DEVELOPMENT-amd64-latest
      pfSense-pkg-WireGuard 0.1.6_5
      wireguard-kmod 0.0.20220615_1
      wireguard-tools-lite 1.0.20210914_1

      For setting up IVPN, I followed this guide: https://www.ivpn.net/setup/router/pfsense-wireguard
      and this guide https://mullvad.net/en/help/pfsense-with-wireguard/ is very similar.

      However, after all rules and peers were entered, the WebGUI reported that my tunnel had no peers, even though the tunnel view showed it had peers. No handshake would happen as a result.

      The GUI offers to put in the Allowed IPs but when using 0.0.0.0/0 for example it will overwrite the input and leave it blank when you go back to that peer's setting.

      Looking in the config file, /usr/local/etc/wireguard/tun_wg0.conf, the settings end up getting written in the peer as:

      ...
      AllowedIPs = /32,/128
      

      Every time I touch any of the WireGuard settings in the GUI, the config file will be changed to the above, resulting in no handshake and no peer shown in the tunnel status page.

      Restarting the service from the GUI then produces an error and a link to a 404 syslog.

      At least for IVPN, I need the AllowedIPs to look like this:

      AllowedIPs = 0.0.0.0/0, ::/0
      

      I changed this manually on the server, then applied the changes with:

      wg syncconf tun_wg0 /usr/local/etc/wireguard/tun_wg0.conf
      

      and restarted wg with:

      ifconfig tun_wg0 down && ifconfig tun_wg0 up
      

      As long as I keep from touching the WireGuard GUI, the peers will connect successfully and all the respective rules act as expected. These changes do not survive a reboot, unfortunately.

      Gremlin999 wrote (last edited by Gremlin999):
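      As an added example (not code from this thread, and not part of the pfSense WireGuard package), the following POSIX sh script does the manual repair from the post above in a form that can be run at boot or from cron: it checks tun_wg0.conf for the blank form `AllowedIPs = /32,/128`, rewrites only such lines to the intended value, and then resyncs the tunnel with `wg syncconf`. The config path, the tunnel name and the value `0.0.0.0/0, ::/0` are taken from the post; the function names, the `--apply` flag and the sample config in `demo` are constructed for the example. It does not fix the GUI bug itself, it only repairs the file after the GUI has rewritten it.

```shell
#!/bin/sh
# Added example: repair a WireGuard peer's AllowedIPs line that the pfSense GUI
# wrote as bare prefix lengths ("/32,/128") and resync the running tunnel.
# Assumed values (from the thread): config path, tunnel name, wanted AllowedIPs.
WG_CONF="${WG_CONF:-/usr/local/etc/wireguard/tun_wg0.conf}"
WG_TUN="${WG_TUN:-tun_wg0}"
WANTED_ALLOWED="${WANTED_ALLOWED:-0.0.0.0/0, ::/0}"

# Return 0 when the file has an AllowedIPs line made only of prefix lengths
# with no addresses in front of them (the broken form from the thread).
# A deliberately narrow but valid value such as "10.0.0.0/8" is left alone.
allowed_ips_broken() {
    grep -Eq '^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*(/[0-9]+[[:space:]]*,?[[:space:]]*)+$' "$1"
}

# Rewrite every broken AllowedIPs line in $1 to "AllowedIPs = $2".
# Writes through a temp file so it works with both GNU and BSD sed (no -i).
repair_allowed_ips() {
    conf="$1"; wanted="$2"
    tmp="${conf}.tmp.$$"
    sed -E "s#^([[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*)(/[0-9]+[[:space:]]*,?[[:space:]]*)+\$#\1${wanted}#" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Return the (first) AllowedIPs value currently in the file, for checking.
current_allowed_ips() {
    sed -nE 's/^[[:space:]]*AllowedIPs[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Push the repaired file into the running interface, as done by hand in the thread.
resync_tunnel() {
    wg syncconf "$WG_TUN" "$WG_CONF"
}

# Constructed sample config (keys and endpoint are placeholders, not real values):
# repairs it in a temp dir and prints the resulting AllowedIPs line.
demo() {
    d=$(mktemp -d)
    f="$d/tun_wg0.conf"
    printf '%s\n' '[Interface]' 'PrivateKey = PLACEHOLDER_PRIVATE_KEY' '' \
        '[Peer]' 'PublicKey = PLACEHOLDER_PEER_KEY' 'AllowedIPs = /32,/128' \
        'Endpoint = 203.0.113.1:51820' > "$f"
    if allowed_ips_broken "$f"; then
        repair_allowed_ips "$f" "$WANTED_ALLOWED"
    fi
    current_allowed_ips "$f"
    rm -rf "$d"
}

# Real use: ./fix_wg_allowedips.sh --apply   (run at boot or after touching the GUI)
# Without --apply the script only runs the offline demo.
if [ "${1:-}" = "--apply" ]; then
    if allowed_ips_broken "$WG_CONF"; then
        repair_allowed_ips "$WG_CONF" "$WANTED_ALLOWED"
        resync_tunnel
    fi
else
    demo
fi
```

      The repair regex only matches lines that have no address at all, so a peer whose AllowedIPs was intentionally narrowed is not silently widened to `0.0.0.0/0, ::/0`; that value routes all traffic into the tunnel, which is what the IVPN/Mullvad setup wants but not every peer.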

        Thanks, this fix definitely worked and I can confirm this is the problem with my setup. Has anyone already tried to implement a patch or a script to run on startup to fix this? New to the pfSense project and a big fan of WireGuard; is there a GitHub/GitLab where we can submit issues/fixes for this? [EDIT: disregard, it seems that the tunnel reset corrected the issue initially, although follow-up attempts have been met with a working handshake but no flowing traffic. Might be easier to move to another VPN protocol at this stage]

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.