Netgate Discussion Forum
Wireguard refusing handshake bug from gui

    chowder, last edited Feb 23, 2023, 12:24 AM

    Re: Wireguard suddenly refuses to handshake

    Sorry to reply to an old topic but some people reported the issue still happens and at least on my installation I found the bug and it's a very repeatable and isolated one.

    pfSense-CE-2.7.0-DEVELOPMENT-amd64-latest
    pfSense-pkg-WireGuard 0.1.6_5
    wireguard-kmod 0.0.20220615_1
    wireguard-tools-lite 1.0.20210914_1

    For setting up IVPN, I followed this guide: https://www.ivpn.net/setup/router/pfsense-wireguard
    and this guide https://mullvad.net/en/help/pfsense-with-wireguard/ is very similar.

    However, in the WebGUI, after all rules and peers were entered, the GUI reported that my tunnel had no peers even though the tunnel view showed it had peers. No handshake would happen as a result.

    The GUI offers to put in the Allowed IPs, but when using 0.0.0.0/0, for example, it will overwrite the input and leave it blank when you go back to that peer's settings.

    Looking in the config file, /usr/local/etc/wireguard/tun_wg0.conf, the settings end up getting written in the peer as:

    ...
    AllowedIPs = /32,/128
    

    Every time I touch any of the WireGuard settings in the GUI, the config file will be changed to the above. This results in no handshake and no peer shown on the tunnel status page.

    Restarting the service from the GUI then produces an error and a link to the syslog that returns a 404.

    At least for IVPN, I need the AllowedIPs to look like this:

    AllowedIPs = 0.0.0.0/0, ::/0
    

    I changed this manually on the server, then applied the changes with:

    wg syncconf tun_wg0 /usr/local/etc/wireguard/tun_wg0.conf
    

    and restarted wg with:

    ifconfig tun_wg0 down && ifconfig tun_wg0 up
    

    As long as I keep from touching the WireGuard GUI, the peers will connect successfully and all the respective rules act as expected. These changes do not survive a reboot, unfortunately.

    Gremlin999, Apr 16, 2024, 8:39 AM (last edited by Gremlin999 Apr 16, 2024, 9:35 AM)

      Thanks, this fix definitely worked and I can confirm this is the problem with my setup. Has anyone already tried to implement a patch or a script to run on startup to fix this? New to the pfSense project and a big fan of WireGuard; is there a GitHub/GitLab where we can submit issues/fixes for this? [EDIT: disregard, it seems that the tunnel reset corrected the issue initially, although follow-up attempts have been met with a working handshake but no flowing traffic. Might be easier to move to another VPN protocol at this stage.]

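An added startup check, not code from either poster, for the symptom described in this thread: it reads a WireGuard tunnel config (assumed to be at the thread's path, /usr/local/etc/wireguard/tun_wg0.conf) and fails if any AllowedIPs entry is missing the address before its prefix, so a boot-time script can report the corruption instead of silently bringing up a tunnel that will never handshake.

```shell
#!/bin/sh
# Added example (not from the thread): detect the "AllowedIPs = /32,/128"
# corruption in a WireGuard config file before trusting the tunnel.
# Exit status 0 means every AllowedIPs entry carries an address; 1 means at
# least one entry is empty or starts with "/" (the bug's symptom), or the
# file has no AllowedIPs line at all.

# Print the file's AllowedIPs entries one per line, whitespace trimmed.
allowed_ips_entries() {
    grep -i '^[[:space:]]*AllowedIPs[[:space:]]*=' "$1" 2>/dev/null \
        | sed 's/^[^=]*=//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if all entries look like <IPv4 or IPv6 address>/<prefix>, else 1.
check_allowed_ips() {
    conf="$1"
    status=0
    # Here-document instead of a pipe so $status survives the loop (POSIX sh).
    while IFS= read -r entry; do
        if ! printf '%s\n' "$entry" | grep -Eq '^[0-9A-Fa-f.:]+/[0-9]{1,3}$'; then
            echo "$conf: missing or malformed AllowedIPs entry '$entry'" >&2
            status=1
        fi
    done <<EOF
$(allowed_ips_entries "$conf")
EOF
    return $status
}

# Boot-time usage (for example from a shellcmd entry): fail loudly so the
# broken config is noticed instead of a tunnel that never handshakes.
if [ -n "$1" ]; then
    check_allowed_ips "$1" && echo "$1: AllowedIPs look sane"
fi
```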
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.