After rebooting OPNsense 25.7, WireGuard stops working (connections don't work)
*** Tested and verified the issue in versions 25.1.10 and 25.7 *** *** Tested on bare metal and in a virtual machine, with the same issue on both ***
After rebooting OPNsense, WireGuard stops working: clients connect, everything looks normal, the WireGuard status shows the client handshake, the connection ports are OK, the client can send data, but WireGuard doesn't send data back to the client.
Routes are also correct and firewall rules are OK.
The solution found is restarting the service from Lobby->Dashboard or from the CLI using the command: /usr/local/sbin/pluginctl -s wireguard restart
For some reason, on boot WireGuard isn't properly configured and needs a service restart after the system has completely booted.
This issue needs urgent investigation from the development team.
OPNsense 25.7 (amd64). Intel® Xeon™ D-2123IT 2.20GHz Quad Core. Network: Intel® I350-AM4
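The symptom reported above (handshake completes, the client sends bytes, the firewall never sends any back) is visible in the kernel's own counters, so it can be checked from a script instead of by eye. The following is an added example, not code from the issue or from the OPNsense project: it parses the output of `wg show all dump` (wireguard-tools, present on OPNsense as /usr/local/bin/wg), flags peers with a recent handshake, a non-zero receive counter and a zero transmit counter, and restarts the plugin with the same pluginctl command the author used. The interface name, peer keys, endpoints and byte counts in the test data are constructed; the 300-second handshake window and the log tag are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or OPNsense): detect WireGuard peers that
# have handshaken and received traffic but never sent any, then restart the
# plugin. Format of `wg show all dump`: interface header lines have 5 fields
# (iface private-key public-key listen-port fwmark); peer lines have 9 fields
# (iface public-key preshared-key endpoint allowed-ips latest-handshake
# transfer-rx transfer-tx persistent-keepalive).

# stuck_peers NOW [MAX_AGE] < dump
# Prints "iface pubkey rx tx" for every peer whose latest handshake is at
# most MAX_AGE seconds (default 300, an assumption) before NOW, that has
# received bytes (rx > 0) and has sent none (tx == 0). Peers that never
# handshaked (latest-handshake 0) are ignored: that is a different failure.
stuck_peers() {
    now="$1"
    max_age="${2:-300}"
    awk -v now="$now" -v max_age="$max_age" '
        NF == 9 {
            hs = $6; rx = $7; tx = $8
            if (hs > 0 && now - hs <= max_age && rx > 0 && tx == 0)
                print $1, $2, rx, tx
        }'
}

# check_and_restart: evaluate the live kernel state; if any peer is stuck,
# log it and restart the WireGuard plugin. Returns 1 when a restart was
# issued, 0 when everything looked healthy.
check_and_restart() {
    stuck=$(/usr/local/bin/wg show all dump | stuck_peers "$(date +%s)" 300)
    if [ -n "$stuck" ]; then
        logger -t wg-check "stuck WireGuard peers, restarting: $stuck"
        /usr/local/sbin/pluginctl -s wireguard restart
        return 1
    fi
    return 0
}

# Only touch the live system when explicitly asked: `sh wg-check.sh run`.
if [ "${1:-}" = "run" ]; then
    check_and_restart
fi
```

Run it once a couple of minutes after boot (for example from a cron job) with the `run` argument; without it the script only defines the two functions, so `stuck_peers` can be exercised against a saved dump. The restart is a band-aid that mirrors the manual workaround above, not a fix for whatever is misconfigured at boot.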
Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
The easiest option to gain traction is to close this ticket and open a new one using one of our templates.
Found another fix for the issue: creating a manual NAT outbound rule:
- Firewall->NAT->Outbound
- Change to Hybrid outbound NAT
- Create a new manual rule: Source: WG_VPN (the WireGuard interface net), Source Port: *, Destination: *, Destination Port: *, NAT Address: Interface address, NAT Port: *, Static Port: NO
Add a description and Save->Apply
If you have servers with public IP addresses behind the firewall using One-to-One NAT, in Destination put !RFC1918 (inverted RFC1918), where RFC1918 is an alias with the three RFC1918 subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), or, if you prefer, use an alias with your subnets behind the firewall. Source: WG_VPN (the WireGuard interface net), Source Port: *, Destination: !RFC1918, Destination Port: *, NAT Address: Interface address, NAT Port: *, Static Port: NO
Tested several times after reboot, and WireGuard keeps working in versions 25.1.10 and 25.7.
Something I figured out (25.7.5 - Mullvad VPN):
HOW TO REPRODUCE:
- When I reboot, the WireGuard VPN connection is lost.
- If I go to VPN: WireGuard: Status, I see that the PEER is red, while the instance is green.
WORKAROUND:
- I deactivate the PEER and the INSTANCE and press APPLY.
- Now, this is important: I click the PEER first and activate it (APPLY), then I go to the INSTANCE and activate it (APPLY).
It seems like we have to activate the PEER first and then the INSTANCE. Then it works.
Not practical to manually activate WireGuard after a reboot. See the configuration fix above using Hybrid NAT, 100% working until now.
The problem is that the workaround didn't work for me (the one about creating a Firewall->NAT->Outbound rule).
Let me give you more details:
- I have a working VPN interface and peer.
- I already have the NAT Outbound rule (this was created already).
- Now I reboot OPNsense.
- For some reason, the PEER is red. In other words, the workaround didn't work here.
WORKAROUND 2 (when the initial workaround doesn't work):
- Go to VPN / WireGuard / Instances (click the disable checkbox)
- Go to VPN / WireGuard / Peers (click the disable checkbox)
- Apply
- Go to VPN / WireGuard / Peers (click ENABLE), then APPLY.
- Go to VPN / WireGuard / Instances (click ENABLE), then APPLY.
And it's working again.
As I said, it seems like after the reboot, OPNsense is trying to create the INTERFACE first and then the PEER. I'm wondering if that's not the right order?
Anyway, thanks everyone.
glufke: In image2 you have Source as LAN net, but the source should be your WireGuard net (WG_VPN net, or whatever name you gave to the interface). Go to Interfaces to see the name you gave to your WireGuard interface; the source should be the network of that interface.