An odd issue has plagued this install over the past year; I was hoping the most recent update would fix it, but it does not.
Whenever the device reboots I have to manually log into the UI and hit "Apply" on the main WireGuard configuration page for the service to start correctly. I have attempted to uninstall and reinstall with no improvement; my next step would be a complete OS rebuild, which I am trying to avoid.
When I hop on the console/shell after a reboot I see the following:
root@pdx1fw1:~ # service wireguard status
Unable to access interface: Device not configured
Starting it via the CLI does not work correctly either: the status/interfaces are created, but traffic is not actually passable until I log in to the UI and again hit "Apply" on the config page.
root@pdx1fw1:~ # service wireguard start
[#] ifconfig wg create name wg0
[#] wg setconf wg0 /dev/stdin
[#] ifconfig wg0 inet 192.168.255.3/24 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet 10.2.0.0/16 -interface wg0
[#] route -q -n add -inet 10.1.0.0/16 -interface wg0
[+] Backgrounding route monitor
root@pdx1fw1:~ # service wireguard status
interface: wg0
public key: <snip>
private key: (hidden)
listening port: 51280
peer: <snip>
endpoint: <snip>:51280
allowed ips: 10.1.0.0/16
latest handshake: 1 minute, 8 seconds ago
transfer: 15.31 KiB received, 852 B sent
persistent keepalive: every 30 seconds
peer: <snip>
endpoint: <snip>:51280
allowed ips: 10.2.0.0/16
latest handshake: 1 minute, 8 seconds ago
transfer: 8.96 KiB received, 3.83 KiB sent
persistent keepalive: every 30 seconds
The CLI start command, while it appears to be functional, does not actually pass traffic until I hit "Apply" in the UI, so I am not able to fix this with a cron job. Anyone know some additional troubleshooting steps I can take before I rebuild from scratch? The remote sides are set up the same and do not have this issue.
The ironic part is that we are starting WireGuard multiple times through the boot process just to see if it reacts. If it doesn't, either your WAN (DHCP) or WireGuard itself (cannot resolve host names, for example) isn't ready.
Cheers,
Franco
Have you set up the cron script to restart stale WG tunnels to be executed every minute? Works fine here...
Do you have an example of the commands you're running in that cron job? "service wireguard start/restart" does not appear to correctly get traffic flowing. I see the tunnels up but traffic won't flow until I hit Apply in the UI. If there is a wg command I can cron I would be happy to simply do that :)
Go System -> Settings -> Cron and add a new job with
* * * * *
and the "Command" (from drop-down menu):
"Renew DNS for WireGuard on stale connections"
The underlying script monitors the handshakes for WG tunnels and, if necessary, restarts DNS resolution and starts the tunnel.
I have been hit by this too. I am running
OPNsense 23.7.5-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023
After a reboot my wireguard clients can connect through wireguard and ping the peer, but not access the internet. If I log into the OPNsense gui and restart the service everything works as expected.
Restarting the service via console does not work?
root@opn:~ # service restart wireguard
restart does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
Activating the cron job "Renew DNS for WireGuard on stale connections" does not help.
Any news on this, or an open bug? I could not find anything.
Instead of just randomly starting or restarting WG, you should look into what is actually failing.
Are the WG connections dropping and not immediately picking back up? They're getting timed out because WG doesn't send any traffic if there's nothing to send. Add keepalive 25 to both OPNSense and the client.
Are DNS queries not being resolved on WG? Set Unbound back to listen on all interfaces and change the access list back to allow.
That fixes the vast majority of WG issues. If you don't fall into either of those cases, then post a new thread documenting the actual failure point. Test each piece of the chain, from the DNS resolution of the server name, to the incoming connection, to the firewall rules, to local DNS resolution, to outbound connections.
Lastly, starting things via CLI can cause problems or give false results if you don't use the same commands and options that OPNSense does.
I had the same issue, but it's gone away now and the only thing I can remember changing was toggling the "Lock" - "Prevent interface removal" for my LAN and WAN interfaces.
Coincidentally, a patch was added to 24.1.3 that addressed this sort of problem. ;)
Cheers,
Franco
Quote from: franco on March 20, 2024, 10:12:24 PM
Coincidentally, a patch was added to 24.1.3 that addressed this sort of problem. ;)
Cheers,
Franco
I have the same problem
> I have the same problem
I don't? :)
Quote from: franco on December 22, 2025, 08:26:46 AM
> I have the same problem
I don't? :)
Do I have to put a script to work? In which version will it be fixed? This bug has been open for 2 years.
Which bug?
Quote from: chemlud on January 03, 2026, 10:59:10 AM
Which bug?
Are you kidding me? If I reboot OPNsense, WireGuard does not work. I have to restart it manually. OPNsense shuts down at night because it makes noise and then I can't sleep.
I have to restart manually for WireGuard to work.
Did you outline the precise steps necessary to reproduce the problem? Did you create a bug report/issue on github? No? So no bug that anybody but you knows of.
Golden rule of FOSS: If not everybody can reproduce, it's YOUR bug. Sorry, that's the way it is.
Various WG tunnels here, no problems with reboots for years...
Quote from: chemlud on January 03, 2026, 02:31:28 PM
Golden rule of FOSS: If not everybody can reproduce, it's YOUR bug. Sorry, that's the way it is.
Various WG tunnels here, no problems with reboots for years...
Same here: various tunnels across multiple locations - all starting at boot just fine. Never had a problem with WG. I moved all site to site IPsec connections where I control both ends to WG years ago.
Quote from: Patrick M. Hausen on January 03, 2026, 12:51:23 PM
Did you outline the precise steps necessary to reproduce the problem? Did you create a bug report/issue on github? No? So no bug that anybody but you knows of.
I sent to original site here. I don't have github account. I don't know how to report it.
Quote from: chemlud on January 03, 2026, 02:31:28 PM
Golden rule of FOSS: If not everybody can reproduce, it's YOUR bug. Sorry, that's the way it is.
Various WG tunnels here, no problems with reboots for years...
Every day, on every boot, I get the message below. Please, would you help me solve this problem? I have had this problem for over 2 years.
/usr/local/opnsense/scripts/wireguard/wg-service-control.php: The command </usr/bin/wg syncconf 'wg1' '/usr/local/etc/wireguard/wg1.conf'> returned exit code 1 and the output was "Name does not resolve: `******.****.net:51820' Configuration parsing error"
That's the main difference between stable and unstable WireGuard setups: hostname resolution.
Some users who configure hostnames in WireGuard might have issues, since WireGuard only tries to resolve the name once and then just fails. If the firewall does not have a working WAN or DNS yet after boot when WireGuard starts, it fails on start if it depends on resolving hostnames.
But I don't know in which order services start and whether this can be improved or not, since quite a few users have highly custom DNS settings (like using AdGuard Home with DNS over TLS and making the firewall use that too).
Quote from: Monviech (Cedrik) on January 03, 2026, 07:19:48 PM
That's the main difference between stable and unstable WireGuard setups: hostname resolution.
Some users who configure hostnames in WireGuard might have issues, since WireGuard only tries to resolve the name once and then just fails. If the firewall does not have a working WAN or DNS yet after boot when WireGuard starts, it fails on start if it depends on resolving hostnames.
But I don't know in which order services start and whether this can be improved or not, since quite a few users have highly custom DNS settings (like using AdGuard Home with DNS over TLS and making the firewall use that too).
So other users have this bug too. Franco says it is my bug. So if someone has solved the problem, write here and tell us the solution.
You didn't even tell us what your DNS configuration is and what kind of WAN connectivity you have. Without disclosing more information there is little that can be done.
You could fix this right away though by using a static IP address as a target in wireguard. (Pragmatic since your environment is unknown)
Quote from: Monviech (Cedrik) on January 03, 2026, 07:30:16 PM
You didn't even tell us what your DNS configuration is and what kind of WAN connectivity you have. Without disclosing more information there is little that can be done.
You could fix this right away though by using a static IP address as a target in wireguard. (Pragmatic since your environment is unknown)
I don't have a static IP. I have VDSL, IPv4 only, and a no-ip.com hostname. My DNS is from AdGuard. I use quad DNS. If I use Unbound DNS I have the same problem. Tell me what specific information you want from OPNsense and I will give it to you.
So it could be two things.
- Either your PPPoE login is very slow and internet access happens after WireGuard has already started (I don't know if this delays the bootup of services; I don't know the boot sequence that well)
- Or DNS resolution is very slow for some reason; check what happens if you select "Allow DNS server list to be overridden by DHCP/PPP on WAN" or give it a hardcoded DNS server there, e.g. 1.1.1.1 (System - Settings - General)
Quote from: Monviech (Cedrik) on January 03, 2026, 07:46:32 PM
So it could be two things.
- Either your PPPoE login is very slow and internet access happens after WireGuard has already started (I don't know if this delays the bootup of services; I don't know the boot sequence that well)
- Or DNS resolution is very slow for some reason; check what happens if you select "Allow DNS server list to be overridden by DHCP/PPP on WAN" or give it a hardcoded DNS server there, e.g. 1.1.1.1 (System - Settings - General)
How do I check whether PPPoE is very slow or DNS is very slow?
Sometimes it works after a reboot. Most of the time, every morning when OPNsense starts, WireGuard does not work. I will try. Below "Allow DNS server list to be overridden by DHCP/PPP on WAN" there is the choice "Exclude Interfaces". May I put 1.1.1.1 under "DNS server" with no gateway?
Do I have to disable AdGuard?
May I exclude some interface?
I would enable
- Allow DNS server list to be overridden by DHCP/PPP on WAN
- Exclude interfaces (dont select any)
- Do not use the local DNS service as a nameserver for this system (so AdGuard is not used for DNS requests of the firewall itself)
These options only affect the firewall itself as a DNS client (e.g. if a service running on the firewall needs to resolve DNS), not your normal clients in your networks. Your normal clients will still use AdGuard.
Quote from: Monviech (Cedrik) on January 03, 2026, 08:01:17 PM
I would enable
- Allow DNS server list to be overridden by DHCP/PPP on WAN
- Exclude interfaces (dont select any)
- Do not use the local DNS service as a nameserver for this system (so AdGuard is not used for DNS requests of the firewall itself)
These options only affect the firewall itself as a DNS client (e.g. if a service running on the firewall needs to resolve DNS), not your normal clients in your networks. Your normal clients will still use AdGuard.
I enabled as I said - Allow DNS server list to be overridden by DHCP/PPP on WAN.
I don't understand this.
- Do not use the local DNS service as a nameserver for this system (so AdGuard is not used for DNS requests of the firewall itself)
What do you mean?
I have inside adguard Upstream DNS servers tls://dns.nextdns.io and tls://dns.quad9.net.
I have news for you. I rebooted just now and there isn't any error in the WireGuard log file.
The firewall is a dns client itself, just as for example a windows PC or iphone or whatever in your network.
In system - settings - general you configure how the firewall itself should resolve dns names. (e.g. where the firewall as a client should send requests to, to resolve google.com and other names for its own use.) This does not affect your other clients.
If it uses a service on localhost, e.g. AdGuard, it depends on this service being available to resolve names when WireGuard starts. And that seems to not always be the case.
So by giving the firewall a different DNS forwarder (your ISP-provided ones, for example) to use only for itself, it doesn't need AdGuard and can use the fast path without this dependency.
If it works now consistently after reboots that proves it.
Quote from: Monviech (Cedrik) on January 03, 2026, 08:27:00 PM
The firewall is a dns client itself, just as for example a windows PC or iphone or whatever in your network.
In system - settings - general you configure how the firewall itself should resolve dns names. (e.g. where the firewall as a client should send requests to, to resolve google.com and other names for its own use.) This does not affect your other clients.
If it uses a service on localhost, e.g. AdGuard, it depends on this service being available to resolve names when WireGuard starts. And that seems to not always be the case.
So by giving the firewall a different DNS forwarder (your ISP-provided ones, for example) to use only for itself, it doesn't need AdGuard and can use the fast path without this dependency.
If it works now consistently after reboots that proves it.
I am not sure if I understood. I understand that OPNsense is a DNS client like an iPhone. Do I have to change anything under System -> Settings -> General, below the Networking section?
I think it is fixed with only one click. Thank you very much.
I don't think I can explain it better without writing way too much.
TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.
For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.
Serious question: can this problem really not be addressed adequately by the cron job on DNS resolution of WireGuard endpoints outlined above? Really?
It probably can but the issue was that wireguard remained stopped right after boot. If it starts eventually later with a cronjob was not part of the issue here.
Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
I don't think I can explain it better without writing way too much.
TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.
For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.
There is no selection system - settings - general and uncheck using the ISP dns servers again if you want.
[Screenshot from 2026-01-03 23-29-55.png]
Do you mean untick the selection "Allow DNS server list to be overridden by DHCP/PPP on WAN" and then put 9.9.9.9 on the empty DNS server line?
And use a gateway?
I uploaded a screenshot.
For stable VPN connections static IP addresses are mandatory, IMHO. I never used anything else. At least one side of the connection must have a static IP address. Everything else is a gamble for which OPNsense is not to blame. Pick your poison.
Quote from: Patrick M. Hausen on January 04, 2026, 12:17:08 AM
For stable VPN connections static IP addresses are mandatory, IMHO. I never used anything else. At least one side of the connection must have a static IP address. Everything else is a gamble for which OPNsense is not to blame. Pick your poison.
Why? I never had any issues with non-static IPv4 over WireGuard.
Quote from: Patrick M. Hausen on January 04, 2026, 12:17:08 AM
For stable VPN connections static IP addresses are mandatory, IMHO.
Hell, no, works just fine.
Quote from: Patrick M. Hausen on January 04, 2026, 12:17:08 AM
I never used anything else.
So, how can you know in the first place? With zero practical experience with WG and DynDNS? I prefer to post only on issues I personally have experience with...
That depends on how you define "stable VPN connection". The problem with dynamic IPs is threefold:
1. When one side changes the IP, a standing wireguard connection from the other side will not detect the change and wait forever. This is because Wireguard does DNS lookups only at start.
2. The cron job will detect stale connections and restart them if need be. However, many people do not know this and thus complain here in the forum - partly, they are correct, because the official docs do not mention it.
3. Still, this will induce a drop of connectivity for an even longer period than the actual outage takes, depending on the cron periodicity and how fast the dynamic DNS gets updated.
Practical experience over about 10 years with openVPN and then the last maybe 5-6 years with WG:
Configure more than one dynDNS for each IP to be monitored. Nearly no service interruption, only if the net access provider fails to do what he is paid for.
Experience of others in this forum, too...
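The cron job chemlud describes earlier in the thread (watch the handshakes, redo DNS resolution, kick the tunnel) and Monviech's explanation that WireGuard resolves an Endpoint hostname only once at start are the same mechanism seen from two sides, and the numbered points just above describe what happens when the remote's dynamic IP changes underneath a standing tunnel. The following is an added example of such a watchdog in POSIX sh, written for this thread; it is not the OPNsense script or anything shipped with wireguard-tools. It assumes `wg` from wireguard-tools and `getent` are on PATH, a wg-quick style peer config at a path modelled on the `/usr/local/etc/wireguard/wg1.conf` path from the log line in this thread, and that the interface name, keys, addresses and timestamps in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Added example for this thread (not OPNsense's cron script): a stale-handshake
# watchdog for one WireGuard interface. Keys, addresses and epochs are constructed.
#
# wg resolves a peer's Endpoint hostname exactly once, when the config is loaded.
# If DNS/WAN is not up yet at boot, or the remote's dynamic IP changes later, the
# peer never recovers on its own. Re-issuing `wg set <iface> peer <key> endpoint
# <host:port>` makes wg look the name up again without touching the interface.

IFACE="${IFACE:-wg0}"                                    # assumption: interface name
CONF="${CONF:-/usr/local/etc/wireguard/${IFACE}.conf}"   # path pattern from the thread's log line
STALE_SECONDS="${STALE_SECONDS:-135}"                    # 2 min rekey window + 15 s grace

# is_stale LAST_HANDSHAKE_EPOCH NOW_EPOCH -> true when the peer never completed a
# handshake (wg reports 0) or the last one is older than STALE_SECONDS.
is_stale() {
    last="$1"; now="$2"
    [ "$last" -eq 0 ] && return 0
    [ $((now - last)) -gt "$STALE_SECONDS" ]
}

# stale_peers NOW_EPOCH  (reads `wg show <iface> dump` on stdin)
# dump format: line 1 = interface; peer lines are tab separated:
#   pubkey  psk  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# Prints "<pubkey> <current-endpoint>" for every stale peer.
stale_peers() {
    awk -F'\t' -v now="$1" -v max="$STALE_SECONDS" '
        NR == 1 { next }
        { last = $5 + 0
          if (last == 0 || now - last > max) print $1, $3 }'
}

# configured_endpoint PUBKEY  (reads the wg-quick style config on stdin)
# Prints the Endpoint= value (hostname:port as written) of the matching [Peer].
configured_endpoint() {
    awk -v key="$1" '
        /^\[Peer\]/         { pk = ""; ep = "" }
        /^PublicKey[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); pk = $0 }
        /^Endpoint[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); ep = $0 }
        pk == key && ep != "" { print ep; exit }'
}

# host_part HOST:PORT -> HOST (IPv4 or DNS name; no bracketed IPv6 handling)
host_part() { printf '%s\n' "$1" | sed 's/:[0-9]*$//'; }

# is_literal_ipv4 HOST -> true for a dotted quad, which never needs re-resolving
is_literal_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# wait_for_name HOST TRIES -> poll the system resolver until HOST resolves or the
# attempts run out, so a boot-time caller cannot hang forever on a dead resolver.
wait_for_name() {
    host="$1"; tries="$2"
    while [ "$tries" -gt 0 ]; do
        getent hosts "$host" >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] && sleep 2
    done
    return 1
}

# Constructed sample of `wg show wg0 dump` and of the matching config:
# peer A is fresh, peer B is stale, peer C has never completed a handshake.
NOW_SAMPLE=1700000000
SAMPLE_DUMP=$(
    printf 'PRIVKEY_HIDDEN\tIFACE_PUBKEY\t51280\toff\n'
    printf 'PEER_A_KEY\t(none)\t203.0.113.10:51280\t10.1.0.0/16\t1699999950\t15677\t852\t30\n'
    printf 'PEER_B_KEY\t(none)\t198.51.100.7:51280\t10.2.0.0/16\t1699999000\t9175\t3922\t30\n'
    printf 'PEER_C_KEY\t(none)\t(none)\t10.3.0.0/16\t0\t0\t0\t30\n'
)
SAMPLE_CONF=$(
    printf '[Interface]\nPrivateKey = PRIVKEY_HIDDEN\nListenPort = 51280\n\n'
    printf '[Peer]\nPublicKey = PEER_A_KEY\nEndpoint = 203.0.113.10:51280\nAllowedIPs = 10.1.0.0/16\n\n'
    printf '[Peer]\nPublicKey = PEER_B_KEY\nEndpoint = site-b.dyndns.example:51280\nAllowedIPs = 10.2.0.0/16\n'
)

# main: what a once-a-minute cron entry would run on the live firewall.
main() {
    command -v wg >/dev/null 2>&1 || { echo "wg not installed" >&2; return 2; }
    now=$(date +%s)
    wg show "$IFACE" dump | stale_peers "$now" | while read -r key cur_ep; do
        ep=$(configured_endpoint "$key" < "$CONF")
        [ -n "$ep" ] || continue                 # no Endpoint=: that peer dials us
        host=$(host_part "$ep")
        is_literal_ipv4 "$host" && continue      # literal address, nothing to re-resolve
        if wait_for_name "$host" 5; then
            echo "$IFACE: peer $key stale (endpoint $cur_ep), re-resolving $ep"
            wg set "$IFACE" peer "$key" endpoint "$ep"   # wg performs the lookup again here
        else
            echo "$IFACE: $host still does not resolve, retrying next run" >&2
        fi
    done
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke it as `sh wg-watchdog.sh run` from a per-minute cron entry. `wg set ... endpoint` only updates the one stale peer, so sessions to the other peers keep flowing; that is deliberately narrower than `service wireguard restart`, and it is the part that actually helps with the "Name does not resolve" failure from the log line quoted in this thread: the retry repeats the lookup that `wg syncconf` performs only once at boot.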
Quote from: chemlud on January 04, 2026, 11:51:36 AM
So, how can you know in the first place? With zero practical experience with WG and DynDNS?
I treat "dynamic IP addresses" and DynDNS as a bad hack and would never use them in a business critical context. For a private "consumer" line, maybe. But then I would not consider using DynDNS for public services but rent a VPC at some cloud provider and build a tunnel from the dynamic IP uplink using the fixed address of the VPC as both VPN endpoint and public service address.
You do you. If customers ask me I tell them to get a fixed IP address if they want a reliable connection between office locations.
Quote from: novel on January 03, 2026, 10:37:43 PM
Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
I don't think I can explain it better without writing way too much.
TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.
For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.
There is no selection system - settings - general and uncheck using the ISP dns servers again if you want.
[Screenshot from 2026-01-03 23-29-55.png]
Do you mean untick the selection "Allow DNS server list to be overridden by DHCP/PPP on WAN" and then put 9.9.9.9 on the empty DNS server line?
And use a gateway?
I uploaded a screenshot.
You can remove the checkbox "Allow DNS server list to be overridden by DHCP/PPP" and add 9.9.9.9 in one of these DNS fields, but do not select a gateway.
Also please read the help texts and think about what you are doing; I cannot hand-hold every configuration change you want to make. Try things out and try to understand the why and how. (E.g., why is the firewall a DNS client and a DNS server, and what's the difference...)
Quote from: Monviech (Cedrik) on January 04, 2026, 09:57:50 PM
Quote from: novel on January 03, 2026, 10:37:43 PM
Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
I don't think I can explain it better without writing way too much.
TLDR: You don't have to change anything more. You could also input your quad dns server in system - settings - general and uncheck using the ISP dns servers again if you want.
For anybody that comes after: Using wireguard with hostnames and forcing the OPNsense to be a DNS client to Adguard itself can be a bad idea due to race conditions during boot.
There is no selection system - settings - general and uncheck using the ISP dns servers again if you want.
[Screenshot from 2026-01-03 23-29-55.png]
Do you mean untick the selection "Allow DNS server list to be overridden by DHCP/PPP on WAN" and then put 9.9.9.9 on the empty DNS server line?
And use a gateway?
I uploaded a screenshot.
You can remove the checkbox "Allow DNS server list to be overridden by DHCP/PPP" and add 9.9.9.9 in one of these DNS fields, but do not select a gateway.
Also please read the help texts and think about what you are doing; I cannot hand-hold every configuration change you want to make. Try things out and try to understand the why and how. (E.g., why is the firewall a DNS client and a DNS server, and what's the difference...)
Thank you very much. I appreciate your help.
1. Which is the better option: with "Allow DNS server list to be overridden..." ticked and blank DNS fields, or the opposite?
Sometimes I use Adguard with Unbound dns as recursive, caching DNS resolver.
2. in dns field I have to fill 127.0.0.1:5353 ?
Quote from: Monviech (Cedrik) on January 03, 2026, 09:03:03 PM
You can remove the checkbox "Allow DNS server list to be overridden by DHCP/PPP" and add 9.9.9.9 in one of these DNS fields, but do not select a gateway.
Also please read the helptexts and think about what you are doing, I cannot hand hold every configuration change you want to make. Try things out and try to understand the why and how. (E.g., why is the firewall a DNS client, and a DNS server, whats the difference...)
I did it. I removed the checkbox "Allow DNS server list to be overridden by DHCP/PPP" and added 9.9.9.9 in one of the DNS fields, without selecting a gateway.
It doesn't work. WireGuard shows the same error.