Hi friends,
I'm new to OPNsense and actually stuck with one problem, maybe someone can help me out.
Setup:
- OPNsense fresh install 25.1 with:
- WAN (primary Internet)
- LTE (Huawei USB HiLink stick, backup/failover)
- WireGuard VPN client (Mullvad)
- Gateway group configured:
- Policy-based routing is used:
- Two specific clients are routed through the WireGuard tunnel
- All other clients use WAN/LTE depending on availability
Problem:
When WAN fails, LTE takes over and both general traffic and VPN continue to work as expected.
However, when WAN comes back online:
- General traffic correctly switches back to WAN
- The two WireGuard clients continue to use the LTE connection
- The WireGuard tunnel remains bound to LTE and does not rebind to WAN
Only working solution:
The only thing that restores proper routing (WireGuard over WAN) is:
- Navigate to
VPN → WireGuard → Instances - Uncheck "Enabled"
- Click Apply
- Re-enable the instance
- Click Apply again
After this, the tunnel is re-established over the WAN interface.
Tried solutions (none worked):
configctl wireguard restart- Restarts the tunnel logic, but does not trigger interface rebinding
- Floating firewall rule:
- Attempted to force UDP traffic (port 51820) to Mullvad IP over WAN
- Has no effect after LTE failover
configctl system config reload- Reloads the configuration, but does not apply service changes
- Manual edit of
/conf/config.xml (sed to disable/enable the instance)
- Without GUI "Apply" step, changes are not applied
service wireguard stop/start- Not available; WireGuard is managed via plugin, not classic rc scripts
- Shell scripts using
configctl and
interface reconfigure all- Do not reproduce the effect of the GUI "Apply" step
- Rebooting OPNsense
- A full reboot works, but is not a practical solution
Summary:
WireGuard in OPNsense does not automatically rebind to the primary WAN interface after a failover to LTE. The tunnel remains on LTE even when WAN is restored. No CLI or API method reliably reproduces the GUI behavior. The only known working solution is manually disabling and re-enabling the WireGuard instance via the GUI.