Hi All,
Having some trouble with my WireGuard configuration and can't figure out why it is not working. I have followed the WireGuard ProtonVPN Road Warrior Setup and looked at many other guides but can't get it to work correctly.
The setup:
I have a few vlans, some that should go through the VPN, some that should not. They are organized in 2 firewall groups, IG_OUT_VPN, and IG_OUT_WAN. Up to here everything works correctly.
I then have 2 peer/instances in wireguard with ProtonVPN for IG_OUT_VPN. The expectation is that if one tunnel is down or slow, the 2nd should start working. IG_OUT_WAN is not affected and should continue to work no matter if tunnels are up or not and traffic does not go through the tunnels.
[attached screenshot: Screenshot 2025-05-05 at 22.55.15.png]
Reality is everything stops working the second one tunnel goes down, even IG_OUT_WAN, and for the life of me, I cannot figure out why.
Lately it seems no matter the VPN conf I choose, one of the tunnels goes down. I have tried various Proton servers, but every day now, no matter what I choose, one goes down. Once one is down, the internet connection stops for both IG_OUT_VPN and IG_OUT_WAN.
Below is my conf. I'm not sure where I went wrong. I have tried various changes but nothing seems to resolve the issue
Instance 1
Name: CH582
Public key: <generated from private key>
Private key: <private key>
Listen port: 51820
MTU: 1412
Tunnel address: 10.2.0.2:28
Peers: CH582
Disable routes: checked
Gateway: 10.2.0.1
Instance 2
Name: CH321
Public key: <generated from private key>
Private key: <private key>
Listen port: 51821
MTU: 1412
Tunnel address: 10.3.0.2:28
Peers: CH321
Disable routes: checked
Gateway: 10.3.0.1
Peer 1
Name: CH582
Public key: <public key>
Allowed IPs: 0.0.0.0/0
Endpoint address: <ip from vpn provider>
Endpoint port: 51820
Instances: CH582
Keepalive interval: 25
Peer 2
Name: CH321
Public key: <public key>
Allowed IPs: 0.0.0.0/0
Endpoint address: <ip from vpn provider>
Endpoint port: 51820
Instances: CH321
Keepalive interval: 25
Gateway 1
Name: VPN0
Interface: VPN0
Address family: IPv4
IP Address: 10.2.0.1
Far Gateway: checked
Disable Host Route: unchecked
Monitor IP: <ip from vpn provider>
Priority: 255
Gateway 2
Name: VPN1
Interface: VPN1
Address family: IPv4
IP Address: 10.3.0.1
Far Gateway: checked
Disable Host Route: unchecked
Monitor IP: <ip from vpn provider>
Priority: 255
Gateway group
WAN_DHCP: never
VPN0: Tier 1
VPN1: Tier 2
Trigger Level: Packet Loss and High Latency
Firewall Groups
IG_OUT_VPN: 2 vlans that should use vpn
IG_OUT_WAN: 2 vlans that should not go through vpn
Firewall rules IG_OUT_VPN
Protocol: IPv4 *
Source: IG_OUT_VPN net
Destination: !RFC1918
Gateway: VPN_GROUP
Firewall rules IG_OUT_WAN
Protocol: IPv4 *
Source: IG_OUT_WAN net
Destination: !RFC1918
Gateway: WAN_DHCP
I don't see any mistake but there has to be one somewhere.
Any advice on how I could debug the issue and figure out what is going on? WireGuard logs don't seem to say much.
Would love to get at least the non-vpn networks to work correctly
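One way to see which of the two tunnels has actually lost its peer, independent of the gateway monitor, is to read the handshake ages out of `wg show all dump` (on OPNsense, run from a shell as root). The script below is an added example and not part of the original post or of OPNsense; it assumes the standard tab-separated `dump` layout (an interface line with 5 fields, a peer line with 9, handshake as a Unix timestamp, `0` meaning never) and uses a constructed sample dump with placeholder keys in place of real output. The stale threshold of 180 s is an assumption sized for the 25 s keepalive in the config above.

```python
"""Flag WireGuard peers whose last handshake has gone stale, and redact the
dump before it is shared. Added example; sample dump below is constructed."""
import time
from dataclasses import dataclass

# With a 25 s persistent keepalive a live peer re-handshakes well within this
# window; a handshake older than this means the tunnel is effectively down.
STALE_AFTER = 180  # seconds (assumption for this example)


@dataclass
class PeerState:
    iface: str
    pubkey: str
    endpoint: str
    last_handshake: int  # Unix epoch seconds, 0 means never handshaked
    rx_bytes: int
    tx_bytes: int


def parse_wg_dump(text: str) -> list[PeerState]:
    """Parse `wg show all dump` output into one PeerState per peer.

    Interface lines: iface, private key, public key, listen port, fwmark.
    Peer lines: iface, peer public key, preshared key, endpoint, allowed IPs,
    latest handshake, rx bytes, tx bytes, persistent keepalive.
    """
    peers = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 9:
            continue  # interface header line or malformed line
        iface, pubkey, _psk, endpoint, _allowed, hs, rx, tx, _keepalive = fields
        peers.append(PeerState(iface, pubkey, endpoint, int(hs), int(rx), int(tx)))
    return peers


def stale_peers(peers, now=None, stale_after=STALE_AFTER):
    """Return peers that never handshaked or whose handshake is older than stale_after."""
    now = int(time.time()) if now is None else now
    return [p for p in peers
            if p.last_handshake == 0 or now - p.last_handshake > stale_after]


def redact_dump(text: str) -> str:
    """Blank the private-key field of interface lines.

    `wg show ... dump` prints the interface private key in cleartext, so the raw
    output must never be pasted into a forum post or ticket.
    """
    out = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) == 5:
            fields[1] = "(redacted)"
        out.append("\t".join(fields))
    return "\n".join(out)


# Constructed sample: wg0 healthy, wg1 stale, wg2 never handshaked.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join("\t".join(f) for f in [
    ["wg0", "PRIV_A", "PUB_A", "51820", "off"],
    ["wg0", "PEER_A", "(none)", "203.0.113.10:51820", "0.0.0.0/0", str(NOW - 60), "123456", "65432", "25"],
    ["wg1", "PRIV_B", "PUB_B", "51821", "off"],
    ["wg1", "PEER_B", "(none)", "203.0.113.20:51820", "0.0.0.0/0", str(NOW - 900), "9876", "5432", "25"],
    ["wg2", "PRIV_C", "PUB_C", "51822", "off"],
    ["wg2", "PEER_C", "(none)", "(none)", "0.0.0.0/0", "0", "0", "0", "0"],
])

if __name__ == "__main__":
    for p in stale_peers(parse_wg_dump(SAMPLE_DUMP), now=NOW):
        age = "never" if p.last_handshake == 0 else f"{NOW - p.last_handshake}s ago"
        print(f"{p.iface}: peer {p.pubkey} last handshake {age}")
```

On the firewall itself, pipe real output through it with `wg show all dump | python3 this_script.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; a peer listed here while its gateway still shows as online tells you the monitor IP check and the tunnel state disagree, which narrows down whether routing or the tunnel is what failed.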
So it turns out it might have been a bug in OPNsense 25.1.5; since upgrading to 25.1.6 the issue seems to have stopped, at least the tunnels are not dropping anymore.