OPNsense Forum

English Forums => Virtual private networks => Topic started by: bender000 on March 15, 2026, 07:48:39 AM

Title: wireguard stopped working
Post by: bender000 on March 15, 2026, 07:48:39 AM
I have a wireguard setup that I don't use often that has at some point stopped working (currently OPNsense 25.7.11_9-amd64). The log error complained that netflow was interfering with the service, so I removed the wireguard interface from netflow and restarted the service (enable/disabled) and also rebooted, but now that the service is listening again, it's still not working on the WAN interface (it works from the LAN...)

- I connect to the WAN interface directly on the public IP.
- I have assigned wg0 to an interface and have an inbound firewall rule allowing the wireguard port. I can't see any automatically generated rules that would affect this, and I also have the default "let out anything from firewall host itself" rule in place.
- I also have a rule on the wireguard interface allowing access to my LAN subnets.
- The peers connect fine on the LAN so I know the keys / peer configurations are correct.
- The wireguard debug shows logs like this, so I know it's receiving the handshake request and replying.

2026-03-15T15:11:37 Notice kernel <6>[20290] wg0: Sending handshake response to peer 12
2026-03-15T15:11:37 Notice kernel <6>[20290] wg0: Receiving handshake initiation from peer 12

- On the peer side, I just send the initiation packets but receive no response (confirmed w/ wireshark). My ISP doesn't block anything, I've also tried a different port.
- When I do a packet capture on opnsense itself, I also only see the incoming initiation packets but I do not see the reply packets.
- In the firewall live log, I can see the permitted inbound session on port 51820.
- My firewall rule use the default gateway, internet and default routing works fine. I do have some other gateways configured but they are all tunnels and there's no routing. Regardless, I have also tried to set the wireguard rule to use the specific gateway of my ISP, which didn't solve anything.
- I've tried lowering the MTU to 1380, and I've also entirely deleted and re-created the wireguard instance. I did reboot initially, but I haven't done a second reboot since re-creating the wireguard instance.

Esp. as this was working, I'm struggling to figure out what else could be the issue? Does anyone have any ideas?
In particular, is there any way to do a full flow debug so I can see not only the inbound rule hit but also the reply processing?
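The symptom above (initiations arrive, the kernel logs a response, but no response packet is seen on the peer or in the WAN capture) can be checked mechanically from a capture by classifying each UDP payload by its WireGuard message type and pairing initiations with responses per peer address. The following is an added example, not code from the poster or from OPNsense; the packet bytes and addresses are constructed, and only the public WireGuard header layout is assumed (type byte followed by three reserved zero bytes; fixed sizes of 148/92/64 bytes for initiation/response/cookie, variable-length transport messages).

```python
"""Classify WireGuard UDP payloads and find peers whose handshake
initiations never got a response. Added example; the packets below are
constructed, not taken from the forum poster's capture."""
from collections import defaultdict
from typing import Optional

# First byte of every WireGuard UDP payload is the message type; bytes 1-3 are reserved (zero).
WG_TYPES = {1: "handshake_initiation", 2: "handshake_response", 3: "cookie_reply", 4: "transport_data"}
# Handshake and cookie messages have fixed sizes; transport data is 16-byte header + ciphertext.
WG_FIXED_SIZES = {1: 148, 2: 92, 3: 64}
WG_MIN_TRANSPORT = 32


def classify(payload: bytes) -> Optional[str]:
    """Return the message type name, or None if the payload is not well-formed WireGuard."""
    if len(payload) < 4:
        return None
    mtype = payload[0]
    if mtype not in WG_TYPES or payload[1:4] != b"\x00\x00\x00":
        return None
    if mtype in WG_FIXED_SIZES and len(payload) != WG_FIXED_SIZES[mtype]:
        return None
    if mtype == 4 and len(payload) < WG_MIN_TRANSPORT:
        return None
    return WG_TYPES[mtype]


def summarize(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload).

    Returns (counts, unanswered): counts[peer_ip] holds per-peer message counts
    (initiations the peer sent, responses/transport it received); unanswered lists
    peers that sent at least one initiation and received no handshake response.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for src, dst, payload in packets:
        kind = classify(payload)
        if kind is None:
            continue  # not WireGuard (or truncated); ignore
        if kind == "handshake_initiation":
            counts[src]["initiations"] += 1      # peer -> server
        elif kind == "handshake_response":
            counts[dst]["responses"] += 1        # server -> peer
        elif kind == "transport_data":
            counts[dst]["transport_in"] += 1
        elif kind == "cookie_reply":
            counts[dst]["cookies"] += 1
    unanswered = sorted(p for p, c in counts.items() if c["initiations"] and not c["responses"])
    return counts, unanswered


def make_msg(mtype: int, size: int) -> bytes:
    """Build a constructed payload with a valid header and zero-filled body."""
    return bytes([mtype, 0, 0, 0]) + b"\x00" * (size - 4)


SERVER = "198.51.100.1"          # constructed: the firewall's WAN address
WAN_PEER = "203.0.113.10"        # constructed: road-warrior peer on the internet
LAN_PEER = "192.168.1.50"        # constructed: peer on the LAN

# Constructed capture: the WAN peer retries its initiation three times and hears
# nothing back; the LAN peer completes the handshake and exchanges data.
SAMPLE_PACKETS = [
    (WAN_PEER, SERVER, make_msg(1, 148)),
    (WAN_PEER, SERVER, make_msg(1, 148)),
    (WAN_PEER, SERVER, make_msg(1, 148)),
    (LAN_PEER, SERVER, make_msg(1, 148)),
    (SERVER, LAN_PEER, make_msg(2, 92)),
    (LAN_PEER, SERVER, make_msg(4, 80)),
    (SERVER, LAN_PEER, make_msg(4, 80)),
    (WAN_PEER, SERVER, b"\x07\x00\x00\x00" + b"\x00" * 20),  # junk, not WireGuard
]

if __name__ == "__main__":
    counts, unanswered = summarize(SAMPLE_PACKETS)
    for peer, c in sorted(counts.items()):
        print(peer, dict(c))
    print("initiations without a response:", unanswered)
```

To use it on a real capture, feed it (src, dst, payload) tuples from your pcap reader of choice; a peer that shows up in `unanswered` while the kernel log says "Sending handshake response" points at the reply path (firewall rules, routing or NAT on the outbound side) rather than at keys or the peer configuration.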

Title: Re: wireguard stopped working
Post by: bender000 on March 15, 2026, 08:29:31 AM
The fix turned out to be that I needed to configure a port forward on my WAN interface for my wireguard port to 127.0.0.1. Not sure why this is required, I did not have any overlapping port forwards.
Title: Re: wireguard stopped working
Post by: meyergru on March 15, 2026, 12:24:25 PM
You do not need a port-forward, but you do need to open the firewall for the wireguard ports. These are steps 4a and 4b in the official docs (https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html) - and this also applies for road warrior setups.