Messages

You've explained very little about your own setup so hard to comment. Eg what sort of prefix does your ISP give you? What configuration have you set up in OPNsense? Is your ISP modem a pure modem or a modem/router? If the latter is it bridged? Note that with IPv6 sometimes even bridging does not fully pass through IPv6 - you have to disable IPv6 on the modem/router before bridging to ensure it doesn't pinch the prefix.

You still can. Have the "on-demand activation" on in the iOS app, then exclude the SSIDs for your LAN network. So it will only activate when you are not on LAN (and deactivate when you get back on LAN)

Curious as to why you bother with the VPN when your device is already on the LAN network?

This ^

In my case it renews on WAN exactly every 15 minutes. Which is because my ISP sets 30 minute lease times

What are the Allowed IPs in the config on your Android phone?

/conf/config.xml

Not really. Routing doesn't happen by accident.

Or you can have unbound listen on the WG interface

Basically it's replicating the force gateway rule for WAN, to ensure that packets coming from the WG interface IP go out the right gateway. See this (lengthy) discussion: https://github.com/opnsense/core/issues/5329.

Should really only be an issue for services on OPNsense itself that are intended to use the tunnel (eg unbound in the issue linked above).

It will work fine. This is exactly how I originally configured OPNsense. Connected it to a laptop, gave it a manual local IP and then spent a couple of days configuring as needed. Then deployed

You will need to turn off "block local IPs" on the wan interface initially while configuring (since wan will have a local IP) and then turn it back on when deployed

One immediate thing that jumps out is that the public key on the client config for the peer (ie OPNsense) does not match the public key in the local config on OPNsense.

Not a lot of detail to go on there. What about firewall rules for wan and wireguard interface? Are you sure public and private keys have been entered in the right spots? Show all of your WG config, hiding private keys

Good pickup. Looks like the client is configured to use the wrong endpoint.

You may find this of assistance: https://docs.opnsense.org/manual/how-tos/wireguard-client.html

Edit the topic heading to include "[RESOLVED]" at the beginning.