WireGuard stuck on LTE after WAN failover

Started by waterchill, April 02, 2025, 12:29:44 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
April 02, 2025, 12:29:44 PM
Hi friends,

I'm new to OPNsense and actually stuck with one problem, maybe someone can help me out.

Setup:


  • OPNsense fresh install 25.1 with:
    • WAN (primary Internet)
    • LTE (Huawei USB HiLink stick, backup/failover)
    • WireGuard VPN client (Mullvad)
  • Gateway group configured:

    • WAN = Tier 1
    • LTE = Tier 2
  • Policy-based routing is used:
    • Two specific clients are routed through the WireGuard tunnel
    • All other clients use WAN/LTE depending on availability

Problem:

When WAN fails, LTE takes over and both general traffic and VPN continue to work as expected.
However, when WAN comes back online:

  • General traffic correctly switches back to WAN
  • The two WireGuard clients continue to use the LTE connection
  • The WireGuard tunnel remains bound to LTE and does not rebind to WAN
Only working solution:

The only thing that restores proper routing (WireGuard over WAN) is:

  • Navigate to 

    Code Select
    VPN → WireGuard → Instances
  • Uncheck "Enabled"
  • Click Apply
  • Re-enable the instance
  • Click Apply again
After this, the tunnel is re-established over the WAN interface.
Tried solutions (none worked):


  • Code Select
    configctl wireguard restart
    • Restarts the tunnel logic, but does not trigger interface rebinding
  • Floating firewall rule:

    • Attempted to force UDP traffic (port 51820) to Mullvad IP over WAN
    • Has no effect after LTE failover
  • Code Select
    configctl system config reload
    • Reloads the configuration, but does not apply service changes
  • Manual edit of 

    Code Select
    /conf/config.xml (sed to disable/enable the instance)

    • Without GUI "Apply" step, changes are not applied
  • Code Select
    service wireguard stop/start
    • Not available; WireGuard is managed via plugin, not classic rc scripts
  • Shell scripts using 

    Code Select
    configctl and 

    Code Select
    interface reconfigure all
    • Do not reproduce the effect of the GUI "Apply" step
  • Rebooting OPNsense

    • A full reboot works, but is not a practical solution
Summary:
WireGuard in OPNsense does not automatically rebind to the primary WAN interface after a failover to LTE. The tunnel remains on LTE even when WAN is restored. No CLI or API method reliably reproduces the GUI behavior. The only known working solution is manually disabling and re-enabling the WireGuard instance via the GUI.
Print
Go Up Pages1
User actions