wireguard not passing traffic?

Started by nerd, September 02, 2025, 10:33:34 AM

SO, I have been running OPNsense with wireguard on top of it for quite a while now, but have recently noticed my wireguard setup isn't working anymore.
Both my peer devices (mobile phone and laptop) are having issues.
FW has a rule to allow any to WAN_addr udp 1234
A record remote.domain.tld resolves to this WAN_addr
I have wg0 tied into my VPN interface and have a VPN_net allow any any rule set.
Tunnel address is an internal subnet x.y.z.1/24.
Peer endpoint address is remote.domain.tld:1234 (non-default port).
Peer addresses are x.y.z.2/32 and x.y.z.3/32
Peers' allowed IPs is 0.0.0.0/0

Symptoms:
Peer shows tunnel state active, I can see traffic sent (on the peer), but none received.
Interface shows status up, but down for both peers and transfer sent/receive does not move. Any way to reset these statistics?

Why is this not working anymore?

Same here! I tried to add a new client, but the problem is still there. :(

I've suddenly started getting issues with my Wireguard connection, couldn't be at the worst time when I'm switching phone and provider. No problems on the old and new phone, and even after switching provider all was well until about 2 days ago.

Now I can connect and traffic local to my remote network is fine, but pass through to the Internet just gets stuck. The GUI shows the connection is fine, but what I did notice this time was that since restarting the Wireguard service which seemed to fix it for a while, when I went to check it again just now there was zero logging since then and restarting the service brought that back as well as my traffic.

Versions
OPNsense 25.7.2-amd64
FreeBSD 14.3-RELEASE-p2
OpenSSL 3.0.17

@Taomin: Probably, either your IP sometimes changes and you have not enabled the cron job to detect a stale connection and restart Wireguard automatically (on both sides of the connection!) or your new provider has DS-Lite with CG-NAT and you cannot be reached via IPv4 any more.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on September 04, 2025, 10:19:51 AM
@Taomin: Probably, either your IP sometimes changes

Nope, my firewall has a proper fixed IP, business account, as does my company office WiFi - I'm using the guest account which has no restrictions, just cannot access on the corporate LAN.

Quote from: meyergru on September 04, 2025, 10:19:51 AM
you have not enabled the cron job to detect a stale connection and restart Wireguard automatically (on both sides of the connection!)

No, I see the connection from my phone on the firewall changing state connected/stale/disconnected, and it doesn't matter how often I manually disconnect/reconnect on the phone. As for the cronjob, I have no clue about that as it's never been anything I needed to configure or even knew I needed.

Quote from: meyergru on September 04, 2025, 10:19:51 AM
your new provider has DS-Lite with CG-NAT and you cannot be reached via IPv4 any more.

It's happening on WiFi with a fixed IP.

Only by manually restarting WireGuard on the firewall do things start working again, and then only for some random amount of time, at which point the traffic going external comes to a halt and, from the looks of things, so does the firewall WireGuard logging. On the phone WireGuard is oblivious to the issue because the gateway IP and everything else internal still responds.

It's very bizarre.

I believe I've resolved it for myself and so far it's only happened once which I think was just a bad connection while I was travelling home on the tram.

The Android WireGuard app was missing the permission "Run in Background: Unrestricted Battery"; it was on the default, "Optimised". Once I enabled this the connection became reliable again - I can only guess Android would over time pause the app in some way. Every other app, after transferring across phones, would prompt me the first time I ran them, as it seems this permission doesn't transfer, at least not for me, so why WireGuard I don't know.

Quote from: Taomyn on September 05, 2025, 08:49:28 AM
I believe I've resolved it for myself and so far it's only happened once which I think was just a bad connection while I was travelling home on the tram.

The Android WireGuard app was missing the permission "Run in Background: Unrestricted Battery"; it was on the default, "Optimised". Once I enabled this the connection became reliable again - I can only guess Android would over time pause the app in some way. Every other app, after transferring across phones, would prompt me the first time I ran them, as it seems this permission doesn't transfer, at least not for me, so why WireGuard I don't know.

Unfortunately this was only part of it; I think it was making the issue worse, as randomly I still have the same problem with the connection blocking all traffic to the Internet and my DNS. Like before, only restarting WireGuard or disconnecting then waiting a few hours gets it working again. For now I have added a cron job to restart WireGuard each midnight, and I have noted the command so I can use SSH to manually restart it if I need it urgently.

September 16, 2025, 11:48:04 PM #7 Last Edit: Today at 05:46:20 PM by Noci
That is the same issue as I noticed.
It has occurred since OPNsense 25.7.

Only restart of wireguard will enable the tunnels. (might lock clients, phone starts after touching the wireguard app).

I added a cron job to the firewall to get reasonably "stable connections"...
See attached image. On my phone I replaced the official WireGuard app with WG Tunnel from F-Droid
(that does actively check connections and continues if one access fails; on failure it restarts a link).
 
It restarts WireGuard every 4 hours.
BTW the root cause seems to be routes being replaced after a while, overwriting/superseding/removing WireGuard's routes that bypass the NAT on the outgoing WAN interface.
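Several posts above settle on a cron job that blindly restarts WireGuard every few hours. An added example (not code from any post in this thread) of the stale-connection check meyergru mentions instead: it parses `wg show <iface> latest-handshakes` and only restarts when every peer that has ever completed a handshake has gone quiet. The interface name `wg0`, the 300 s threshold and the `RESTART_CMD` placeholder are assumptions; substitute whatever restarts WireGuard on your firewall.

```shell
#!/bin/sh
# Stale-handshake watchdog for a WireGuard interface (added example, not from
# the thread). Run from cron with --run; without it, nothing touches the system.
IFACE=${IFACE:-wg0}                       # assumption: interface name
MAX_AGE=${MAX_AGE:-300}                   # assumption: 5 minutes counts as stale
RESTART_CMD=${RESTART_CMD:-"service wireguard restart"}   # placeholder command

# stale_count "<wg show IFACE latest-handshakes output>" <now> <max_age>
# Input lines are "<peer-public-key><tab><unix-timestamp>", 0 = never.
# Prints "<seen> <stale>": peers that ever handshaked, and how many of those
# are older than max_age. Never-handshaked peers are ignored, so a phone that
# is simply switched off does not trigger restarts.
stale_count() {
    printf '%s\n' "$1" | awk -v now="$2" -v max="$3" '
        NF == 2 && $2 > 0 { seen++; if (now - $2 > max) stale++ }
        END { printf "%d %d\n", seen, stale }'
}

# needs_restart <output> <now> <max_age>: true when every peer that has ever
# completed a handshake is now stale, i.e. the whole interface looks dead.
needs_restart() {
    set -- $(stale_count "$1" "$2" "$3")
    [ "$1" -gt 0 ] && [ "$1" -eq "$2" ]
}

# Constructed sample mirroring the real (tab-separated) command output:
# peerA handshaked 1000 s before "now", peerB 11000 s before, peerC never.
SAMPLE="$(printf 'peerA=\t%s\npeerB=\t%s\npeerC=\t0\n' 1757000000 1756990000)"
SAMPLE_NOW=1757001000

main() {
    now=$(date +%s)
    out=$(wg show "$IFACE" latest-handshakes) || exit 1
    if needs_restart "$out" "$now" "$MAX_AGE"; then
        logger -t wg-watch "all peers on $IFACE stale for >${MAX_AGE}s, restarting"
        $RESTART_CMD
    fi
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

With the constructed sample and a 300 s threshold both known peers are stale and a restart would fire; with a 2000 s threshold only peerB is stale and the interface is left alone.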