WireguardVPN fails to start after reboot with DNS

Started by browne, June 29, 2026, 02:38:32 PM

June 29, 2026, 02:38:32 PM Last Edit: June 29, 2026, 03:07:45 PM by browne
Hi everyone,

I've recently run into an issue with the latest OPNsense version, where WireGuard is included by default.

When I start the VPN tunnel manually, everything works as expected using the domain name. However, after rebooting the device, I noticed that the WireGuard tunnel appears to be enabled (everything is green), but no traffic passes through it. The only way to get it working again is to restart the tunnel manually.
I already tested it with a cron job, but the "stale connections" one only restarts it if there was an existing connection that got updated—like when the IP changes on one side or something similar. When I reboot, though, there was never any connection in the first place, which is why the DNS assumes nothing has changed and never updates the VPN/DNS.

I suspect this is related to the boot order. My guess is that WireGuard tries to establish the tunnel before the DNS service is fully available, so the domain name can't be resolved during startup. This theory seems to be supported by the fact that everything works perfectly if I configure the tunnel to use the public IP address instead of the domain name.

I'm looking for a solution that doesn't require creating custom shell scripts or modifying system files, as those kinds of workarounds can easily be forgotten or overwritten by future updates. I'm also not looking for the suggestion to "just use the IP address."

Has anyone encountered this issue before or found a script-free solution? If you need any additional information, feel free to ask.

Thanks in advance!

There is a cron job called "Restart Wireguard on stale connections" - try enabling that.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, Leox LXT-010H-D

1100 down / 450 up, Bufferbloat A+

Hey, thank you for your response.
As I mentioned before, I have already tried the cron job you suggested. The issue is that it only restarts WireGuard if it was previously connected. However, my connection is not online at all, so the cron job never triggers a restart because it doesn't detect any changes.
In other words, the cron job only reacts to state changes, not to initialization failures.


You can try to edit /usr/local/opnsense/scripts/wireguard/reresolve-dns.py like described here and try if this works for you:

https://github.com/opnsense/plugins/issues/3565#issuecomment-4841782276
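The thread's diagnosis is that the re-resolve job only reacts to a change in an endpoint it has already applied, so a peer whose hostname never resolved at boot is never touched. The following is an added illustration of that decision logic and of a boot-safe variant; it is not OPNsense's reresolve-dns.py and does not reproduce its code. The peer records, the injected resolver, the hostname and the IP addresses are all constructed for the example, and the function names are hypothetical.

```python
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Resolver signature: hostname -> IP string, raising OSError on failure
# (socket.gethostbyname has this shape; the example injects a fake one).
Resolver = Callable[[str], str]


@dataclass
class Peer:
    """Minimal model of a WireGuard peer whose endpoint is a hostname."""
    name: str
    endpoint_host: str
    endpoint_port: int
    # IP currently applied to the running peer, or None when the tunnel
    # came up with an unresolvable hostname (the post-reboot case in the thread).
    applied_ip: Optional[str] = None


def resolve(host: str, resolver: Resolver = socket.gethostbyname) -> Optional[str]:
    """Resolve a hostname, returning None instead of raising when DNS is not usable."""
    try:
        return resolver(host)
    except OSError:
        return None


def change_only_decision(peer: Peer, resolver: Resolver = socket.gethostbyname) -> str:
    """Decision rule as the thread describes the stale-connection job:
    act only when an already-applied endpoint differs from the fresh answer.
    Returns 'update', 'keep' or 'unresolved'."""
    fresh_ip = resolve(peer.endpoint_host, resolver)
    if fresh_ip is None:
        return "unresolved"
    # A peer with no applied endpoint has no previous value to compare against,
    # so this rule never restarts it: the initialization-failure gap.
    if peer.applied_ip is not None and peer.applied_ip != fresh_ip:
        return "update"
    return "keep"


def boot_safe_decision(peer: Peer, resolver: Resolver = socket.gethostbyname) -> str:
    """Same rule, but a peer that has no applied endpoint is treated as stale
    as soon as its hostname resolves, which covers the after-reboot case."""
    fresh_ip = resolve(peer.endpoint_host, resolver)
    if fresh_ip is None:
        return "unresolved"          # DNS not ready yet; try again on the next run
    if peer.applied_ip is None:      # never applied: DNS was unavailable at boot
        return "update"
    if peer.applied_ip != fresh_ip:  # endpoint address changed since it was applied
        return "update"
    return "keep"


def reconcile(peers: list, resolver: Resolver, rule=boot_safe_decision) -> Dict[str, str]:
    """Apply a decision rule to every peer and report what each would need."""
    return {p.name: rule(p, resolver) for p in peers}


# Constructed resolver standing in for system DNS: one known name, anything
# else fails the way an unreachable resolver would right after boot.
FAKE_DNS = {"vpn.example.invalid": "198.51.100.7"}


def fake_resolver(host: str) -> str:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"temporary failure resolving {host}")


def failing_resolver(host: str) -> str:
    raise OSError("resolver not reachable yet")


if __name__ == "__main__":
    peers = [
        Peer("site-a", "vpn.example.invalid", 51820, applied_ip=None),            # came up unresolved
        Peer("site-b", "vpn.example.invalid", 51820, applied_ip="198.51.100.7"),  # already correct
        Peer("site-c", "vpn.example.invalid", 51820, applied_ip="203.0.113.9"),   # address moved
    ]
    print("change-only:", reconcile(peers, fake_resolver, change_only_decision))
    print("boot-safe:  ", reconcile(peers, fake_resolver, boot_safe_decision))
```

Running the block side by side shows the difference the thread is about: the change-only rule leaves the never-resolved peer in "keep" even once DNS is answering, while the boot-safe rule marks it "update"; both rules agree on the unchanged and the moved endpoints, and both report "unresolved" while the resolver is still down so a scheduled run can simply retry later.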

Hey, thank you for your efforts.
Unfortunately, I'm not able to try this right now, and I won't have access to this system for the next few weeks. I was also hoping for a solution that doesn't require modifying configuration files or system files.
Quote from: browne on June 29, 2026, 02:38:32 PM
I'm looking for a solution that doesn't require creating custom shell scripts or modifying system files, as those kinds of workarounds can easily be forgotten or overwritten by future updates
That said, I will definitely give it a try the next time I have access to this environment.

It is not my idea to do any mods that will get undone in the future.

However, I am only speculating that the fix I propose will heal your problem - I do not experience it, so I cannot try. If the fix indeed helps, Deciso might be compelled to include it in future releases. I filed a bug report for this: https://github.com/opnsense/core/issues/10475
