Wireguard and SG-1100 - Won't Handshake

Has anyone had any issues with the wireguard package on an ARM powered SG-1100 appliance? I have a wireguard tunnel and peers set up on one of my pfsense installs on a x86 machine and had little issue setting that up, but I just got a SG-1100 for a family member and I can’t for the life of me get a client to handshake.

• WG is installed an enabled

• Firewall rule on WAN to Allow UDP on 51820

• Firewall rule on wireguard to allow from source which I have set as 10.1.15.0/24, that subnet being the subnet I chose for my WG interface

• Hybrid NAT rule on outbound for 10.1.15.0/24 NAT address being WAN address

• Tunnel is set up as 10.1.15.1/24

• Peer is set up as 10.1.15.2/32

• Macbook client is set as (keys are hidden, but public key from the Macbook client is input into the pub key of the pfsense peer, and pfsense tunnel public key is in the config below under peer pub key):

[Interface]
PrivateKey = xxx
Address = 10.1.15.2/24
DNS = 10.1.15.1

[Peer]
PublicKey = xxx
AllowedIPs = 0.0.0.0/0
Endpoint =MyIPAddress:51820

Tried reinstalling the package, rebooting the appliance, tried an iphone and macbook as clients, tried different ports and subnet’s. I can’t for the life of me get it to handshake. Anyone have any idea? Is there some weird ARM issue with this package?

I did a lot of testing with my SG-2100 and had no issues at all.

Hmm, I wonder what is going on. I have tried this a few times repeatedly following multiple youtube guides, can’t get it to handshake to save my life.

Must be some basic thing I am missing.

I found the issue after hours of pulling my hair out… No-IP DDNS is not working on this appliance. I have no idea why, it shows a green check as if it is updating, but it is not. The IP’s were a very close match so I missed the fact they were different through all my troubleshooting.

Bigger problem is now… why is no-ip not working?

Merry Christmas!

Are you sure you have selected the correct NO-IP entry in the dynamic DNS entry ? You will need to select the 4th one, No-IP (free), this entry will work with NO-IP free version.

Yes, unfortunately it looks like there is a bug in pfsense, and this was the thread I found to fix it.

For anyone that may end up stumbling on this ini the future, the simple solution is to apply this patch, as shown here: No-IP not updating, how to apply patch? | Netgate Forum

Oh that’s interesting I’ve not seen a patch before, it looks like it’s only available for Netgate devices, that option to apply the patch isn’t on the CE version as far as I can see.

I’ve been using NO-IP for ages on 2.5.2 without issues on a non-netgate device, perhaps this issue only affects Netgate devices for some reason.

Actually I believe it does affect CE as well. To apply patches, you have to install the patch installer plug-in. I didn’t know any of this either until yesterday as I believe my CE version built on an old core i5 machine I have hasn’t seemingly had the issue.

Fun fact tho, DDNS reports as working even though it in fact isn’t. So for all I know my system just hasn’t had its IP changed so I didn’t notice anything stop working. Once I am back home after holidays I’ll try and force an IP change to see if DDNS follows.

That’s a good tip on the patch add-in wasn’t aware of it.

I’m on a static IP, though I still use NO-IP, could well affect CE then.

Ok I see in that forum posting, that not using symbols in your NO-IP password also addresses the issue without needing to apply the patch.

I changed my password to try that work around, didn’t work for me. I tried everything listed on that page and nothing worked. As soon as the bo rebooted after the patch was applied, instantly worked.

But… if you’re on a static IP, your IP will never change, so doesn’t really matter if its working or not

Have a second pfsense box on a dynamic IP connection so still a handy tip