diff --git a/net/wireguard/Makefile b/net/wireguard/Makefile
index f6ce57bbdf..ab8782ab78 100644
--- a/net/wireguard/Makefile
+++ b/net/wireguard/Makefile
@@ -1,6 +1,6 @@
 PLUGIN_NAME=		wireguard
 PLUGIN_VERSION=		2.5
-PLUGIN_REVISION=	1
+PLUGIN_REVISION=	2
 PLUGIN_COMMENT=		WireGuard VPN service kernel implementation
 PLUGIN_DEPENDS=		wireguard-kmod
 PLUGIN_CONFLICTS=	wireguard-go
diff --git a/net/wireguard/pkg-descr b/net/wireguard/pkg-descr
index 57bbbedb31..0d5c694c16 100644
--- a/net/wireguard/pkg-descr
+++ b/net/wireguard/pkg-descr
@@ -20,6 +20,8 @@ Changelog
 
 * Fix error with empty tunnel address in instance (contributed by Monviech)
 * Switch "setconf" to "syncconf" on (re)configuration
+* Fix regression of UUID return in setClientAction()
+* Reload the packet filter after reconfiguration
 * Allow instance selection from peer
 * Use "syncconf" on newwanip event
 * CARP event handling improvements
diff --git a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
index 249e6f606a..0e09a98a60 100755
--- a/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
+++ b/net/wireguard/src/opnsense/scripts/Wireguard/wg-service-control.php
@@ -294,5 +294,9 @@ function get_stat_hash($fhandle)
             }
         }
     }
+
+    if (count($server_devs)) {
+        configd_run('filter reload'); /* XXX required for NAT rules, but needs coalescing */
+    }
 }
 closelog();