wg_timers_expired_handshake_last_sent() uses getnanouptime(9) and REKEY_TIMEOUT to determine whether the last handshake sent has timed out.
This creates a timing issue in which persistent keep-alive doesn't work when starting a fast-booting machine (for example, a VM), because netstart(8) typically starts less than REKEY_TIMEOUT (5 seconds) into the boot process.

Tested on amd64 (physical and VM)

Ido

diff --git sys/net/if_wg.c sys/net/if_wg.c
index 79f0e2ad639..e9e9ebe9cd4 100644
--- sys/net/if_wg.c
+++ sys/net/if_wg.c
@@ -1026,6 +1026,9 @@ wg_timers_expired_handshake_last_sent(struct wg_timers *t)
 	struct timespec uptime;
 	struct timespec expire = { .tv_sec = REKEY_TIMEOUT, .tv_nsec = 0 };
 
+	if(t->t_handshake_last_sent.tv_sec == 0)
+		return ETIMEDOUT;
+
 	getnanouptime(&uptime);
 	timespecadd(&t->t_handshake_last_sent, &expire, &expire);
 	return timespeccmp(&uptime, &expire, >) ? ETIMEDOUT : 0;