@droidus

Hello,

I have a similar problem with setting up a new wireguard "client".

Wireguard is running for a longer time with some clients connecting to home network. There are Androids and Linux Mint devices. All connect through a full tunnel.

I added a new Linux Mint device. As always, same config (besides the keys...). The client is able to connect to pfsense, connect to the internet via tunnel BUT can't connect to any services hosted in my home network.

Some important configs in my environment:

Wireguard config file for my Linux Mint clients:

[Interface] Address = 192.168.200.20/32 PrivateKey = 1234 DNS = 192.168.1.1 [Peer] PublicKey = 2222 PresharedKey = 3333 AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = example.domain:51820 PersistentKeepalive = 15

-> DNS is my pfsense.

DNS Resolver is enabled. No other DNS connection (e.g. 8.8.8.8) are allowed.

Firewall logs show only connections to pfsense:53, to visited sites in the internet but no connections to local services in my home lan. I can't see any blocked packets of the attempt to connect
.
There are no states visible between any local service and the client.

I even restarted pfsense.

Any ideas what to check to fix this?

@poldus
My "thinking" of this PROBLEM are

all KEYS (publics, privates and preshareds) are OK (because of handshaking OK) in both peers (Android, Windows)

2.. what else? rules? "default 51820 port (not working too)

WireGuard is so "experimental" to me? so experimental that UNUSED from me?

@mrwaltman

You haven't given me enough information to know the answer to your question.

But, if you're worried about it, change your subnet at home.

Personally, I prefer to use 10.1.1.1/24 for my router. It's super easy to type.

I had the same issue, and the pfblocker virtual IP 10.10.10.1 was the cause. Adding it to my WG peer allowed IPs resolved the issue.

I tried

nslookup website.com DNSIP

command to see where the DNS is failing. I see the router on remote LAN network it resolved correctly. When I specify the wireguard address, it fails instantly. When I specify the other server`s router on the main LAN site, it failes instantly.

edit: It is strange that I can ping the servers over port 53 with a traceroute but I can't get the DNS to work.

@CapitanBlack Thank you! that's is what I needed.
I didn't realize I could assign the same IP on pf1 and pf2 wg interfaces.
Now I need to test the failover.

@Neverstopdreaming said in Wireguard S2S and pfSense HA connecttion issue:

@CapitanBlack
If I undestood correctly your setup, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

It worked great! Thanks again!

@Nick-Wollman said in Wireguard with HA:

Re: Does WireGuard work in a High Availability (pfsync mirrored firewall environment?)

Pulling up an old thread again. I am wondering if we cant have a wireguard setup that is aware of which CARP member is active, so we can have two firewall serving the same clients with seamless failover when one goes down.

Check out my post in Wireguard area - I have S2S Wireguard setup working in HA mode.

I updated to 24.11. That resolved it. So, it appears the wireguard 0.2.9 package is incompatible with 24.03?

@pvswie Try copying it in HTTPS mode.

I am so sorry to have wasted your time but I've solved this, and it was complete and absolute muppetry on my behalf.

I had, many months ago, attempted to set this same thing up using an IPsec tunnel. The non-working IPsec tunnel was still set up on one of the devices...

@Bob-Dig said in SOLVED: Wiregurad trouble after install and apply system_patches 2.2.11_16 in 2.7.2,:

My guess, it will come back

It was coming back today after rebooting host and start the pfsense in its VM.
At least i now fond a solution without reboot the host and the pfsense.
Solution was to go to Interfaces -> WGTun0 (tun_wg0) and disable the interface, safe that and the enable the interface gain.
So i gust the WGTun0-Interface will not every time comes up correctly after rebooting pfsense. Something went wrong.

@jmdomini I used this page when I first tried it..

https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/

@abstergo do a search in the forum, please. You'll see the topic came up a few times it's not something that can easily be done.

Seems setting up two separate tunnels and use OSPF is one option that doesn't involve scripting.

@flat4
Not sure -- but it's really strange how the routing / connection persists after initiating on my cellular network then "transistioning" to the guest wifi