@Frosch1482 For starters change the interface to a /24. You have it as a /32.

@TeeNetGate1 Adding in more testing, from pfsense I can ping the endpoint IPv4 & v6. But still not handshake.

I took a server I know works, from the 3100, but it does not work.

I have added in an interface IP, which i can ping and this does not work.

Do I have a lemon of a pfsense box?

@db858

Android:
interface -> addresses is the client IP address for example 10.20.30.10/32
peer -> "allowed IP" is for the destinations to route over the WireGuard tunnel

pfSense:
Allowed IPs is the client IP address 10.20.30.10/32

@erdeed I asked the same question here:
https://forum.netgate.com/topic/189938/bind-wireguard-tunnel-listener-to-a-specific-wan-ip?_=1726753285158

I'll watch your post too in case someone replies.

@elvisimprsntr privacy is probably more of a concern than vm expense ! why the hell we can not self hosted tailscale and paie a license to use it ! it's beyond me :)

@Zockerherz

Good to know you got it working. I dismissed my FritzBox since it did not work with my ISP (o2) behind a pfsense at all. Since in the Box is a predefined configuration for o2 i need to make a user defined one for make it working behind pf sense. But all my tries to make the user defined configuration working sucks. always if i enter the o2 sip server, the box destroy my own config and switch back to the predefined config.

Therefor i do use a Gigaset go box 100 and Gigaset DECT-Phones now. Much less trouble to config.

@Bob-Dig

Hey thanks for chiming in just really stumped why things exactly 2 days ago stopped working.

Hopefully this might help from the pfsense side:

Wireguard Tunnels:

Screenshot 2024-09-07 at 3.11.40 PM.png

wg1 interface settings:

Screenshot 2024-09-07 at 3.13.45 PM.png

Firewall for the WG interface (wg1)
Screenshot 2024-09-07 at 3.14.56 PM.png

Digital_Ocean_WG_S2S_VPN has value of 10.8.110.0/24

Screenshot 2024-09-07 at 3.33.04 PM.png

Isn't there a log file somewhere where the WG service would log attempted connections? It seems based on firewall rules and firewall logs there would be traffick passed through to the listening process on 51821. Within the linux client on digital ocean its possible to do dynamic kernel logging. I think within pfSense the wireguard stuff isn't within the kernel but a user space utility?

@Bob-Dig You are correct. Thank you for the reply. I have peace of mind with the config now. Again, I appreciate the time

@ogghi Sorry for the spam!
It works just fine now.
I had to remove the upstream gateway from the 2 tunnel interfaces on each site and then it started...

@McMurphy said in Does the GW IP matter?:

SiteA = 172.16.0.1
SiteB = 172.16.0.2

These are both in the same network even if you had a /30

Do you have other interfaces i.e. LANs on these boxes? I assume you do. Yes you would be able to see at least both addresses from either box.

left to guess your layout nobody can really understand what your goal is.

@ManofWax

known issue

https://redmine.pfsense.org/issues/13405

no fix…

@McMurphy sure you can - its just an example.. You can use whatever tunnel network you want, as large or as small as you need as long as it doesn't overlap with any of your other networks.

As to what you allow, sure you could just allow the whole tunnel network if you want, etc.

@erdeed How many peers/clients are we talking about? Is it so many that you need some automatic handling of it or could you manually or semi manually assign it via different IP's.

I'm thinking policy routing might work? I mean each client get's their own IP inside the tunnel right?
So under Firewall / Rules / Wireguard, if you add a policy rule per client IP, to simply go out the selected gateway??