• IP Phone doesn't register over VPN Tunnel

    0 Votes, 3 Posts, 223 Views

    @Zockerherz

    Good to know you got it working. I dismissed my FritzBox since it did not work with my ISP (o2) behind a pfsense at all. Since in the Box is a predefined configuration for o2 i need to make a user defined one for make it working behind pf sense. But all my tries to make the user defined configuration working sucks. always if i enter the o2 sip server, the box destroy my own config and switch back to the predefined config.

    Therefor i do use a Gigaset go box 100 and Gigaset DECT-Phones now. Much less trouble to config.

  • How to best debug Wireguard

    0 Votes, 7 Posts, 887 Views

    @Bob-Dig

    Hey, thanks for chiming in. Just really stumped why things stopped working exactly 2 days ago.

    Hopefully this might help from the pfSense side:

    Wireguard Tunnels: [screenshot]

    wg1 interface settings: [screenshot]

    Firewall for the WG interface (wg1): [screenshot]

    Digital_Ocean_WG_S2S_VPN has value of 10.8.110.0/24

    Isn't there a log file somewhere where the WG service would log attempted connections? Based on the firewall rules and firewall logs, it seems traffic would be passed through to the listening process on 51821. Within the Linux client on Digital Ocean it's possible to do dynamic kernel logging. I think within pfSense the WireGuard stuff isn't within the kernel but a user-space utility?

  • Wireguard - Traffic not being sent through VPN tunnel

    0 Votes, 8 Posts, 824 Views

    @Bob-Dig You are correct. Thank you for the reply. I have peace of mind with the config now. Again, I appreciate the time.

  • Bind Wireguard Tunnel listener to a specific WAN IP?

    0 Votes, 1 Post, 278 Views
    No one has replied
  • Wireguard MTU & MSS clamping

    0 Votes, 1 Post, 507 Views
    No one has replied
  • 0 Votes, 15 Posts, 896 Views

    @ogghi Sorry for the spam!
    It works just fine now.
    I had to remove the upstream gateway from the 2 tunnel interfaces on each site and then it started...

  • Does the GW IP matter?

    0 Votes, 4 Posts, 309 Views
    chpalmer

    @McMurphy said in Does the GW IP matter?:

    SiteA = 172.16.0.1
    SiteB = 172.16.0.2

    These are both in the same network even if you had a /30.

    Do you have other interfaces, i.e. LANs, on these boxes? I assume you do. Yes, you would be able to see at least both addresses from either box.

    Left to guess your layout, nobody can really understand what your goal is.

  • 0 Votes, 2 Posts, 159 Views

    @ManofWax

    known issue

    https://redmine.pfsense.org/issues/13405

    no fix…

  • Tunnel subnet masks

    0 Votes, 6 Posts, 397 Views
    johnpoz

    @McMurphy sure you can - it's just an example. You can use whatever tunnel network you want, as large or as small as you need, as long as it doesn't overlap with any of your other networks.

    As to what you allow, sure you could just allow the whole tunnel network if you want, etc.

  • Wireguard with multiple IPV4

    0 Votes, 2 Posts, 185 Views

    @erdeed How many peers/clients are we talking about? Is it so many that you need some automatic handling of it, or could you manually or semi-manually assign it via different IPs?

    I'm thinking policy routing might work? I mean each client gets their own IP inside the tunnel, right?
    So under Firewall / Rules / Wireguard, if you add a policy rule per client IP, to simply go out the selected gateway??

  • Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?

    0 Votes, 13 Posts, 3k Views
    JeGr

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    Can the same logic be applied to Wireguard?

    IPsec or OpenVPN are doing that if a node is standby and it's configured on a CARP IP. But as Wireguard does not have an interface binding, it's a bit more complicated.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    If CARP is capable of judging who is active and who is standby, can this be used as a signal for where to run one instance of Wireguard and kill all the other Wireguard processes in the cluster?

    Perhaps - I'm not sure.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    IPSec and OpenVPN could tell who is active and who is standby because they are bound to interfaces, right? So those two VPN protocols can form a cluster without relying on something like CARP because they are bound to interfaces, right?

    To the first part: yes. To the second: I don't understand what you mean by forming a cluster without relying on CARP etc. A cluster is a cluster because of things like CARP, keepalived or such. What do you mean by "form a cluster without relying on sth like CARP"?

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    Then what about making Wireguard dependent on CARP and run only single instance of Wireguard where CARP status is confirmed to be active?

    Wouldn't change a thing, as the problem with Wireguard still remains: it is interface-agnostic and doesn't bind to the VIP (virtual IP) of a cluster. You simply don't want Wireguard to use your interface IP instead of the cluster IP, as your communication would always come from the wrong IP, and you can't that easily set it up to work on a fixed interface.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    I know that VyOS is doing something similar to this. They combine VRRP and transition scripts to do this to make sure that if a node becomes a VRRP master, Wireguard comes up and if you are not a master anymore, kill wireguard.

    Could maybe work. Still don't know how they'd treat WG to fix its tendency to use the wrong IP or wrong interface though.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    Is it because pfSense software itself is limited in some software designs?
    Or is it because CARP has inherent limitations and is different from VRRP?

    Nothing to do with FreeBSD or pfSense; Wireguard is simply weird that way. And as I don't know what VyOS does with keepalived, and whether it's really using VRRP and runs WG only on the VRRP IP, I can't say.
    Also check that post in the VyOS forums, which describes exactly what I said. Wireguard simply ignores the VRRP interface and communicates via the physical IP, which you don't want in a cluster:
    -> https://forum.vyos.io/t/wireguard-does-not-work-with-vrrp-ip-address/14909

  • Wireguard Interface Firewall Rules

    0 Votes, 1 Post, 138 Views
    No one has replied
  • Avahi mDNS on Wireguard

    0 Votes, 2 Posts, 906 Views
    dennypage

    @cypherpunk AFAIK, the pfSense Wireguard implementation does not support multicast.

    Mentioned in the doc here.

  • Where to set MTU

    0 Votes, 3 Posts, 1k Views

    @McMurphy said in Where to set MTU:

    The maximum packet size for the internet link before fragmentation is 1472 (+28 = 1500)

    In your case 1440 is fine for an IPv4-only tunnel. If the tunnel shall also transport IPv6 traffic, you shall not use an MTU bigger than 1420. The reason is the slightly bigger overhead of IPv6 compared to IPv4.

    Using tracepath you can check out PMTU and packet transfer to find optimal results.

    See: https://schroederdennis.de/vpn/wireguard-mtu-size-1420-1412-best-practices-ipv4-ipv6-mtu-berechnen/ (German language)

  • Hub n Spoke with dynamic IPs on spokes

    0 Votes, 1 Post, 111 Views
    No one has replied
  • Multiple Wireguard Gateways Working/Not-Working

    0 Votes, 3 Posts, 424 Views

    @Bob-Dig
    Awww. Suggesting that is like taking a xmas present back from a child. ☹️

    Good idea - I'll try pruning the clients back to maybe 2 or 3 and experiment from there. If I have no luck with that, I'll check out OpenWrt (I used to run DD-WRT; I didn't realise OpenWrt was unlocked/unlicensed for x86).

  • WG Peer Endpoint IP - Restrict Peer to single public IP

    0 Votes, 8 Posts, 457 Views

    @Bob-Dig This is an added layer of security: if the device/machine is stolen, for example, they would have the private key. So by blocking by public IP we can stop the WG connection being used elsewhere, at least to certain networks, using a VLAN firewall rule.

  • WireGuard Peer Generator

    3 Votes, 6 Posts, 1k Views

    I have just installed pfSense CE and it is up and running in my infrastructure. But regarding WireGuard, with all the users I have it is impossible to generate a peer for every user manually.

    So I created a new Ubuntu Server with PiVPN with WireGuard, then a port forward to that server.

    At this point I have 700mb download and 650mb upload using WireGuard and this configuration.

    I know this is stupid, but creating peers manually for many users is also stupid. If someone converted the PiVPN files to pfSense it would be great.

  • Wireguard Handshake Logs

    0 Votes, 1 Post, 120 Views
    No one has replied
  • 0 Votes, 14 Posts, 4k Views

    @gabacho4 Did you ever figure it out?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.