@Neverstopdreaming said in Wireguard S2S and pfSense HA connecttion issue:

@CapitanBlack
If I undestood correctly your setup, you need an outbound NAT rule for the HQ_LAN on the pfsense3 and BRANCH_LAN on pfsense1

https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html

It worked great! Thanks again!

@Neverstopdreaming

Interfaces: pfSense1

Each WG tunnel uses own /24 network - i.e. 10.10.10.0/24 and 10.10.11.0/24

f8d65066-84d2-4ff2-b8e7-15d6e7700429-image.png

14cc3ee4-2fcd-4826-9df8-fa91c05a9944-image.png

Wireguard Tunnels and peers (status screen)

208b96e6-1a58-4805-bfa9-d3ace2646008-image.png

pfSense1 Gateways

78f80f5c-cecd-415e-9877-9e307a74e7d8-image.png

**pfSense1 Wireguard Gateway group **

5d7f7251-1652-472b-9040-22a4efa6777f-image.png

Wireguard Status pfSense1 (left) vs. pfSense3 (right)

85279878-f461-4676-b69d-cdc63e75b37e-image.png

Wireguard Status pfSense2 (left) vs. pfSense4 (right)

fbb00a12-91e0-4d2d-8cac-9f578cea1330-image.png

@Ryu945 Did you add the remote subnet to the main site @ Services | DNS Resolver | Access Lists?

@Nick-Wollman said in Wireguard with HA:

Re: Does WireGuard work in a High Availability (pfsync mirrored firewall environment?)

Pulling up an old thread again. I am wondering if we cant have a wireguard setup that is aware of which CARP member is active, so we can have two firewall serving the same clients with seamless failover when one goes down.

Check out my post in Wireguard area - I have S2S Wireguard setup working in HA mode.

@Bob-Dig So it gets weirder. When I connect using my peer's .conf file via the hotspot on my phone, I can connect to the devices on my lan. It shows on pfsense that my device is connected. But when I connect using the same .conf file via my home's wifi, I can't connect to anything internally. It seems like there's a relationship b/w the .conf file and my phone?....

I updated to 24.11. That resolved it. So, it appears the wireguard 0.2.9 package is incompatible with 24.03?

@pvswie Try copying it in HTTPS mode.

I am so sorry to have wasted your time but I've solved this, and it was complete and absolute muppetry on my behalf.

I had, many months ago, attempted to set this same thing up using an IPsec tunnel. The non-working IPsec tunnel was still set up on one of the devices...

@Bob-Dig said in SOLVED: Wiregurad trouble after install and apply system_patches 2.2.11_16 in 2.7.2,:

My guess, it will come back

It was coming back today after rebooting host and start the pfsense in its VM.
At least i now fond a solution without reboot the host and the pfsense.
Solution was to go to Interfaces -> WGTun0 (tun_wg0) and disable the interface, safe that and the enable the interface gain.
So i gust the WGTun0-Interface will not every time comes up correctly after rebooting pfsense. Something went wrong.

@jmdomini I used this page when I first tried it..

https://www.wundertech.net/how-to-set-up-wireguard-on-pfsense/

@abstergo do a search in the forum, please. You'll see the topic came up a few times it's not something that can easily be done.

Seems setting up two separate tunnels and use OSPF is one option that doesn't involve scripting.

@flat4
Not sure -- but it's really strange how the routing / connection persists after initiating on my cellular network then "transistioning" to the guest wifi

@dennypage Okay thanks.

@michmoor Thanks but we have trashed it and will do OpenVPN even though it is slower, but more reliable and easier to troubleshoot.

To anyone having the same problem follow this guide
https://blog.matrixpost.net/set-up-wireguard-site-to-site-vpn-on-pfsense/

or in short, do not set an upstream gateway and set static routes as allowed ips.