@Bob-Dig Yes, only 1 wg-client, and 2 openvpn-clients. As per the MTU value of 1320, I know it's not optimal, but that is the default MTU proposed by my provider (AirVPN), and was "good enough" to highlight the issue and narrow the possible cause (didn't want to mess with too many parameters): better have a MTU that is too low than too high, as far as I understand. Once I get a solution or workaround, it will certainly start playing with the values to optimize my bandwidth and will certainly come to set it at 1420.

@Bob-Dig & @paoloposo I have entertained the idea that DNS might need to be configured specifically for Wireguard (hence my post here), but somehow my googling always went off in different directions. And this has been going on for two weeks. I tried so many solutions both software and hardware, but somehow it completely escaped me that there even is a DNS field in the Wireguard app for Android. I feel embarrassed for having bothered the community with such a simple matter, but am grateful that both of you stepped in to help out. Thanks!

@hspindel Update, finally got the VPN tunnel to work!

I can only access the NAS which is in another network

@Bronko Ah yes, I forgot to post a link to the reddit thread as well. Thank you!

@Bronko said in Port forwarding through WG tunnel missing reply-to: Ok, but @carrnelltech have the right ideas already included at bug report. Yes, agree, he elaborated this bug report very well. Similar as the interface config page for OpenVPN, there could be some different options if you have assigned a Wireguard instance as network port.

Gotcha, well it's not really feasible to say give a VPN client a local IP on a subnet the firewall is already managing as an interface, so I think the only solution would be to use NAT but this can create it's own issues. But if you were to NAT the wireguard connection to a different IP within that local LAN subnet (and make sure it's not one within that subnets DHCP pool) then you probably can achieve what you're looking for here.

@JuntaSense thank you so much - this did it!

@Owen82 They both should be in it. Remove any rules you have except allow anything for testing. And set keep alive with 25 seconds for testing. Set a port in the VPS as well.

SNORT!!!

I was able to get my ISP to give me a publicly accessible IP address for my WAN. This has solved my problem. Thanks for all the suggestions.

@DaddyGo ok thank you so much for confirming

@JonathanLee Hey, thanks for replying. Yes I have tried both of those things you suggested. I noticed this in the system routing logs: 2023-09-19 00:50:01.509563-04:00 miniupnpd 69708 SSDP packet sender 10.200.0.40:41899 (if_index=10) not from a LAN, ignoring //(this seems like a problem 0 phone is 10.200.0.40 here, and it's packet is being ignored) 2023-09-19 00:48:42.339875-04:00 miniupnpd 69708 ioctl(dev, DIOCGETRULES, ...): Invalid argument //(LOTS of these)

@Bob-Dig My wan is ppoe with vlan, the other wan is the nic interface (parent). I will try later when i go home, if ports remain up for wg and for that reason i need to use another port to bring up the connection. It is still werid why wg tunnel is working with different port.

@adam23450 said in wireguard and one interface multiple peers with network 0.0.0.0/0: @Bob-Dig When I add 0.0.0.0/0 in both, each of the gates is no longer reachable. It says here that the address must be unique. So it follows that I have to add each network manually? ... Allowed IP entries here will be transformed into proper subnet start boundaries prior to validating and saving. These entries must be unique between multiple peers on the same tunnel. Otherwise, traffic to the conflicting networks will only be routed to the last peer in the list. @cmcdonald Now I became curious too, the limitation that only one peer can hold 0.0.0.0/0, is this an inherent limitation of WG or could/should it be changed for the implementation in pfSense? I will connect mine to two other pfSense(s) and I want to use each as an "exit node" for mine. I will opt for two tunnels for now.