• Use wireguard with the same subnet as the LAN
    0 Votes
    4 Posts
    1k Views
    planedrop
    Gotcha, well it's not really feasible to, say, give a VPN client a local IP on a subnet the firewall is already managing as an interface, so I think the only solution would be to use NAT, but this can create its own issues. But if you were to NAT the wireguard connection to a different IP within that local LAN subnet (and make sure it's not one within that subnet's DHCP pool) then you probably can achieve what you're looking for here.
  • Is it possible to resolve DNS via WireGuard interfaces?
    0 Votes
    12 Posts
    9k Views
    D
    @JuntaSense thank you so much - this did it!
  • Wireguard and Windows metrics priority
    0 Votes
    1 Posts
    341 Views
    No one has replied
  • Pfsense Wireguard to VPS - No handshake
    0 Votes
    4 Posts
    1k Views
    Bob.Dig
    @Owen82 They both should be in it. Remove any rules you have except allow anything for testing. And set keep alive with 25 seconds for testing. Set a port in the VPS as well.
  • wireguard site to site throughput goes to zero but sometimes works great
    0 Votes
    8 Posts
    1k Views
    mooncaptain
    SNORT!!!
  • Wireguard with client on a firewalled LAN?
    0 Votes
    9 Posts
    1k Views
    R
    I was able to get my ISP to give me a publicly accessible IP address for my WAN. This has solved my problem. Thanks for all the suggestions.
  • ivpn client guide
    0 Votes
    3 Posts
    376 Views
    L
    @DaddyGo ok thank you so much for confirming
  • UPnP between LAN and Wireguard Interface...Fails
    0 Votes
    3 Posts
    1k Views
    R
    @JonathanLee Hey, thanks for replying. Yes I have tried both of those things you suggested. I noticed this in the system routing logs:
    2023-09-19 00:50:01.509563-04:00 miniupnpd 69708 SSDP packet sender 10.200.0.40:41899 (if_index=10) not from a LAN, ignoring
    // (this seems like a problem: phone is 10.200.0.40 here, and its packet is being ignored)
    2023-09-19 00:48:42.339875-04:00 miniupnpd 69708 ioctl(dev, DIOCGETRULES, ...): Invalid argument
    // (LOTS of these)
  • need help with allowedip/pre/post settings
    0 Votes
    1 Posts
    233 Views
    No one has replied
  • Wireguard weird behavior
    0 Votes
    7 Posts
    919 Views
    L
    @Bob-Dig My WAN is PPPoE with VLAN, the other WAN is the NIC interface (parent). I will try later when I go home, if ports remain up for wg and for that reason I need to use another port to bring up the connection. It is still weird why the wg tunnel is working with a different port.
  • 0 Votes
    1 Posts
    400 Views
    No one has replied
  • wireguard and one interface multiple peers with network 0.0.0.0/0
    0 Votes
    18 Posts
    4k Views
    Bob.Dig
    @adam23450 said in wireguard and one interface multiple peers with network 0.0.0.0/0:
      @Bob-Dig When I add 0.0.0.0/0 in both, each of the gates is no longer reachable. It says here that the address must be unique. So it follows that I have to add each network manually?
      ...
      Allowed IP entries here will be transformed into proper subnet start boundaries prior to validating and saving. These entries must be unique between multiple peers on the same tunnel. Otherwise, traffic to the conflicting networks will only be routed to the last peer in the list.
    @cmcdonald Now I became curious too: the limitation that only one peer can hold 0.0.0.0/0, is this an inherent limitation of WG or could/should it be changed for the implementation in pfSense? I will connect mine to two other pfSense(s) and I want to use each as an "exit node" for mine. I will opt for two tunnels for now.
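The uniqueness rule quoted in that thread is WireGuard's cryptokey routing, not a pfSense quirk: within one tunnel every allowed prefix belongs to exactly one peer, and whichever peer is configured last takes it. The following is an added example, not code from pfSense or the WireGuard project, that models a per-tunnel table to show what happens when two exit peers both claim 0.0.0.0/0 on one tunnel, and why the "two tunnels" workaround from the post works. The peer names, prefixes and tunnel names (exitA, exitB, tun_wg0, tun_wg1, 10.10.0.0/24, 10.20.0.0/24) are made up for the demonstration.

```python
import ipaddress

# Added example (not pfSense or WireGuard code): a toy model of WireGuard's
# cryptokey routing table. Peer names, prefixes and tunnel names are assumed.


class CryptokeyRoutingTable:
    """One table per WireGuard tunnel: each allowed prefix maps to exactly
    one peer; assigning the same prefix to another peer moves it there."""

    def __init__(self):
        self._routes = {}  # ip_network -> peer name

    def set_allowed_ips(self, peer, prefixes):
        """Install prefixes for peer. Returns the (prefix, previous_peer)
        pairs that were taken away from another peer, the situation the
        pfSense validation text warns about."""
        moved = []
        for p in prefixes:
            # strict=False snaps a host address to the subnet start boundary,
            # e.g. 10.10.0.5/24 -> 10.10.0.0/24, as pfSense does before saving
            net = ipaddress.ip_network(p, strict=False)
            prev = self._routes.get(net)
            if prev is not None and prev != peer:
                moved.append((str(net), prev))
            self._routes[net] = peer
        return moved

    def peer_for(self, addr):
        """Outbound lookup: longest-prefix match over all installed prefixes."""
        ip = ipaddress.ip_address(addr)
        best_net, best_peer = None, None
        for net, peer in self._routes.items():
            if ip.version == net.version and ip in net:
                if best_net is None or net.prefixlen > best_net.prefixlen:
                    best_net, best_peer = net, peer
        return best_peer

    def allowed_ips(self, peer):
        """Prefixes this peer still owns after any later reassignments."""
        return sorted(str(n) for n, p in self._routes.items() if p == peer)


def one_tunnel_two_exits():
    """Both exit peers on the same tunnel claim 0.0.0.0/0: the last one wins,
    and the first exit silently loses the default route."""
    table = CryptokeyRoutingTable()
    table.set_allowed_ips("exitA", ["10.10.0.5/24", "0.0.0.0/0"])
    moved = table.set_allowed_ips("exitB", ["10.20.0.0/24", "0.0.0.0/0"])
    return table, moved


def two_tunnels_two_exits():
    """One tunnel per exit peer: each table has its own default route, so
    choosing the exit becomes an ordinary gateway/policy-routing decision."""
    tunnels = {"tun_wg0": CryptokeyRoutingTable(),
               "tun_wg1": CryptokeyRoutingTable()}
    tunnels["tun_wg0"].set_allowed_ips("exitA", ["0.0.0.0/0"])
    tunnels["tun_wg1"].set_allowed_ips("exitB", ["0.0.0.0/0"])
    return {name: t.peer_for("8.8.8.8") for name, t in tunnels.items()}


if __name__ == "__main__":
    table, moved = one_tunnel_two_exits()
    print("moved away from another peer:", moved)
    print("exitA still owns:", table.allowed_ips("exitA"))
    print("10.10.0.9 ->", table.peer_for("10.10.0.9"))
    print("8.8.8.8   ->", table.peer_for("8.8.8.8"))
    print("per-tunnel default route:", two_tunnels_two_exits())
```

In the single-tunnel case exitA keeps only 10.10.0.0/24 and every non-LAN destination goes to exitB, which is the "only routed to the last peer in the list" behaviour from the validation text; with one tunnel per exit, both tables hold a default route and the firewall's gateway selection decides which tunnel carries it.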
  • Problem with wireguard and Ubuntu server
    0 Votes
    1 Posts
    283 Views
    No one has replied
  • Problem with wireguard and Ubuntu server
    0 Votes
    1 Posts
    334 Views
    No one has replied
  • access 3d printer webpage mainsail - webpage keeps initializing
    0 Votes
    1 Posts
    205 Views
    No one has replied
  • Wireguard Site-to-Site VPN - Same External IP
    0 Votes
    2 Posts
    246 Views
    Bob.Dig
    @xxnumbxx Like with every other vpn tunnel.
  • wireguard config - can connect but cannot ping LAN hosts from phone
    0 Votes
    5 Posts
    2k Views
    Bob.Dig
    @mushinsky You can't have two addresses for the interface and you also have other problems. Maybe take a closer look here.
  • 0 Votes
    7 Posts
    6k Views
    K
    @umme You can't create the same IP on a gateway because that will overlap, so you have to change the IP on each gateway; it doesn't matter what IP as long as the interface is the same as the gateway. Then try changing the listening port per tunnel on wireguard. I figured that is a NordVPN problem not connecting to peers; I spent 24 hours of trial and error on that. For the specific endpoint you choose, only the endpoint must remain on the default wireguard port.
  • Wireguard config over ssh
    1 Votes
    8 Posts
    3k Views
    M
    @swinster Here's as far as I've gotten so far. It's "seemingly" doing everything right, and not returning any errors, but then it also fails to create a new peer, and I haven't figured out where to go from here. Mind that this is an interactive script that expects you to press Y, but it should be easy to adapt to, say, take an email address as a parameter instead and then email the config to that address. It also assumes that you have a /24 subnet for your wireguard clients (for now).

    #!/bin/sh
    # wg-add-peer.sh: add a WireGuard peer to pfSense from the shell and write
    # the matching client config to ./<username>-wg.conf.
    #
    # Usage
    #   ./wg-add-peer.sh <username>
    #
    # Assumes a single tunnel and a /24 for the WireGuard clients.

    DNS="10.2.10.10, mydomain.com"
    ALLOWEDIPS="10.2.10.0/24"
    ENDPOINT="wireguard.mydomain.com:51820"
    CONF=/conf/config.xml

    # Check that exactly one argument is given
    if [ $# -ne 1 ]; then
        printf 'illegal number of parameters\nUsage\n%s <username>\n' "$0"
        exit 1
    fi

    # Get tunnel name (e.g. tun_wg0)
    tunnel=$(xmllint --xpath "string(/pfsense/installedpackages/wireguard/tunnels/item/name)" "$CONF")

    # Get the first 3 octets of the tunnel address
    subnet=$(xmllint --xpath 'string(/pfsense/installedpackages/wireguard/tunnels/item/addresses/row/address)' "$CONF" | cut -f-3 -d'.')

    # Count of existing peers = index the new peer will get when appended
    peer_count=$(xmllint --xpath "count(/pfsense/installedpackages/wireguard/peers/item)" "$CONF")

    find_next_ip() {
        # Assume the first integer in the last octet belongs to our tunnel interface IP
        seq=2
        # Walk the last octets of existing peer addresses in numeric order and
        # stop at the first gap
        for i in $(xmllint --xpath "//pfsense/installedpackages/wireguard/peers/item//allowedips/row/address" "$CONF" \
                | sed 's/<[^>]*>//g' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n | cut -f4 -d'.'); do
            if [ "$i" -ne "$seq" ]; then
                # Gap found: $seq is free ($i is already in use)
                echo "$seq"
                return 0
            fi
            seq=$((seq+1))
        done
        # No gap: next octet after the highest one in use
        echo "$seq"
    }

    next_ip="$subnet.$(find_next_ip)"

    # The client config contains a private key: create all files 0600
    umask 077
    tmpscript=$(mktemp -t pfSsh_script)

    # Generate the client key pair; the server public key comes from the live tunnel
    private_key=$(wg genkey)
    public_key=$(echo "$private_key" | wg pubkey)
    server_public_key=$(wg show "$tunnel" public-key)

    cat > "$tmpscript" << EOF
    \$newPeer['enabled'] = 'yes';
    \$newPeer['tun'] = '$tunnel';
    \$newPeer['descr'] = '$1';
    \$newPeer['persistentkeepalive'] = '';
    \$newPeer['publickey'] = '$public_key';
    \$newPeer['presharedkey'] = '';
    \$newPeerIP['address'] = '$next_ip';
    \$newPeerIP['mask'] = '32';
    \$newPeerIP['descr'] = '';
    \$config['installedpackages']['wireguard']['peers']['item'][] = \$newPeer;
    \$config['installedpackages']['wireguard']['peers']['item']['$peer_count']['allowedips']['row'][] = \$newPeerIP;
    parse_config(true);
    write_config();
    exec
    playback svc restart WireGuard
    exit
    EOF

    cat > "$1-wg.conf" << EOL
    [Interface]
    PrivateKey = $private_key
    Address = $next_ip/32
    DNS = $DNS

    [Peer]
    PublicKey = $server_public_key
    AllowedIPs = $ALLOWEDIPS
    Endpoint = $ENDPOINT
    PersistentKeepalive = 15
    EOL

    echo "About to run the following pfSsh.php script:"
    cat "$tmpscript"
    printf 'Confirm by pressing y... '
    read -r key
    if [ "$key" = 'y' ] || [ "$key" = 'Y' ]; then
        /usr/local/sbin/pfSsh.php < "$tmpscript"
        rm -f "$tmpscript"
        echo "$1-wg.conf:"
        cat "$1-wg.conf"
    else
        # Anything else pressed: clean up and abort
        echo "User input not y, aborting"
        rm -f "$tmpscript"
        exit 1
    fi
  • Can't bridge internal Wireguard interface to the outside
    0 Votes
    1 Posts
    257 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.