• Problem with wireguard and Ubuntu server

    1
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • Problem with wireguard and Ubuntu server

    1
    0 Votes
    1 Posts
    313 Views
    No one has replied
  • access 3d printer webpage mainsail - webpage keeps initializing

    1
    0 Votes
    1 Posts
    194 Views
    No one has replied
  • Wireguard Site-to-Site VPN - Same External IP

    2
    0 Votes
    2 Posts
    231 Views
    Bob.DigB
    @xxnumbxx Like with every other vpn tunnel.
  • wireguard config - can connect but cannot ping LAN hosts from phone

    5
    0 Votes
    5 Posts
    2k Views
    Bob.DigB
    @mushinsky You can't have two addresses for the interface and you also have other problems. Maybe take a closer look here.
  • 0 Votes
    7 Posts
    5k Views
    K
    @umme You can't create the same IP on a gateway because that will overlap, so you have to change the IP on each gateway. It doesn't matter what IP, as long as the interface is the same with the gateway. Then try changing the listening port per tunnel on WireGuard; I figured that is the NordVPN problem of not connecting to peers, and spent 24 hours of trial and error on that. For the specific endpoint you choose, only the endpoint must remain on the default WireGuard port.
  • Wireguard config over ssh

    8
    1 Votes
    8 Posts
    2k Views
    M
    @swinster Here's as far as I've gotten so far. It's "seemingly" doing everything right, and not returning any errors, but then it also fails to create a new peer, and I haven't figured out where to go from here. Mind that this is an interactive script that expects you to press Y, but should be easy to adapt to, say, take an email address as parameter instead and then email the config to that address. It also assumes that you have a /24 subnet for your wireguard clients (for now).

        #!/bin/sh

        DNS="10.2.10.10, mydomain.com"
        ALLOWEDIPS="10.2.10.0/24"
        ENDPOINT="wireguard.mydomain.com:51820"

        ## Usage
        #./wg-add-peer.sh <username>

        # check that only 1 argument is given
        if [ $# -ne 1 ]; then
            echo "illegal number of parameters\nUsage\n$0 <username>"
            exit 1
        fi

        # Get tunnel name
        tunnel=`xmllint --xpath "string(/pfsense/installedpackages/wireguard/tunnels/item/name)" /conf/config.xml`

        # Get the first 3 octets
        subnet=`xmllint --xpath 'string(/pfsense/installedpackages/wireguard/tunnels/item/addresses/row/address)' /conf/config.xml | cut -f-3 -d'.'`

        # Get count of existing peers
        peer_count=`xmllint --xpath "count(/pfsense/installedpackages/wireguard/peers/item)" /conf/config.xml`

        find_next_ip() {
            # Assume the first integer in last octet belongs to our tunnel interface ip
            seq=2
            # Find next available integer
            for i in `xmllint --xpath "//pfsense/installedpackages/wireguard/peers/item//allowedips/row/address" /conf/config.xml | sed 's/<*.address>//g' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n | cut -f4 -d'.'`; do
                if [ $i != $seq ]; then
                    echo $i
                    return $i
                fi
                seq=$((seq+1))
            done
            echo $seq
            return $seq
        }

        next_ip="$subnet.$(find_next_ip)"

        #Generate keys
        private_key=$(wg genkey)
        public_key=$(echo "$private_key" | wg pubkey)

        cat > /tmp/pfSsh_script.tmp << EOF
        \$newPeer['enabled'] = 'yes';
        \$newPeer['tun'] = '$tunnel';
        \$newPeer['descr'] = '$1';
        \$newPeer['persistentkeepalive'] = '';
        \$newPeer['publickey'] = '$public_key';
        \$newPeer['presharedkey'] = '';
        \$newPeerIP['address'] = '$next_ip';
        \$newPeerIP['mask'] = '32';
        \$newPeerIP['descr'] = '';
        \$config['installedpackages']['wireguard']['peers']['item']][] = \$newPeer;
        \$config['installedpackages']['wireguard']['peers']['item']['$peer_count']['allowedips']['row'][] = \$newPeerIP
        pfSense shell: parse_config(true);
        pfSense shell: write_config();
        pfSense shell: exec;
        playback svc restart WireGuard
        exit
        EOF

        cat > "$1-wg.conf" << EOL
        [Interface]
        PrivateKey = $private_key
        Address = $next_ip/32
        DNS = $DNS

        [Peer]
        PublicKey = $(wg|grep "public key"|rev|cut -d' ' -f1|rev)
        AllowedIPs = $ALLOWEDIPS
        Endpoint = $ENDPOINT
        PersistentKeepalive = 15
        EOL

        echo "About to run the following pfSsh.php script:"
        cat /tmp/pfSsh_script.tmp

        read -r -p $'Confirm by pressing y... ' key
        if [ "$key" == 'y' ] || [ "$key" == 'Y' ]; then
            /usr/local/sbin/pfSsh.php < /tmp/pfSsh_script.tmp
            rm -f /tmp/pfSsh_script.tmp
            echo "$1-wg.conf:"
            cat "$1-wg.conf"
        else
            # Anything else pressed, do whatever else.
            echo User input not y...
            exit 1
        fi
  • Can't bridge internal Wireguard interface to the outside

    1
    0 Votes
    1 Posts
    235 Views
    No one has replied
  • Wireguard + TrueNAS - Does not connect on VPN?

    2
    0 Votes
    2 Posts
    224 Views
    rtorresR
    Actually please delete, for some reason I am able to access TrueNAS now... not too sure what the cause was, I reset network configuration on TrueNAS and BAM started working.. Please close this thread. Thank you!!
  • DHCP Relay allowed to traverse into Wireguard site to site

    3
    0 Votes
    3 Posts
    958 Views
    A
    @keyser Thanks for the info, if that is the case I wouldn't bother trying to make this work then.
  • IPv6 over IPv4

    1
    0 Votes
    1 Posts
    284 Views
    No one has replied
  • Resize Wireguard Status table columns

    2
    0 Votes
    2 Posts
    219 Views
    G
    I've already tried the 100% trick as per the following forum thread, but columns do not scale.
  • WireGuard MultiWAN Not Failing Back to Tier1

    multiwan failover
    3
    0 Votes
    3 Posts
    1k Views
    R
    @luckman212 Has this been integrated into a subsequent release or is this patch still valid? I'm having the same issue on 23.05.1-RELEASE.
  • 0 Votes
    2 Posts
    298 Views
    S
    This looks like it will solve my issue. I'll update after I've had a chance to try it out.
  • Wireguard and iphone setup

    2
    0 Votes
    2 Posts
    397 Views
    C
    @cburbs So if the phone connecting is on the 10.0.2 wireguard tunnel and I only want access to Vlan 3, what's the best way to do that? While on wireguard:
        No access to the pfsense box, Switches, Vlan1, Vlan4, Vlan4
        Can't ping anything in the above either
        Just access to one docker on Vlan3.
  • Routing Internet Traffic Through A Site-To-Site Wireguard tunnel

    5
    1 Votes
    5 Posts
    1k Views
    B
    @JustAnotherUser said in Routing Internet Traffic Through A Site-To-Site Wireguard tunnel: You set your SITE's Default Gateway to your WG interface ...WG interface on MAIN Router. (to be unambiguous)
  • Wireguard Surfshark Dedicated Server

    2
    0 Votes
    2 Posts
    532 Views
    JustAnotherUserJ
    @mThirteen Your WG VPN may be up and running fine and you just don't know it... From each device: ping the far end WG tunnel IP. If you can ping the tunnel IPs, your VPN is working fine. If your VPN is working fine but there's still no traffic through it, it's probably because: You didn't set up the static routes. You have OpenVPN entries on your pfSense box that are interfering. The Wireguard module is a little bit broken in that OpenVPN entries (even disabled ones) mess up WG. I fixed this issue by deleting all of my OVPN entries. Others have fixed this issue by deleting the WG peers and tunnels and re-installing them. I highly suggest you back up your pfSense before deleting anything. One other thing you may try is to explicitly add your tunnel's far end IP in the Allowed IPs (/32). With 0.0.0.0, it shouldn't matter but the WG module is a little flaky and this might fix it:

        [Peer]
        PublicKey = ************************************
        AllowedIPs = x.x.x.x/32
        AllowedIPs = 0.0.0.0/0
  • Enable/Disable WireGuard peer by CLI

    8
    0 Votes
    8 Posts
    4k Views
    S
    Thanks guys, I have a Wireguard client set up like https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-client.html with a gateway group that prefers routing over Wireguard (tun_wg0) and fails over to normal WAN GW in case of Wireguard failure. I have found that the best way of disabling Wireguard from GUI is to disable the tun_wg0 interface. In that way traffic fails over to WAN GW. If I do the same in CLI using ifconfig tun_wg0 down, the interface goes down, but traffic never fails over to WAN GW. What is the CLI equivalent of disabling tun_wg0 in GUI?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.