@jhl

Yes, the older version of iperf3 on Windows clients was to blame for low testing speeds.

@marksmeets The allowed IP's are the networks on the other side of the tunnel that will be allowed to traverse the tunnel.
On the peer config in pfSense, not the actual peer, you're only allowing the tunnel IP. You should also add 0.0.0.0/0 as allowed.
My thinking was this was causing the problem when the AP changed since you said the laptop would then have a different IP.

@n3IVI0 My setup was correct. The problem was on Mullvad's end. The first server in my list was one of their Houston servers. It's a fast server, one I tend to use a lot. And it was first in line. That server appears to be down. None of my clients will connect to it. The moment I tried to connect to a different one, it connected immediately.

And yes, I should have thought of that. I am working through some jet lag at the moment. DOH.

Been running in circles for days trying to figure this out.

@JustAnotherUser I guess I'll say it again, you would have to allow computer 2 across the WG0 tunnel.

@JustAnotherUser
did you save your config before trying to add the wireguard VPN? If so load the old config and reboot your system to get back to a known working router with OpenVPN.

Try again next week.

I run both wireguard and openvpn servers and clients simultaneously.

@Tenorbro It does not need to be assigned but that changes the rules. You would then not have a discreet interface to put rules on and only use the Wireguard group for rules. This could be problematic if you have a few tunnels so it's easier to assign an interface just because of the rules.
This also depends on the WG setting "Interface Group Membership".

@java4dev You also need routes and the correct config of Wireguard at Site HQ.
If you don't figure it out, post a lot of screenshots I guess.

@sensenmann
damn stupid
just reinstalled the package, works
SORRY

@jimp Thank you. You are awesome. A threat you replied to in 2014 fixed a problem I am facing today hahaha.

301ad6d5-c20a-417b-abfa-a78a39fb81ff-image.png

f83d7898-70cc-438b-9970-6e5b46caeeeb-image.png

Overview:

a) create screen with :
field to type IP interface WG
- how get latest one to add + 1c? where is stored?
- OneWord name to identify cliente

b) validate IP typed (do not exist, valid, inside WG interface range)

c) Use template file and replace data from step A to generate config-IP.file

d) convert config-IP.file to QRCODE
(verify how https://www.wireguardconfig.com/qrcode do it on client side)

e) save/show config-IP.file e show QRCODE on screen

f) (MAYBE) sent QRCODE by e-mail (if so... request it on step A)

@Thrashbang well, in short terms:
you'd need a (wireguard / vpn) server in a country that provides your wanted IP.
Then you could set your server and app so that all traffic goes thru the wireguard tunnel.

Since most ppl do not have access to such a setup, there are some services (that cost money) that do that for you. You can set the country the tunnel comes out (therefore the geo IP).
BUT: imho such services are mostly bs (sorry). You never really know what those services do with their (your) data, they often have funny locations and overall often seem kinda...well...bs. So, you better look twice and make sure you chose a reliable company. Search for VPN provider, VPN geo lock...you'll find a lot..
jm2c

@droidus Need to investigate elsewhere in your config i'm afraid.

@tman222 Good question. Try it!

@Hangnail6119 Ok few updates that I found out after digging a lot more.

In the S2S config pfsense uses transit network IP address so if you have a tunnel as in the video 10.100.90.0/31 that means your sites when sending requests to other end will use that tunnel ips: 10.100.90.0 and 10.100.90.1 Firewall that is asked for a DNS record needs to have Access Lists record for the tunnel. Otherwise it will just refuse those requests. You don't need to add other firewall as DNS server you just need to define Domain override.
With that knowledge how would my example work:

I have 2 sites connected with a tunnel: 10.100.90.0/31
SITE_1 with IP: 10.100.90.0
SITE_2 with IP: 10.100.90.1
SITE_1 has some servers under domain example.com and SITE_2 wants to access them
SITE_1 has host overrides for single servises under Services > DNS Resolver > Host Overrides for example:
git.example.com points at some internal IP and SITE_2 will want to access that
SITE_1 will need to have Access List added for tunnel network Services > DNS Resolver > Access List > +Add and there tunnel network specified 10.100.90.0/31
SITE_! will also need a rule that allows it to recive DNS requests from other end of the tunnel, The simple rule ALLOW src:* dst:This Firewall(53) on S2S interface should be enough AFAIK(at least it works for me :P)
Now the only thing that SITE_2 needs to do is add Domain override. It's located under: Services > DNS Resolver > Domain Overrides and it needs 2 things example.com domain and IP address of SITE_1 that would be 10.100.90.0
And that was my problem, now everything works.

@weyon668 here is what I would suggest you do then.

Your stuff your trying to get to is on your lan network? You can ping your pfsense lan IP.. Ok now sniff on your lan interface for icmp and your destination IP.. Do you see the ping go on?

If so and you get no answer, then the device your pinging is not answering, or he is sending the answer to something other than pfsense..

Here I connected to my openvpn on my phone via a cell connection - and pinging my nas..

vpn.jpg

That 10.0.8.2 is my phone, you can see it sends on the ping request, and in my setup my nas is answering.. Are you not seeing the ech request go out towards your devices IP your trying to ping?