• Wireguard with 2 peers

    2
    0 Votes
    2 Posts
    193 Views

    @db858

    Android:
    interface -> addresses is the client IP address, for example 10.20.30.10/32
    peer -> "allowed IPs" is for the destinations to route over the WireGuard tunnel

    pfSense:
    Allowed IPs is the client IP address 10.20.30.10/32

  • Google searches don't work with Wireguard Enabled

    1
    0 Votes
    1 Posts
    119 Views
    No one has replied
  • Wireguard Routing on the same tunnel

    1
    0 Votes
    1 Posts
    110 Views
    No one has replied
  • Wireguard with multiple public IPs.

    2
    1 Votes
    2 Posts
    155 Views

    @erdeed I asked the same question here:
    https://forum.netgate.com/topic/189938/bind-wireguard-tunnel-listener-to-a-specific-wan-ip?_=1726753285158

    I'll watch your post too in case someone replies.

  • Setting up tunnel through CGNAT using WireGuard

    4
    0 Votes
    4 Posts
    3k Views

    @elvisimprsntr privacy is probably more of a concern than VM expense! Why the hell can we not self-host Tailscale and pay a license to use it? It's beyond me :)

  • Where does pfsense wireguard log?

    1
    0 Votes
    1 Posts
    255 Views
    No one has replied
  • Slow Rsync Speeds over any VPN

    1
    0 Votes
    1 Posts
    185 Views
    No one has replied
  • IP Phone doesn't register over VPN Tunnel

    3
    0 Votes
    3 Posts
    182 Views

    @Zockerherz

    Good to know you got it working. I dismissed my FritzBox since it did not work with my ISP (o2) behind a pfSense at all. Since the box has a predefined configuration for o2, I needed to make a user-defined one to make it work behind pfSense. But all my tries to make the user-defined configuration work failed. Whenever I enter the o2 SIP server, the box destroys my own config and switches back to the predefined config.

    Therefore I now use a Gigaset Go Box 100 and Gigaset DECT phones. Much less trouble to configure.

  • How to best debug Wireguard

    7
    0 Votes
    7 Posts
    654 Views

    @Bob-Dig

    Hey, thanks for chiming in. I'm just really stumped why things stopped working exactly 2 days ago.

    Hopefully this might help from the pfsense side:

    Wireguard Tunnels:

    Screenshot 2024-09-07 at 3.11.40 PM.png

    wg1 interface settings:

    Screenshot 2024-09-07 at 3.13.45 PM.png

    Firewall for the WG interface (wg1)
    Screenshot 2024-09-07 at 3.14.56 PM.png

    Digital_Ocean_WG_S2S_VPN has value of 10.8.110.0/24

    Screenshot 2024-09-07 at 3.33.04 PM.png

    Isn't there a log file somewhere where the WG service would log attempted connections? Based on the firewall rules and firewall logs, it seems traffic would be passed through to the listening process on 51821. Within the Linux client on Digital Ocean it's possible to do dynamic kernel logging. I think within pfSense the WireGuard stuff isn't within the kernel but a user space utility?

  • Wireguard - Traffic not being sent through VPN tunnel

    8
    0 Votes
    8 Posts
    624 Views

    @Bob-Dig You are correct. Thank you for the reply. I have peace of mind with the config now. Again, I appreciate the time.

  • Bind Wireguard Tunnel listener to a specific WAN IP?

    1
    0 Votes
    1 Posts
    260 Views
    No one has replied
  • Wireguard MTU & MSS clamping

    1
    0 Votes
    1 Posts
    419 Views
    No one has replied
  • 0 Votes
    15 Posts
    692 Views

    @ogghi Sorry for the spam!
    It works just fine now.
    I had to remove the upstream gateway from the 2 tunnel interfaces on each site and then it started...

  • Does the GW IP matter?

    4
    0 Votes
    4 Posts
    227 Views
    chpalmer

    @McMurphy said in Does the GW IP matter?:

    SiteA = 172.16.0.1
    SiteB = 172.16.0.2

    These are both in the same network, even if you had a /30.

    Do you have other interfaces, i.e. LANs, on these boxes? I assume you do. Yes, you would be able to see at least both addresses from either box.

    Left to guess your layout, nobody can really understand what your goal is.

  • 0 Votes
    2 Posts
    124 Views

    @ManofWax

    known issue

    https://redmine.pfsense.org/issues/13405

    no fix…

  • Tunnel subnet masks

    6
    0 Votes
    6 Posts
    314 Views
    johnpoz

    @McMurphy sure you can - it's just an example. You can use whatever tunnel network you want, as large or as small as you need, as long as it doesn't overlap with any of your other networks.

    As to what you allow, sure, you could just allow the whole tunnel network if you want, etc.

  • Wireguard with multiple IPV4

    2
    0 Votes
    2 Posts
    148 Views

    @erdeed How many peers/clients are we talking about? Is it so many that you need some automatic handling of it, or could you manually or semi-manually assign it via different IPs?

    I'm thinking policy routing might work? I mean, each client gets its own IP inside the tunnel, right?
    So under Firewall / Rules / Wireguard, if you add a policy rule per client IP to simply go out the selected gateway??

  • Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?

    0 Votes
    13 Posts
    3k Views
    JeGr

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    Can the same logic be applied to Wireguard?

    IPsec or OpenVPN are doing that if a node is standby and it's configured on a CARP IP. But as Wireguard does not have an interface binding, it's a bit more complicated.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    If CARP is capable of judging who is active and who is standby, can this be used as a signal for where to run one instance of Wireguard and kill all the other Wireguard processes in the cluster?

    Perhaps - I'm not sure.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    IPSec and OpenVPN could tell who is active and who is standby because they are bound to interfaces, right? So those two VPN protocols can form a cluster without relying on something like CARP because they are bound to interfaces, right?

    To the first part: yes. To the second: I don't understand what you mean by forming a cluster without relying on CARP etc. A cluster is a cluster because of things like CARP, keepalived or stuff. What do you mean by "form a cluster without relying on sth like CARP"?

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    Then what about making Wireguard dependent on CARP and run only single instance of Wireguard where CARP status is confirmed to be active?

    Wouldn't change a thing, as the problem with Wireguard still remains: it is interface-agnostic and doesn't bind to the VIP (virtual IP) of a cluster. You simply don't want Wireguard to use your interface IP instead of the cluster IP, as your communication would always come from the wrong IP, and you can't that easily set it up to work on a fixed interface.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    I know that VyOS is doing something similar to this. They combine VRRP and transition scripts to do this to make sure that if a node becomes a VRRP master, Wireguard comes up and if you are not a master anymore, kill wireguard.

    Could maybe work. Still don't know how they'd treat WG to fix its tendency to use the wrong IP or wrong interface, though.

    @prudentcircle said in Does WireGuard work in a High Availability (pfsync, "CARP") mirrored firewall environment?:

    Is it because PfSense software itself is limited in some software designs?
    or Is it because CARP has inherent limitations and is different from VRRP?

    Nothing to do with FreeBSD or pfSense; Wireguard is simply weird that way. And as I don't know what VyOS does with keepalived, whether it's really using VRRP, and whether it runs WG only on the VRRP IP, I can't say.
    Also check that post in the VyOS forums, which describes exactly what I said. Wireguard simply ignores the VRRP interface and communicates via the physical IP, which you don't want in a cluster:
    -> https://forum.vyos.io/t/wireguard-does-not-work-with-vrrp-ip-address/14909

  • Wireguard Interface Firewall Rules

    1
    0 Votes
    1 Posts
    121 Views
    No one has replied
  • Avahi mDNS on Wireguard

    2
    0 Votes
    2 Posts
    714 Views
    dennypage

    @cypherpunk AFAIK, the pfSense Wireguard implementation does not support multicast.

    Mentioned in the doc here.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.