Risk of necropost, but I found this topic helpful:

setup-docs-incomplete-for-wireguard-confused-about-terms-having-a-challenging-time-setting-up-wireguard-read-here

@Bob-Dig That fixed it, thank you so much for your help. You are right, I was not thinking about this properly.

Steve

@inghaj As long as the Fritzbox does support Wireguard properly, this should be totally possible.

In terms of broad brushtrokes, the pfSense docs will be your best bet:

https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/index.html

https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html

Second link is an example config of a Site-to-Site tunnel, should help a bit. In terms of configuring the Fritzbox, probably best to consult their manual about that.

@Gertjan Thanks very much for the ideas & sorry for the late reply...family went on a surprise vacay. So yes the windows firewall was blocking it but blocking before the "Private or Public" pop up. I only mention in case someone else stumbles upon this thread and needs clarification. The Nic was set to "Private". To resolve I had to go into the windows firewall rules and add an inbound rule. Under "Scope", "Remote IP Addresses" I added my vpn range. I can now ping & access the file shares - the security pop up box does in fact now pop up asking for the credentials.

The WDMybook has a static IP BUT set within the configuration of the WDMybook GUI. It is within PFSense's dynamic IP range so I will change to WDMybook to dynamic (within the WDMybook Settings) and then set a static ip address for it within PFSense.

I do have wireguard set to use the dns ip of pfsense.

As for the remaining ip's. One device is a debian box that will also need it's firewall rules adjusted if I want access to it. The others are Amazon devices and they (Amazon) seem to block VPN's. I think it's a blanket thing to prevent ppl trying to access content outside of their global region but seems to also block incoming connections. Not a big deal as I don't need access to the echo dot's from outside.

Thanks for the help. Glad it's working

Ugh, not at all related to Wireguard, but an outage on one of my ISPs. I need to improve my alerting.

[I tried to post this the other day, but the forums were having issues]

It seems to be an error specific for my setup here and not regarding pfsense/wireguard. I only have this problem at our provider colocation and not at our own locations.

Nevermind. I got it figured out based on Lawrence Systems video:
https://youtu.be/8jQ5UE_7xds?si=iH1hbJp1ZIj34XyI

Turns out I had missed yet another piece of the tutorial. It asked to set interface group membership to only unassigned tunnels and then says to apply the firewall rule to the individual interfaces not the WireGuard interface group. I had set them to not be in the group but then still set my allow all rule on the group and not the individual interface! Once I fixed that error everything seems to be talking as it should. Hopefully my stupidity helps someone else googling the same problem years from now.

@tomasenskede

This is what I am trying to setup

e66b3dcd-b006-4bca-959b-bc4898ebda47-image.png

@hspindel Yes, on all my boxes actually there are VPNs active, including in production mission critical environments, in fact some have like 30 VPNs setup, some WG, some IPsec, etc..... so I don't really think it was related to that. Either way though glad it's working as expected now!

@franta correct.

My use-case is Site-to-Site VPN where I have added networks later on and did forget to change the allowed IPs in the configuration. And this happened to me more than once. 😉
And pfSense itself is not using those allowed IPs for its routing so right now I am using this on a tunnel on both ends. I like the freedom of not having to touch this tunnel ever again.

@paoloposo If you are referring to System>Routing and creating Gateway and Static Route for Wireguard network, yes I did.
One portion of information I forgot to mention was when I do a IP scan from remote office to main office over the wireguard tunnel. I am able to see three internal IP address on main office network and that is it.
One IP is our Global Protect IP that is NAT to internal to external, second IP is the pfsense Box LAN IP address and third IP is Dell Equal Logic SAN internal.