WireGuard multiple client bug
-
Has anyone created a WireGuard server on pfsense and tried to have more than one clients with it?
I can only make one client working at the time, as soon as I add a new one, the old one stops working. Sounds like a bug, but just curious if anyone else encountered it.Handshake still goes through just no data in/out.
While the other device other account with the same firewall settings, just different client pub/private key config works just fine. -
@bbusa
Hi, make sure you assign with different IP's on each client -
@bbusa
Hi, using 7 peers here all performing fine, even all together:
-
Almost the same:
-
I have set allowed IPs 0.0.0.0/0 for both clients and manually set the clients IP in their configs.
Do I manually have to specify the allowed IPs in the client config in pfsense?
-
-
@ciscox What do you set on the client side? I want to tunnel all traffic via the pfsense when connected.
What do you set for allowed IPs on the client device?
-
-
Have the same issue when setting up multiple peers, only the last one added is working. Was thinking it was a iOS15 Bug as the Peer was not able to connect arount the time iOS15 came out, but after deleting the Peer and recreating it it now works but the other peer is no longer working. Sounds like the same issue.
@bbusa is only the last created one working on your side as well?
-
@boessi
Hi, I see you have the same endpoint port on your clients, mine is different for every new device that is connected
-
@ciscox using different endpoints are basically creating different servers for different clients.
My whole point was that one server should be able to communicate with multiple clients at the same time using the same receiving port.
-
@boessi yes thatโs exactly the โbugโ I have encountered too.
-
@psp do you have them all working at the same time too?
-
@bbusa
Yes, but I need (according to my config) to identify any road warrior device with its own IP in order to define different rules and to route VPN traffic only for defined subnets (i.e. no 0.0.0.0/0). -
@boessi the peer endpoint should be your WAN IP not private IP space like you are using - 10.0.0.x.
It is not the same address space as your tunnel address/assignment.
-
@ahking19 the configuration is working from inside and outside the network, the configuration on the phone is using the wan ip as normal. the internal ip's are the internal peer ip's and thats like in all the guids I can find. The problem is only that just one of the config is working (the newest) as soon as I delete the newest one the one that is currently not working is working again. everything up until the handshake is woriking but then nothing happens. maybe good to point out, I had a working peer for a longer time, then I added a second peer that worked too, but since then my previous peer was not working anymore up to the point where I delete the newer peer and the old config started to work again.
Client Config (not working after creating the iPhone Peer that is working)
[Interface] PrivateKey = aM7J....... ListenPort = 51820 Address = 10.0.0.20/24 DNS = 10.0.0.1 [Peer] PublicKey = fRz1..... AllowedIPs = 0.0.0.0/0, ::/0 Endpoint = wan.dns.tld:51820So the address is in the range of ther internal interface. The exact same configuration for the other peer is working (up until creating a new peer configuration).
The configuration is nothing special and as said, one peer is always working, but just the newest created peer.
-
Server Config
[Interface] PrivateKey = KGqqu..... ListenPort = 51820 # Peer: Windows [Peer] PublicKey = uiYic... AllowedIPs = 0.0.0.0/0 # Peer: iPhone [Peer] PublicKey = ZWTd... AllowedIPs = 0.0.0.0/0 -
On the "server" you do not put 0.0.0.0/0 into allowed IPs. That doesn't tell the server which networks that the client can reach. It tells the server which address belongs to the client.
For the client to reach anything you put the
0.0.0.0/0in the client's allowed IPs list. On the server you put the IP address assigned to that client. -
@jimp ok, so the server config is a extract from the file system, I only use the package interface and as every guide mentioned to put 0.0.0.0/0 into the peer config I just do that :) . Will try to put the client ip (10.0.0.20/32) into it and will try again.
-
