Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    One tunnel multiple peers?

    Scheduled Pinned Locked Moved WireGuard
    41 Posts 2 Posters 9.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      f.meunier @swemattias
      last edited by f.meunier

      @swemattias
      you can check "dynamic endpoint" if you have a "computer to network" situation,

      (give an endpoint address or fqdn only in "site to site" configuration)

      what is the WG_INTERFACE (OPT3) configuration ?
      what is the rule on WAN ?
      what is the rule on WG_INTERFACE ?

      Also, show the peer status if you can.

      (mostly ZOTAC CI or CA nano barebones)

      S 1 Reply Last reply Reply Quote 0
      • F
        f.meunier @swemattias
        last edited by f.meunier

        @swemattias
        I see on tunnel config : listen port 55120
        but you set the other side's "Endpoint = wg.domain.io:58220"
        This should be the same port.
        Thus, should be "Endpoint = wg.domain.io:55120"

        (mostly ZOTAC CI or CA nano barebones)

        S 1 Reply Last reply Reply Quote 0
        • S
          swemattias @f.meunier
          last edited by

          @f-meunier said in One tunnel multiple peers?:

          @swemattias
          I see on tunnel config : listen port 55120
          but you set the other side's enpoint port as 58220
          This should be the same port

          That is just mistake from my side during preparing the post. Ofc I have the same port.

          F 1 Reply Last reply Reply Quote 0
          • S
            swemattias @f.meunier
            last edited by

            @f-meunier Here are those configs:
            wg_interface.png wg_iface_rule.png wan-rule.png

            F 2 Replies Last reply Reply Quote 0
            • F
              f.meunier @swemattias
              last edited by

              @swemattias
              please try checking "dynamic"
              Doing so, you only have to set parameters on the "fixed" side...
              (client side will "use" these params in the [Peer] section)

              (mostly ZOTAC CI or CA nano barebones)

              S 1 Reply Last reply Reply Quote 0
              • F
                f.meunier @swemattias
                last edited by

                @swemattias

                according to your screenshots, you should have :

                [Interface]
                PrivateKey = <Device 1 private key>
                Address = 172.16.16.1/24
                DNS = 172.16.16.254
                
                [Peer]
                PublicKey = <Server/pfSense public key or in your words FWpubk>
                AllowedIPs = 172.16.16.0/24, 10.0.0.0/24
                Endpoint = wg.domain.io:55120
                

                pinging 172.16.16.254 from client works ?

                (mostly ZOTAC CI or CA nano barebones)

                1 Reply Last reply Reply Quote 0
                • S
                  swemattias @f.meunier
                  last edited by swemattias

                  @f-meunier That didn't help, setting it to Dynamic, I can surf and write this through this tunnel, but I cannot reach the inside.

                  F 1 Reply Last reply Reply Quote 0
                  • F
                    f.meunier @swemattias
                    last edited by

                    @swemattias
                    also confirm in pfSense' peer config that "Public Key : device 1 pkey" is the public key of the client

                    (not the private key from [Interface] PrivateKey)

                    (mostly ZOTAC CI or CA nano barebones)

                    1 Reply Last reply Reply Quote 0
                    • F
                      f.meunier @swemattias
                      last edited by f.meunier

                      @swemattias
                      sorry, I did not understand the situation.
                      You have a computer connecting to the pfSense through the WG tunnel, you manage to surf through but can't access internal network 10.0.0.x /24 ?

                      according to your config, it's not a "catch all" tunnel. Your computer access to the internet will not use the tunnel, but its local router/gateway directly...

                      (mostly ZOTAC CI or CA nano barebones)

                      S F 2 Replies Last reply Reply Quote 0
                      • S
                        swemattias @f.meunier
                        last edited by

                        @f-meunier Yes I am testing with my computer to see if it works.
                        First question - yes. Switching to 4G network activating the tunnel.
                        I cannot ping anything on either 172.16.16.0/24 or 10.0.0.0/24.

                        1 Reply Last reply Reply Quote 0
                        • F
                          f.meunier @f.meunier
                          last edited by

                          let's summarize.
                          Your computer client should have 2 interfaces :
                          LAN interface (let's say 192.168.1.1/24)
                          wireguard interface : 172.16.16.1/24

                          client config is

                          [Interface]
                          PrivateKey = <Device 1 private key>
                          Address = 172.16.16.1/24
                          DNS = 172.16.16.254
                          
                          [Peer]
                          PublicKey = <Server/pfSense public key or in your words FWpubk>
                          AllowedIPs = 172.16.16.0/24, 10.0.0.0/24
                          Endpoint = wg.domain.io:55120
                          

                          pfsense has public IP wg.domain.io
                          LAN interface IP is 10.0.0.254/24
                          wireguard tunnel (tun_wg0) is bound to interface WG_INTERFACE
                          WG_INTERFACE has static IPv4 172.16.16.254/24
                          tunnel listen port = 55120

                          (mostly ZOTAC CI or CA nano barebones)

                          F 1 Reply Last reply Reply Quote 0
                          • F
                            f.meunier @f.meunier
                            last edited by

                            On the client computer side, what is the output of "route print -4" ?

                            (mostly ZOTAC CI or CA nano barebones)

                            S 1 Reply Last reply Reply Quote 0
                            • S
                              swemattias @f.meunier
                              last edited by

                              @f-meunier route is available in OS X but not like that... :) No idea what do you want outputted? ;)

                              F 1 Reply Last reply Reply Quote 0
                              • F
                                f.meunier @swemattias
                                last edited by

                                @swemattias
                                let me check the equivalent command in OSX...

                                (mostly ZOTAC CI or CA nano barebones)

                                F 1 Reply Last reply Reply Quote 0
                                • F
                                  f.meunier @f.meunier
                                  last edited by

                                  netstat -rn

                                  (mostly ZOTAC CI or CA nano barebones)

                                  F 1 Reply Last reply Reply Quote 0
                                  • F
                                    f.meunier @f.meunier
                                    last edited by

                                    the routes to 172.16.16.0/24 and 10.0.0.0/24 should appear in the list

                                    (mostly ZOTAC CI or CA nano barebones)

                                    S 1 Reply Last reply Reply Quote 0
                                    • S
                                      swemattias @f.meunier
                                      last edited by

                                      @f-meunier This is what I get out cut out the lines with the right info in them:

                                      10.0.0/24         link#16            UCS             utun5       
                                      127                  127.0.0.1          UCS               lo0       
                                      127.0.0.1          127.0.0.1          UH                lo0       
                                      172.16.16/24   172.16.16.1      UGSc            utun5       
                                      172.16.16.1      172.16.16.1      UH              utun5
                                      
                                      F 1 Reply Last reply Reply Quote 0
                                      • F
                                        f.meunier @swemattias
                                        last edited by f.meunier

                                        @swemattias
                                        well, your tunnel seems effectively up, and the routes are there.
                                        what is the pfSense config of LAN interface ? 4th byte of 10.0.0.x address ?

                                        (mostly ZOTAC CI or CA nano barebones)

                                        F 1 Reply Last reply Reply Quote 0
                                        • F
                                          f.meunier @f.meunier
                                          last edited by

                                          can you give the pfSense STATUS > Wireguard
                                          (click on Show peers to see the details)

                                          (mostly ZOTAC CI or CA nano barebones)

                                          F 1 Reply Last reply Reply Quote 0
                                          • F
                                            f.meunier @f.meunier
                                            last edited by f.meunier

                                            One last check on WG_INTERFACE

                                            Verify that "Block private networks and loopback addresses" and "Block bogon networks" are UNCHECKED
                                            43af513d-591c-4149-b2ff-d4fde42ec683-image.png

                                            (mostly ZOTAC CI or CA nano barebones)

                                            F 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.