One tunnel multiple peers?

f.meunier

@swemattias
let me check the equivalent command in OSX...

f.meunier

netstat -rn

f.meunier

the routes to 172.16.16.0/24 and 10.0.0.0/24 should appear in the list

swemattias

@f-meunier This is what I get out cut out the lines with the right info in them:

10.0.0/24         link#16            UCS             utun5       
127                  127.0.0.1          UCS               lo0       
127.0.0.1          127.0.0.1          UH                lo0       
172.16.16/24   172.16.16.1      UGSc            utun5       
172.16.16.1      172.16.16.1      UH              utun5

f.meunier

@swemattias
well, your tunnel seems effectively up, and the routes are there.
what is the pfSense config of LAN interface ? 4th byte of 10.0.0.x address ?

f.meunier

can you give the pfSense STATUS > Wireguard
(click on Show peers to see the details)

f.meunier

One last check on WG_INTERFACE

Verify that "Block private networks and loopback addresses" and "Block bogon networks" are UNCHECKED

f.meunier

nevertheless, ping 172.16.16.254 should work...

f.meunier

what is curious :
route 10.0.0.0/24 should be accessible through a gateway -> flag " G" missing.

really need to know your macOSX LAN IP...

also can you explain "I can surf and write this through this tunnel, but I cannot reach the inside."

f.meunier

set up a debian client to check

Got a route to wg subnet and pfSense (172.16.16.254 in your case)
Had no route to the remote LAN subnet (10.0.0.0/24 in your case)
(bizarre since it's in the WG client config !)

Eventually, I manually added the route to 10.0.0.0/24
ip route add 10.0.0.0/24 dev wg0

Now I can ping a machine in subnet 10.0.0.0/24

I will check why the route is not automatically added in the routing table even though it is present in AllowedIPs list...
It IS automatically added on windows client...

f.meunier

Succeeded (on linux) using wg-quick tool
(it creates the interfaces, assigns IP and creates routes)

fm@debian11:~$ wg-quick up /home/fm/wg0.conf
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 192.168.201.3/24 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] ip -4 route add 10.0.0.0/24 dev wg0

swemattias

@f-meunier Thanks for all the help! It took days before I had time to return to this by then I remembered a video I watched that really explained this to me... and I found it. So now I have a working Wireguard setup using pfSense as the server.
This is the video:
Lawrence system on Wireguard remote home

f.meunier

@swemattias
Glad to sse you got through !

For the record (and the community) could you tell us what was wrong initially ?

swemattias

@f-meunier I wish I knew... some miss config from my part. If I had to guess I would say I mixed up the keys...
The video also shows how do do the original question of this thread, one tunnel multiple peers.

f.meunier

@swemattias
Yes, multiple peers with the same goal / security rules = 1 tunnel, x peers

I shall advise multiple tunnels only when you have different populations of peers (let's say internal users, external users or customers, etc.)

Have a nice day !