Multiple peers in 1 tunnel
-
Hi
I'm posting this question to understand "1 Tunnel - Multiple peers" better.
So I have an existing tunnel that works with one peer.
If I add a second peer with a different public key than the previous peer, the previous peer is not working anymore. Is this default behavior?
Thanks in advance.
-
Yes, you can have multiple peers per tunnel.
If this does not work, there's maybe a typo in the keys somewhere...
-
Hi @slu
That would be very strange, because the working configuration is unchanged and when I add a new one the previous is broken...?
-
@koenh Using overlapping IPs maybe?
Post the configs and we'll take a look.
-
Normally it doesn't, but please correct me if I'm wrong!
Config tunnel:
# Description: WireGuard VPN
[Interface]
PrivateKey = xxxxxxx
ListenPort = 51xxx

# Peer: iPhone_Koen
[Peer]
PublicKey = CocXxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
PersistentKeepalive = 0

# Peer: Laptop Koen V2
[Peer]
PublicKey = lGpQxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
PersistentKeepalive = 0

# Peer: Laptop Koen V3
[Peer]
PublicKey = fGUMjxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
PersistentKeepalive = 0
iPhone Koen:
[Interface]
PrivateKey = APkOxxx
ListenPort = 51xxx
Address = 10.10.10.4/32
DNS = 10.10.10.x

[Peer]
PublicKey = kL5Lxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
Endpoint = xxx.xxx.org:51xxx
Laptop Koen V2:
[Interface]
PrivateKey = YDv6xxx
ListenPort = 51xxx
Address = 10.10.10.2/32
DNS = 10.10.10.x

[Peer]
PublicKey = kL5Lxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
Endpoint = xxx.xxx.org:51xxx
Laptop Koen V3:
[Interface]
PrivateKey = eCAD7xxx
ListenPort = 51xxx
Address = 10.10.10.3/32
DNS = 10.10.10.x

[Peer]
PublicKey = kL5Lxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
Endpoint = xxx.xxx.org:51xxx
-
@koenh On the clients, change the interface address to the actual subnet, /24.
Then in the allowed IPs leave the LAN subnet but make the tunnel just 10.10.10.1/32 on each client. The allowed IPs in the peer of pfSense should have each client entered as a /32.
-
I've changed the configs to the following and also performed a small cleanup of peers.
Now the peers can connect to the internet but not the internal LAN 192.168.0.0/24. To further test it, I've added an any-to-any rule on both LAN & WireGuard configs.
But still no success. Config tunnel:
# Description: WireGuard VPN
[Interface]
PrivateKey = xxxxxxx
ListenPort = 51xxx

# Peer: iPhone_Koen
[Peer]
PublicKey = CocXxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
PersistentKeepalive = 0

# Peer: Laptop Koen
[Peer]
PublicKey = lGpQxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
PersistentKeepalive = 0
iPhone Koen:
[Interface]
PrivateKey = APkOxxx
ListenPort = 51xxx
Address = 10.10.10.4/32
DNS = 10.10.10.x

[Peer]
PublicKey = kL5Lxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
Endpoint = xxx.xxx.org:51xxx
Laptop Koen:
[Interface]
PrivateKey = YDv6xxx
ListenPort = 51xxx
Address = 10.10.10.2/32
DNS = 10.10.10.x

[Peer]
PublicKey = kL5Lxxx
AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
Endpoint = xxx.xxx.org:51xxx
-
@koenh You didn't do what I asked you to do.
Keep in mind, the allowed IP section is the IPs from the other side that you allow to traverse the tunnel. In pfSense, go to the peer section.
The allowed IPs will be the clients' interface addresses entered as a /32.
peer 1 = 10.10.10.2/32
peer 2 = 10.10.10.3/32
etc
You don't need the local network there as it's on that side already. In the clients, the interface address will be the tunnel as a /24.
So client 1 will be 10.10.10.2/24
client 2 10.10.10.3/24
etc
Allowed IP's on all clients will be the same:
AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
-
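A small model of the rule jarhead describes, added here as an example (not code from this thread, pfSense or WireGuard): it parses the peer sections of a wg-style config (constructed, with placeholder keys) and applies WireGuard's cryptokey-routing behaviour, where a prefix can belong to only one peer and an AllowedIP already assigned to another peer is moved to the peer configured later. That is why the first config broke: both peers claimed 10.10.10.0/24, so the peer added last took the whole subnet and the earlier peer was left with no route, whereas per-peer /32s send each tunnel address to its own peer.

```python
import ipaddress
# Constructed sample peer sections with placeholder keys (not the poster's real keys).
BEFORE = """[Peer]
PublicKey = PEER_IPHONE_PLACEHOLDER
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
[Peer]
PublicKey = PEER_LAPTOP_PLACEHOLDER
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
"""
AFTER = """[Peer]
PublicKey = PEER_IPHONE_PLACEHOLDER
AllowedIPs = 10.10.10.4/32
[Peer]
PublicKey = PEER_LAPTOP_PLACEHOLDER
AllowedIPs = 10.10.10.2/32
"""

def parse_peers(text):
    """Return [[public_key, [networks]], ...] in file order from a wg-style config."""
    peers, in_peer = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and whitespace
        if line.startswith("["):                         # section header
            in_peer = line.lower() == "[peer]"
            if in_peer:
                peers.append([None, []])
        elif in_peer and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "PublicKey":
                peers[-1][0] = value
            elif key == "AllowedIPs":
                peers[-1][1] += [ipaddress.ip_network(p.strip()) for p in value.split(",")]
    return peers

def cryptokey_table(peers):
    """Model of WireGuard's cryptokey routing: a later peer takes any overlapping prefix."""
    table = {}
    for pubkey, nets in peers:
        for net in nets:
            table[net] = pubkey                          # each prefix owned by exactly one peer
    return table

def route(table, dst):
    """Longest-prefix match: the peer outbound traffic to dst is encrypted to (None = dropped)."""
    addr = ipaddress.ip_address(dst)
    hits = [net for net in table if addr in net]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def orphaned_peers(peers):
    owned = set(cryptokey_table(peers).values())        # peers that still own a prefix
    return [pubkey for pubkey, _ in peers if pubkey not in owned]  # unreachable peers
```

Running `orphaned_peers(parse_peers(BEFORE))` reports the iPhone peer as unreachable, which matches the symptom of the earlier peer "breaking" as soon as a second one is added.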
@jarhead
Thank you, that works! The fault was that I was confused with the "Allowed IPs" of the peer section in pfSense.
For me, it looked like I needed to fill in what subnets or IPs are allowed.
So actually the same as in the client configuration... If I read the documentation over again and your explanation, it all makes sense:
Allowed IPs: The tunnel IP address for this peer, from the list determined above, with a /32 CIDR mask. For example, the first peer will be 10.6.210.2/32, the second will be 10.6.210.3/32, and so on.
Anyway, thank you for the help!
-
@koenh No problem.
Glad you got it fixed and believe me, the WireGuard wording is confusing at best!