Netgate Discussion Forum

Multiple peers in 1 tunnel

10 Posts 3 Posters 1.1k Views
  • K
    KoenH
    last edited by Jan 7, 2023, 3:31 PM

    Hi

    I'm posting this question to understand "1 Tunnel - Multiple peers" better.
    So I have an existing tunnel that works with one peer.
    If I add a second peer with a different peer public key than the previous peer, the previous one is not working anymore.

    Is this default behavior?

    Thanks in advance.

    • S
      slu
      last edited by Jan 13, 2023, 10:32 AM

      Yes, you can have multiple peers per tunnel.
      If this does not work, there's maybe a typo in the keys somewhere...

      pfSense Gold subscription

      • K
        KoenH @slu
        last edited by Feb 3, 2023, 8:33 PM

        Hi @slu

        That would be very strange, because the working configuration is unchanged and when I add a new one, the previous one is broken...?

        • J
          Jarhead @KoenH
          last edited by Feb 3, 2023, 8:38 PM

          @koenh Using overlapping IPs maybe?
          Post the configs and we'll take a look.

          • K
            KoenH @Jarhead
            last edited by Feb 4, 2023, 10:27 PM

            @jarhead

            Normally it doesn't, but please correct me if I'm wrong!

            Config tunnel:

            # Description: WireGuard VPN
            [Interface]
            PrivateKey = xxxxxxx
            ListenPort = 51xxx
            
            # Peer: iPhone_Koen
            [Peer]
            PublicKey = CocXxxx
            AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
            PersistentKeepalive = 0
            
            # Peer: Laptop Koen V2
            [Peer]
            PublicKey = lGpQxxx
            AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
            PersistentKeepalive = 0
            
            # Peer: Laptop Koen V3
            [Peer]
            PublicKey = fGUMjxxx
            AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
            PersistentKeepalive = 0
            

            iPhone Koen:

            [Interface]
            PrivateKey = APkOxxx
            ListenPort = 51xxx
            Address = 10.10.10.4/32
            DNS = 10.10.10.x
            
            [Peer]
            PublicKey = kL5Lxxx
            AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
            Endpoint = xxx.xxx.org:51xxx
            
            

            Laptop Koen V2:

            [Interface]
            PrivateKey = YDv6xxx
            ListenPort = 51xxx
            Address = 10.10.10.2/32
            DNS = 10.10.10.x
            
            [Peer]
            PublicKey = kL5Lxxx
            AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
            Endpoint = xxx.xxx.org:51xxx
            
            

            Laptop Koen V3:

            [Interface]
            PrivateKey = eCAD7xxx
            ListenPort = 51xxx
            Address = 10.10.10.3/32
            DNS = 10.10.10.x
            
            [Peer]
            PublicKey = kL5Lxxx
            AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
            Endpoint = xxx.xxx.org:51xxx
            
            • J
              Jarhead @KoenH
              last edited by Feb 4, 2023, 10:38 PM

              @koenh On the clients, change the interface address to the actual subnet, /24.
              Then in the allowed IPs, leave the LAN subnet but make the tunnel just 10.10.10.1/32 on each client.

              The allowed IPs in the peer of pfSense should have each client entered as a /32.

              • K
                KoenH @Jarhead
                last edited by Feb 5, 2023, 11:00 AM

                @jarhead

                I've changed the configs to the following and also performed a small cleanup of peers.
                Now the peers can connect to the internet but not to the internal LAN 192.168.0.0/24.

                To further test it, I've added an any-to-any rule on both the LAN & WireGuard configs.
                But still no success.

                Config tunnel:

                # Description: WireGuard VPN
                [Interface]
                PrivateKey = xxxxxxx
                ListenPort = 51xxx
                
                # Peer: iPhone_Koen
                [Peer]
                PublicKey = CocXxxx
                AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
                PersistentKeepalive = 0
                
                # Peer: Laptop Koen
                [Peer]
                PublicKey = lGpQxxx
                AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
                PersistentKeepalive = 0
                
                

                iPhone Koen:

                [Interface]
                PrivateKey = APkOxxx
                ListenPort = 51xxx
                Address = 10.10.10.4/32
                DNS = 10.10.10.x
                
                [Peer]
                PublicKey = kL5Lxxx
                AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
                Endpoint = xxx.xxx.org:51xxx
                

                Laptop Koen:

                [Interface]
                PrivateKey = YDv6xxx
                ListenPort = 51xxx
                Address = 10.10.10.2/32
                DNS = 10.10.10.x
                
                [Peer]
                PublicKey = kL5Lxxx
                AllowedIPs = 192.168.0.0/24, 10.10.10.1/32
                Endpoint = xxx.xxx.org:51xxx
                
                • J
                  Jarhead @KoenH
                  last edited by Jarhead Feb 5, 2023, 11:31 AM Feb 5, 2023, 11:27 AM

                  @koenh You didn't do what I asked you to do.
                  Keep in mind, the allowed IP section is the IPs from the other side that you allow to traverse the tunnel.

                  In pfSense, go to the peer section.
                  The allowed IPs will be the clients' interface addresses entered as a /32.
                  peer 1 = 10.10.10.2/32
                  peer 2 = 10.10.10.3/32
                  etc.
                  You don't need the local network there as it's on that side already.

                  In the clients, the interface address will be the tunnel as a /24.
                  So client 1 will be 10.10.10.2/24
                  client 2 10.10.10.3/24
                  etc.
                  Allowed IPs on all clients will be the same:
                  AllowedIPs = 192.168.0.0/24, 10.10.10.1/32

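The behaviour KoenH hit with the first server config (both peers listing 192.168.0.0/24 and 10.10.10.0/24) and the rule Jarhead states here (one /32 per peer on the pfSense side) both come down to WireGuard's cryptokey routing: an AllowedIPs prefix belongs to exactly one peer, and assigning it to a later peer moves it away from the earlier one. The script below is an added example for this thread, not code from pfSense, Netgate or the WireGuard project. It parses wg-quick style config text, builds the prefix-to-peer table, shows which peer a destination would be routed to, and flags the two mistakes discussed above. The two embedded configs are constructed from the thread with placeholder keys, since the real keys are redacted on the page.

```python
# Added example: model WireGuard cryptokey routing to check a multi-peer
# server config. Not pfSense/Netgate/WireGuard code; placeholder keys.
import ipaddress
import re

# Constructed sample: the thread's first pfSense config (both peers claim the
# same prefixes). Keys are placeholders, not the redacted values on the page.
BROKEN_SERVER = """
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
# Peer: iPhone_Koen
[Peer]
PublicKey = IPHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
# Peer: Laptop Koen V2
[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.0.0/24, 10.10.10.0/24
"""

# Constructed sample: the server side as Jarhead describes it, one /32 per
# peer and no LAN prefix (the LAN is already local to pfSense).
FIXED_SERVER = """
[Interface]
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER
ListenPort = 51820
# Peer: iPhone_Koen
[Peer]
PublicKey = IPHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.10.4/32
# Peer: Laptop Koen
[Peer]
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.10.2/32
"""


def parse_peers(text):
    """[(name, public_key, [networks])] per [Peer]; name from a '# Peer:' comment."""
    peers, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\s*Peer:\s*(.+)", line)   # pfSense writes these comments
        if m:
            pending = m.group(1).strip()
            continue
        if not line or line.startswith("#"):
            continue
        if line == "[Peer]":
            current = {"name": pending, "key": None, "nets": []}
            peers.append(current)
            pending = None
            continue
        if line.startswith("["):
            current = None                         # [Interface] keys are not peer data
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "PublicKey":
            current["key"] = value
        elif key == "AllowedIPs":
            current["nets"] += [ipaddress.ip_network(p.strip(), strict=False)
                                for p in value.split(",") if p.strip()]
    return [(p["name"] or p["key"], p["key"], p["nets"]) for p in peers]


def cryptokey_table(peers):
    """prefix -> peer name; a later peer claiming a prefix takes it from the earlier one."""
    table = {}
    for name, _key, nets in peers:
        for net in nets:
            table[net] = name
    return table


def route(table, dst):
    """Longest-prefix match: which peer receives outbound packets for dst?"""
    addr, best = ipaddress.ip_address(dst), None
    for net, name in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def lint(text):
    """Findings for a pfSense-side config whose peers are road-warrior clients."""
    findings, owner = [], {}
    for name, _key, nets in parse_peers(text):
        for net in nets:
            if net in owner:
                findings.append(f"{net}: {name!r} takes this prefix from {owner[net]!r}; "
                                f"{owner[net]!r} is dropped on receive and replies go to {name!r}")
            owner[net] = name
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{net}: {name!r} should list only its own tunnel address as a /32")
    return findings
```

Running `lint(BROKEN_SERVER)` reports that the laptop peer takes both prefixes from the iPhone peer, and `route(cryptokey_table(parse_peers(BROKEN_SERVER)), "10.10.10.4")` returns the laptop, which is why the first peer stopped working as soon as the second was added; `lint(FIXED_SERVER)` returns no findings and routes each tunnel address to its own peer. The client-side AllowedIPs (LAN subnet plus the pfSense tunnel address) are a separate table on each client and are not checked here.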
                  • K
                    KoenH @Jarhead
                    last edited by Feb 5, 2023, 5:35 PM

                    @jarhead
                    Thank you, that works!

                    The fault was that I was confused by the "Allowed IPs" of the peer section in pfSense.
                    For me, it looked like I needed to fill in what subnets or IPs are allowed.
                    So actually the same as in the client configuration...

                    If I read the documentation over again and your explanation, it all makes sense:

                    Allowed IPs:
                    The tunnel IP address for this peer, from the list determined above, with a /32 CIDR mask. For example, the first peer will be 10.6.210.2/32, the second will be 10.6.210.3/32, and so on.
                    

                    Anyway, thank you for the help!

                    • J
                      Jarhead @KoenH
                      last edited by Feb 5, 2023, 5:36 PM

                      @koenh No problem.
                      Glad you got it fixed and believe me, the WireGuard wording is confusing at best!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.