roaming peer fails
-
I've set up wireguard on pfsense and added two peers: a mobile and a linux laptop. I thought I did a good job because at first everything was working. Unfortunately I noticed that the peers would not be able to connect to the internet after they got a change of IP addresses. This is 100% reproducible: if I switch wifi hotspots on the laptop the problem occurs. It's a bit strange because the netgate documentation explicitly states
WireGuard supports roaming automatically, and can detect when a peer has changed IP addresses. WireGuard will recognize that authenticated data is coming from a new address and update itself accordingly.
I think it has to do with how the server is set up since both the mobile phone and the laptop show this problem. Any hints how I can fix this, or narrow down the problem?
Here's a bit more about my pfsense config:
And here's the config of one of the peers:
On the linux laptop I use networkmanager to handle the wireguard connection. The config file looks like this:
On the laptop I'm connected to the internet via (for instance) ethernet, then activate wireguard. Everything is fine. I keep a ping to google running. Then I switch to a different wifi, and see that the ping stops. Visiting a web page no longer works (it times out). If I now deactivate wireguard on the laptop, the ping starts running again. If I then reactivate wireguard initially the ping stops. It will take a couple of seconds but then it starts running again. My question is: what do I need to adjust in order to get roaming to work?
-
@marksmeets When using a Dynamic Endpoint you should enable the keep alive. Try 25 seconds.
Also on the peer, you're only allowing the tunnel, add 0.0.0.0/0 as allowed. -
@Jarhead Thanks for your help, although I am confused. In the peer configuration I have
allowed-ips=0.0.0.0/0
so I didn't understand what you meant by "on the peer, you're only allowing the tunnel, add 0.0.0.0/0 as allowed". I had a feeling this wasn't about allowed-ips, but about address1. I've changed that line to
address1=10.200.0.6/24
(removing the gateway), and now it seems to work! I'm still confused, I thought specifying the gateway was correct. Maybe I'm misinterpreting your post. If so, could you explain a bit more? In both cases: many thanks!
-
@marksmeets The allowed IPs are the networks on the other side of the tunnel that will be allowed to traverse the tunnel.
On the peer config in pfSense, not the actual peer, you're only allowing the tunnel IP. You should also add 0.0.0.0/0 as allowed.
My thinking was this was causing the problem when the AP changed since you said the laptop would then have a different IP.
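The two client-side changes the thread settles on (keepalive of 25 seconds on a roaming endpoint, and address1 without a gateway) can be checked mechanically in the laptop's NetworkManager keyfile. The following is an added example, not code from either poster: it assumes the standard NetworkManager keyfile layout (a `[wireguard-peer.<pubkey>]` section with a semicolon-separated allowed-ips list, and `[ipv4]` address entries written as `addr/prefix,gateway`), and uses constructed placeholder keys and hostnames. It only covers the laptop keyfile; the pfSense-side allowed-IP setting Jarhead mentions lives in the pfSense peer entry, not here.

```python
import configparser

# Constructed sample (placeholder keys): the laptop keyfile as first described
# in the thread, with the gateway still on address1 and no keepalive set.
BEFORE = """\
[connection]
id=wg0
type=wireguard
interface-name=wg0

[wireguard]
private-key=PLACEHOLDER_PRIVATE_KEY=

[wireguard-peer.PLACEHOLDER_PFSENSE_PUBLIC_KEY=]
endpoint=pfsense.example.invalid:51820
allowed-ips=0.0.0.0/0;

[ipv4]
method=manual
address1=10.200.0.6/24,10.200.0.1
"""

# The same file after the thread's fixes: keepalive 25 and address1 without a gateway.
AFTER = BEFORE.replace("address1=10.200.0.6/24,10.200.0.1", "address1=10.200.0.6/24") \
              .replace("allowed-ips=0.0.0.0/0;", "allowed-ips=0.0.0.0/0;\npersistent-keepalive=25")


def check_keyfile(text):
    """Return human-readable findings for a NetworkManager WireGuard keyfile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names case-sensitive, as NetworkManager does
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section.startswith("wireguard-peer."):
            peer = cp[section]
            allowed = {a.strip() for a in peer.get("allowed-ips", "").split(";") if a.strip()}
            if "0.0.0.0/0" not in allowed:
                findings.append(f"{section}: allowed-ips lacks 0.0.0.0/0, only tunnel traffic is routed")
            if int(peer.get("persistent-keepalive", "0")) == 0:
                findings.append(f"{section}: persistent-keepalive unset; use 25 for a roaming endpoint")
        elif section == "ipv4":
            for key, value in cp[section].items():
                if key.startswith("address") and "," in value:
                    addr, gw = value.split(",", 1)
                    findings.append(f"ipv4.{key}: gateway {gw} set alongside {addr}; drop it")
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_keyfile(text) or "ok")
```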