Wireguard Remote access : impossible to connect a 2nd user

HuskerDu

I've started playing with Wireguard, more for learning than anything else, but get stuck with my second remote access user.

First setup on my mac using Wireguard client from App Store using 172.16.2.2/28, no issue on first shot.
Second setup on my Android device with client from Play Store using 172.16.2.3/28.... no connectivity whatsoever.

Long story short, I've ended up using the conf file from my Mac on Android, works on first shot. Using conf file from my Android on Mac, no connectivity

I've done and redone the second config file at leat 5 or 6 times, with extensive attention on copy/paste working structure and keys... no matter what I'm doing, the second file never works.

Any thoughts on where to look for ?

AB5G

@huskerdu Pasting from my reply in another thread

Assuming you have the basic setup completed like here - https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html

Then you should

Assign a wireguard interface (recommended) (detailed here) - https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/assign.html
Create a outbound NAT rule to NAT local LAN to the tunnel IP
Your Android client should be able to connect. Look for logs in the Android client - in IOS there is a way to see the logs.

Also your Android client should be setup as 172.16.2.3/32 not as a /28.

HuskerDu

@ab5g Thanks for the tips, I'll take a look at them.

p1erre

@huskerdu Same issue here, after adding a second peer I get:

wg show
interface: wg0
  public key: xxxxxxxxx
  private key: (hidden)
  listening port: 51820

peer: xxxxxxxxx
  endpoint: 1.2.3.4:51820
  allowed ips: ::/0, 0.0.0.0/0

Unable to access interface wg1: Cannot allocate memory

With just one peer

wg show
interface: wg0
  public key: xxxxxxxxx
  private key: (hidden)
  listening port: 51820

peer: xxxxxxxxx
  endpoint: 1.2.3.4:51820
  allowed ips: ::/0, 0.0.0.0/0

interface: wg1
  public key: xxxxxxxxx
  private key: (hidden)
  listening port: 51821

peer: xxxxxxxxx
  allowed ips: 0.0.0.0/0

HuskerDu

I've added an interface, change all relevant ranges to /32 and NAT... the 2nd peer get connected but passes no traffic.

Interestingly, I can connect twice with the same conf/address at the same time...

tympom

I have the same issue, after adding second connection wg responds "Unable to access interface wg0: Cannot allocate memory". Client connects but no traffic.

I guess it has been tested only with one

p1erre

Ticket: https://redmine.pfsense.org/issues/11460

manicmoose

@huskerdu

Yep, my experience is exactly the same.

jimp

You cannot have multiple peers when one is using 0.0.0.0/0 and/or ::/0 -- It's an invalid configuration as WireGuard has no way to tell what traffic goes to which peer.

Input validation will prevent this in future releases: https://redmine.pfsense.org/issues/11465

p1erre

@jimp said in Wireguard Remote access : impossible to connect a 2nd user:

You cannot have multiple peers when one is using 0.0.0.0/0 and/or ::/0 -- It's an invalid configuration as WireGuard has no way to tell what traffic goes to which peer.

Input validation will prevent this in future releases: https://redmine.pfsense.org/issues/11465

Thanks for clarification @jimp

HuskerDu

@jimp Thanks for the info.

noconnor

@ab5g said in Wireguard Remote access : impossible to connect a 2nd user:

Create a outbound NAT rule to NAT local LAN to the tunnel IP

Could you elaborate on that NAT rule? I've got an Android phone peer that will connect (I can see rx/tx packets) and I can see its DNS requests hit my firewall/tunnel IP but no connections ever return so I think that rule could be the key.

manicmoose

@jimp Aha! Thanks Jim!

Griffo

I get the same thing.

With the below config, nothing will flow. Delete the second peer, and peer 1 starts to work straight away.

interface: wg1
  public key: 6iEV/lkOxZTe7naSF3LvLl+M9KfMDqdxxxxx=
  private key: (hidden)
  listening port: 51821

peer: 6GfLrKXZ8K1RMQGuh7ewJS7jaOj4K9wFz8fxxxxx=
  allowed ips: 192.168.70.67/32

peer: tKr3Dow7LN9FWWAmBU1za9PHN2fiPANUUuxxxxx=
  allowed ips: 192.168.71.66/32

quasides

@jimp
your answer while technically correct created some confusion as the whole proposition is wrong.

people think allowed IPs in the peerlist are equivalent to pushroutes in openvpn.

THIS IS NOT THE CASE

wireguard dont push routes (it cant) it also has no server or clients, it sees everything as a peer - even tough we see PFsense as a server and clients as clients.

to clarify: allowed IPs in the peerlist is a routing table, route allowed ips to this peer.
that also means every client that wants to route 0.0.0.0 via your pfsense (server) needs to set allwoed ips 0.0.0.0 in his local peerlist while the allowed ips on pfsense stays emtpy

yes for connecting site to site this is a nightmare as you would need to set all subnets of all peers you wanna route from and to into every peer list of all clients.
and you as a server have no control what client is doing.
no push anything

AB5G

@noconnor Check

• System > Routing > Default gateway IPv4 is set to WAN_DHCP (or whatever you are using)
• Have you created the WG interface by going to Interface > Assignments and selecting wg0 tunnel ?
• Next on this newly created interface. Goto Firewall > Rules > WG > select source WG interface then destination any allow. P.S you'll see another Menu for WireGuard when you goto Firewall > Rules. Don't enter rules there - leave that blank
• Lastly for NAT - goto Firewall > NAT > outbound > select Hybrid Outbound NAT > Add new rule
  Interface WG, source LAN subnet of Firewall source port any dest any dest port any Nat address WG address

noconnor

@ab5g Thanks!

I set the gateway and created the interface. Fwiw, I think it also seems to work if the FW rules are set on the "WireGuard" tab too. My understanding is that the "Wireguard" tab rules apply to all WG interfaces, and the WG# interface rules apply just to that interface/tunnel. For one tunnel I haven't seen a difference in function.

Thanks for elaborating on the NAT rule. Helped a lot!

bruor

@jimp Just to make sure I don't get surprised by a change in config validation. In wireguard right now I've got 3 sites connected.

in order to get things working, each peer's allowed list has: <peer_ip>/32,0.0.0.0/0

Is this considered an invalid configuration?

@jimp said in Wireguard Remote access : impossible to connect a 2nd user:

You cannot have multiple peers when one is using 0.0.0.0/0 and/or ::/0 -- It's an invalid configuration as WireGuard has no way to tell what traffic goes to which peer.

Input validation will prevent this in future releases: https://redmine.pfsense.org/issues/11465

jimp

One tunnel with multiple peers on pfSense can't have 0.0.0.0/0 in the peer entries on the pfSense tunnel configuration.

The remote peer configurations (not pfSense, but whatever the remote clients are) can each have 0.0.0.0/0 in their configurations to send all traffic through their VPN.

The "Allowed IPs" list is "which IP address can I reach through this VPN?"

It is not "What should this peer be told to reach though this VPN" since WireGuard has no mechanism to push settings to clients or tell them how to operate.

A lot of people get confused by that last part since they are used to how OpenVPN and IPsec operate in various modes where they list things that get pushed to clients, but WireGuard doesn't work that way.

HuskerDu

@jimp Thanks, that was my misunderstanding.

I've finally managed to setup remote access for several peers with one "instance" of wg on pFsense.

Remote config file look like this

[Interface]
PrivateKey = PrivateRemote1234567890+++
Address = 172.16.2.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = PublicPfSense0987654321----
PresharedKey = PreSharedPfSense0987654321----
AllowedIPs = 0.0.0.0/0
Endpoint = 8.9.10.11:51820

Centrally, the associated Allowed IP is

172.16.2.2/32