Second peer not passing traffic
-
It's possible something was fixed here, but I can't replicate this behavior.
I added a second tunnel configured like the first and
wg
outputs the config from both.: wg interface: wg1 public key: LMtMofK78bDgsPgkjJRr/8zkHTFV/ZGVVVkBV9/wKV4= private key: (hidden) listening port: 51821 peer: efIIIX7tjFdFhWVsPlgQHJcYDgidNjFllpS12+9D2EU= allowed ips: 10.6.211.4/32 peer: wtvPLZrlCvB+dvxkwbtAkmnSqCRXmC9+14LE/SvktSc= allowed ips: 10.6.211.3/32 peer: KN2+TVoXjngczbcDgwdUG6C4T9tJz4k1dgr92Zf0YUc= allowed ips: 10.6.211.2/32 interface: wg0 public key: PUVBJ+zuz/0mRPEB4tIaVbet5NzVwdWMX7crGx+/wDs= private key: (hidden) listening port: 51820 peer: V0qTImT7Vdr0eaZTAUg8D/sXP3Q6zGWRBa8+sSIHISw= allowed ips: 10.17.210.4/32 peer: bfad7zPslGzPJtSqf+SRS4+0KSiX3gf6g1KsYeiSPUE= allowed ips: 10.17.210.3/32 peer: 71nJC+0wt52pWSUpg/xYCCK3XbMcfanZ8UlDa4HZQQc= allowed ips: 10.6.210.2/32
Also, FYI, those are public keys, so not worth redacting, even if they weren't throwaways from my lab.
-
This post is deleted! -
My configs for reference:
: pkg info -E pfSense pfSense-2.5.0.a.20210125.2350
: cat /etc/wg/wg0.conf # This WireGuard config file has been created automatically. Do not edit! # Description: Remote Access [Interface] PrivateKey = <blah> ListenPort = 51820 # Peer: test [Peer] PublicKey = 71nJC+0wt52pWSUpg/xYCCK3XbMcfanZ8UlDa4HZQQc= AllowedIPs = 10.6.210.2/32 # Peer: someone [Peer] PublicKey = bfad7zPslGzPJtSqf+SRS4+0KSiX3gf6g1KsYeiSPUE= AllowedIPs = 10.6.210.3/32 # Peer: another [Peer] PublicKey = V0qTImT7Vdr0eaZTAUg8D/sXP3Q6zGWRBa8+sSIHISw= AllowedIPs = 10.6.210.4/32
: cat /etc/wg/wg1.conf # This WireGuard config file has been created automatically. Do not edit! # Description: Second RA [Interface] PrivateKey = <blah again> ListenPort = 51821 # Peer: alice [Peer] PublicKey = KN2+TVoXjngczbcDgwdUG6C4T9tJz4k1dgr92Zf0YUc= AllowedIPs = 10.6.211.2/32 # Peer: bob [Peer] PublicKey = wtvPLZrlCvB+dvxkwbtAkmnSqCRXmC9+14LE/SvktSc= AllowedIPs = 10.6.211.3/32 # Peer: sue [Peer] PublicKey = efIIIX7tjFdFhWVsPlgQHJcYDgidNjFllpS12+9D2EU= AllowedIPs = 10.6.211.4/32
-
I don't know how I reach this but I just reformatted and reinstalled a fresh pfSense VM. Configured everything to get it working as expected and I still run into it giving me that error when I run the wg command.
[2.5.0-DEVELOPMENT][admin@localrooter]/root: cat /etc/wg/wg0.conf # This WireGuard config file has been created automatically. Do not edit! # Description: WGVPN [Interface] PrivateKey = xxxxxxxx= ListenPort = 51820 # Peer: [Peer] PublicKey = xxxxxx= AllowedIPs = 10.30.x.0/24, 192.168.x.0/24 # Peer: [Peer] PublicKey = xxxxx= AllowedIPs = 10.30.x.0/24, 192.168.x.0/24 [2.5.0-DEVELOPMENT][admin@localrooter]/root: wg Unable to access interface wg0: Cannot allocate memory [2.5.0-DEVELOPMENT][admin@localrooter]/root:
I have assigned the wg0 interface with OPT1. I do have some static information I have configured for gateways and outbound NAT but that shouldn't be effecting this.
-
I can also confirm the VM does have plenty of memory to play with
last pid: 33282; load averages: 0.83, 0.60, 0.54 up 0+00:40:15 12:04:50 54 processes: 1 running, 53 sleeping CPU: 1.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 99.0% idle Mem: 60M Active, 7944K Inact, 334M Wired, 86M Buf, 3513M Free Swap: 1024M Total, 1024M Free
-
I think I've identified the problem. I had same problem as OP.
My problem was that in PFsense -> WireGuard -> Peers I had assigned 0.0.0.0/0 as "Allowed IPs". Which you make think based on the description in pfsense:"List of CIDR-masked subnets which can be reached via this peer."
I shared 0.0.0.0/0 both in the wireguard iOS-app and PFSense to experiment with a roadwarrior VPN.
Then I saw @jimp's example and quickly realized that his AllowedIPs (for the server!) are actually the tunnel IP to clients.
So in my case I assigned 192.168.18.2/32 to my iphone and 192.168.18.3/32 to my ipad (the thunnel has 192.168.18.0/24). In the Wireguard IOS-app, I use the same adress under "Adresses" in the interface.
In the peer-section of the client (iOS-app for me), I add the networks I want to reach via pfsense (for a split VPN):
192.168.1.0/24, 192.168.10.0/24 etc or 0.0.0.0/0 if I want to have a roadwarrior-VPN.I guess the reasoning that "allowedIPs" in the server configuration is telling the wireguard server how to reach the client, but for the client it's which traffict to send over VPN.
This is my old non-working config:
# Description: [Interface] PrivateKey = RedactedJustBecause ListenPort = 51820 # Peer: ios-iphone [Peer] PublicKey = RedactedJustBecause AllowedIPs = 0.0.0.0/0 # Peer: IOS-ipad [Peer] PublicKey = RedactedJustBecause AllowedIPs = 0.0.0.0/0
The working config looks like this:
# Description: [Interface] PrivateKey = RedactedJustBecause # Peer: ios-iphone [Peer] PublicKey = RedactedJustBecause AllowedIPs = 192.168.18.2/32 # Peer: IOS-ipad [Peer] PublicKey = RedactedJustBecause AllowedIPs = 192.168.18.3/32
Thanks for the good work by integrating Wireguard! I'll experiment with it and give feedback.
-
That's right you can't have the same Allowed IPs on two peers of the same VPN, otherwise it has no idea where to send the traffic. It uses the combination of the peer key and Allowed IPs to figure out how to route things internally inside WireGuard.
Also there is no "client" or "server" with WireGuard -- each side has peers, and the "Allowed IPs" on the peer are the networks on the peer side which can be reached via that peer.
So as you found, duplicating the same value across multiple peers breaks. We may need some input validation to prevent that from being allowed, but it could get tricky.
-
Taking @ritte approach I believe he may have gotten it. I was assuming the allowedIPs was what the server allowed the client to access, not what the server see's in the peer. I adjusted my config to match this new info and everything seems to be working correctly. wg command is not throwing out any errors. Will continue to test.
-
Is the allowedIPs treated as internal "endpoint" for a mobile peer (when setting it in PFSENSE)? I guess when doing site-site VPN this "problem" should not be faced since an external endpoint exists.
-
It doesn't include the external public IP if that's what you mean, no.
It would include the IP in the 'tunnel subnet' that mobile peer had been given.
Steve
-
@stephenw10
Yes, I realized this was quickly written. But when you have an external IP and an Endpoint, then this should not be an issue. PFsense peer knows how to route the traffic to Site B Peer.But with mobile peers, pfsense peer needs to have allowedIPs as Internal IPs to properly route the traffic.
Have I understood it correctly?
-
Yes. With multiple peers you need to set Allowed-IPs to determine which peer WG routes to.
https://www.wireguard.com/#cryptokey-routingBut to avoid confusion 'Endpoint' is a WG term the defines the external IP.
Steve