Netgate Discussion Forum

    Wireguard Remote access : impossible to connect a 2nd user

    25 Posts 11 Posters 5.7k Views
      HuskerDu
      last edited by HuskerDu

      I've started playing with Wireguard, more for learning than anything else, but got stuck with my second remote access user.

      First setup on my mac using Wireguard client from App Store using 172.16.2.2/28, no issue on first shot.
      Second setup on my Android device with client from Play Store using 172.16.2.3/28.... no connectivity whatsoever.

      Long story short, I've ended up using the conf file from my Mac on Android, and it works on the first shot. Using the conf file from my Android on the Mac, no connectivity.

      I've done and redone the second config file at least 5 or 6 times, with extensive attention to copy/pasting the working structure and keys... no matter what I'm doing, the second file never works.

      Any thoughts on where to look?

        AB5G @HuskerDu
        last edited by

        @huskerdu Pasting from my reply in another thread

        Assuming you have the basic setup completed like here - https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-ra.html

        Then you should:

        Assign a WireGuard interface (recommended) (detailed here) - https://docs.netgate.com/pfsense/en/latest/vpn/wireguard/assign.html
        Create an outbound NAT rule to NAT the local LAN to the tunnel IP
        Your Android client should be able to connect. Look for logs in the Android client - on iOS there is a way to see the logs.

        Also, your Android client should be set up as 172.16.2.3/32, not as a /28.

          HuskerDu @AB5G
          last edited by

          @ab5g Thanks for the tips, I'll take a look at them.

            p1erre @HuskerDu
            last edited by

            @huskerdu Same issue here, after adding a second peer I get:

            wg show
            interface: wg0
              public key: xxxxxxxxx
              private key: (hidden)
              listening port: 51820
            
            peer: xxxxxxxxx
              endpoint: 1.2.3.4:51820
              allowed ips: ::/0, 0.0.0.0/0
            
            Unable to access interface wg1: Cannot allocate memory
            

            With just one peer

            wg show
            interface: wg0
              public key: xxxxxxxxx
              private key: (hidden)
              listening port: 51820
            
            peer: xxxxxxxxx
              endpoint: 1.2.3.4:51820
              allowed ips: ::/0, 0.0.0.0/0
            
            interface: wg1
              public key: xxxxxxxxx
              private key: (hidden)
              listening port: 51821
            
            peer: xxxxxxxxx
              allowed ips: 0.0.0.0/0
            
              HuskerDu @p1erre
              last edited by

              I've added an interface, changed all relevant ranges to /32 and added NAT... the 2nd peer gets connected but passes no traffic.

              Interestingly, I can connect twice with the same conf/address at the same time...

                tympom
                last edited by

                I have the same issue, after adding second connection wg responds "Unable to access interface wg0: Cannot allocate memory". Client connects but no traffic.

                I guess it has been tested only with one 😁

                  p1erre
                  last edited by

                  Ticket: https://redmine.pfsense.org/issues/11460

                    manicmoose @HuskerDu
                    last edited by

                    @huskerdu

                    Yep, my experience is exactly the same.

                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      You cannot have multiple peers when one is using 0.0.0.0/0 and/or ::/0 -- It's an invalid configuration as WireGuard has no way to tell what traffic goes to which peer.

                      Input validation will prevent this in future releases: https://redmine.pfsense.org/issues/11465

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                        p1erre @jimp
                        last edited by

                        @jimp said in Wireguard Remote access : impossible to connect a 2nd user:

                        You cannot have multiple peers when one is using 0.0.0.0/0 and/or ::/0 -- It's an invalid configuration as WireGuard has no way to tell what traffic goes to which peer.

                        Input validation will prevent this in future releases: https://redmine.pfsense.org/issues/11465

                        Thanks for clarification @jimp

                          HuskerDu @jimp
                          last edited by

                          @jimp Thanks for the info.

                            noconnor @AB5G
                            last edited by noconnor

                            @ab5g said in Wireguard Remote access : impossible to connect a 2nd user:

                            Create an outbound NAT rule to NAT the local LAN to the tunnel IP

                            Could you elaborate on that NAT rule? I've got an Android phone peer that will connect (I can see rx/tx packets) and I can see its DNS requests hit my firewall/tunnel IP but no connections ever return so I think that rule could be the key.

                              manicmoose @jimp
                              last edited by

                              @jimp Aha! Thanks Jim!

                                Griffo @manicmoose
                                last edited by Griffo

                                I get the same thing.

                                With the below config, nothing will flow. Delete the second peer, and peer 1 starts to work straight away.

                                interface: wg1
                                  public key: 6iEV/lkOxZTe7naSF3LvLl+M9KfMDqdxxxxx=
                                  private key: (hidden)
                                  listening port: 51821
                                
                                peer: 6GfLrKXZ8K1RMQGuh7ewJS7jaOj4K9wFz8fxxxxx=
                                  allowed ips: 192.168.70.67/32
                                
                                peer: tKr3Dow7LN9FWWAmBU1za9PHN2fiPANUUuxxxxx=
                                  allowed ips: 192.168.71.66/32
                                
                                
                                  quasides @p1erre
                                  last edited by

                                  @jimp
                                  Your answer, while technically correct, created some confusion, as the whole proposition is wrong.

                                  People think Allowed IPs in the peer list are equivalent to push routes in OpenVPN.

                                  THIS IS NOT THE CASE

                                  WireGuard doesn't push routes (it can't); it also has no server or clients, it sees everything as a peer - even though we see pfSense as a server and clients as clients.

                                  To clarify: Allowed IPs in the peer list is a routing table: route the allowed IPs to this peer.
                                  That also means every client that wants to route 0.0.0.0 via your pfSense (server) needs to set Allowed IPs 0.0.0.0 in its local peer list, while the Allowed IPs on pfSense stay empty.

                                  Yes, for connecting site to site this is a nightmare, as you would need to set all subnets of all peers you want to route from and to into every peer list of all clients.
                                  And you as a server have no control over what the client is doing.
                                  No push anything.

                                    AB5G @noconnor
                                    last edited by

                                    @noconnor Check:

                                    • System > Routing > Default gateway IPv4 is set to WAN_DHCP (or whatever you are using)
                                    • Have you created the WG interface by going to Interfaces > Assignments and selecting the wg0 tunnel?
                                    • Next, on this newly created interface: go to Firewall > Rules > WG > select source WG interface, then destination any, allow. P.S. you'll see another menu for WireGuard when you go to Firewall > Rules. Don't enter rules there - leave that blank
                                    • Lastly, for NAT: go to Firewall > NAT > Outbound > select Hybrid Outbound NAT > Add new rule
                                      Interface WG, source LAN subnet of firewall, source port any, dest any, dest port any, NAT address WG address

                                      noconnor @AB5G
                                      last edited by

                                      @ab5g Thanks!

                                      I set the gateway and created the interface. Fwiw, I think it also seems to work if the FW rules are set on the "WireGuard" tab too. My understanding is that the "Wireguard" tab rules apply to all WG interfaces, and the WG# interface rules apply just to that interface/tunnel. For one tunnel I haven't seen a difference in function.

                                      Thanks for elaborating on the NAT rule. Helped a lot!

                                        bruor @jimp
                                        last edited by bruor

                                        @jimp Just to make sure I don't get surprised by a change in config validation. In wireguard right now I've got 3 sites connected.

                                        In order to get things working, each peer's allowed list has: <peer_ip>/32,0.0.0.0/0

                                        Is this considered an invalid configuration?

                                        @jimp said in Wireguard Remote access : impossible to connect a 2nd user:

                                        You cannot have multiple peers when one is using 0.0.0.0/0 and/or ::/0 -- It's an invalid configuration as WireGuard has no way to tell what traffic goes to which peer.

                                        Input validation will prevent this in future releases: https://redmine.pfsense.org/issues/11465

                                          jimp Rebel Alliance Developer Netgate
                                          last edited by

                                          One tunnel with multiple peers on pfSense can't have 0.0.0.0/0 in the peer entries on the pfSense tunnel configuration.

                                          The remote peer configurations (not pfSense, but whatever the remote clients are) can each have 0.0.0.0/0 in their configurations to send all traffic through their VPN.

                                          The "Allowed IPs" list is "which IP address can I reach through this VPN?"

                                          It is not "What should this peer be told to reach through this VPN", since WireGuard has no mechanism to push settings to clients or tell them how to operate.

                                          A lot of people get confused by that last part since they are used to how OpenVPN and IPsec operate in various modes where they list things that get pushed to clients, but WireGuard doesn't work that way.


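The rule jimp states above (a pfSense tunnel with several peers cannot carry 0.0.0.0/0 or ::/0 in any peer entry, and "Allowed IPs" is a routing table answering "which addresses do I reach through this peer") can be checked mechanically. The following is an added example written for this thread; it is not pfSense code, not part of the Redmine ticket, and the `wg show` text and public keys in it are constructed placeholders modelled on the output posted earlier in the thread. It parses `wg show`-style output, reports Allowed IPs that overlap between two peers on the same interface, flags the specific multi-peer default-route case from the thread, and resolves a destination address to a peer by longest matching prefix, which is how the cryptokey routing table selects a peer when the configuration is unambiguous.

```python
import ipaddress

# Constructed sample: the misconfiguration discussed in the thread. The second
# peer carries 0.0.0.0/0 on the pfSense side, so peer A's /32 is shadowed.
SAMPLE_WG_SHOW = """\
interface: wg1
  public key: SERVER_PUBKEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51821

peer: PEER_A_PUBKEY_PLACEHOLDER=
  allowed ips: 172.16.2.2/32

peer: PEER_B_PUBKEY_PLACEHOLDER=
  allowed ips: 172.16.2.3/32, 0.0.0.0/0
"""

# Constructed sample: the corrected layout from the end of the thread. Each
# peer gets only its own /32 centrally; 0.0.0.0/0 belongs in the remote
# client's own [Peer] section, not here.
FIXED_WG_SHOW = """\
interface: wg1
  public key: SERVER_PUBKEY_PLACEHOLDER=
  private key: (hidden)
  listening port: 51821

peer: PEER_A_PUBKEY_PLACEHOLDER=
  allowed ips: 172.16.2.2/32

peer: PEER_B_PUBKEY_PLACEHOLDER=
  allowed ips: 172.16.2.3/32
"""


def parse_wg_show(text):
    """Return {interface: [(peer_public_key, [ip_network, ...]), ...]}.

    Only the 'interface:', 'peer:' and 'allowed ips:' lines are used;
    endpoints, ports and '(hidden)'/'(none)' markers are skipped.
    """
    interfaces = {}
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface:"):
            current_if = line.split(":", 1)[1].strip()
            interfaces[current_if] = []
        elif line.startswith("peer:") and current_if is not None:
            interfaces[current_if].append((line.split(":", 1)[1].strip(), []))
        elif line.startswith("allowed ips:") and current_if and interfaces[current_if]:
            for token in line.split(":", 1)[1].split(","):
                token = token.strip()
                if token and token != "(none)":
                    interfaces[current_if][-1][1].append(
                        ipaddress.ip_network(token, strict=False))
    return interfaces


def find_conflicts(interfaces):
    """Overlapping Allowed IPs between two peers on one interface.

    Returns a list of (interface, peer_a, net_a, peer_b, net_b) tuples.
    Any overlap is ambiguous: the same destination would be claimed by
    two peers, so the kernel cannot route it to both.
    """
    conflicts = []
    for ifname, peers in interfaces.items():
        for i, (key_a, nets_a) in enumerate(peers):
            for key_b, nets_b in peers[i + 1:]:
                for na in nets_a:
                    for nb in nets_b:
                        if na.version == nb.version and na.overlaps(nb):
                            conflicts.append((ifname, key_a, str(na), key_b, str(nb)))
    return conflicts


def default_route_violations(interfaces):
    """The thread's rule: on an interface with more than one peer, no peer
    may claim a whole address family (0.0.0.0/0 or ::/0)."""
    bad = []
    for ifname, peers in interfaces.items():
        if len(peers) < 2:
            continue
        for key, nets in peers:
            if any(n.prefixlen == 0 for n in nets):
                bad.append((ifname, key))
    return bad


def select_peer(interfaces, ifname, destination):
    """Longest-prefix match of a destination address against Allowed IPs,
    i.e. the 'routing table' reading of the peer list. Returns the peer
    public key, or None if no peer claims the address."""
    addr = ipaddress.ip_address(destination)
    best_key, best_len = None, -1
    for key, nets in interfaces.get(ifname, []):
        for net in nets:
            if net.version == addr.version and addr in net and net.prefixlen > best_len:
                best_key, best_len = key, net.prefixlen
    return best_key


if __name__ == "__main__":
    for label, text in (("broken", SAMPLE_WG_SHOW), ("fixed", FIXED_WG_SHOW)):
        cfg = parse_wg_show(text)
        print(label, "overlaps:", find_conflicts(cfg))
        print(label, "default-route peers:", default_route_violations(cfg))
        print(label, "10.0.0.5 ->", select_peer(cfg, "wg1", "10.0.0.5"))
```

Run against real output, feed `wg show` (or the tunnel status page's text) into `parse_wg_show`. An empty result from both `find_conflicts` and `default_route_violations` is the state the Redmine validation ticket aims for; a non-empty one explains "connects but passes no traffic" without any packet capture.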
                                            HuskerDu @jimp
                                            last edited by HuskerDu

                                            @jimp Thanks, that was my misunderstanding.

                                            I've finally managed to set up remote access for several peers with one "instance" of wg on pfSense.

                                            The remote config file looks like this:

                                            [Interface]
                                            PrivateKey = PrivateRemote1234567890+++
                                            Address = 172.16.2.2/32
                                            DNS = 10.0.0.1
                                            
                                            [Peer]
                                            PublicKey = PublicPfSense0987654321----
                                            PresharedKey = PreSharedPfSense0987654321----
                                            AllowedIPs = 0.0.0.0/0
                                            Endpoint = 8.9.10.11:51820
                                            

                                            Centrally, the associated Allowed IP is

                                            172.16.2.2/32
                                            
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.