Netgate Discussion Forum
    Wireguard Remote access : impossible to connect a 2nd user

    Scheduled Pinned Locked Moved WireGuard
    25 Posts 11 Posters 5.8k Views
    luisaraujo

      Sorry guys, I'm stuck here also.
      After creating more than one peer, on the console if I query wg the answer is:

      Unable to access interface wg0: Cannot allocate memory
      

      Also, I am only able to transfer data with the 1st peer; for all the others, the client connects to the pfSense WG server but doesn't transfer any data between the client and the pfSense network.

      Changing the allowed IPs to 0.0.0.0/0 on the client is a no-go for me, because I just want to forward the pfSense subnet traffic and nothing else over the tunnel. Even so, it doesn't work either.

      Whoever has more than one peer working, can you please help explain how you solved this?

      Thanks in advance, help is appreciated.

      Griffo @luisaraujo

        @luisaraujo Can you show the configs on pfsense of the peers? Normally it errors when people have overlapping "allowed IP" ranges on different peers.

        luisaraujo @Griffo

          @griffo thank you for the reply:

          server side:

          interface: wg0
            public key: xw+fQgc**************Hi7b2WRNVuGpnc=
            private key: (hidden)
            listening port: 51820
          
          peer: OuQlCN2OTy********************epbr8kGIJhA=
            allowed ips: 192.168.168.0/24
          
          peer: fBgCDQejJDET***********************4/YD4=
            allowed ips: 192.168.0.0/24
          

          client side:

          [Interface]
          PrivateKey = qJec0SvTJ4**********************Um3bQ5W4=
          Address = 192.168.168.2/32
          DNS = 1.1.1.1
          
          [Peer]
          PublicKey = xw+fQgcFPC***********************uGpnc=
          AllowedIPs = 192.168.0.0/24
          Endpoint = aaaaaaaaaaa.ddns.net:51820
          PersistentKeepalive = 20
          
          quasides @luisaraujo

            @luisaraujo
            aaaaaaaaaaa.ddns.net is wrong, that's my address

            no, but seriously

            how often do we have to write this here.
            allowed IPs is A ROUTING TABLE (crypto routing by wg) and it's a security table (both at the same time)

            so that means: everything you put in allowed ips in the peer section will be routed to that peer.

            so the client should have in its allowed IP list only the subnets on the server side (0.0.0.0 only if the server should also be the internet gateway)
            and on the server side you put only the allowed IPs you want to go to the client side.

            so let's say the server has the 192.168.0.x/24 subnet
            peer (client) A has the 172.16.20.x/24 subnet
            peer (client) B has the 172.16.50.x/24 subnet

            so if we want all subnets communicating with each other we would have to put it like

            server

            peer: OuQlCN2OTy********************epbr8kGIJhA= (peer A)
              allowed ips: 172.16.20.0/24
            
            peer: fBgCDQejJDET***********************4/YD4= (peer B)
              allowed ips: 172.16.50.0/24
            

            client A

            [Peer]
            PublicKey = xw+fQgcFPC***********************uGpnc= (server)
            AllowedIPs = 192.168.0.0/24, 172.16.50.0/24
            Endpoint = aaaaaaaaaaa.ddns.net:51820
            PersistentKeepalive = 20
            

            client B

            [Peer]
            PublicKey = xw+fQgcFPC***********************uGpnc= (server)
            AllowedIPs = 192.168.0.0/24, 172.16.20.0/24
            Endpoint = aaaaaaaaaaa.ddns.net:51820
            PersistentKeepalive = 20
            
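            A small checker, added here as an example (not code from the thread, pfSense or WireGuard), that reads the `wg show`-style peer list quoted above into the cryptokey routing table quasides describes, flags AllowedIPs that overlap another peer or the server's own LAN (the overlap Griffo asks about), and resolves which peer a destination is sent to by longest-prefix match. The sample text and the public key strings are constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the `wg show` layout quoted in the thread, following
# quasides' suggested split; the keys are placeholders, not the thread's keys.
SERVER_PEERS = """\
peer: PEER_A_PUBKEY_PLACEHOLDER
  allowed ips: 172.16.20.0/24
peer: PEER_B_PUBKEY_PLACEHOLDER
  allowed ips: 172.16.50.0/24
"""

def parse_wg_show(text: str) -> Dict[str, list]:
    """Map each peer's public key to its AllowedIPs: the cryptokey routing table."""
    peers: Dict[str, list] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = line.split(":", 1)[1].strip()
            peers[current] = []
        elif line.startswith("allowed ips:") and current is not None:
            for cidr in line.split(":", 1)[1].split(","):
                peers[current].append(ipaddress.ip_network(cidr.strip(), strict=False))
    return peers

def find_overlaps(peers: Dict[str, list], server_lan: Iterable[str] = ()) -> List[Tuple[str, str, str, str]]:
    """Return (peer1, peer2, net1, net2) for every overlapping pair of AllowedIPs.
    The server's own LAN is added as a pseudo-peer, so a remote peer that claims
    the local subnet (pulling LAN-bound traffic into its tunnel) is reported too."""
    table = dict(peers)
    if server_lan:
        table["<server LAN>"] = [ipaddress.ip_network(c, strict=False) for c in server_lan]
    names = list(table)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            hits += [(a, b, str(na), str(nb)) for na in table[a]
                     for nb in table[b] if na.overlaps(nb)]
    return hits

def route_to_peer(peers: Dict[str, list], dst: str) -> Optional[str]:
    """Peer WireGuard sends a packet for `dst` to: longest-prefix match across all
    peers' AllowedIPs. None means no peer claims it and the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for key, nets in peers.items():
        for net in nets:
            if addr in net and net.prefixlen > best_len:
                best, best_len = key, net.prefixlen
    return best
```

Run `find_overlaps(parse_wg_show(text), ["192.168.0.0/24"])` against your own `wg show` output with your LAN prefix; an empty list means every prefix is owned by exactly one side of the tunnel.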
            quasides @quasides

              @quasides
              just a future warning: as we can see, we basically define a static routing table on the WireGuard level.
              that also means any change in topology has to be manually updated on each and every client.

              automated updates of routing tables like with OSPF don't work; WG still has no implementation for that, and while OSPF could change routers (pfSense), it would be overwritten or at least meaningless as WG is going to override it and/or at least use it internally based on the manual config

              edit: i do understand the confusion though. not only is the WG concept, with no pushing of config, a very weird one, but the naming of the parameter allowed IPs is beyond stupid.
              just translate it to something sane like "remote network", which is what it basically means

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.