One tunnel multiple peers?

swemattias

This might be a completely stupid question... but am I not supposed to have one tunnel and multiple peers?
Sure I need to new public key for every peer... or should I?
Let's say I want two of my computers to able to use this tunnel, not at the same time but at different times, should I share the conf file between them?

f.meunier

@swemattias
I shall advise using a specific peer config for each computer instead of sharing the same config file.

swemattias

@f-meunier That is what I want, but since the public server key will be the same pfSense throws that error when creating the second peer. I might do something wrong so please correct me.

f.meunier

@swemattias
wireguard white paper states : "This also means that two distinct peers should not share private keys, since in that situation a packet sent to one could be replayed to another, and the ensuing response would then cause the initiator to involuntarily roam from one peer to another. But one should not be sharing private keys in the ﬁrst place, anyway.)

I'm preparing a step-by-step procedure for you (but I'm flagged as spam by akismet !)

f.meunier

computer 1 will have it's own private key (P1privK)+ public key (P1pubK)
computer 2 will have P2privK+ P2pubK

pfSense will have FWprivK + FWpubK

the whole tunnel will use subnet 192.168.201.0/24, where :
pfSense will have 192.168.201.254
computer 1 will have 192.168.201.1
computer 2 will have 192.168.201.2

f.meunier

(sorry I have to post piece by piece)

on computer 1, begin creating a tunnel. You will get P1pubK (at this point, config is not complete, we will append things later)
on computer 2, begin creating a tunnel. You will get P2pubK

in pfSense :
create tunnel, generate New keys and get/copy FWpubK (to be used in each computer config)
save this and it will pre-generate a non assigned interface (tun_wg0)
Go to interface assignments and "add" the pseudo-interface (OPTx) using tun-wg0
Now you have an interface for the tunnel

f.meunier

Edit interfaces > OPTx and set a static IPv4 as 192.168.201.254/24

edit the tunnel
create a first peer using P1pubK as "Public Key" (WireGuard public key for this peer.) and allowed IPs is 192.168.201.1/32 (be sure it's a /32, not /24)
create a second peer using P2pubK and allowed IPs is 192.168.201.2/32

the tunnel is ready, as well as its peers references.

Now we have to set the firewall > rules > OPTx
You may start with permit IPv4 - any source - any destnation (restrict if needed)

Now we have to set the firewall > rules > WAN to accept connections from outside
Add rule IPv4 - UDP - any source to "this firewall (self)" on wireguard port (51820 for example)

f.meunier

On computer 1, edit config :

[Interface]
PrivateKey =[do not change what has been automatically generated]
Address = 192.168.201.1/24
DNS = 192.168.201.254

[Peer]
PublicKey = [FWpubK]
AllowedIPs = 192.168.201.0/24, any subnet behind the target pfSense
Endpoint = [pfSense public IP or FQDN]:51820

On computer 2, edit config :

[Interface]
PrivateKey =[do not change what has been automatically generated]
Address = 192.168.201.2/24
DNS = 192.168.201.254

[Peer]
PublicKey = [FWpubK]
AllowedIPs = 192.168.201.0/24, any subnet behind the target pfSense
Endpoint = [pfSense public IP or FQDN]:51820

Now you should be able to ping from computer 1 to 192.168.201.254 (pfSense) and any machine in "subnet behind the target pfSense"

Note that you can't ping a machine by it's name : DNS resolver in pfSense may not accept it.
Go to Services > DNS Resolver and add OPTx to the list of "Nework Interfaces" (Interface IPs used by the DNS Resolver for responding to queries from clients.)

f.meunier

that's all (sorry, could'nt post all in once due to AKISMET, reputation restrictions and "new user" 120 seconds delay between 2 posts !)

swemattias

@f-meunier THANK YOU!

f.meunier

@swemattias
Happy to be helpful !
Have a nice day (or night !)

f.meunier

@f-meunier
OK, for archive, I put the whole procedure back in one single thread (now that I'm not flagged as spammer by AKISMET anymore !...)

wireguard white paper states : "This also means that two distinct peers should not share private keys, since in that situation a packet sent to one could be replayed to another, and the ensuing response would then cause the initiator to involuntarily roam from one peer to another. But one should not be sharing private keys in the ﬁrst place, anyway.)

computer 1 will have it's own private key (P1privK)+ public key (P1pubK)
computer 2 will have P2privK+ P2pubK

pfSense will have FWprivK + FWpubK

the whole tunnel will use subnet 192.168.201.0/24, where :
pfSense will have 192.168.201.254
computer 1 will have 192.168.201.1
computer 2 will have 192.168.201.2

on computer 1, begin creating a tunnel. You will get P1pubK (at this point, config is not complete, we will append things later)
on computer 2, begin creating a tunnel. You will get P2pubK

in pfSense :
create tunnel, generate New keys and get/copy FWpubK (to be used in each computer config)
save this and it will pre-generate a non assigned interface (tun_wg0)
Go to interface assignments and "add" the pseudo-interface (OPTx) using tun-wg0
Now you have an interface for the tunnel

Edit interfaces > OPTx and set a static IPv4 as 192.168.201.254/24

edit the tunnel
create a first peer using P1pubK as "Public Key" (WireGuard public key for this peer.) and allowed IPs is 192.168.201.1/32 (be sure it's a /32, not /24)
create a second peer using P2pubK and allowed IPs is 192.168.201.2/32

the tunnel is ready, as well as its peers references.

Now we have to set the firewall > rules > OPTx
You may start with permit IPv4 - any source - any destnation (restrict if needed)

Now we have to set the firewall > rules > WAN to accept connections from outside
Add rule IPv4 - UDP - any source to "this firewall (self)" on wireguard port (51820 for example)

On computer 1, edit config :

[Interface]
PrivateKey =[do not change what has been automatically generated]
Address = 192.168.201.1/24
DNS = 192.168.201.254

[Peer]
PublicKey = [FWpubK]
AllowedIPs = 192.168.201.0/24, any subnet behind the target pfSense
Endpoint = [pfSense public IP or FQDN]:51820

On computer 2, edit config :

[Interface]
PrivateKey =[do not change what has been automatically generated]
Address = 192.168.201.2/24
DNS = 192.168.201.254

[Peer]
PublicKey = [FWpubK]
AllowedIPs = 192.168.201.0/24, any subnet behind the target pfSense
Endpoint = [pfSense public IP or FQDN]:51820

Now you should be able to ping from computer 1 to 192.168.201.254 (pfSense) and any machine in "subnet behind the target pfSense"

Note that you can't ping a machine by it's name : DNS resolver in pfSense may not accept it.
Go to Services > DNS Resolver and add OPTx to the list of "Nework Interfaces" (Interface IPs used by the DNS Resolver for responding to queries from clients.)

Now you can ping by names, not only IPs.

swemattias

@swemattias So @f-meunier I read your posts twice, compared to what I have setup so far, saw one mistake. Than I rebuilt my peer setup from scratch.
So this is my Device 1s wg-conf:

[Interface]
PrivateKey = <Device 1 private key>
Address = 172.16.16.1/24
DNS = 172.16.16.254

[Peer]
PublicKey = <Server/pfSense public key or in your words FWpubk>
AllowedIPs = 172.16.16.0/24, 10.0.0.0/24
Endpoint = wg.domain.io:58220

The connections works and I get a handshake but I cannot reach anything on the inside or ping .254.

Skärmavbild 2022-02-25 kl. 19.46.39.png

f.meunier

@swemattias
you can check "dynamic endpoint" if you have a "computer to network" situation,

(give an endpoint address or fqdn only in "site to site" configuration)

what is the WG_INTERFACE (OPT3) configuration ?
what is the rule on WAN ?
what is the rule on WG_INTERFACE ?

Also, show the peer status if you can.

f.meunier

@swemattias
I see on tunnel config : listen port 55120
but you set the other side's "Endpoint = wg.domain.io:58220"
This should be the same port.
Thus, should be "Endpoint = wg.domain.io:55120"

swemattias

@f-meunier said in One tunnel multiple peers?:

@swemattias
I see on tunnel config : listen port 55120
but you set the other side's enpoint port as 58220
This should be the same port

That is just mistake from my side during preparing the post. Ofc I have the same port.

swemattias

@f-meunier Here are those configs:

f.meunier

@swemattias
please try checking "dynamic"
Doing so, you only have to set parameters on the "fixed" side...
(client side will "use" these params in the [Peer] section)

f.meunier

@swemattias

according to your screenshots, you should have :

[Interface]
PrivateKey = <Device 1 private key>
Address = 172.16.16.1/24
DNS = 172.16.16.254

[Peer]
PublicKey = <Server/pfSense public key or in your words FWpubk>
AllowedIPs = 172.16.16.0/24, 10.0.0.0/24
Endpoint = wg.domain.io:55120

pinging 172.16.16.254 from client works ?

swemattias

@f-meunier That didn't help, setting it to Dynamic, I can surf and write this through this tunnel, but I cannot reach the inside.