Netgate Discussion Forum

    One tunnel multiple peers?

    WireGuard
    41 Posts 2 Posters 8.7k Views
    • S
      swemattias

      This might be a completely stupid question... but am I not supposed to have one tunnel and multiple peers?
      Sure I need a new public key for every peer... or should I?
      Let's say I want two of my computers to be able to use this tunnel, not at the same time but at different times, should I share the conf file between them?

      • F
        f.meunier @swemattias

        @swemattias
        I shall advise using a specific peer config for each computer instead of sharing the same config file.

        (mostly ZOTAC CI or CA nano barebones)

        • S
          swemattias @f.meunier

          @f-meunier That is what I want, but since the public server key will be the same pfSense throws that error when creating the second peer. I might do something wrong so please correct me. 😃

          • F
            f.meunier @swemattias

            @swemattias
            wireguard white paper states : "(This also means that two distinct peers should not share private keys, since in that situation a packet sent to one could be replayed to another, and the ensuing response would then cause the initiator to involuntarily roam from one peer to another. But one should not be sharing private keys in the first place, anyway.)"

            I'm preparing a step-by-step procedure for you (but I'm flagged as spam by akismet !)

            • F
              f.meunier @f.meunier

              computer 1 will have its own private key (P1privK) + public key (P1pubK)
              computer 2 will have P2privK+ P2pubK

              pfSense will have FWprivK + FWpubK

              the whole tunnel will use subnet 192.168.201.0/24, where :
              pfSense will have 192.168.201.254
              computer 1 will have 192.168.201.1
              computer 2 will have 192.168.201.2

              • F
                f.meunier @f.meunier

                (sorry I have to post piece by piece)

                on computer 1, begin creating a tunnel. You will get P1pubK (at this point, config is not complete, we will append things later)
                on computer 2, begin creating a tunnel. You will get P2pubK

                in pfSense :
                create tunnel, generate New keys and get/copy FWpubK (to be used in each computer config)
                save this and it will pre-generate a non assigned interface (tun_wg0)
                Go to interface assignments and "add" the pseudo-interface (OPTx) using tun_wg0
                Now you have an interface for the tunnel

                • F
                  f.meunier @f.meunier

                  Edit interfaces > OPTx and set a static IPv4 as 192.168.201.254/24

                  edit the tunnel
                  create a first peer using P1pubK as "Public Key" (WireGuard public key for this peer.) and allowed IPs is 192.168.201.1/32 (be sure it's a /32, not /24)
                  create a second peer using P2pubK and allowed IPs is 192.168.201.2/32

                  the tunnel is ready, as well as its peers references.

                  Now we have to set the firewall > rules > OPTx
                  You may start with permit IPv4 - any source - any destination (restrict if needed)

                  Now we have to set the firewall > rules > WAN to accept connections from outside
                  Add rule IPv4 - UDP - any source to "this firewall (self)" on wireguard port (51820 for example)

                  • F
                    f.meunier

                    On computer 1, edit config :

                    [Interface]
                    PrivateKey = [do not change what has been automatically generated]
                    Address = 192.168.201.1/24
                    DNS = 192.168.201.254
                    
                    [Peer]
                    PublicKey = [FWpubK]
                    AllowedIPs = 192.168.201.0/24, [any subnet behind the target pfSense]
                    Endpoint = [pfSense public IP or FQDN]:51820
                    

                    On computer 2, edit config :

                    [Interface]
                    PrivateKey = [do not change what has been automatically generated]
                    Address = 192.168.201.2/24
                    DNS = 192.168.201.254
                    
                    [Peer]
                    PublicKey = [FWpubK]
                    AllowedIPs = 192.168.201.0/24, [any subnet behind the target pfSense]
                    Endpoint = [pfSense public IP or FQDN]:51820
                    

                    Now you should be able to ping from computer 1 to 192.168.201.254 (pfSense) and any machine in "subnet behind the target pfSense"

                    Note that you can't ping a machine by its name : DNS resolver in pfSense may not accept it.
                    Go to Services > DNS Resolver and add OPTx to the list of "Network Interfaces" (Interface IPs used by the DNS Resolver for responding to queries from clients.)

                    • F
                      f.meunier

                      that's all (sorry, couldn't post all at once due to AKISMET, reputation restrictions and "new user" 120 seconds delay between 2 posts !)

                      • S
                        swemattias @f.meunier

                        @f-meunier THANK YOU! 😃

                        • F
                          f.meunier @swemattias

                          @swemattias
                          Happy to be helpful !
                          Have a nice day (or night !)

                          • F
                            f.meunier @f.meunier
                            last edited by f.meunier

                            @f-meunier
                            OK, for archive, I put the whole procedure back in one single thread (now that I'm not flagged as spammer by AKISMET anymore !...)

                            wireguard white paper states : "(This also means that two distinct peers should not share private keys, since in that situation a packet sent to one could be replayed to another, and the ensuing response would then cause the initiator to involuntarily roam from one peer to another. But one should not be sharing private keys in the first place, anyway.)"

                            computer 1 will have its own private key (P1privK) + public key (P1pubK)
                            computer 2 will have P2privK+ P2pubK

                            pfSense will have FWprivK + FWpubK

                            the whole tunnel will use subnet 192.168.201.0/24, where :
                            pfSense will have 192.168.201.254
                            computer 1 will have 192.168.201.1
                            computer 2 will have 192.168.201.2


                            on computer 1, begin creating a tunnel. You will get P1pubK (at this point, config is not complete, we will append things later)
                            on computer 2, begin creating a tunnel. You will get P2pubK

                            in pfSense :
                            create tunnel, generate New keys and get/copy FWpubK (to be used in each computer config)
                            save this and it will pre-generate a non assigned interface (tun_wg0)
                            Go to interface assignments and "add" the pseudo-interface (OPTx) using tun_wg0
                            Now you have an interface for the tunnel


                            Edit interfaces > OPTx and set a static IPv4 as 192.168.201.254/24

                            edit the tunnel
                            create a first peer using P1pubK as "Public Key" (WireGuard public key for this peer.) and allowed IPs is 192.168.201.1/32 (be sure it's a /32, not /24)
                            create a second peer using P2pubK and allowed IPs is 192.168.201.2/32

                            the tunnel is ready, as well as its peers references.

                            Now we have to set the firewall > rules > OPTx
                            You may start with permit IPv4 - any source - any destination (restrict if needed)

                            Now we have to set the firewall > rules > WAN to accept connections from outside
                            Add rule IPv4 - UDP - any source to "this firewall (self)" on wireguard port (51820 for example)


                            On computer 1, edit config :

                            [Interface]
                            PrivateKey = [do not change what has been automatically generated]
                            Address = 192.168.201.1/24
                            DNS = 192.168.201.254
                            
                            [Peer]
                            PublicKey = [FWpubK]
                            AllowedIPs = 192.168.201.0/24, [any subnet behind the target pfSense]
                            Endpoint = [pfSense public IP or FQDN]:51820
                            

                            On computer 2, edit config :

                            [Interface]
                            PrivateKey = [do not change what has been automatically generated]
                            Address = 192.168.201.2/24
                            DNS = 192.168.201.254
                            
                            [Peer]
                            PublicKey = [FWpubK]
                            AllowedIPs = 192.168.201.0/24, [any subnet behind the target pfSense]
                            Endpoint = [pfSense public IP or FQDN]:51820
                            

                            Now you should be able to ping from computer 1 to 192.168.201.254 (pfSense) and any machine in "subnet behind the target pfSense"

                            Note that you can't ping a machine by its name : DNS resolver in pfSense may not accept it.
                            Go to Services > DNS Resolver and add OPTx to the list of "Network Interfaces" (Interface IPs used by the DNS Resolver for responding to queries from clients.)

                            Now you can ping by names, not only IPs.


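Added example, not code from the thread or from pfSense: a small Python checker that cross-checks the hub-side peer list against each computer's config and reports the mistakes the procedure above warns about (a private/public key pair reused by two peers, a hub AllowedIPs that is a /24 instead of a /32, a client Endpoint port that does not match the hub's ListenPort, a client Address outside the tunnel subnet or missing from the hub's peer list). All key strings, the hostname wg.example.invalid and the sample configs are constructed placeholders; the check function and its finding texts are this example's own.

```python
import ipaddress

def parse_wg_config(text):
    """Parse an INI-style WireGuard config into
    {"Interface": {...}, "Peers": [{...}, ...]}; '#' starts a comment."""
    cfg = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip()
            if name == "Interface":
                current = cfg["Interface"]
            elif name == "Peer":
                current = {}
                cfg["Peers"].append(current)
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"malformed line: {raw.strip()!r}")
        current[key.strip()] = value.strip()
    return cfg

def _networks(value):
    """Split a comma-separated AllowedIPs value into ip_network objects."""
    return [ipaddress.ip_network(v.strip(), strict=False)
            for v in value.split(",") if v.strip()]

def check_hub_and_clients(hub_text, hub_public_key, clients, tunnel_subnet):
    """Cross-check the hub (pfSense side) tunnel definition against each client
    config. `clients` maps a client name to its config text. Returns a list of
    findings; an empty list means the set of configs is consistent."""
    findings = []
    hub = parse_wg_config(hub_text)
    subnet = ipaddress.ip_network(tunnel_subnet)
    listen_port = int(hub["Interface"].get("ListenPort", "51820"))
    first_use = {}     # public key -> index of the hub peer that introduced it
    hub_hosts = set()  # /32 tunnel addresses the hub routes to a peer
    for i, peer in enumerate(hub["Peers"], 1):
        pub = peer.get("PublicKey", "")
        if pub in first_use:
            findings.append(f"hub peer {i}: PublicKey already used by hub peer "
                            f"{first_use[pub]}; every peer needs its own key pair")
        first_use.setdefault(pub, i)
        for net in _networks(peer.get("AllowedIPs", "")):
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"hub peer {i}: AllowedIPs {net} must be a single "
                                f"host (/{net.max_prefixlen}), not /{net.prefixlen}")
            else:
                hub_hosts.add(net.network_address)
            if net.version != subnet.version or not net.subnet_of(subnet):
                findings.append(f"hub peer {i}: AllowedIPs {net} is outside {subnet}")
    seen_addr = {}
    for name, text in clients.items():
        cfg = parse_wg_config(text)
        addr = ipaddress.ip_interface(cfg["Interface"]["Address"])
        if addr.ip not in subnet:
            findings.append(f"{name}: Address {addr.ip} is outside {subnet}")
        elif addr.ip not in hub_hosts:
            findings.append(f"{name}: hub has no peer whose AllowedIPs is {addr.ip}/32")
        if addr.ip in seen_addr:
            findings.append(f"{name}: Address {addr.ip} also used by {seen_addr[addr.ip]}")
        seen_addr.setdefault(addr.ip, name)
        for peer in cfg["Peers"]:
            if peer.get("PublicKey") != hub_public_key:
                findings.append(f"{name}: [Peer] PublicKey is not the hub's public key")
            host, _, port = peer.get("Endpoint", "").rpartition(":")
            if not host or not port.isdigit():
                findings.append(f"{name}: Endpoint must be host:port")
            elif int(port) != listen_port:
                findings.append(f"{name}: Endpoint port {port} != hub ListenPort {listen_port}")
            nets = _networks(peer.get("AllowedIPs", ""))
            if not any(n.version == subnet.version and subnet.subnet_of(n) for n in nets):
                findings.append(f"{name}: AllowedIPs does not cover tunnel subnet {subnet}")
    return findings

# Constructed sample configs in the thread's layout; every key is a placeholder.
HUB_PUBLIC_KEY = "FWpubK_PLACEHOLDER"
HUB_OK = """
[Interface]
PrivateKey = FWprivK_PLACEHOLDER
Address = 192.168.201.254/24
ListenPort = 55120

[Peer]
PublicKey = P1pubK_PLACEHOLDER   # computer 1
AllowedIPs = 192.168.201.1/32

[Peer]
PublicKey = P2pubK_PLACEHOLDER   # computer 2
AllowedIPs = 192.168.201.2/32
"""
# Same hub with two mistakes: computer 2 reuses computer 1's key and gets a /24.
HUB_BAD = (HUB_OK.replace("P2pubK_PLACEHOLDER", "P1pubK_PLACEHOLDER")
                 .replace("192.168.201.2/32", "192.168.201.2/24"))

def client_config(privkey, address, endpoint):
    """Build a road-warrior client config in the thread's layout (constructed)."""
    return (f"[Interface]\nPrivateKey = {privkey}\nAddress = {address}\n"
            f"DNS = 192.168.201.254\n\n[Peer]\nPublicKey = {HUB_PUBLIC_KEY}\n"
            f"AllowedIPs = 192.168.201.0/24, 10.0.0.0/24\nEndpoint = {endpoint}\n")

CLIENTS_OK = {
    "computer 1": client_config("P1privK_PLACEHOLDER", "192.168.201.1/24", "wg.example.invalid:55120"),
    "computer 2": client_config("P2privK_PLACEHOLDER", "192.168.201.2/24", "wg.example.invalid:55120"),
}
# computer 2 pointing at the wrong UDP port (58220 instead of the hub's 55120)
CLIENTS_BAD = dict(CLIENTS_OK, **{"computer 2": client_config(
    "P2privK_PLACEHOLDER", "192.168.201.2/24", "wg.example.invalid:58220")})

if __name__ == "__main__":
    for label, hub, clients in (("good", HUB_OK, CLIENTS_OK), ("bad", HUB_BAD, CLIENTS_BAD)):
        print(label, check_hub_and_clients(hub, HUB_PUBLIC_KEY, clients, "192.168.201.0/24") or "OK")
```

Running it prints no findings for the good pair and four for the bad pair: the reused key, the /24 on the hub, the missing /32 route for computer 2 that the /24 caused, and the port mismatch. The hub config here is written in wg syntax only so that one parser serves both sides; on pfSense the same values live in the tunnel and peer forms, and the public key the clients must carry is the one shown on the tunnel page, which is why the hub's public key is passed in separately.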
                            • S
                              swemattias @swemattias

                              @swemattias So @f-meunier I read your posts twice, compared to what I have setup so far, saw one mistake. Then I rebuilt my peer setup from scratch.
                              So this is my Device 1's wg-conf:

                              [Interface]
                              PrivateKey = <Device 1 private key>
                              Address = 172.16.16.1/24
                              DNS = 172.16.16.254
                              
                              [Peer]
                              PublicKey = <Server/pfSense public key or in your words FWpubk>
                              AllowedIPs = 172.16.16.0/24, 10.0.0.0/24
                              Endpoint = wg.domain.io:58220
                              

                              The connection works and I get a handshake but I cannot reach anything on the inside or ping .254.

                              [attached screenshots: tunnel-setup.png, Skärmavbild 2022-02-25 kl. 19.46.39.png]

                              • F
                                f.meunier @swemattias
                                last edited by f.meunier

                                @swemattias
                                you can check "dynamic endpoint" if you have a "computer to network" situation,

                                (give an endpoint address or fqdn only in "site to site" configuration)

                                what is the WG_INTERFACE (OPT3) configuration ?
                                what is the rule on WAN ?
                                what is the rule on WG_INTERFACE ?

                                Also, show the peer status if you can.

                                • F
                                  f.meunier @swemattias
                                  last edited by f.meunier

                                  @swemattias
                                  I see on tunnel config : listen port 55120
                                  but you set the other side's "Endpoint = wg.domain.io:58220"
                                  This should be the same port.
                                  Thus, should be "Endpoint = wg.domain.io:55120"

                                  • S
                                    swemattias @f.meunier

                                    @f-meunier said in One tunnel multiple peers?:

                                    @swemattias
                                    I see on tunnel config : listen port 55120
                                    but you set the other side's endpoint port as 58220
                                    This should be the same port

                                    That is just mistake from my side during preparing the post. Ofc I have the same port.

                                    • S
                                      swemattias @f.meunier

                                      @f-meunier Here are those configs:
                                      [attached screenshots: wg_interface.png, wg_iface_rule.png, wan-rule.png]

                                      • F
                                        f.meunier @swemattias

                                        @swemattias
                                        please try checking "dynamic"
                                        Doing so, you only have to set parameters on the "fixed" side...
                                        (client side will "use" these params in the [Peer] section)

                                        • F
                                          f.meunier @swemattias

                                          @swemattias

                                          according to your screenshots, you should have :

                                          [Interface]
                                          PrivateKey = <Device 1 private key>
                                          Address = 172.16.16.1/24
                                          DNS = 172.16.16.254
                                          
                                          [Peer]
                                          PublicKey = <Server/pfSense public key or in your words FWpubk>
                                          AllowedIPs = 172.16.16.0/24, 10.0.0.0/24
                                          Endpoint = wg.domain.io:55120
                                          

                                          pinging 172.16.16.254 from client works ?

                                          • S
                                            swemattias @f.meunier
                                            last edited by swemattias

                                            @f-meunier That didn't help, setting it to Dynamic, I can surf and write this through this tunnel, but I cannot reach the inside.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.