One tunnel multiple peers?
-
@swemattias
sorry, I did not understand the situation.
You have a computer connecting to the pfSense through the WG tunnel, you manage to surf through but can't access internal network 10.0.0.x /24 ?according to your config, it's not a "catch all" tunnel. Your computer access to the internet will not use the tunnel, but its local router/gateway directly...
-
@f-meunier Yes I am testing with my computer to see if it works.
First question - yes. Switching to 4G network activating the tunnel.
I cannot ping anything on either 172.16.16.0/24 or 10.0.0.0/24. -
let's summarize.
Your computer client should have 2 interfaces :
LAN interface (let's say 192.168.1.1/24)
wireguard interface : 172.16.16.1/24client config is
[Interface] PrivateKey = <Device 1 private key> Address = 172.16.16.1/24 DNS = 172.16.16.254 [Peer] PublicKey = <Server/pfSense public key or in your words FWpubk> AllowedIPs = 172.16.16.0/24, 10.0.0.0/24 Endpoint = wg.domain.io:55120
pfsense has public IP wg.domain.io
LAN interface IP is 10.0.0.254/24
wireguard tunnel (tun_wg0) is bound to interface WG_INTERFACE
WG_INTERFACE has static IPv4 172.16.16.254/24
tunnel listen port = 55120 -
On the client computer side, what is the output of "route print -4" ?
-
@f-meunier route is available in OS X but not like that... :) No idea what do you want outputted? ;)
-
@swemattias
let me check the equivalent command in OSX... -
netstat -rn
-
the routes to 172.16.16.0/24 and 10.0.0.0/24 should appear in the list
-
@f-meunier This is what I get out cut out the lines with the right info in them:
10.0.0/24 link#16 UCS utun5 127 127.0.0.1 UCS lo0 127.0.0.1 127.0.0.1 UH lo0 172.16.16/24 172.16.16.1 UGSc utun5 172.16.16.1 172.16.16.1 UH utun5
-
@swemattias
well, your tunnel seems effectively up, and the routes are there.
what is the pfSense config of LAN interface ? 4th byte of 10.0.0.x address ? -
can you give the pfSense STATUS > Wireguard
(click on Show peers to see the details) -
One last check on WG_INTERFACE
Verify that "Block private networks and loopback addresses" and "Block bogon networks" are UNCHECKED
-
nevertheless, ping 172.16.16.254 should work...
-
what is curious :
route 10.0.0.0/24 should be accessible through a gateway -> flag " G" missing.really need to know your macOSX LAN IP...
also can you explain "I can surf and write this through this tunnel, but I cannot reach the inside."
-
set up a debian client to check
Got a route to wg subnet and pfSense (172.16.16.254 in your case)
Had no route to the remote LAN subnet (10.0.0.0/24 in your case)
(bizarre since it's in the WG client config !)Eventually, I manually added the route to 10.0.0.0/24
ip route add 10.0.0.0/24 dev wg0Now I can ping a machine in subnet 10.0.0.0/24
I will check why the route is not automatically added in the routing table even though it is present in AllowedIPs list...
It IS automatically added on windows client... -
Succeeded (on linux) using wg-quick tool
(it creates the interfaces, assigns IP and creates routes)fm@debian11:~$ wg-quick up /home/fm/wg0.conf [#] ip link add wg0 type wireguard [#] wg setconf wg0 /dev/fd/63 [#] ip -4 address add 192.168.201.3/24 dev wg0 [#] ip link set mtu 1420 up dev wg0 [#] ip -4 route add 10.0.0.0/24 dev wg0
-
@f-meunier Thanks for all the help! It took days before I had time to return to this by then I remembered a video I watched that really explained this to me... and I found it. So now I have a working Wireguard setup using pfSense as the server.
This is the video:
Lawrence system on Wireguard remote home -
@swemattias
Glad to sse you got through !For the record (and the community) could you tell us what was wrong initially ?
-
@f-meunier I wish I knew... some miss config from my part. If I had to guess I would say I mixed up the keys...
The video also shows how do do the original question of this thread, one tunnel multiple peers. -
@swemattias
Yes, multiple peers with the same goal / security rules = 1 tunnel, x peersI shall advise multiple tunnels only when you have different populations of peers (let's say internal users, external users or customers, etc.)
Have a nice day !