Netgate Discussion Forum

roaming peer fails

WireGuard
    marksmeets (last edited Jun 3, 2024, 6:14 PM)

    I've set up wireguard on pfsense and added two peers: a mobile and a linux laptop. I thought I did a good job because at first everything was working. Unfortunately I noticed that the peers would not be able to connect to the internet after they got a change of IP addresses. This is 100% reproducible: if I switch wifi hotspots on the laptop the problem occurs. It's a bit strange because the netgate documentation explicitly states:
    "WireGuard supports roaming automatically, and can detect when a peer has changed IP addresses. WireGuard will recognize that authenticated data is coming from a new address and update itself accordingly."

    I think it has to do with how the server is set up since both the mobile phone and the laptop show this problem. Any hints on how I can fix this, or narrow down the problem?

    Here's a bit more about my pfsense config:
    [screenshots of the pfSense WireGuard tunnel and peer configuration]

    And here's the config of one of the peers:
    [screenshot of the peer configuration]

    On the linux laptop I use networkmanager to handle the wireguard connection. The config file looks like this:
    [screenshot of the NetworkManager WireGuard keyfile]

    On the laptop I'm connected to the internet via (for instance) ethernet, then activate wireguard. Everything is fine. I keep a ping to google running. Then I switch to a different wifi, and see that the ping stops. Visiting a web page no longer works (it times out). If I now deactivate wireguard on the laptop, the ping starts running again. If I then reactivate wireguard, initially the ping stops. It will take a couple of seconds but then it starts running again. My question is: what do I need to adjust in order to get roaming to work?

      Jarhead @marksmeets (last edited Jun 3, 2024, 8:32 PM)

      @marksmeets When using a Dynamic Endpoint you should enable the keep alive. Try 25 seconds.
      Also on the peer, you're only allowing the tunnel, add 0.0.0.0/0 as allowed.

        marksmeets @Jarhead (last edited Jun 4, 2024, 8:26 AM)

        @Jarhead Thanks for your help, although I am confused. In the peer configuration I have
        allowed-ips=0.0.0.0/0
        so I didn't understand what you meant by "on the peer, you're only allowing the tunnel, add 0.0.0.0/0 as allowed"

        I had a feeling this wasn't about allowed-ips, but about address1. I've changed that line to
        address1=10.200.0.6/24
        (removing the gateway), and now it seems to work!

        I'm still confused, I thought specifying the gateway was correct. Maybe I'm misinterpreting your post. If so, could you explain a bit more? In both cases: many thanks!

          Jarhead @marksmeets (last edited Jun 4, 2024, 10:05 AM)

          @marksmeets The allowed IPs are the networks on the other side of the tunnel that will be allowed to traverse the tunnel.
          On the peer config in pfSense, not the actual peer, you're only allowing the tunnel IP. You should also add 0.0.0.0/0 as allowed.
          My thinking was this was causing the problem when the AP changed since you said the laptop would then have a different IP.
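As an added example, not code from the thread or from Netgate: a small Python check over a NetworkManager WireGuard keyfile for the three settings the replies above turn on (a gateway on address1, 0.0.0.0/0 in allowed-ips, and a persistent keepalive). The keyfile contents, endpoint hostname and key values are constructed placeholders, not the poster's real configuration.

```python
import configparser
import re

# Constructed sample keyfile (not from the thread): the laptop-side settings the
# original post described, with a gateway on address1 and no keepalive on the peer.
# Key values are placeholders, not real WireGuard keys.
KEYFILE_BEFORE = """[connection]
id=wg0
type=wireguard
interface-name=wg0

[wireguard]
private-key=PLACEHOLDER_PRIVATE_KEY

[wireguard-peer.PLACEHOLDER_SERVER_PUBLIC_KEY]
endpoint=vpn.example.net:51820
allowed-ips=0.0.0.0/0;

[ipv4]
method=manual
address1=10.200.0.6/24,10.200.0.1
"""

# The same keyfile with the two changes the thread arrived at: no gateway on
# address1, and a 25-second persistent keepalive on the peer.
KEYFILE_AFTER = KEYFILE_BEFORE.replace(
    "address1=10.200.0.6/24,10.200.0.1", "address1=10.200.0.6/24"
).replace("allowed-ips=0.0.0.0/0;", "allowed-ips=0.0.0.0/0;\npersistent-keepalive=25")


def check_wg_keyfile(text):
    """Return a list of findings for the roaming-related settings discussed in the thread."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # Keyfile syntax is addressN=<ip/prefix>[,<gateway>]; the poster reported that
    # removing the gateway part restored roaming, so flag it when present.
    if cp.has_section("ipv4"):
        for key, value in cp["ipv4"].items():
            if key.startswith("address") and "," in value:
                findings.append(f"{key} sets a gateway ({value.split(',', 1)[1]}); remove it")
    for section in cp.sections():
        if not section.startswith("wireguard-peer."):
            continue
        peer = cp[section]
        allowed = [a for a in re.split(r"[;,]", peer.get("allowed-ips", "")) if a]
        if "0.0.0.0/0" not in allowed:
            findings.append(f"{section}: allowed-ips lacks 0.0.0.0/0 (only tunnel-side networks will use the tunnel)")
        keepalive = peer.get("persistent-keepalive", "0")
        if not keepalive.isdigit() or int(keepalive) == 0:
            findings.append(f"{section}: no persistent-keepalive; set 25 for a roaming/NAT peer")
    return findings
```

Running `check_wg_keyfile(KEYFILE_BEFORE)` reports the gateway and the missing keepalive; the corrected keyfile yields no findings.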
