Netgate Discussion Forum

    roaming peer fails

    WireGuard
    4 Posts 2 Posters 343 Views
    marksmeets

      I've set up WireGuard on pfSense and added two peers: a mobile and a Linux laptop. I thought I did a good job because at first everything was working. Unfortunately I noticed that the peers would not be able to connect to the internet after they got a change of IP addresses. This is 100% reproducible: if I switch Wi-Fi hotspots on the laptop the problem occurs. It's a bit strange because the Netgate documentation explicitly states
      WireGuard supports roaming automatically, and can detect when a peer has changed IP addresses. WireGuard will recognize that authenticated data is coming from a new address and update itself accordingly.

      I think it has to do with how the server is set up since both the mobile phone and the laptop show this problem. Any hints how I can fix this, or narrow down the problem?

      Here's a bit more about my pfSense config:
      [four screenshots of the pfSense WireGuard configuration, not reproduced]

      And here's the config of one of the peers:
      [screenshot of the peer configuration, not reproduced]

      On the Linux laptop I use NetworkManager to handle the WireGuard connection. The config file looks like this:
      [screenshot of the NetworkManager keyfile, not reproduced]

      On the laptop I'm connected to the internet via (for instance) ethernet, then activate wireguard. Everything is fine. I keep a ping to google running. Then I switch to a different wifi, and see that the ping stops. Visiting a web page no longer works (it times out). If I now deactivate wireguard on the laptop, the ping starts running again. If I then reactivate wireguard initially the ping stops. It will take a couple of seconds but then it starts running again. My question is: what do I need to adjust in order to get roaming to work?

      Jarhead @marksmeets

        @marksmeets When using a Dynamic Endpoint you should enable the keepalive. Try 25 seconds.
        Also on the peer, you're only allowing the tunnel, add 0.0.0.0/0 as allowed.

        marksmeets @Jarhead

          @Jarhead Thanks for your help, although I am confused. In the peer configuration I have
          allowed-ips=0.0.0.0/0
          so I didn't understand what you meant by "on the peer, you're only allowing the tunnel, add 0.0.0.0/0 as allowed".

          I had a feeling this wasn't about allowed-ips, but about address1. I've changed that line to
          address1=10.200.0.6/24
          (removing the gateway), and now it seems to work!

          I'm still confused, I thought specifying the gateway was correct. Maybe I'm misinterpreting your post. If so, could you explain a bit more? In both cases: many thanks!

          Jarhead @marksmeets

            @marksmeets The allowed IPs are the networks on the other side of the tunnel that will be allowed to traverse the tunnel.
            On the peer config in pfSense, not the actual peer, you're only allowing the tunnel IP. You should also add 0.0.0.0/0 as allowed.
            My thinking was this was causing the problem when the AP changed since you said the laptop would then have a different IP.
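
The three settings this thread turns on (the gateway suffix on address1, persistent-keepalive, and allowed-ips) checked and repaired in one script, as an added example: it is not part of any post above and not a NetworkManager or Netgate tool. The keyfile it operates on is a constructed reconstruction of the shape of the poster's NetworkManager file; the key, endpoint and addresses are placeholders. One caveat on the Allowed IPs point: the 0.0.0.0/0 check below applies to the laptop's own keyfile. On the pfSense side, WireGuard uses each peer's Allowed IPs as its cryptokey routing table, so a given prefix can belong to only one peer per tunnel, and a road-warrior peer normally keeps just its own tunnel address (a /32) there.

```python
"""Lint and repair a NetworkManager WireGuard keyfile for the settings discussed in this thread.

Added example, not a NetworkManager or Netgate tool. It checks the laptop-side keyfile for:
  * [ipv4] addressN carrying a ",gateway" suffix (the line the poster changed to get roaming working)
  * a [wireguard-peer.*] section without persistent-keepalive (Jarhead's suggestion: 25 seconds)
  * a peer whose allowed-ips does not cover 0.0.0.0/0, i.e. not a full-tunnel client
"""
import configparser
import ipaddress

# Constructed sample in the shape of the poster's keyfile; key, endpoint and addresses are placeholders.
BROKEN_KEYFILE = """\
[connection]
id=wg0
type=wireguard
interface-name=wg0

[wireguard]
private-key=PLACEHOLDER_PRIVATE_KEY=

[wireguard-peer.PLACEHOLDER_SERVER_PUBLIC_KEY=]
endpoint=vpn.example.invalid:51820
allowed-ips=0.0.0.0/0;

[ipv4]
address1=10.200.0.6/24,10.200.0.1
method=manual

[ipv6]
method=disabled
"""


def _networks(value: str) -> list:
    """Parse an allowed-ips value; NetworkManager separates entries with ';' (a trailing ';' is common)."""
    return [ipaddress.ip_network(p.strip()) for p in value.replace(",", ";").split(";") if p.strip()]


def lint_keyfile(text: str) -> list:
    """Return a list of human-readable findings; an empty list means all three checks passed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    if cp.has_section("ipv4"):
        for key, value in cp.items("ipv4"):
            if key.startswith("address") and "," in value:
                gateway = value.split(",", 1)[1]
                findings.append(f"ipv4.{key}: carries a gateway ({gateway}); the poster's fix was to drop it")
    peers = [s for s in cp.sections() if s.startswith("wireguard-peer.")]
    if not peers:
        findings.append("no [wireguard-peer.*] section found")
    for peer in peers:
        if cp.getint(peer, "persistent-keepalive", fallback=0) <= 0:
            findings.append(f"{peer}: persistent-keepalive is unset; 25 seconds keeps the NAT mapping open")
        nets = _networks(cp.get(peer, "allowed-ips", fallback=""))
        if not any(n.version == 4 and n.prefixlen == 0 for n in nets):
            findings.append(f"{peer}: allowed-ips lacks 0.0.0.0/0, so only the listed networks are routed into the tunnel")
    return findings


def fix_keyfile(text: str, keepalive: int = 25) -> str:
    """Return the keyfile with the gateway dropped from addressN and persistent-keepalive set on every peer."""
    out, section, in_peer, has_keepalive = [], None, False, False
    for line in (*text.splitlines(), None):          # None is a sentinel that closes the last section
        if line is None or line.startswith("["):
            if in_peer and not has_keepalive:        # add the key before the blank lines ending the section
                trailing = []
                while out and out[-1] == "":
                    trailing.append(out.pop())
                out.append(f"persistent-keepalive={keepalive}")
                out.extend(trailing)
            if line is None:
                break
            section = line.strip()[1:-1]
            in_peer, has_keepalive = section.startswith("wireguard-peer."), False
        elif "=" in line and not line.lstrip().startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            if in_peer and key == "persistent-keepalive":
                has_keepalive = True
                if not (value.isdigit() and int(value) > 0):
                    line = f"persistent-keepalive={keepalive}"
            elif section == "ipv4" and key.startswith("address") and "," in value:
                line = f"{key}={value.split(',', 1)[0]}"   # keep IP/prefix, drop the gateway
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in lint_keyfile(BROKEN_KEYFILE):
        print("BEFORE:", finding)
    print("AFTER:", lint_keyfile(fix_keyfile(BROKEN_KEYFILE)) or "clean")
```

Point it at the connection's keyfile under /etc/NetworkManager/system-connections/ (root-readable), write the repaired text back, then `nmcli connection reload` and re-activate the connection. To confirm roaming after a Wi-Fi switch, `wg show wg0 endpoints` and `wg show wg0 latest-handshakes` on the laptop, and the same on pfSense, should show the new source address and a fresh handshake within the keepalive interval.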

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.