Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Sharing my Wireguard S2S VPN configuration

    Scheduled Pinned Locked Moved
    WireGuard
    2
    4
    139
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      CapitanBlack
      last edited by CapitanBlack

      I've created HA S2S Wireguard VPN configuration between pairs of HA'ed pfSense's HA on each side.
      pfSense HA must be setup and work also CARP default gateways must be setup for all pfSense interfaces.

      WG Peers:

      Site_1
      pfSense1 HA paired with pfSense2

      • pfSense-1 == wg_tun0 ==> pfSense-3 [Tier1]
      • pfSense-1 == wg_tun1 ==> pfSense-4 [Tier2]
      • pfSense-2 == wg_tun0 ==> pfSense-3 [Tier1]
      • pfSense-2 == wg_tun1 ==> pfSense-4 [Tier2]

      Site_2
      pfSense3 HA paired with pfSense4

      • pfSense-3 == wg_tun0 ==> pfSense-1 [Tier1]
      • pfSense-3 == wg_tun1 ==> pfSense-2 [Tier2]
      • pfSense-4 == wg_tun0 ==> pfSense-1 [Tier1]
      • pfSense-4 == wg_tun1 ==> pfSense-2 [Tier2]

      Each pfSense has two Wireguard gateways in a gateway group (see the tiers setup above)

      c1a92cb2-2937-4f20-944e-e99c1999df30-image.png

      pfSense static routes don't allow using gateway groups as gateways - therefore each firewall has one floating rule, forwarding traffic to another site's subnets (listed in an alias) through above wireguard gateway group.

      It works great - i.e. connection between sites survives, if there at least one firewall left on each side. Switching is almost instant - if Tier1 gateway goes down - all new connections are routed through Tier2 gateway. The only one issue(or feature?) - firewalls themselves can't talk to their counterparts at another site. I guess it's because floating rules do not include localhost interface.So far I don't know how to solve this. Any ideas how to do that?

      17fdc7c2-5a55-4d5d-9837-8c95424f522e-image.png

      1 Reply Last reply Reply Quote 0
      • N
        Neverstopdreaming
        last edited by

        Hi,
        I'm trying to setup the same HAtoHA setup with 3 sites.
        Basic setup is working fine, so pf1 to pf3 in your example.

        It's not clear to me how you setup the site-to-site tunnels including pf2 and pf4.
        You cannot assign the same subnet on different interfaces so I didn't get how you manage the subnets.
        May I ask you to elaborate a bit more about Assigned Interfaces, IP and gateways? I would be really handy.

        For the routing I'd use the same policy routing on each interface. It seems to be more specific and you can use the gateway group as well.
        It doesn't solve your issue though, sorry.

        thanks

        C 1 Reply Last reply Reply Quote 0
        • C
          CapitanBlack @Neverstopdreaming
          last edited by CapitanBlack

          @Neverstopdreaming

          Interfaces: pfSense1

          Each WG tunnel uses own /24 network - i.e. 10.10.10.0/24 and 10.10.11.0/24

          f8d65066-84d2-4ff2-b8e7-15d6e7700429-image.png

          14cc3ee4-2fcd-4826-9df8-fa91c05a9944-image.png

          Wireguard Tunnels and peers (status screen)

          208b96e6-1a58-4805-bfa9-d3ace2646008-image.png

          pfSense1 Gateways

          78f80f5c-cecd-415e-9877-9e307a74e7d8-image.png

          **pfSense1 Wireguard Gateway group **

          5d7f7251-1652-472b-9040-22a4efa6777f-image.png

          Wireguard Status pfSense1 (left) vs. pfSense3 (right)

          85279878-f461-4676-b69d-cdc63e75b37e-image.png

          Wireguard Status pfSense2 (left) vs. pfSense4 (right)

          fbb00a12-91e0-4d2d-8cac-9f578cea1330-image.png

          N 1 Reply Last reply Reply Quote 0
          • N
            Neverstopdreaming @CapitanBlack
            last edited by

            @CapitanBlack Thank you! that's is what I needed.
            I didn't realize I could assign the same IP on pf1 and pf2 wg interfaces.
            Now I need to test the failover.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post