21.1 Legacy Series / Re: Wireguard with three interfaces (wg0, wg1 and wg2) has issues on OPNSense
« on: April 29, 2021, 06:09:59 pm »
Thanks for your question and here are the details.
OPNSense Wireguard "Endpoints" that are being tested are addressed as follows:
10.10.10.2/32, 10.10.10.3/32, 10.10.10.4/32, 10.10.10.5/32
10.20.20.2/32, 10.20.20.3/32, 10.20.20.4/32, 10.20.20.5/32
10.30.30.2/32, 10.30.30.3/32, 10.30.30.4/32, 10.30.30.5/32
All these devices function properly when only their "Local" configuration is enabled in OPNSense, or if all three "Local" configurations are enabled in OPNSense, then only the 10.10.10.x subnet works as expected.
OPNSense Wireguard "Local Configuration" for each subnet is as follows:
For instance "0" the following items are filled in, Name, Public Key, Private Key, Listen Port (51820), Tunnel Address (10.10.10.1/24), Peers (Selected endpoints), Disabled Routes (checked)
For instance "1" the following items are filled in, Name, Public Key, Private Key, Listen Port (51821), Tunnel Address (10.20.20.1/24), Peers (Selected endpoints), Disabled Routes (checked)
For instance "2" the following items are filled in, Name, Public Key, Private Key, Listen Port (51822), Tunnel Address (10.30.30.1/24), Peers (Selected endpoints), Disabled Routes (checked)
Incoming firewall rules, each "Listen Port" is assigned to a specific IP Address for incoming traffic and that works as expected. (51820 --> aa.bb.cc.dd), (51821 --> aa.bb.cc.ee), (51822 --> aa.bb.cc.ff).
Each client that uses a 10.10.10.xx/32 address is configured to send its Wireguard traffic to aa.bb.cc.dd
Each client that uses a 10.20.20.xx/32 address is configured to send its Wireguard traffic to aa.bb.cc.ee
Each client that uses a 10.30.30.xx/32 address is configured to send its Wireguard traffic to aa.bb.cc.ff
Outbound NAT firewall rules, each Wireguard interface is assigned to a specific IP Address for outgoing traffic and that works as expected. (wg0 --> aa.bb.cc.dd), (wg1 --> aa.bb.cc.ee), (wg2 --> aa.bb.cc.ff)
Outgoing firewall rules for each Wireguard interface's network (wg0 10.10.10.0/24), (wg1 10.20.20.0/24), (wg2 10.30.30.0/24) allow Wireguard traffic to go to the appropriate subnets and work as expected.
OPNSense "Gateway" configuration for each Interface is as follows:
wg0: IP address (dynamic), everything else is default
wg1: IP address (dynamic), everything else is default
wg2: IP address (dynamic), everything else is default
All gateways show up with "Online" status and are green.
As stated previously, individually the three interfaces (wg0, wg1, wg2) all function as expected. Any other ideas or settings that could be modified to enable all three interfaces (wg0, wg1, wg2) to function simultaneously as expected?
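One class of misconfiguration that produces exactly this symptom (every instance works alone, only the first works when all are enabled) is a peer network that is listed under more than one WireGuard interface, or two instances that end up on the same listen port: the routing table can only send a given destination out one interface, so the other instances silently lose. The checker below is an added example, not OPNsense's own code or the poster's configuration; it parses constructed wg-quick style configs (placeholder keys, the post's addressing) and reports cross-interface collisions, which is worth running against the exported config of each instance before comparing GUI settings.

```python
import ipaddress

def parse_wg(text):
    """Minimal wg-quick style parser: returns (interface address, listen port, [AllowedIPs])."""
    addr, port, allowed = None, None, []
    for line in text.splitlines():
        key, sep, val = (p.strip() for p in line.partition("="))
        if not sep:
            continue  # section headers and blank lines carry no key=value
        if key == "Address":
            addr = ipaddress.ip_interface(val)
        elif key == "ListenPort":
            port = int(val)
        elif key == "AllowedIPs":
            allowed += [ipaddress.ip_network(v.strip()) for v in val.split(",")]
    return addr, port, allowed

def check_instances(configs):
    """Report ports, tunnel networks and AllowedIPs that collide between two wg interfaces."""
    parsed = {name: parse_wg(text) for name, text in configs.items()}
    names, findings = list(parsed), []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (addr_a, port_a, allowed_a), (addr_b, port_b, allowed_b) = parsed[a], parsed[b]
            if port_a == port_b:
                findings.append(f"{a}/{b}: same ListenPort {port_a}")
            if addr_a.network.overlaps(addr_b.network):
                findings.append(f"{a}/{b}: tunnel networks overlap")
            for net_a in allowed_a:
                for net_b in allowed_b:
                    if net_a.overlaps(net_b):
                        findings.append(f"{a}/{b}: AllowedIPs {net_a} and {net_b} overlap; only one interface can carry it")
    return findings

# Constructed sample mirroring the post's three instances; wg1/wg2 share a port and wg0
# also lists wg1's peer so that both checks fire. Keys are placeholders, not real keys.
SAMPLE = {
    "wg0": "[Interface]\nAddress = 10.10.10.1/24\nListenPort = 51820\n"
           "[Peer]\nPublicKey = KEY_A_PLACEHOLDER\nAllowedIPs = 10.10.10.2/32\n"
           "[Peer]\nPublicKey = KEY_E_PLACEHOLDER\nAllowedIPs = 10.20.20.2/32\n",
    "wg1": "[Interface]\nAddress = 10.20.20.1/24\nListenPort = 51821\n"
           "[Peer]\nPublicKey = KEY_E_PLACEHOLDER\nAllowedIPs = 10.20.20.2/32\n",
    "wg2": "[Interface]\nAddress = 10.30.30.1/24\nListenPort = 51821\n"
           "[Peer]\nPublicKey = KEY_I_PLACEHOLDER\nAllowedIPs = 10.30.30.2/32\n",
}

if __name__ == "__main__":
    for finding in check_instances(SAMPLE) or ["no cross-interface collisions found"]:
        print(finding)
```

A clean three-instance layout like the one described in the post (distinct ports, distinct /24 tunnels, each /32 peer under exactly one interface) yields an empty findings list.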