Wireguard with three interfaces (wg0, wg1 and wg2) has issues on OPNSense

Started by quakdoc, April 28, 2021, 11:40:31 PM

Having an issue with wireguard, three interfaces (wg0, wg1 & wg2) are setup and configured.
When all three interfaces are enabled, only wg0 passes traffic, the other interfaces (wg1 & wg2) do not pass traffic. 

To use wg1, we disable wg0 and wg2 and then traffic flows as it should using wg1. Interface wg1 is verified to work when it's the only interface selected.

To use wg2, we disable wg0 and wg1 and then traffic flows as it should using wg2. Interface wg2 is verified to work when it's the only interface selected.

Since the interfaces (wg0, wg1, wg2) have been verified individually to work, is there a configuration setting that is required to ensure all three (wg0, wg1, wg2) interfaces pass traffic when all three (wg0, wg1, wg2) are enabled?

Update: added ifconfig information for wg0, wg1 & wg2

wg0: flags=43<UP,BROADCAST,RUNNING> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        groups: tun wireguard
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 85885
wg1: flags=43<UP,BROADCAST,RUNNING> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.20.20.1 netmask 0xffffff00 broadcast 10.20.20.255
        groups: tun wireguard
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 73711
wg2: flags=43<UP,BROADCAST,RUNNING> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.30.30.1 netmask 0xffffff00 broadcast 10.30.30.255
        groups: tun wireguard
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 50939


Sounds like your endpoints may have overlapping or identical allowed IPs?

Cheers

Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Thanks for your question and here are the details.

OPNSense Wireguard "Endpoints" that are being tested are addressed as follows:

10.10.10.2/32, 10.10.10.3/32, 10.10.10.4/32, 10.10.10.5/32
10.20.20.2/32, 10.20.20.3/32, 10.20.20.4/32, 10.20.20.5/32
10.30.30.2/32, 10.30.30.3/32, 10.30.30.4/32, 10.30.30.5/32

All these devices function properly when only their "Local" configuration is enabled in OPNSense, or if all three "Local" configurations are enabled in OPNSense, then only the 10.10.10.x subnet works as expected.


OPNSense Wireguard "Local Configuration" for each subnet is as follows:

For instance "0" the following items are filled in, Name, Public Key, Private Key, Listen Port (51820), Tunnel Address (10.10.10.1/24), Peers (Selected endpoints), Disabled Routes (checked)

For instance "1" the following items are filled in, Name, Public Key, Private Key, Listen Port (51821), Tunnel Address (10.20.20.1/24), Peers (Selected endpoints), Disabled Routes (checked)

For instance "2" the following items are filled in, Name, Public Key, Private Key, Listen Port (51822), Tunnel Address (10.30.30.1/24), Peers (Selected endpoints), Disabled Routes (checked)

Incoming firewall rules, each "Listen Port" is assigned to a specific IP Address for incoming traffic and that works as expected. (51820 --> aa.bb.cc.dd), (51821 --> aa.bb.cc.ee), (51822 --> aa.bb.cc.ff). 
Each client that uses a 10.10.10.xx/32 address is configured to send its Wireguard traffic to aa.bb.cc.dd
Each client that uses a 10.20.20.xx/32 address is configured to send its Wireguard traffic to aa.bb.cc.ee
Each client that uses a 10.30.30.xx/32 address is configured to send its Wireguard traffic to aa.bb.cc.ff


Outbound NAT firewall rules, each Wireguard interface is assigned to a specific IP Address for outgoing traffic and that works as expected. (wg0 --> aa.bb.cc.dd), (wg1 --> aa.bb.cc.ee), (wg2 --> aa.bb.cc.ff)

Outgoing Firewall Rules for each Wireguard interface's (wg0 10.10.10.0/24), (wg1 10.20.20.0/24), (wg2 10.30.30.0/24) network allow Wireguard traffic to go to the appropriate subnets and works as expected


OPNSense "Gateway" configuration for each Interface is as follows:

wg0:  IP address (dynamic), everything else is default
wg1:  IP address (dynamic), everything else is default
wg2:  IP address (dynamic), everything else is default
All gateways show up with "Online" status and are green.



As stated previously, individually the three interfaces (wg0, wg1, wg2) all function as expected.  Any other ideas or settings that could be modified to enable all three interfaces (wg0, wg1, wg2) to function simultaneously as expected?
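As an added illustration of the check suggested in Maurice's reply (overlapping or identical AllowedIPs), applied to the three-instance layout described in the posts above: this is example code, not part of the thread and not OPNsense's own tooling. It models the three local instances (listen ports 51820-51822, tunnel addresses 10.10.10.1/24, 10.20.20.1/24, 10.30.30.1/24, and the /32 endpoints listed in the thread) in a plain dictionary with invented peer names, then reports AllowedIPs that overlap within or across interfaces, listen-port collisions, overlapping tunnel subnets, and peers whose AllowedIPs lie outside their interface's tunnel subnet. A constructed second configuration with a catch-all 0.0.0.0/0 peer and a duplicated /32 shows what a hit looks like.

```python
import copy
import ipaddress
from itertools import combinations

# Constructed sample modelled on the thread's setup. Peer names are invented;
# ports, tunnel addresses and endpoint /32s are the ones given in the posts.
INSTANCES = {
    "wg0": {"listen_port": 51820, "tunnel": "10.10.10.1/24",
            "peers": {"p0-1": ["10.10.10.2/32"], "p0-2": ["10.10.10.3/32"],
                      "p0-3": ["10.10.10.4/32"], "p0-4": ["10.10.10.5/32"]}},
    "wg1": {"listen_port": 51821, "tunnel": "10.20.20.1/24",
            "peers": {"p1-1": ["10.20.20.2/32"], "p1-2": ["10.20.20.3/32"],
                      "p1-3": ["10.20.20.4/32"], "p1-4": ["10.20.20.5/32"]}},
    "wg2": {"listen_port": 51822, "tunnel": "10.30.30.1/24",
            "peers": {"p2-1": ["10.30.30.2/32"], "p2-2": ["10.30.30.3/32"],
                      "p2-3": ["10.30.30.4/32"], "p2-4": ["10.30.30.5/32"]}},
}

# Constructed broken variant: one wg1 peer is given a catch-all AllowedIPs and a
# new wg2 peer reuses an address that already belongs to a wg0 peer.
BROKEN = copy.deepcopy(INSTANCES)
BROKEN["wg1"]["peers"]["p1-5"] = ["0.0.0.0/0"]
BROKEN["wg2"]["peers"]["p2-5"] = ["10.10.10.2/32"]


def _peer_networks(instances):
    """Flatten the config to (interface, peer, ip_network) triples."""
    out = []
    for iface, cfg in instances.items():
        for peer, nets in cfg["peers"].items():
            for net in nets:
                out.append((iface, peer, ipaddress.ip_network(net, strict=False)))
    return out


def find_allowed_ip_overlaps(instances):
    """Pairs of peer AllowedIPs that overlap. Within one interface only one peer
    can own a destination (cryptokey routing); across interfaces two tunnels end
    up claiming the same destinations on the host."""
    hits = []
    for (ia, pa, na), (ib, pb, nb) in combinations(_peer_networks(instances), 2):
        if na.overlaps(nb):
            hits.append((ia, pa, str(na), ib, pb, str(nb)))
    return hits


def find_port_collisions(instances):
    """Interfaces that share a listen port: only one socket can bind it."""
    by_port = {}
    for iface, cfg in instances.items():
        by_port.setdefault(cfg["listen_port"], []).append(iface)
    return {port: ifaces for port, ifaces in by_port.items() if len(ifaces) > 1}


def find_tunnel_overlaps(instances):
    """Pairs of interfaces whose tunnel subnets overlap."""
    nets = [(iface, ipaddress.ip_network(cfg["tunnel"], strict=False))
            for iface, cfg in instances.items()]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]


def find_peers_outside_tunnel(instances):
    """Peers whose AllowedIPs are not inside their own interface's tunnel subnet.
    Legitimate for site-to-site routing, but worth inspecting when only one of
    several interfaces passes traffic."""
    hits = []
    for iface, cfg in instances.items():
        tunnel = ipaddress.ip_network(cfg["tunnel"], strict=False)
        for peer, nets in cfg["peers"].items():
            for net in nets:
                n = ipaddress.ip_network(net, strict=False)
                if not n.subnet_of(tunnel):
                    hits.append((iface, peer, str(n)))
    return hits


def audit(instances):
    """Run every check and return the findings keyed by check name."""
    return {
        "allowed_ip_overlaps": find_allowed_ip_overlaps(instances),
        "port_collisions": find_port_collisions(instances),
        "tunnel_overlaps": find_tunnel_overlaps(instances),
        "peers_outside_tunnel": find_peers_outside_tunnel(instances),
    }


def is_clean(instances):
    """True when no check produced a finding."""
    return not any(audit(instances).values())


if __name__ == "__main__":
    for name, cfg in (("thread config", INSTANCES), ("broken config", BROKEN)):
        print(f"{name}: {'clean' if is_clean(cfg) else 'findings'}")
        for check, findings in audit(cfg).items():
            if findings:
                print(f"  {check}: {findings}")
```

Run as-is, the configuration from the thread comes back clean on all four checks, which is consistent with the poster's later reply that the endpoints are distinct /32s per subnet; the broken variant reports the catch-all peer overlapping every other AllowedIPs entry and the duplicated 10.10.10.2/32. The same dictionary could be filled from the peer list of each OPNsense instance to reproduce the check on a live box.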