Question for Best Practice/Wireguard

Started by PotatoCarl, April 29, 2026, 08:51:25 AM

Hi

I have successfully set up one WireGuard VPN. It works inside our network and outside. So yay!
However, I copied this VPN to a second one; the differences are: a different port and a different IP range.
I cannot get this to work, i.e. my client does not show a "handshake".

Few things:
- We have two WANs, so both WireGuard clients have 2 peers
- The WAN is coming in via a Fritz box with exposed host pointed at the OPNsense port
- The different IP ranges are necessary because, in our experience, hotels for example sometimes use the same internal IP range as we do, so no routing is possible. Therefore we have multiple VPN instances to make sure "one of them works".

I know, I know, "I copied everything but..." usually means "but forgot something". I have checked all settings multiple times (gateways, interfaces, rules, NAT, shaping, WireGuard) and cannot find a difference.
Basically I am asking where to look, protocol-wise, to do debugging. Or any other tip, if what I was thinking is fundamentally wrong.

Well, maybe show the configuration for instances and peers, which would help to T-shoot.

But in general, if you have more than one instance of WireGuard, you need 4 essential things to make sure a connection is established:
1. Unique port per instance
2. Unique private and public keys per instance (thus unique keys for peers)
3. Unique network per instance and its peers
4. Proper rules on the WAN interfaces to permit the specific instance (a per-instance port rule)

To establish the WireGuard connection this is essential, plus the ingress underlay interface rule.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNsense HW
N355 - i226-V | AQC113C | 16G | 500G - PROD

PRXMX
N5105 - i226-V | 2x8G | 512G - NODE #1
N100 - i226-V | 16G | 1T - NODE #2
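The four uniqueness requirements in the reply above are exactly the kind of thing that gets lost when one instance is cloned from another. As an added example (not code from the thread or from the OPNsense project), the POSIX shell script below writes three constructed WireGuard-style instance configs with placeholder keys into a temporary directory, then checks that every pair of instances differs in ListenPort, PrivateKey and Address, and prints the per-instance UDP port rule the WAN would need. The second sample config deliberately reuses the first instance's key, the classic "copied everything but..." mistake, so the check shows what a failing comparison looks like. File names, the key placeholders and the addresses are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example: sanity-check cloned WireGuard instance configs for the
# per-instance uniqueness rules (port, key, network) discussed in the thread.
# All config files below are constructed samples with placeholder keys.

WG_DIR="${WG_DIR:-$(mktemp -d)}"

# Instance 1 (constructed; PLACEHOLDER_KEY_1 is not a real key)
cat > "$WG_DIR/wg1.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_KEY_1
ListenPort = 51820
Address = 10.10.10.1/24
EOF

# Instance 2 (constructed): port and network changed, but the key was copied
# along with everything else, which the check below should catch
cat > "$WG_DIR/wg2.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_KEY_1
ListenPort = 51821
Address = 10.10.20.1/24
EOF

# Instance 3 (constructed): its own key, port and network
cat > "$WG_DIR/wg3.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_KEY_3
ListenPort = 51822
Address = 10.10.30.1/24
EOF

# wg_field FILE KEY: print the value of KEY from the [Interface] section
# (first match, leading whitespace around '=' removed)
wg_field() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_unique KEY FILE...: return 0 when every file carries a different
# value for KEY, 1 when a value is missing or shared between instances
check_unique() {
  key=$1; shift
  values=""
  for f in "$@"; do
    v=$(wg_field "$f" "$key")
    [ -n "$v" ] || { echo "missing $key in $f" >&2; return 1; }
    values="$values
$v"
  done
  dups=$(printf '%s\n' "$values" | sed '/^$/d' | sort | uniq -d)
  if [ -n "$dups" ]; then
    echo "duplicate $key across instances: $dups" >&2
    return 1
  fi
  return 0
}

# check_instances FILE...: apply rules 1-3 (unique port, key, network).
# Comparing the Address line is a simplification of "unique network".
check_instances() {
  rc=0
  for key in ListenPort PrivateKey Address; do
    check_unique "$key" "$@" || rc=1
  done
  return $rc
}

# expected_wan_rules FILE...: rule 4, one inbound UDP pass rule per instance
# port, printed in a pf-like notation as a reminder of what the WAN needs
expected_wan_rules() {
  for f in "$@"; do
    port=$(wg_field "$f" ListenPort)
    echo "pass in on WAN proto udp from any to (WAN) port $port  # $(basename "$f")"
  done
}

if check_instances "$WG_DIR/wg1.conf" "$WG_DIR/wg3.conf"; then
  echo "wg1 + wg3: ports, keys and networks are all unique"
fi
if check_instances "$WG_DIR/wg1.conf" "$WG_DIR/wg2.conf"; then
  echo "wg1 + wg2: unique"
else
  echo "wg1 + wg2: a copied setting needs fixing (see message above)"
fi
expected_wan_rules "$WG_DIR/wg1.conf" "$WG_DIR/wg2.conf" "$WG_DIR/wg3.conf"
```

Once the static settings pass, the protocol-level place to look on the firewall is the handshake itself: `wg show` reports the latest handshake per peer, and a packet capture on the WAN for UDP traffic to the instance's port tells you whether the client's handshake initiation even arrives at OPNsense (if it never shows up, the problem is in the Fritz box exposed-host forwarding or the WAN rule, not in the WireGuard config).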