Wireguard Connections

Started by spetrillo, December 28, 2023, 04:54:17 PM

Hello all,

I am an old-school VPN tunnel guy, so I always think of a tunnel as being a one-to-one situation. In the connection-based world, can one connection have multiple different remote connections running against it? For example, my Site A OPNsense firewall has a Wireguard connection. Can this connection support multiple remote connections at the same time, being a combination of client and site connections?

Thanks,
Steve

December 28, 2023, 06:21:30 PM #1 Last Edit: December 28, 2023, 06:23:40 PM by Monviech
Yes.

You can add as many wireguard peers (site2site and clients) as you want to a single endpoint (instance).
Hardware:
DEC740

Quote from: Monviech on December 28, 2023, 06:21:30 PM
Yes.

You can add as many wireguard peers (site2site and clients) as you want to a single endpoint (instance).

If I have an endpoint that will have client and site connections, can they all use the same port, or do I need a separate port for clients and sites? I can get the client connections to go on port 51820, but I cannot seem to get the S2S connected.

It all works on the same port. Any peer can connect to any endpoint. Wireguard doesn't separate s2s or roadwarrior. They're all the same peers.
Hardware:
DEC740
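To make the "one instance, one port, many peers" model concrete, here is an added example (not from this thread and not OPNsense's own code): a constructed wg-quick style config for a single instance listening on 51820 with one site-to-site peer (it has an Endpoint and carries a remote LAN in AllowedIPs) and two road-warrior peers (no Endpoint, they dial in). The script parses it, builds the cryptokey routing table WireGuard derives from AllowedIPs, and checks that no two peers claim overlapping prefixes, which is the usual reason a peer "connects" but traffic goes to the wrong tunnel. All keys, hostnames and addresses are placeholders I made up; the parser and the helper names are mine, not WireGuard's.

```python
"""Added example: one WireGuard instance, one ListenPort, mixed peer types.
Parses a constructed wg-quick style config (placeholder keys, not real ones),
derives the cryptokey routing table from AllowedIPs and flags overlaps."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample config; every key is a placeholder, not a real WireGuard key.
SAMPLE_CONF = """
[Interface]
PrivateKey = <SITE_A_PRIVATE_KEY_PLACEHOLDER>
Address = 10.99.0.1/24
ListenPort = 51820

# Site-to-site peer: Site B firewall, reachable at a fixed endpoint
[Peer]
PublicKey = <SITE_B_PUBLIC_KEY_PLACEHOLDER>
Endpoint = siteb.example.invalid:51820
AllowedIPs = 10.99.0.2/32, 192.168.20.0/24
PersistentKeepalive = 25

# Road-warrior peers: no Endpoint, they dial in to the same port 51820
[Peer]
PublicKey = <LAPTOP_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.99.0.10/32

[Peer]
PublicKey = <PHONE_PUBLIC_KEY_PLACEHOLDER>
AllowedIPs = 10.99.0.11/32
"""

# Constructed misconfiguration: two peers both claim the Site B LAN.
CONFLICTING_CONF = SAMPLE_CONF + """
[Peer]
PublicKey = <STALE_SITE_B_KEY_PLACEHOLDER>
AllowedIPs = 192.168.20.0/24
"""


def parse_wg_conf(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Minimal parser for wg-quick style INI with repeated [Peer] sections.
    (configparser cannot be used because it rejects duplicate section names.)"""
    interface: Dict[str, str] = {}
    peers: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))  # keys may end in '='
            current[key] = value
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    return interface, peers


def cryptokey_routing_table(peers: List[Dict[str, str]]):
    """Map each AllowedIPs prefix to the public key of the peer that owns it."""
    table = []
    for peer in peers:
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if cidr:
                table.append((ipaddress.ip_network(cidr, strict=False), peer["PublicKey"]))
    return table


def find_overlaps(table) -> List[Tuple[Tuple[str, str], Tuple[str, str]]]:
    """Return pairs of entries from *different* peers whose prefixes overlap."""
    overlaps = []
    for i, (net1, key1) in enumerate(table):
        for net2, key2 in table[i + 1:]:
            if key1 != key2 and net1.version == net2.version and net1.overlaps(net2):
                overlaps.append(((str(net1), key1), (str(net2), key2)))
    return overlaps


def route_for(table, dst: str) -> Optional[str]:
    """Longest-prefix match: which peer's tunnel would a packet to dst enter?"""
    addr = ipaddress.ip_address(dst)
    matches = [(net, key) for net, key in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda entry: entry[0].prefixlen)[1]


def summarize(conf_text: str = SAMPLE_CONF) -> Dict[str, object]:
    """Summary of one instance: port, peer counts, overlaps, two sample routes."""
    iface, peers = parse_wg_conf(conf_text)
    table = cryptokey_routing_table(peers)
    return {
        "listen_port": int(iface["ListenPort"]),
        "peer_count": len(peers),
        "dialing_in": sum(1 for p in peers if "Endpoint" not in p),
        "overlaps": find_overlaps(table),
        "route_192_168_20_5": route_for(table, "192.168.20.5"),
        "route_10_99_0_10": route_for(table, "10.99.0.10"),
    }


if __name__ == "__main__":
    print(summarize())
    print("conflicts:", find_overlaps(cryptokey_routing_table(parse_wg_conf(CONFLICTING_CONF)[1])))
```

Running it shows all three peers hanging off the one interface on port 51820, two of them without an Endpoint (they initiate), and the Site B LAN routed to the site peer while the laptop's /32 routes to the laptop. The second config demonstrates the failure mode to watch for when adding a new site peer: a second peer claiming 192.168.20.0/24 is reported as an overlap, which on a live instance means the last peer configured silently takes the prefix.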

Quote from: Monviech on December 31, 2023, 11:03:25 PM
It all works on the same port. Any peer can connect to any endpoint. Wireguard doesn't separate s2s or roadwarrior. They're all the same peers.

Ok new question...

How big of a subnet should I use for the site-to-site peers, knowing that client connections will also be a part of this? Typically, if this were a traditional S2S connection, I would use a /31 since there is no need for a broadcast. Can this work for S2S and C2S connections? Could the client IP side be in a different subnet?