astorm

ANSWERED OPNSense WireGuard Multiple Connections


I am trying to set up multiple connections to AirVPN in my OPNSense firewall for redundant/failover routing. I have a single connection functioning well but struggling on the second one. I want the second one to be connected to a different AirVPN endpoint than the first. I have created a second WireGuard instance in OPNSense, created a second device in the AirVPN Client area, and downloaded a config for each device. My problem is that when I add a second peer to OPNSense, the public key for both AirVPN Clients in the [peer] section of the config file is the same. OPNSense is unhappy because it states "Public keys should be unique". Is it possible to add a second peer that connects to a different AirVPN endpoint? I'm hoping I'm just missing something simple here. 

Have you also added a second Instance so that another wg interface is created, for which you have to create another gateway as well?

You need a peer, an instance and a gateway for each wg connection. Don't forget to create the outbound NAT rule as well.

Also don't forget to "Disable routes" in the Instance settings. Otherwise all traffic will get routed automatically.

Please check https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html


I did create a new peer, instance, and gateway for each wg connection and associated rules. My problem is that the second peer doesn't like having the same public key as the first peer so it won't accept the configuration.

Is this perhaps an issue with OPNSense? It seems they have restricted the use of a private key to a single peer: https://github.com/opnsense/core/issues/7110
Since AirVPN seems to re-use the private key of the peer even in different "client" profiles, it seems that I'm unable to connect to more than a single endpoint at a time via WireGuard.

14 hours ago, astorm said:

Is this perhaps an issue with OPNSense? It seems they have restricted the use of a private key to a single peer: https://github.com/opnsense/core/issues/7110
Since AirVPN seems to re-use the private key of the peer even in different "client" profiles, it seems that I'm unable to connect to more than a single endpoint at a time via WireGuard.


Hello!

With AirVPN you may have multiple keys per account and you may use unique keys per profile, please see here:
https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/

Kind regards

I have followed that guide and created a separate key for a different client. The WireGuard config file still uses the same public key in the [peer] section for all clients configured. The client key pair is different as expected, and is updated in the [interface] section of the config file.


I vaguely remember you need to create a separate AirVPN Device and select it when generating Wireguard config. You’ll then get a new private key which results in a new public key for your second instance. OPNSense should be happy. 

1 hour ago, astorm said:

The Wireguard config file still uses the same public key in the [peer] section all clients configured


Hello!

Well, of course... that's the servers' public key, you can't change it!

Kind regards

OPNSense won't let me use that same public key for the server in a second peer that connects to a different AirVPN endpoint.

2 minutes ago, astorm said:

OPNSense won't let me use that same public key for the server in a second peer that connects to a different AirVPN endpoint.


Hello!

That's a pity, and apparently an unnecessary limitation. In our infrastructure WireGuard lives in one 10.128.0.0/16 subnet to make the key <> IP address static correspondence more manageable (WireGuard can't assign addresses dynamically), no need to change subnets and public key on each server.

Kind regards

Thanks for the replies. I now believe this is solely an OPNSense problem. I was able to modify the configuration backend file within OPNSense to bypass the duplicate public key check and successfully added a peer with the duplicate key. This allowed me to connect to two endpoints simultaneously and set up load balancing/failover. I have submitted a bug report to OPNSense.

For anyone who comes across this issue while OPNSense still has this superfluous requirement, you can bypass the check (make backups of files/configurations!):
1) /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
2) Remove the lines below from the <pubkey type="Base64Field"> entry (current version starts on line 18).

<Constraints>
	<check001>
		<ValidationMessage>Public keys should be unique.</ValidationMessage>
		<type>UniqueConstraint</type>
	</check001>
</Constraints>

3) Save the file. You may have to restart the firewall and/or reload the web GUI for the change to take effect, not sure.

On 2/7/2024 at 5:24 PM, astorm said:

Thanks for the replies. I now believe this is solely an OPNSense problem. I was able to modify the configuration backend file within OPNSense to bypass the duplicate public key check and successfully added a peer with the duplicate key. This allowed me to connect to two endpoints simultaneously and set up load balancing/failover. I have submitted a bug report to OPNSense.

For anyone who comes across this issue while OPNSense still has this superfluous requirement, you can bypass the check (make backups of files/configurations!):
1) /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
2) Remove the lines below from the <pubkey type="Base64Field"> entry (current version starts on line 18).


<Constraints>
	<check001>
		<ValidationMessage>Public keys should be unique.</ValidationMessage>
		<type>UniqueConstraint</type>
	</check001>
</Constraints>

3) Save the file. You may have to restart the firewall and/or reload the web GUI for the change to take effect, not sure. 

I can confirm the issue. Thanks for your workaround. 

The issue is, we're required to create a copy of each peer (because each WG device has its own PresharedKey) for each AirVPN wg interface we'd like to use at the same time, but OPNsense doesn't allow us to create two peers sharing the same public key. I think, ideally, the PresharedKey should be the same across all devices of the same account. IIRC, that's what Mullvad does.


On OPNsense 24.7.12, same file:
/usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml


I am not sure how I have missed this thread with my fellow opnsense users.
Here is my method:
Open a previously working peer, click clone, and update the endpoint address ONLY. Leave everything else the same.

This is what I am assuming would let it round-robin connect on failure, but it doesn't seem to work anymore.

Save and then make sure it's enabled and added under peers for that instance.


After much troubleshooting, and even jumping ship and purchasing trials of 2-3 other providers (2 are well known on here):
this is not an Opnsense issue. This is isolated to airvpn.

I don't want to get banned so I won't say whom unless I am approved to.

If I follow the above directions and add a 2nd peer with 2 other providers, an additional tunnel is created and traffic does pass; in fact in most instances it switches to it without me restarting the tunnel. This does not happen with airvpn.

Are we somehow limited to only one connection with wireguard, even though it states 5?

With airvpn, is it required to create a new device key? It sounds like it was done above and it still didn't work.

1 hour ago, Air4141841 said:

After much troubleshooting, and even jumping ship and purchasing trials of 2-3 other providers (2 are well known on here):
this is not an Opnsense issue. This is isolated to airvpn.

I don't want to get banned so I won't say whom unless I am approved to.

If I follow the above directions and add a 2nd peer with 2 other providers, an additional tunnel is created and traffic does pass; in fact in most instances it switches to it without me restarting the tunnel. This does not happen with airvpn.

Are we somehow limited to only one connection with wireguard, even though it states 5?

With airvpn, is it required to create a new device key? It sounds like it was done above and it still didn't work.

No, I run at least 3 connections throughout the day, no issues.

34 minutes ago, flat4 said:


No, I run at least 3 connections throughout the day, no issues.

Off of one instance by adding just additional peers?

Or are you creating multiple airvpn devices, creating 2 instances with a different "peer aka location", and doing a gateway group to balance them?

24 minutes ago, flat4 said:

3 different devices, so you are trying to use the same device profile and have multiple different connections?


I'll try devices.

Correct. It works with other providers.

With opnsense, are you using gateway groups? Or how are you redirecting traffic to the new server if one fails / goes offline?


Same issue as the original poster, but this is not an opnsense issue. The public key can't be reused even with a new device created on my account.

Other providers work.

15 minutes ago, Air4141841 said:

I'll try devices.

Correct. It works with other providers.

With opnsense, are you using gateway groups? Or how are you redirecting traffic to the new server if one fails / goes offline?


I'm using pfsense, but it's almost the same firewall; yes, I am using gateway groups.
If one fails, it kills the states and moves to the next one.

I had to stop though because of my ISP; they were having issues and it was a constant connect/reconnect issue.

On 2/7/2024 at 9:24 AM, astorm said:

Thanks for the replies. I now believe this is solely an OPNSense problem. I was able to modify the configuration backend file within OPNSense to bypass the duplicate public key check and successfully added a peer with the duplicate key. This allowed me to connect to two endpoints simultaneously and set up load balancing/failover. I have submitted a bug report to OPNSense.

For anyone who comes across this issue while OPNSense still has this superfluous requirement, you can bypass the check (make backups of files/configurations!):
1) /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
2) Remove the lines below from the <pubkey type="Base64Field"> entry (current version starts on line 18).


<Constraints>
	<check001>
		<ValidationMessage>Public keys should be unique.</ValidationMessage>
		<type>UniqueConstraint</type>
	</check001>
</Constraints>
3) Save the file. You may have to restart the firewall and/or reload the web GUI for the change to take effect, not sure. 


I also experience this issue. Will implement your solution now. Thank you very much.

Running OPNsense 25.7.a_36-amd64, this is what my unaltered Constraints section looks like:
<Constraints>
  <check001>
    <ValidationMessage>Public keys should be unique.</ValidationMessage>
    <type>UniqueConstraint</type>
    <addFields>
      <field1>serveraddress</field1>
      <field2>serverport</field2>
    </addFields>
  </check001>
</Constraints>
On 2/7/2024 at 5:24 PM, astorm said:

Thanks for the replies. I now believe this is solely an OPNSense problem. I was able to modify the configuration backend file within OPNSense to bypass the duplicate public key check and successfully added a peer with the duplicate key. This allowed me to connect to two endpoints simultaneously and set up load balancing/failover. I have submitted a bug report to OPNSense.

For anyone who comes across this issue while OPNSense still has this superfluous requirement, you can bypass the check (make backups of files/configurations!):
1) /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
2) Remove the lines below from the <pubkey type="Base64Field"> entry (current version starts on line 18).


<Constraints>
	<check001>
		<ValidationMessage>Public keys should be unique.</ValidationMessage>
		<type>UniqueConstraint</type>
	</check001>
</Constraints>
3) Save the file. You may have to restart the firewall and/or reload the web GUI for the change to take effect, not sure. 

 
First off, thanks @Gliglue


For those still interested in this, as of 25.1 the fix is still on line 18, but I made a slight change, replacing the 'Required' field from a "Y" to an "N".
<pubkey type="Base64Field">
  <Required>N</Required>
  <Constraints>
    <check001>
      <ValidationMessage>Public keys should be unique.</ValidationMessage>
      <type>UniqueConstraint</type>
      <addFields>
        <field1>serveraddress</field1>
        <field2>serverport</field2>
      </addFields>
    </check001>
  </Constraints>
</pubkey>
A simple reload of the GUI was enough.

Hope this helps.
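As an added example (not from this thread, AirVPN or OPNsense), the script below parses two AirVPN-style WireGuard configs for two devices of one account (constructed samples with placeholder keys and example.org endpoints) and applies the two uniqueness policies this thread walks through: the pubkey-only UniqueConstraint that astorm's workaround removes from Client.xml, and the composite pubkey + serveraddress + serverport constraint visible in the later Client.xml versions quoted above. It shows why the same server public key with different endpoints collides under the first policy but not the second.

```python
import configparser
from collections import Counter

# Constructed sample configs in the shape a per-device WireGuard config takes:
# key material is placeholder text, not real keys; endpoints are made up.
CONF_DEVICE_A = """
[Interface]
Address = 10.128.1.2/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY_DEVICE_A=
[Peer]
PublicKey = PLACEHOLDER_SHARED_SERVER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PSK_DEVICE_A=
Endpoint = endpoint-a.example.org:51820
AllowedIPs = 0.0.0.0/0
"""
CONF_DEVICE_B = """
[Interface]
Address = 10.128.1.3/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY_DEVICE_B=
[Peer]
PublicKey = PLACEHOLDER_SHARED_SERVER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PSK_DEVICE_B=
Endpoint = endpoint-b.example.org:51820
AllowedIPs = 0.0.0.0/0
"""

# Field sets mirroring the two UniqueConstraint variants seen in Client.xml.
PUBKEY_ONLY = ("publickey",)
PUBKEY_AND_ENDPOINT = ("publickey", "serveraddress", "serverport")

def parse_peer(conf_text):
    """Return the [Peer] section as a dict (configparser lower-cases keys),
    with Endpoint split into serveraddress/serverport as OPNsense stores it."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    peer = dict(cp["Peer"])
    host, _, port = peer["endpoint"].rpartition(":")  # also handles [v6]:port
    peer["serveraddress"], peer["serverport"] = host, int(port)
    return peer

def duplicate_peers(peers, fields):
    """Apply a UniqueConstraint over `fields`; return the colliding tuples."""
    counts = Counter(tuple(p[f] for f in fields) for p in peers)
    return [key for key, n in counts.items() if n > 1]

def check_configs(conf_texts, fields):
    """Parse every config and report which peers the given policy rejects."""
    return duplicate_peers([parse_peer(t) for t in conf_texts], fields)
```

Running `check_configs([CONF_DEVICE_A, CONF_DEVICE_B], PUBKEY_ONLY)` reports one collision on the shared server key, while the composite policy reports none, because the per-device configs differ only in endpoint, private key and PresharedKey.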