astorm

ANSWERED OPNSense WireGuard Multiple Connections

I am trying to set up multiple connections to AirVPN in my OPNSense firewall for redundant/failover routing. I have a single connection functioning well but struggling on the second one. I want the second one to be connected to a different AirVPN endpoint than the first. I have created a second WireGuard instance in OPNSense, created a second device in the AirVPN Client area, and downloaded a config for each device. My problem is that when I add a second peer to OPNSense, the public key for both AirVPN Clients in the [peer] section of the config file is the same. OPNSense is unhappy because it states "Public keys should be unique". Is it possible to add a second peer that connects to a different AirVPN endpoint? I'm hoping I'm just missing something simple here. 

Have you also added a second Instance so that another wg interface is created, for which you have to create another gateway as well?

You need a peer, an instance and a gateway for each wg connection. Don't forget to create the outbound NAT rule as well.

Also don't forget to "Disable routes" in the Instance settings. Otherwise all traffic will get routed automatically.

Please check https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html



I did create a new peer, instance, and gateway for each wg connection and associated rules. My problem is that the second peer doesn't like having the same public key as the first peer so it won't accept the configuration.


Is this perhaps an issue with OPNSense? It seems they have restricted the use of a private key to a single peer: https://github.com/opnsense/core/issues/7110
Since AirVPN seems to re-use the private key of the peer even in different "client" profiles, it seems that I'm unable to connect to more than a single endpoint at a time via WireGuard.

14 hours ago, astorm said:

Is this perhaps an issue with OPNSense? It seems they have restricted the use of a private key to a single peer: https://github.com/opnsense/core/issues/7110
Since AirVPN seems to re-use the private key of the peer even in different "client" profiles, it seems that I'm unable to connect to more than a single endpoint at a time via WireGuard.


Hello!

With AirVPN you may have multiple keys per account and you may use unique keys per profile, please see here:
https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/

Kind regards

I have followed that guide and created a separate key for a different client. The Wireguard config file still uses the same public key in the [peer] section for all clients configured. The client key pair is different as expected, and is updated in the [interface] section of the config file.


I vaguely remember you need to create a separate AirVPN Device and select it when generating Wireguard config. You’ll then get a new private key which results in a new public key for your second instance. OPNSense should be happy. 

1 hour ago, astorm said:

The Wireguard config file still uses the same public key in the [peer] section all clients configured


Hello!

Well, of course... that's the servers' public key, you can't change it!

Kind regards

OPNSense won't let me use that same public key for the server in a second peer that connects to a different AirVPN endpoint.

2 minutes ago, astorm said:

OPNSense won't let me use that same public key for the server in a second peer that connects to a different AirVPN endpoint.


Hello!

That's a pity, and apparently an unnecessary limitation. In our infrastructure WireGuard lives in one 10.128.0.0/16 subnet to make the key <> IP address static correspondence more manageable (WireGuard can't assign addresses dynamically), no need to change subnets and public key on each server.

Kind regards

Thanks for the replies. I now believe this is solely an OPNSense problem. I was able to modify the configuration backend file within OPNSense to bypass the duplicate public key check and successfully added a peer with the duplicate key. This allowed me to connect to two endpoints simultaneously and set up load balancing/failover. I have submitted a bug report to OPNSense.

For anyone who comes across this issue while OPNSense still has this superfluous requirement, you can bypass the check (make backups of files/configurations!):
1) /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
2) Remove the lines below from the <pubkey type="Base64Field"> entry (current version starts on line 18).

<Constraints>
	<check001>
		<ValidationMessage>Public keys should be unique.</ValidationMessage>
		<type>UniqueConstraint</type>
	</check001>
</Constraints>
3) Save the file. You may have to restart the firewall and/or reload the web GUI for the change to take effect, not sure.

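The manual edit described in the post above can be scripted so that it takes a backup first, removes only the uniqueness check on the peer public key (leaving every other constraint in the model alone), and can be re-run unchanged after each OPNsense update replaces Client.xml. The script below is an added example, not OPNsense's own code: it assumes the model path and the <pubkey type="Base64Field"> / <Constraints> / <check001> layout quoted in the post, and the SAMPLE_MODEL inside it is a constructed stand-in for the real file, used only for the dry run.

```python
#!/usr/local/bin/python3
"""Strip OPNsense's "Public keys should be unique" check from the WireGuard
peer model, keeping a timestamped backup of the original file.

Added example, not OPNsense code. Assumes the model file path and the
<pubkey type="Base64Field"> / <Constraints> / <check001> layout quoted in
the post above. SAMPLE_MODEL is a constructed stand-in, not the real file.
"""
import shutil
import sys
import time
import xml.etree.ElementTree as ET

# Path quoted in the post above. Core updates overwrite this file, so the
# patch has to be re-applied after every upgrade.
MODEL_PATH = "/usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml"


def strip_unique_pubkey_constraint(root):
    """Remove every UniqueConstraint check that sits under a <pubkey> field.

    Only the uniqueness check on the peer public key is touched: other
    checks on pubkey, and UniqueConstraints on other fields, are kept.
    Returns the number of checks removed.
    """
    removed = 0
    for pubkey in root.iter("pubkey"):
        for constraints in pubkey.findall("Constraints"):
            for check in list(constraints):
                if check.findtext("type") == "UniqueConstraint":
                    constraints.remove(check)
                    removed += 1
            if len(constraints) == 0:  # nothing left: drop the empty wrapper
                pubkey.remove(constraints)
    return removed


def patch_model_text(xml_text):
    """Patch a model document given as a string; returns (new_xml, removed)."""
    root = ET.fromstring(xml_text)
    removed = strip_unique_pubkey_constraint(root)
    return ET.tostring(root, encoding="unicode"), removed


def patch_model_file(path=MODEL_PATH):
    """Back up and patch the model file in place; returns (removed, backup_path)."""
    backup = "%s.%s.bak" % (path, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, backup)
    tree = ET.parse(path)
    removed = strip_unique_pubkey_constraint(tree.getroot())
    if removed:
        tree.write(path, encoding="utf-8", xml_declaration=True)
    return removed, backup


# Constructed sample modelled on the field quoted in the post (not the real
# Client.xml). The <name> field carries its own UniqueConstraint purely to
# show that checks on other fields survive the patch.
SAMPLE_MODEL = """<model>
  <mount>//OPNsense/wireguard/client</mount>
  <items>
    <clients>
      <client type="ArrayField">
        <name type="TextField">
          <Constraints>
            <check001>
              <ValidationMessage>Name should be unique.</ValidationMessage>
              <type>UniqueConstraint</type>
            </check001>
          </Constraints>
        </name>
        <pubkey type="Base64Field">
          <Required>Y</Required>
          <Constraints>
            <check001>
              <ValidationMessage>Public keys should be unique.</ValidationMessage>
              <type>UniqueConstraint</type>
            </check001>
          </Constraints>
        </pubkey>
        <serveraddress type="HostnameField"/>
      </client>
    </clients>
  </items>
</model>
"""

if __name__ == "__main__":
    if "--dry-run" in sys.argv[1:]:
        new_xml, n = patch_model_text(SAMPLE_MODEL)
        print("sample: removed %d check(s)\n%s" % (n, new_xml))
    else:
        n, backup = patch_model_file()
        print("removed %d check(s) from %s (backup: %s)" % (n, MODEL_PATH, backup))
```

Run it as root on the firewall; `--dry-run` only shows the effect on the constructed sample and touches nothing on disk. The `.bak` file is the way back if the GUI misbehaves. Two things worth keeping in mind: this removes a validation rule from the firewall's own model layer, so nothing else will stop you from entering a duplicate by mistake, and WireGuard itself has no objection to the same peer public key appearing on two different wg interfaces, which is exactly the two-endpoint setup the thread is after.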
