astorm 0 Posted ... I am trying to set up multiple connections to AirVPN in my OPNSense firewall for redundant/failover routing. I have a single connection functioning well but am struggling on the second one. I want the second one to be connected to a different AirVPN endpoint than the first. I have created a second WireGuard instance in OPNSense, created a second device in the AirVPN Client area, and downloaded a config for each device. My problem is that when I add a second peer to OPNSense, the public key for both AirVPN clients in the [Peer] section of the config file is the same. OPNSense is unhappy because it states "Public keys should be unique". Is it possible to add a second peer that connects to a different AirVPN endpoint? I'm hoping I'm just missing something simple here.
cheapsheep 6 Posted ... Have you also added a second Instance so that another wg interface is created, for which you have to create another gateway as well? You need a peer, an instance and a gateway for each wg connection. Don't forget to create the outbound NAT rule as well. Also don't forget to "Disable routes" in the Instance settings; otherwise all traffic will get routed automatically. Please check https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html
astorm 0 Posted ... I did create a new peer, instance, and gateway for each wg connection and the associated rules. My problem is that the second peer doesn't like having the same public key as the first peer, so it won't accept the configuration.
astorm 0 Posted ... Is this perhaps an issue with OPNSense? It seems they have restricted the use of a private key to a single peer: https://github.com/opnsense/core/issues/7110 Since AirVPN seems to re-use the private key of the peer even in different "client" profiles, it seems that I'm unable to connect to more than a single endpoint at a time via WireGuard.
Staff 9972 Posted ... 14 hours ago, astorm said: "Is this perhaps an issue with OPNSense? It seems they have restricted the use of a private key to a single peer: https://github.com/opnsense/core/issues/7110 Since AirVPN seems to re-use the private key of the peer even in different "client" profiles, it seems that I'm unable to connect to more than a single endpoint at a time via WireGuard." Hello! With AirVPN you may have multiple keys per account and you may use unique keys per profile, please see here: https://airvpn.org/forums/topic/26209-how-to-manage-client-certificatekey-pairs/ Kind regards
astorm 0 Posted ... I have followed that guide and created a separate key for a different client. The WireGuard config file still uses the same public key in the [Peer] section for all clients configured. The client key pair is different as expected, and is updated in the [Interface] section of the config file.
benfitita 39 Posted ... I vaguely remember you need to create a separate AirVPN Device and select it when generating the WireGuard config. You'll then get a new private key, which results in a new public key for your second instance. OPNSense should be happy.
Staff 9972 Posted ... 1 hour ago, astorm said: "The WireGuard config file still uses the same public key in the [Peer] section for all clients configured." Hello! Well, of course... that's the servers' public key, you can't change it! Kind regards
astorm 0 Posted ... OPNSense won't let me use that same public key for the server in a second peer that connects to a different AirVPN endpoint.
Staff 9972 Posted ... 2 minutes ago, astorm said: "OPNSense won't let me use that same public key for the server in a second peer that connects to a different AirVPN endpoint." Hello! That's a pity, and apparently an unnecessary limitation. In our infrastructure WireGuard lives in one 10.128.0.0/16 subnet to make the key <> IP address static correspondence more manageable (WireGuard can't assign addresses dynamically), so there is no need to change subnets and public key on each server. Kind regards
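To make the point of the last few posts concrete: two device profiles from the same provider differ in the client key pair, the client address and the endpoint, but share the server public key, and a uniqueness check that keys on the remote public key alone rejects the second one even though the (PublicKey, Endpoint) pairs are distinct. The script below is an added example written for this thread, not AirVPN's or OPNsense's code. Its two profiles are constructed stand-ins (placeholder keys, example.net endpoints); only the 10.128.0.0/16 client subnet is taken from the staff reply above.

```python
"""Compare two WireGuard profiles for the same VPN account.

Added example for this thread; not AirVPN's or OPNsense's code. PROFILE_A and
PROFILE_B are constructed stand-ins shaped like wg-quick files (placeholder
keys, example.net endpoints); only the 10.128.0.0/16 subnet comes from the
staff post above.
"""
import base64
import ipaddress

AIRVPN_WG_SUBNET = ipaddress.ip_network("10.128.0.0/16")  # from the staff post


def _fake_key(n: int) -> str:
    """Constructed 32-byte placeholder, base64-encoded like a real WireGuard key."""
    return base64.b64encode(bytes([n]) * 32).decode()


# Constructed: two devices, two client key pairs, two endpoints, one server key.
PROFILE_A = f"""[Interface]
Address = 10.128.10.20/32
PrivateKey = {_fake_key(1)}
DNS = 10.128.0.1

[Peer]
PublicKey = {_fake_key(9)}
Endpoint = server-a.example.net:1637
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 15
"""

PROFILE_B = f"""[Interface]
Address = 10.128.22.7/32
PrivateKey = {_fake_key(2)}
DNS = 10.128.0.1

[Peer]
PublicKey = {_fake_key(9)}
Endpoint = server-b.example.net:1637
AllowedIPs = 0.0.0.0/0,::/0
PersistentKeepalive = 15
"""


def parse_wg_conf(text: str) -> list:
    """Minimal wg-quick parser: ordered list of (section, {lowercased key: value}).

    Unlike configparser it tolerates repeated sections (several [Peer]s) and
    repeated keys such as multiple AllowedIPs lines, which it joins with commas.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1].strip().lower(), current))
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        current[key] = f"{current[key]},{value}" if key in current else value
    return sections


def _first(sections: list, name: str) -> dict:
    for sec_name, body in sections:
        if sec_name == name:
            return body
    raise KeyError(name)


def compare_profiles(conf_a: str, conf_b: str) -> dict:
    """Report which fields differ between two profiles and which are shared."""
    a, b = parse_wg_conf(conf_a), parse_wg_conf(conf_b)
    a_if, b_if = _first(a, "interface"), _first(b, "interface")
    a_peer, b_peer = _first(a, "peer"), _first(b, "peer")
    a_addr = ipaddress.ip_interface(a_if["address"]).ip
    b_addr = ipaddress.ip_interface(b_if["address"]).ip
    return {
        "client_private_keys_differ": a_if["privatekey"] != b_if["privatekey"],
        "client_addresses_differ": a_addr != b_addr,
        "both_in_airvpn_subnet": a_addr in AIRVPN_WG_SUBNET and b_addr in AIRVPN_WG_SUBNET,
        "server_public_key_same": a_peer["publickey"] == b_peer["publickey"],
        "endpoints_differ": a_peer["endpoint"] != b_peer["endpoint"],
    }


def opnsense_unique_pubkey_check_rejects(conf_a: str, conf_b: str) -> bool:
    """Model the per-peer UniqueConstraint on PublicKey described in the thread.

    It keys on the remote public key alone, so two peers for different
    endpoints of one provider collide although (PublicKey, Endpoint) differs.
    """
    return compare_profiles(conf_a, conf_b)["server_public_key_same"]


if __name__ == "__main__":
    for name, value in compare_profiles(PROFILE_A, PROFILE_B).items():
        print(f"{name:28} {value}")
    print("second peer rejected:", opnsense_unique_pubkey_check_rejects(PROFILE_A, PROFILE_B))
```

Run it on your own two downloaded profiles by replacing the constructed PROFILE_A/PROFILE_B strings with their contents: if only the PrivateKey, Address and Endpoint lines differ while the [Peer] PublicKey matches, the profiles are exactly what the staff reply describes, and the error is the peer-level uniqueness check rather than your configuration.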
astorm 0 Posted ... Thanks for the replies. I now believe this is solely an OPNSense problem. I was able to modify the configuration backend file within OPNSense to bypass the duplicate public key check and successfully added a peer with the duplicate key. This allowed me to connect to two endpoints simultaneously and set up load balancing/failover. I have submitted a bug report to OPNSense. For anyone who comes across this issue while OPNSense still has this superfluous requirement, you can bypass the check (make backups of files/configurations!):
1) Open /usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml
2) Remove the lines below from the <pubkey type="Base64Field"> entry (in the current version it starts on line 18):
    <Constraints>
        <check001>
            <ValidationMessage>Public keys should be unique.</ValidationMessage>
            <type>UniqueConstraint</type>
        </check001>
    </Constraints>
3) Save the file. You may have to restart the firewall and/or reload the web GUI for the change to take effect, not sure.
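The three-step workaround above as a repeatable script, added here as an example and not part of the post or of OPNsense. It backs the model file up, removes only the UniqueConstraint check under <pubkey> (any other constraint on the field is left alone, and an emptied <Constraints> element is dropped), and reports what it removed. SAMPLE_MODEL is a constructed, cut-down stand-in for Client.xml built around the block quoted in the post; the real file has more fields, so diff the result against the backup before reloading the GUI.

```python
"""Strip the UniqueConstraint on pubkey from an OPNsense WireGuard model file.

Added example for the workaround above; not OPNsense code. SAMPLE_MODEL is a
constructed, cut-down stand-in for
/usr/local/opnsense/mvc/app/models/OPNsense/Wireguard/Client.xml containing the
<Constraints> block quoted in the post plus two neighbouring fields.
"""
import shutil
import sys
import time
import xml.etree.ElementTree as ET

SAMPLE_MODEL = """<model>
    <mount>//OPNsense/wireguard/client</mount>
    <items>
        <clients>
            <client type="ArrayField">
                <name type="TextField">
                    <Required>Y</Required>
                </name>
                <pubkey type="Base64Field">
                    <Required>Y</Required>
                    <Constraints>
                        <check001>
                            <ValidationMessage>Public keys should be unique.</ValidationMessage>
                            <type>UniqueConstraint</type>
                        </check001>
                    </Constraints>
                </pubkey>
                <psk type="Base64Field">
                    <Required>N</Required>
                </psk>
            </client>
        </clients>
    </items>
</model>
"""


def strip_unique_pubkey_constraint(xml_text: str) -> tuple:
    """Remove UniqueConstraint checks under every <pubkey>; return (xml, count).

    Other checks inside <Constraints> are kept; a <Constraints> element left
    empty is removed so the model stays well-formed for OPNsense's loader.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for pubkey in root.iter("pubkey"):
        for constraints in pubkey.findall("Constraints"):
            for check in list(constraints):
                if (check.findtext("type") or "").strip() == "UniqueConstraint":
                    constraints.remove(check)
                    removed += 1
            if len(constraints) == 0:
                pubkey.remove(constraints)
    return ET.tostring(root, encoding="unicode"), removed


def has_unique_pubkey_constraint(xml_text: str) -> bool:
    """True if any <pubkey> still carries a UniqueConstraint check."""
    root = ET.fromstring(xml_text)
    return any(
        (t.text or "").strip() == "UniqueConstraint"
        for pubkey in root.iter("pubkey")
        for t in pubkey.iter("type")
    )


def patch_model_file(path: str) -> int:
    """Copy `path` to a timestamped .bak next to it, then rewrite it in place."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    backup = f"{path}.bak.{time.strftime('%Y%m%d%H%M%S')}"
    shutil.copy2(path, backup)
    new_text, removed = strip_unique_pubkey_constraint(original)
    if removed:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text + "\n")
    return removed


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(f"removed {patch_model_file(sys.argv[1])} UniqueConstraint check(s)")
    else:
        patched, n = strip_unique_pubkey_constraint(SAMPLE_MODEL)
        print(f"sample: removed {n}; still constrained: {has_unique_pubkey_constraint(patched)}")
```

Two caveats for the real file: ElementTree drops an XML declaration and any comments when it re-serialises, so compare the rewritten file with the .bak copy before relying on it, and the change lives in a package-managed path, so an OPNsense update will restore the constraint and the script will need to be run again.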