Can't add more than one peer to wireguard when acting as a server

I’m somewhat new to Vyos, so it’s possible that this is user error, but from my testing I believe it’s not.

I have my Vyos router set up to allow remote devices to connect from the internet via WireGuard to get access to internal devices on the LAN side of the router. Just your typical WireGuard setup, nothing special.

I got one peer working just fine. I can connect with my Linux laptop, desktop and Android phone just fine. When I add a second peer to that WireGuard interface, the second peer doesn’t work on any of my devices, but the first peer still works just fine.

When I remove the working peer from the Vyos config, the second, non-working peer starts working. I don’t think this is intended behavior. If I set up a second WireGuard interface I can get both peers working at the same time. Pretty sure that you should be able to have more than one peer per network interface.

Non-working config

wireguard wg0 {
        address 10.10.10.1/24
        peer test {
            address 10.10.10.16
            allowed-ips 0.0.0.0/0
            port 51820
            public-key gUT6sbL1IMvWTLIHOlOVfPIvqM6ctCQUuPnlI8z39jg=
        }
        peer thinkpad {
            address 10.10.10.11
            allowed-ips 0.0.0.0/0
            port 51820
            public-key pCiEqAtbpbSkOgomBSsyY9S8liLhBcVNfJcVhU1IOFc=
        }
        port 51820
        private-key PRIVATE_KEY
}

Working config

 wireguard wg0 {
     address 10.10.10.1/24
     peer test {
         address 10.10.10.11
         allowed-ips 0.0.0.0/0
         port 51820
         public-key pCiEqAtbpbSkOgomBSsyY9S8liLhBcVNfJcVhU1IOFc=
     }
     port 51820
     private-key PRIVATE_KEY
 }
 wireguard wg1 {
     address 10.10.11.1/24
     peer test2 {
         address 10.10.11.16
         allowed-ips 0.0.0.0/0
         port 51821
         public-key gUT6sbL1IMvWTLIHOlOVfPIvqM6ctCQUuPnlI8z39jg=
     }
     port 51821
     private-key PRIVATE_KEY
 }

Vyos Version

Version:          VyOS 1.4-rolling-202305240317
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Wed 24 May 2023 03:17 UTC
Build UUID:       b76ddaca-9929-4958-a527-5fa523530975
Build commit ID:  6a582926856584

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  Dell Inc.
Hardware model:
Hardware S/N:
Hardware UUID:

Copyright:        VyOS maintainers and contributors

Hello!
Welcome to the Vyos forums :slight_smile:

You are misunderstanding how “allowed-ips” works. I know this, because I made this exact mistake when I setup Wireguard on my Vyos instance a couple of years ago.

You can’t have two with 0.0.0.0/0

Working example from my side:

    wireguard wg0 {
        address 192.168.10.1/24
        description "Example Wireguard"
        peer X {
            allowed-ips 192.168.10.16/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
        peer X {
            allowed-ips 192.168.10.20/32
            persistent-keepalive 25
            preshared-key ****************
            pubkey ****************
        }
    }

Allowed IPs says “I will let traffic with this source IP address enter from this peer”

If you are expecting to route the Internet INTO your Wireguard instance, sure, use 0.0.0.0/0.
But for a road-warrior type config, you’re only expecting the IP you assign to the remote end to ingress into your Wireguard instance, so a /32 is enough.

Hope this helps.

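To show why two peers with 0.0.0.0/0 conflict, here is an added example (not from this thread, VyOS or WireGuard itself) modelling WireGuard's per-interface cryptokey routing table in Python; the peer names and addresses are taken from the question's configs, and the class and function names are my own. In WireGuard an allowed-ips prefix belongs to exactly one peer, so the last peer given an overlapping prefix takes it away from the earlier one; which peer ends up owning 0.0.0.0/0 depends on the order the peers are applied.

```python
"""Model of WireGuard's cryptokey routing: each allowed-ips prefix maps to
exactly one peer, looked up by longest prefix match (added example)."""
import ipaddress


class CryptokeyRouter:
    """One WireGuard interface: network prefix -> peer name."""

    def __init__(self):
        self.table = {}

    def set_peer(self, name, allowed_ips):
        # Assigning a prefix another peer already owns moves it to the new
        # peer; the earlier peer silently loses it (WireGuard semantics).
        for cidr in allowed_ips:
            self.table[ipaddress.ip_network(cidr)] = name

    def outbound_peer(self, dst):
        """Peer an outbound packet to dst is encrypted to, or None (dropped)."""
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.table if addr in n]
        if not matches:
            return None
        return self.table[max(matches, key=lambda n: n.prefixlen)]

    def inbound_ok(self, peer, src):
        """A decrypted packet from peer is accepted only if src is in its allowed-ips."""
        return self.outbound_peer(src) == peer


def broken_config():
    # Constructed from the thread's non-working config: both peers 0.0.0.0/0.
    r = CryptokeyRouter()
    r.set_peer("test", ["0.0.0.0/0"])
    r.set_peer("thinkpad", ["0.0.0.0/0"])
    return r


def fixed_config():
    # Road-warrior fix: one /32 per peer, matching the address given to it.
    r = CryptokeyRouter()
    r.set_peer("test", ["10.10.10.16/32"])
    r.set_peer("thinkpad", ["10.10.10.11/32"])
    return r


if __name__ == "__main__":
    b, f = broken_config(), fixed_config()
    print("broken: 10.10.10.16 ->", b.outbound_peer("10.10.10.16"))      # thinkpad
    print("broken: inbound from test?", b.inbound_ok("test", "10.10.10.16"))  # False
    print("fixed:  10.10.10.16 ->", f.outbound_peer("10.10.10.16"))      # test
    print("fixed:  10.10.10.11 ->", f.outbound_peer("10.10.10.11"))      # thinkpad
```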

I think that the WireGuard docs are pretty out of date. Would contributing an updated page here be the correct way of getting updated WireGuard docs onto docs.vyos.io? https://github.com/vyos/vyos-documentation


Personally I think the docs are pretty clear on this:

They also link to this Wireguard mailing list post.

That said, all documentation updates and clarifications are more than welcome, so please, do feel more than free to contribute if you think they can be clearer :slight_smile:

Looks like the docs are up to date when you actually change over to the latest tag, my bad. But I’d still like to add a short “get a basic wireguard server running” guide.


This would be great, your contribution would be welcomed with open arms! Thank you in advance!
