Multiple WireGuard clients (peers) connect to one WireGuard service.
My purpose is to allow WireGuard clients to communicate with each other. If I create one WG service and connect 1 peer, then everything works well.
If I create two WG services, allow one peer to connect to each service and create routing rules to allow communication between the WireGuard peers, then everything works as expected too.
But if only one service is created and 2 peers are allowed to connect, the service seems to crash every time the second peer tries to connect.
I am not sure whether multiple peers per WireGuard service are allowed; if yes, how do I configure it? Please advise, and thanks in advance.
Hello! I am facing this issue too, on latest ROS 7.1beta6.
1 peer - working perfectly
2 or more peers - after the first one connects, the others are unable to receive data from ROS. In rare situations, it can even drop the connection for the first peer (the one that is successfully connected).
What helps in this situation is to restart the service (maybe), but the only thing that works for me now is to change the peer's config (anything, just to re-save the whole peer config). Only this peer can be connected afterwards without issue.
Interesting. All I can say is using Beta5, I can connect an external PC and my iphone.
I am using two different wg interfaces, however, for the two peers (not two peers on one interface).
In my case I have an RBG router acting as a server behind an MT CCR primary router.
At the client end I have an RB4011 router acting as a client behind a Consumer Router.
The iphone uses my cellular data for example.
With the iPhone I can access the RB4011 with my MT application and configure/manage the RB4011 (as well as both MT routers on the server side).
This tells me I can go from one tunnel to the other.
Since I have a destination route on the router SERVER for internet return packets (to the client PC at the other end), all I had to do was to use the IP on the MT APP for the client router.
On the client router of course on the input chain I had to include the IP address of the cell phone to allow access to the router.
The RBG, looking at the traffic coming out of the iPhone WireGuard tunnel and seeing that the destination address was for the other end of the WG tunnel on the other wg interface, just ported it out the appropriate other WireGuard interface.
Therefore I suggest that if you need to access something from one client or another, the routing may already be in place for each client subnet and thus accessible: Client A reaching Client B's PC or vice versa. Here it would be a case, at the client end, of ensuring the forward filter rules allow access... I think, but I am not sure what is being asked.
However if you are talking about both clients accessing a specific subnet on the server router that is a different matter.
Ensuring the requirements are crystal clear will point the right path.
Hi.
I have the same problem.
I want to connect 5 MikroTik routers as peers to an RB450Gx4.
Only one out of the 5 is working.
Sometimes if I close the peer from the 450, another one connects.
Did you find any solution?
4 different peers connected on the same WG interface.
It just works.
subnet 10.255.255.0/24 reserved for WG interface.
10.255.255.1 - Hex (home: 192.168.2.0/24)
10.255.255.2 - mAP (with subnet 192.168.90.0/24)
10.255.255.3 - laptop (no subnet)
10.255.255.4 - SXT LTE 930km further South in France (with subnet 192.168.88.0/24, also cAP and cAP AC on that network)
10.255.255.5 - mAP Lite (with subnet 192.168.91.0/24)
Be careful though:
on the "server" side (peer) set the allowed address to the ip/32 address of the endpoint (or it will not know where to go); you can add a subnet if needed
on the "client" side the easiest is to set 10.255.255.0/24 as the allowed address plus the subnets you want to be able to contact. E.g. I did not bother to go beyond the home network for the mAP Lite. I did set all of them on the mAP for educational purposes.
For laptop I set 0.0.0.0/0 so everything goes home when WG is fired up.
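The "server"-side advice above (a unique /32 per peer, plus that peer's own subnet) matches how WireGuard's cryptokey routing works on any platform: every allowed-address prefix on an interface is owned by exactly one peer, and configuring the same prefix on a second peer silently takes it away from the first, so two peers that both claim 10.255.255.0/24 (or 0.0.0.0/0) on the server side can never both receive traffic. The script below is an added example, not code from the post or from MikroTik: it models that ownership rule for a constructed peer list mirroring the layout above (public keys are placeholders), reports prefixes that one peer would steal from another, answers "which peer gets this destination" by longest-prefix match, and prints the corresponding RouterOS 7 `/interface/wireguard/peers add` lines. The RouterOS command syntax is written from memory and should be checked against the device's own CLI help.

```python
import ipaddress
from collections import OrderedDict

# Constructed peer list mirroring the five peers described in the post above.
# Public keys are placeholders; the server-side allowed-address for each peer is
# its unique tunnel /32 plus the LAN it fronts (the laptop has no LAN behind it).
PEERS = [
    {"name": "Hex",      "pubkey": "PUBKEY_HEX_PLACEHOLDER",     "allowed": ["10.255.255.1/32", "192.168.2.0/24"]},
    {"name": "mAP",      "pubkey": "PUBKEY_MAP_PLACEHOLDER",     "allowed": ["10.255.255.2/32", "192.168.90.0/24"]},
    {"name": "laptop",   "pubkey": "PUBKEY_LAPTOP_PLACEHOLDER",  "allowed": ["10.255.255.3/32"]},
    {"name": "SXT-LTE",  "pubkey": "PUBKEY_SXT_PLACEHOLDER",     "allowed": ["10.255.255.4/32", "192.168.88.0/24"]},
    {"name": "mAP-Lite", "pubkey": "PUBKEY_MAPLITE_PLACEHOLDER", "allowed": ["10.255.255.5/32", "192.168.91.0/24"]},
]

# Constructed counter-example: two peers both given the whole tunnel subnet on
# the server side. Only the peer configured last can own the prefix.
BAD_PEERS = [
    {"name": "A", "pubkey": "PUBKEY_A_PLACEHOLDER", "allowed": ["10.255.255.0/24"]},
    {"name": "B", "pubkey": "PUBKEY_B_PLACEHOLDER", "allowed": ["10.255.255.0/24"]},
]


def cryptokey_table(peers):
    """Simulate WireGuard's cryptokey routing table for one interface.

    Each allowed prefix is owned by exactly one peer; adding the same prefix to a
    later peer moves ownership to that peer. Returns (table, stolen), where table
    maps prefix -> owning peer name in configuration order and stolen lists
    (prefix, previous_owner, new_owner) for every prefix that changed hands.
    """
    table = OrderedDict()
    stolen = []
    for peer in peers:
        for entry in peer["allowed"]:
            net = ipaddress.ip_network(entry, strict=False)
            if net in table and table[net] != peer["name"]:
                stolen.append((str(net), table[net], peer["name"]))
            table[net] = peer["name"]
    return table, stolen


def peer_for(table, dst):
    """Return the peer that would receive a packet for dst (longest-prefix match),
    or None if no peer's allowed-address covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, owner in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else None


def routeros_commands(iface, peers):
    """Emit RouterOS 7 CLI lines adding each peer to the server-side interface.
    Syntax is from memory (assumption): verify against the device's CLI help."""
    return [
        f'/interface/wireguard/peers add interface={iface} comment="{p["name"]}" '
        f'public-key="{p["pubkey"]}" allowed-address={",".join(p["allowed"])}'
        for p in peers
    ]


if __name__ == "__main__":
    for label, peers in (("good", PEERS), ("bad", BAD_PEERS)):
        table, stolen = cryptokey_table(peers)
        print(f"[{label}] prefixes stolen between peers: {stolen or 'none'}")
        print(f"[{label}] 10.255.255.1 -> {peer_for(table, '10.255.255.1')}")
    print("\n".join(routeros_commands("wireguard1", PEERS)))
```

Run it as-is: the "good" layout reports no stolen prefixes and routes 192.168.88.x to the SXT, while the "bad" layout shows peer A losing 10.255.255.0/24 to peer B, which is the shape of a "only the last-saved peer works" symptom on any WireGuard implementation. Adding a broad prefix (0.0.0.0/0) on a client is fine because that client is the only peer on its own interface; on the shared server interface it must stay unique per peer.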
We have a Hex S with v7rc4.
We specifically updated to v7 because of WireGuard.
From day one multiple peers have not been working.
I think it is understandable that resetting the whole router just to test IF it works is not acceptable, considering time and downtime.
I am even blocked right now because I tried to add a second peer, and the WireGuard interface now accepts the connection but there is no internet.
Probably I have to go to the office to reboot the whole router and hope it returns to normal.
All peers can be anywhere, even at the same place at the same time.
Right now the workaround is for each peer to have its own WireGuard interface with its own /30 network.
I just deployed (today) an AWS EC2 instance with Ubuntu and WireGuard using the popular wireguard-install.sh, and it just adds peers to the same WireGuard interface. So from WireGuard's point of view it is a supported case.
EDIT: I just restarted the router two times.
My WireGuard interface is not working. So that second peer I tried to add, just to confirm whether the comments here are correct and the issue had disappeared, ruined the whole setup.
Will confirm with other colleagues whether theirs are working at least.
Sorry to bring back this topic, but I just wanted to thank this user for the info on the “allowed address to ip/32” on the server side. This totally helped me get multiple wg peers for just one interface.
No, why should it ?
It’s the responsibility of the admin to make sure the port to be used is available and filled in correctly when setting up a new WG-interface.
There is no way ROS can know which port you plan to use, so it simply fills in a default (which in itself should be an indication that you need to change it to something else).