pfSense / WireGuard Mesh Recommendation

I am hoping to get some guidance / recommendation on whether to change my pfSense / WireGuard approach. I currently have separate point-to-point connections between 3 sites, all with pfSense / Netgate appliances. I also have a road-warrior remote WireGuard interface to one of the 3 sites. Here is a brief summary of the current connections at all 3 sites:

  • Site A: two independent WireGuard tunnels to Site B and C, and a 3rd WG interface for 3 road-warrior clients (phones)

  • Site B: two independent WireGuard tunnels to Site A and C

  • Site C: two independent WireGuard tunnels to Site A and B

Everything is working, but I keep wondering if it is preferable to have all 3 sites on the same WireGuard sub-net, all listening on the same port. I would like to be able to route between all 3 sites, so there is no need to maintain separate point-to-point interfaces. Further, if I do go through the effort to replace my current separate tunnels with a single, 3-way mesh tunnel, should I add the road warrior peers to the same tunnel (as a 4th, 5th and 6th peer), or keep the road warrior interface separate as it is currently, to only Site A?

Ideally I want all 3 sites to route certain sub-nets between the 3, and ideally have the ability to use private DNS / pfSense DNS Resolver entries to allow for DNS-based routing instead of IP entries.

I experimented with a replacement using Tailscale, but had issues with Linux clients reaching the local LAN and the Tailscale network, and I prefer to remain self-sufficient with no 3rd party.

Is it worth retiring the independent WG point-to-point tunnels in favor of a single 3-way tunnel? Are there benefits I am missing other than retiring a 2nd open port on each of the 3 sites?

As always, I appreciate the input, guidance, and recommendations.
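The trade-off the question turns on is that a single WireGuard interface routes each destination to exactly one peer: whatever appears in a peer's AllowedIPs is both the set of sources accepted from that peer and the routes sent to it, so a 3-way (or 6-peer, with the phones added) mesh only works if no two peers on the same interface claim overlapping prefixes. The script below is an added example, not code from the thread or from pfSense/Netgate: it generates per-site configs for a single-interface mesh (sites as peers with fixed endpoints, road warriors as endpoint-less peers) and flags overlapping AllowedIPs before anything is deployed. All site names, subnets, endpoints and keys are constructed placeholders.

```python
"""Single-interface WireGuard mesh: generate per-site configs and check that
no two peers on one interface claim overlapping AllowedIPs.

Added example; every name, subnet, endpoint and key is a constructed placeholder."""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional


@dataclass
class Peer:
    name: str
    tunnel_ip: str                      # address on the shared tunnel subnet, e.g. "10.99.0.1/24"
    pubkey: str                         # placeholder for the peer's WireGuard public key
    lans: List[str] = field(default_factory=list)   # LAN subnets reachable through this peer
    endpoint: Optional[str] = None      # "host:port" for sites; None for road warriors (dynamic)


def allowed_ips(peer):
    """Prefixes routed to (and accepted from) this peer: its own tunnel /32
    plus every LAN behind it."""
    host = ipaddress.ip_interface(peer.tunnel_ip).ip
    nets = [ipaddress.ip_network(f"{host}/32")]
    nets += [ipaddress.ip_network(lan) for lan in peer.lans]
    return nets


def find_overlaps(local, peers):
    """WireGuard maps each destination to one peer per interface, so two peers
    with overlapping AllowedIPs means one of them silently loses traffic.
    Returns [(peer_a, peer_b, prefix_a, prefix_b), ...] as seen from `local`."""
    others = [p for p in peers if p is not local]
    conflicts = []
    for a, b in combinations(others, 2):
        for na in allowed_ips(a):
            for nb in allowed_ips(b):
                if na.overlaps(nb):
                    conflicts.append((a.name, b.name, str(na), str(nb)))
    return conflicts


def render_config(local, peers, listen_port=51820):
    """Render the wg-quick style config for `local` with every other peer
    (sites and road warriors) on the same interface."""
    lines = [
        "[Interface]",
        f"Address = {local.tunnel_ip}",
        f"ListenPort = {listen_port}",
        f"PrivateKey = <{local.name} private key>",   # placeholder, never a real key
    ]
    for p in peers:
        if p is local:
            continue
        lines += ["", f"# {p.name}", "[Peer]", f"PublicKey = {p.pubkey}",
                  f"AllowedIPs = {', '.join(map(str, allowed_ips(p)))}"]
        if p.endpoint:                  # road warriors have no fixed endpoint
            lines.append(f"Endpoint = {p.endpoint}")
    return "\n".join(lines)


# Constructed sample topology: three sites plus one road warrior on one tunnel subnet.
SITES = [
    Peer("site-a", "10.99.0.1/24", "<site-a pubkey>", ["192.168.10.0/24"], "a.example.net:51820"),
    Peer("site-b", "10.99.0.2/24", "<site-b pubkey>", ["192.168.20.0/24"], "b.example.net:51820"),
    Peer("site-c", "10.99.0.3/24", "<site-c pubkey>", ["192.168.30.0/24"], "c.example.net:51820"),
]
ROAD_WARRIORS = [Peer("phone-1", "10.99.0.101/24", "<phone-1 pubkey>")]

# Same mesh, but site-c's LAN was typed too broadly and now swallows site-b's LAN.
MISCONFIGURED = SITES[:2] + [
    Peer("site-c", "10.99.0.3/24", "<site-c pubkey>", ["192.168.0.0/16"], "c.example.net:51820"),
]


def mesh_configs(peers):
    """Config text for every peer in the mesh, keyed by peer name."""
    return {p.name: render_config(p, peers) for p in peers}


if __name__ == "__main__":
    print(render_config(SITES[0], SITES + ROAD_WARRIORS))
    print("overlaps (healthy):", find_overlaps(SITES[0], SITES + ROAD_WARRIORS))
    print("overlaps (misconfigured):", find_overlaps(SITES[0], MISCONFIGURED))
```

Run `find_overlaps` from each site's point of view before pasting AllowedIPs into the pfSense peer entries; the misconfigured sample shows the failure mode that a mesh introduces and separate point-to-point tunnels do not, since with one interface per peer there is nothing for a prefix to collide with.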

Here’s my $0.02

When I set this up I had more of a hub and spoke method (which is what you are asking about I think). All my infrastructure was at the hub site (for my sanity & efficiency). So I only had two wg tunnels to think about. The pros/cons of this setup depend on how much east-west traffic you expect to push. If you need max throughput between site B-C, then setup a direct link (as you already have). But for most east-west traffic, if you have everything centralized like I did, then they only really need to get to the hub.

I would say no. It makes firewalling these guys off easier, if that is something you care about. Giving them each their own tunnel sounds like overkill, but if it floats your boat go for it.

Routing should handle this. For my DNS I had the master at the hub and slaves at the satellite sites, with the hub slave acting as backup to the satellites (hidden master setup). Most people just do forwarding, so the satellite sites just need to point the domain to the DNS box resolving that domain at your hub (or my hub in my example). All other services basically traversed the tunnels directly.

Good on you. That is so refreshing to hear.

@liquidjoe (Joe): Thank you very much for your thoughtful reply. I appreciate your taking the time to help!

Your answer inspired me to both stay the course and finally correct a nagging DNS issue I was having between the sites.

I do have enough east-to-west traffic that I will keep the two point-to-point (CIDR /31) networks, as well as an independent road warrior interface to the hub site.

Your answer for DNS got me looking more closely at the DNS Resolver entries, and I was able to utilize the Domain Override section of the DNS Resolver (at the bottom) to direct the proper port 53 DNS queries to the correct site based on domain name (e.g. site.example.com).

I am quite happy with how I have this working now via point-to-point WireGuard and accompanying DNS Domain Overrides. Thanks again for taking the time to reply. It helped me a great deal.

Tony