pfSense WireGuard star topology (replacing existing IPsec)

I'm investigating replacing the existing configured IPsec tunnels I have in place with WireGuard.

IPsec works pretty well; sometimes there are some weird reconnection issues, but on the whole it's OK.

I believe WireGuard could be a more stable alternative; however, I'm confused about site-to-site: do you use one 'instance of WireGuard per site-to-site', or, as it appears, can you use one instance on the 'central' server supporting many different sites? (This seems easier to manage.) Are there any guides, or benefits to one way or the other?

The other bit I didn't quite understand is: if we were to use one connection/interface per site-to-site, why do we need a /24 for the tunnel interface? (If we had many interfaces, could we use a /32 for each and keep it 'neater'?)

  • So far I've had zero problems upgrading in place on Hyper-V, standalone white boxes and APU2 boards.

I am still working on making some WireGuard tutorials, but it should work in a star topology, and yes, you can use smaller tunnel networks.

Can anyone sanity check this? (It seems to be working fine; I just want to know I'm going in the right direction.)

2 sites both have subnets that all other sites (20) want access to. On each of these 2 sites I create ONE WireGuard instance each.

Site A: 10.6.210.1/24
Site B: 10.6.211.1/24

Under each of these 2 main sites I create peers to each site I want to connect to.

I create an IP address for the remote site which sits within the remote site's IP range (each site has the Site A & Site B subnets 10.6.210.1/24, 10.6.211.1/24).

Site C has the ranges 10.6.210.1/24, 10.6.211.1/24, and under the peers it connects to Site A using Peer WireGuard Address 10.6.210.XX (XX being, in my case, the subnet ID).

So in summary: both Site A and Site C, in the peers back to A, have the SAME "Peer WireGuard Address".

Sorry, I wish there was a better way to explain this :slight_smile: Anyone up for a TeamViewer look-over?

(Oh, and what's weirder: I don't seem to need to enable the WireGuard interface; so long as WireGuard is enabled, it's routing. When I do enable the interface I don't see any traffic on it.)
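As an added example (not part of this thread or of pfSense's WireGuard package), here is the hub-side shape of the star topology being discussed, written out as a wg-quick style config and checked with a small script: one WireGuard instance on the hub, one [Peer] block per spoke, each spoke given a /32 tunnel address out of the hub's tunnel network plus the LAN behind it. WireGuard routes outbound packets by AllowedIPs (cryptokey routing), so a prefix may belong to only one peer on a given interface; if the same prefix is listed under two peers, it is moved to the peer configured last and the first one silently stops receiving that traffic. The `find_overlaps` check below catches that before the config is applied. The hub address 10.6.210.1/24 is the one from the thread; spoke names, spoke LANs and the key placeholders are constructed.

```python
"""Added example: hub-side WireGuard star topology with a cryptokey-routing
sanity check. Not the thread's or pfSense's own code; all spoke names, LANs
and keys below are constructed placeholders."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample spokes: (name, spoke tunnel address as /32, spoke LAN).
# Only the hub needs the whole tunnel network on its interface; each spoke
# only needs its own /32 in the hub's AllowedIPs.
SPOKES = [
    ("site-c", "10.6.210.3/32", "192.168.3.0/24"),
    ("site-d", "10.6.210.4/32", "192.168.4.0/24"),
    ("site-e", "10.6.210.5/32", "192.168.5.0/24"),
]


def build_hub_config(hub_address: str, listen_port: int, spokes) -> str:
    """Render a wg-quick style config: one [Interface], one [Peer] per spoke."""
    lines = [
        "[Interface]",
        f"Address = {hub_address}",
        f"ListenPort = {listen_port}",
        "PrivateKey = <HUB_PRIVATE_KEY_PLACEHOLDER>",
        "",
    ]
    for name, tunnel_ip, lan in spokes:
        lines += [
            f"# {name}",  # comment naming the peer, used by parse_peers()
            "[Peer]",
            f"PublicKey = <{name.upper()}_PUBLIC_KEY_PLACEHOLDER>",
            f"AllowedIPs = {tunnel_ip}, {lan}",
            "",
        ]
    return "\n".join(lines)


def parse_peers(config_text: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Map each [Peer] (named by the comment preceding it) to its AllowedIPs."""
    peers: Dict[str, List[ipaddress.IPv4Network]] = {}
    pending_name = None
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            pending_name = line.lstrip("#").strip()
        elif line == "[Peer]":
            current = pending_name or f"peer{len(peers) + 1}"
            peers[current] = []
            pending_name = None
        elif line.startswith("[") or not line:
            continue  # [Interface] block or blank line
        elif current is not None and line.split("=", 1)[0].strip() == "AllowedIPs":
            for cidr in line.split("=", 1)[1].split(","):
                peers[current].append(ipaddress.ip_network(cidr.strip(), strict=False))
    return peers


def find_overlaps(peers: Dict[str, List[ipaddress.IPv4Network]]) -> List[Tuple[str, str, str, str]]:
    """Return (peer1, peer2, prefix1, prefix2) for every pair of peers whose
    AllowedIPs overlap; each prefix must map to exactly one peer."""
    names = list(peers)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in peers[a]:
                for net_b in peers[b]:
                    if net_a.overlaps(net_b):
                        overlaps.append((a, b, str(net_a), str(net_b)))
    return overlaps


if __name__ == "__main__":
    config = build_hub_config("10.6.210.1/24", 51820, SPOKES)
    print(config)
    print("overlaps:", find_overlaps(parse_peers(config)))
```

Run against the generated config the check returns an empty list; add a fourth spoke that reuses 10.6.210.3/32 and it reports the colliding pair, which is the condition to look for whenever a spoke stops receiving traffic after a new peer is added to the hub.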

Oh no! I just watched the WireGuard update - what's the problem?

The code needs some review.