WireGuard Site to Multi Site

Hello everyone,

I saw Mr. Tom's video on YouTube for Site to Site WireGuard. How about site to multi-site? Does anyone know what's needed to set up a 1 central and 3 sites configuration? A different tunnel for each site, a different port for each site, or both?

Seems that there is a problem with 3 peers on the same tunnel; it always routes to the first peer. (There is no route through the WireGuard virtual interface to all peers.)

Build separate WG tunnels for each site.


Hi, I tried to do that too. I had site A, site B and site C. Site A to B was OK, but then suddenly the 'internet' even went down on site C... !!!

Have a look at this video https://www.youtube.com/watch?v=7_gLPyipFkk

I have configured a main site with two remote sites, using the same WireGuard tunnel at the main site, with two peers.

One thing, on reboot the wireguard service does not always start - you have to create a cron job, and setup watchdog (last post)

How to fix broken site-to-site Wireguard tunnels on 2.7/22.05 and onwards | Netgate Forum

Try Tailscale

Even a primate like me can set it up. Works automagically!

Slightly related, but I was trying to get Tailscale to work with pfSense 23.09 and there's a current bug that means Outbound NAT for Tailscale will not work.

Tailscale Address option is missing in Translation Address section under Firewall/NAT/Outbound

I don’t seem to have an issue on 2.7.1, but then I downgraded from 23.05.1 to 2.7.0

Any reason why separate tunnels are better? I have a multi-site client, and each site is a peer on a common WireGuard tunnel. It's been working fine so far. It's also worked great for transitioning them from a hub and spoke setup to a partial mesh.
Granted… it’s 3 years later now :smiley: I didn’t build this setup until 23.01 came out. Perhaps Wireguard in pfSense works better now than it used to.

So you are using the same cert for each peer? And I guess the same AllowedIPs list?

I am curious what other people think about this setup. It’s not how I have done it (nor would do now), but I guess it would work. You could still fw things off based on the gateway IP in the wg tunnel, so I guess the common cert might not be that big of deal.
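Two things in this thread decide whether "one tunnel, several peers" works: the earlier report that traffic always went to the first peer, and the question just above about reusing the same key and AllowedIPs list for every peer. WireGuard routes by AllowedIPs (cryptokey routing): a given prefix can be owned by only one peer on an interface, and each peer is identified solely by its public key, so two peers sharing a key or an overlapping prefix cannot be told apart. The script below is an added example, not code from the thread or from the pfSense or WireGuard projects: it parses a constructed hub-side wg-quick style config with three spoke peers (the key strings are placeholders, not real keys) and reports duplicate public keys and overlapping AllowedIPs across peers, which is the check to run before blaming the tunnel itself.

```python
import ipaddress
from collections import defaultdict

# Constructed hub-side config (wg-quick syntax), one tunnel, three spokes.
# "site-c" is deliberately misconfigured: it reuses site-b's public key and
# its AllowedIPs (192.168.20.0/23) overlaps site-b's 192.168.20.0/24.
# All key values are placeholders, not real WireGuard keys.
HUB_CONFIG = """
[Interface]
Address = 10.200.0.1/24
ListenPort = 51820
PrivateKey = HUB_PRIVATE_KEY_PLACEHOLDER

# site-a
[Peer]
PublicKey = SITE_A_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.200.0.2/32, 192.168.10.0/24

# site-b
[Peer]
PublicKey = SITE_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.200.0.3/32, 192.168.20.0/24

# site-c
[Peer]
PublicKey = SITE_B_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.200.0.4/32, 192.168.20.0/23
"""


def parse_peers(text):
    """Return a list of {'name', 'public_key', 'allowed_ips'} dicts, one per [Peer].

    A '# comment' line directly before a [Peer] header is used as the peer's name;
    otherwise the peer is named by its position.
    """
    peers = []
    current = None
    pending_name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            pending_name = line.lstrip("#").strip()
            continue
        if line.lower() == "[peer]":
            current = {
                "name": pending_name or f"peer{len(peers) + 1}",
                "public_key": None,
                "allowed_ips": [],
            }
            peers.append(current)
            pending_name = None
            continue
        if line.startswith("["):
            current = None  # [Interface] or another section we do not inspect
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if key == "publickey":
            current["public_key"] = value
        elif key == "allowedips":
            current["allowed_ips"].extend(
                ipaddress.ip_network(p.strip(), strict=False) for p in value.split(",")
            )
    return peers


def check_hub(peers):
    """Return human-readable findings for configurations WireGuard cannot route correctly."""
    findings = []

    # 1. A public key identifies exactly one peer; two peers with one key are one peer.
    by_key = defaultdict(list)
    for p in peers:
        by_key[p["public_key"]].append(p["name"])
    for key, names in by_key.items():
        if len(names) > 1:
            findings.append(f"duplicate PublicKey shared by {', '.join(names)}")

    # 2. Each prefix may belong to only one peer; overlaps mean one site silently
    #    loses its route (the "always goes to one peer" symptom).
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            for net_a in a["allowed_ips"]:
                for net_b in b["allowed_ips"]:
                    if net_a.version == net_b.version and net_a.overlaps(net_b):
                        findings.append(
                            f"AllowedIPs overlap: {a['name']} {net_a} vs {b['name']} {net_b}"
                        )
    return findings


if __name__ == "__main__":
    for finding in check_hub(parse_peers(HUB_CONFIG)):
        print(finding)
```

On a healthy hub config the check returns an empty list: every spoke has its own key pair, its own tunnel /32, and only the LAN prefixes that really sit behind it. The same function can be pointed at the spoke side, where the hub peer's AllowedIPs should list the hub LAN plus the other spokes' LANs if spoke-to-spoke traffic is meant to transit the hub.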