ER605 V2 WireGuard - Cannot add multiple peers to one interface
Hello,
I have a WireGuard interface set up on my ER605 through Omada. I have one peer working well (allowed IP: 10.0.0.1/24, 192.168.8.0/24) [192.168.8.0/24 range is for LAN access] and I have added a second peer (10.0.0.2/24, 192.168.8.0/24). The second peer can connect using WireGuard client software, but no data is ever transferred.
All other configuration settings are identical (except public key for peer and interface on the WG peer side, which matches the allowed IP from peer setup e.g. 10.0.0.1/24). I have tried giving each peer a specific endpoint with no change. I have also tried giving different LAN IPs for each e.g. 192.168.8.0/24 and 192.168.8.1/24 ensuring no conflicts with other devices, again no change.
What am I doing wrong here?
Thanks
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I have multiple peers on one interface, but try 192.168.88.10/32 and 192.168.88.11/32 in allowed address, then edit wireguard client file to match with /32
- Copy Link
- Report Inappropriate Content
Hi @Sam_CS
Thanks for posting in our business forum.
Post your config here and your test results here with screenshots. Mosaic your sensitive information.
I need to know how you tested it. What commands did you use?
- Copy Link
- Report Inappropriate Content
@Clive_A Hi Clive,
Please find screenshots of the config and WireGuard log attached. I did not use any commands to test it - The peer Pete_WG works, peer Sam_WG does not. Sam_WG only ever receives keepalive packets from the ER605; no internet, no LAN, no ability to ping anything either LAN or WAN.
Sam
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi Clive
If Pete_WG is disabled and only Sam_WG is enabled, Sam_WG still does not work. You can see the settings for the device WireGuard client - the settings are identical except the keys and the allowed IP.
I am running this test on the same device; I just have 2 tunnels set up in the same WireGuard client application and switching between the 2 to do the tests.
*** EDIT AND UPDATE ***
With Pete_WG diabled and Sam_WG enabled, if I click the 'edit' button for Sam_WG and click 'apply' without making any changes, Sam_WG begins working. As soon as I enable Pete_WG again, it stops working.
If both peers are enabled and then I disable Sam_WG, I must click 'edit' then 'apply' on Pete_WG to get Pete_WG to work.
I believe there must be some issue with having 2 peers enabled, but I can't see where there are any conflicts between the 2 peers.
- Copy Link
- Report Inappropriate Content
I have multiple peers on one interface, but try 192.168.88.10/32 and 192.168.88.11/32 in allowed address, then edit wireguard client file to match with /32
- Copy Link
- Report Inappropriate Content
Instant success, thank you very much!! Both peers are now working absolutely fine. It makes sense I guess as /32 will constrain it to a single IP address. But why the ER605 can't handle this itself I don't know.
Especially as the instructions here: https://community.tp-link.com/en/business/forum/topic/619652 use /24 as CIDR.
- Copy Link
- Report Inappropriate Content
the person who wrote the guide was probably a bit hasty and did not test with several peers.
same thing with unifi routers, always /32 on ip in vpn tunnel.
- Copy Link
- Report Inappropriate Content
Hi @Sam_CS
Sam_CS wrote
Instant success, thank you very much!! Both peers are now working absolutely fine. It makes sense I guess as /32 will constrain it to a single IP address. But why the ER605 can't handle this itself I don't know.
Especially as the instructions here: https://community.tp-link.com/en/business/forum/topic/619652 use /24 as CIDR.
So, here's the thing, if you have multiple peers, each peer will have a different public key and the IP overlaps. That's the reason why it does not work. If you are configuring the peer to multiple peers, you need to set the peer > allowed-ips to a specific one.
If you don't overlap the IP in 192.168.88.1/24, setting its interface to 192.168.89.1/24 on the other peer, and allowed-ips on the ER605, you would not experience the issue.
The guide was only creating one for illustration. I did not take this into consideration at that time. Just thought about peer-to-peer instead of peer to multi peer. Will add one note to that for extra reference.
- Copy Link
- Report Inappropriate Content
Hi Clive,
Apologies, I didn't realise that you wrote the guide. The same CIDR value is also used in the guide for the ER605 in standalone mode (https://www.tp-link.com/uk/support/faq/3559/) which would also benefit from an update.
As a 'small business' product line, many users are just like me - I have a reasonable idea of networking setup, but definitely not in a professional capacity! Such guides are really key to getting the network setup correctly as we don't have the funds for employing/contracting another party to do it for us.
Thank you for your help and I am glad it was a simple fix in the end.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1535
Replies: 10
Voters 0
No one has voted for it yet.