Setting up VPN server using WireGuard on pfSense firewall
Intro
In this example I’m going to show you how to install and configure a VPN server using WireGuard software (pfSense-pkg-WireGuard 0.2.0_2) on pfSense (2.7.0-RELEASE) firewall. And for our client we will use Windows 10 with WireGuard client installed. You can also configure the client on macOS, BSD, Linux, Android and iPhone devices.
Install
On the pfSense firewall, the WireGuard server can be installed from System > Package Manager. Select Available Packages, find WireGuard, and click the green + install button. The WireGuard software can be downloaded from here; it can also be installed from the app store.
Configuration
Server tunnel
WireGuard server configuration on pfSense can be found in VPN > WireGuard. Click on Tunnels and then +Add Tunnel. Give it a description and generate new keys. I’m assuming you already know your VPN network; if not, now is the time to decide. I’ll be using 10.0.12.0/24. Enter an IP address and give it a description. I’ll be using the 10.0.12.1 address for my example. Now you can save the tunnel configuration.
Client tunnel
Download and install the WireGuard client. Open the software and add a blank tunnel. Give it a name and save it.
Server peer
Now it is time to add a peer in WireGuard on pfSense. Go to VPN > WireGuard > Peers and click on the +Add Peer button. In the peer configuration, assign the tunnel that you just created. Copy the Public Key from the empty tunnel that you created on the client side and paste it into the Public Key field. Finally, provide the IP address that will be used by your client. I will be using 10.0.12.34/32 to keep the clients from talking to each other, but you can use /24 as well. Save the peer. At this point you can enable WireGuard in Settings. Save and apply the changes.
Client peer
Now edit the tunnel on the client side and add the rest of the configuration and the peer settings. Under Interface add Address and DNS. I’ll be using 10.0.12.34/24 for the address, the same subnet as the server address, and 1.1.1.1 for DNS (an internal address works as well). The Peer section of the config needs PublicKey, AllowedIPs and Endpoint. Copy the PublicKey from the WireGuard server. For AllowedIPs I’m using 0.0.0.0/0 to route everything through this tunnel. Endpoint is the IP address or host name of your WireGuard server with the port number included. Here is a sample of my client’s configuration:
[Interface]
PrivateKey = qCH3hXXF9S/dMXXy5rXXNnDkcu0eNXX4Czrs5Rd8B1A=
Address = 10.0.12.34/24
DNS = 1.1.1.1

[Peer]
PublicKey = XX1hGBASOPwQS08wBbZUxGAP+GNaXXT65+uE82PXXTI=
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
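The following Python script is an added example, not code from this post or from the WireGuard or pfSense projects. It parses a client config in the format shown above, checks that PrivateKey and PublicKey are valid 32-byte base64 keys, that AllowedIPs are well-formed networks and that Address falls inside the server tunnel (10.0.12.1/24 as used above; the server_tunnel parameter is an assumption), and then derives the pfSense-side peer entry from the client's PrivateKey: the public key via X25519 (pure Python following RFC 7748, for offline verification only, not a constant-time implementation) and the /32 Allowed IPs entry the post chooses. The sample keys are the RFC 7748 test vectors, constructed for the demo and not real secrets; the host name and addresses are the post's own.

```python
import base64
import ipaddress

_P = 2**255 - 19

def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; variable-time, so only for offline key checks."""
    k = (int.from_bytes(scalar, "little") & ~7 & ((1 << 254) - 1)) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                                  # conditional swap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * (da - cb) ** 2 % _P
        x2 = aa * bb % _P
        z2 = e * (aa + 121665 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")

def derive_public_key(private_key: bytes) -> bytes:
    """Public key = private scalar times the base point u = 9."""
    return x25519(private_key, (9).to_bytes(32, "little"))

def decode_key(b64: str) -> bytes:
    """A WireGuard key is base64 of exactly 32 bytes; anything else is a paste error."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != 32:
        raise ValueError(f"key decodes to {len(raw)} bytes, expected 32")
    return raw

def parse_wg_config(text: str) -> dict:
    """Parse the [Interface]/[Peer] INI format into {'Interface': {...}, 'Peers': [...]}."""
    cfg, current = {"Interface": {}, "Peers": []}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if line == "[Interface]":
            current = cfg["Interface"]
        elif line == "[Peer]":
            current = {}
            cfg["Peers"].append(current)
        elif line and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        elif line:
            raise ValueError(f"unexpected line: {raw!r}")
    return cfg

def check_client_config(cfg: dict, server_tunnel: str = "10.0.12.1/24") -> list:
    """Return human-readable problems; an empty list means the config is consistent."""
    problems, iface = [], cfg["Interface"]
    server_net = ipaddress.ip_interface(server_tunnel).network
    try:
        decode_key(iface.get("PrivateKey", ""))
        addr = ipaddress.ip_interface(iface.get("Address", ""))
        if addr.ip not in server_net:
            problems.append(f"Address {addr.ip} is outside the server tunnel {server_net}")
    except ValueError as exc:
        problems.append(f"Interface: {exc}")
    for i, peer in enumerate(cfg["Peers"]):
        try:
            decode_key(peer.get("PublicKey", ""))
            for net in peer.get("AllowedIPs", "").split(","):
                ipaddress.ip_network(net.strip(), strict=False)
        except ValueError as exc:
            problems.append(f"Peer {i}: {exc}")
    return problems

def server_peer_entry(cfg: dict) -> dict:
    """What to enter for this client under VPN > WireGuard > Peers on pfSense."""
    priv = decode_key(cfg["Interface"]["PrivateKey"])
    addr = ipaddress.ip_interface(cfg["Interface"]["Address"])
    return {"PublicKey": base64.b64encode(derive_public_key(priv)).decode(),
            "AllowedIPs": f"{addr.ip}/{addr.max_prefixlen}"}  # host route (/32), as in the post

# Constructed sample: RFC 7748 test-vector keys, so nothing here is a real secret.
CLIENT_PRIVATE = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
SERVER_PRIVATE = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
SAMPLE_CLIENT_CONFIG = f"""[Interface]
PrivateKey = {base64.b64encode(CLIENT_PRIVATE).decode()}
Address = 10.0.12.34/24
DNS = 1.1.1.1
[Peer]
PublicKey = {base64.b64encode(derive_public_key(SERVER_PRIVATE)).decode()}
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.com:51820
"""

if __name__ == "__main__":
    cfg = parse_wg_config(SAMPLE_CLIENT_CONFIG)
    print(check_client_config(cfg) or "config looks consistent", server_peer_entry(cfg))
```

Run it as a script to print the problem list and the peer entry. Comparing the derived PublicKey with the one shown in the client's empty tunnel catches a mispasted key before the server side is saved, and the Address check catches a client put on the wrong subnet; both show up on the server only as a handshake that never turns green.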
Final thoughts
At this point you should be able to Activate the tunnel on your client. Check the status of the connection on the server side. Latest Handshake will tell you when the last handshake occurred. And a successful connection will turn the red handshake into green 🙂