( Photo by Sander Weeteling )
⚠️ Update 18 March 2021: Netgate announcement ⚠️
Looks like Wireguard support in pfSense is being removed pending a review/audit
We introduced a kernel-mode version of WireGuard to our most recent pfSense software releases - pfSense® Plus Version 21.02 (which has since been superseded by Version 21.02-p1), and pfSense Community Edition (CE) software version 2.5.0. As noted in a follow-on blog, questions and concerns with the implementation have surfaced that require attention.
Given that kernel-mode WireGuard has been removed from FreeBSD, and out of an abundance of caution, we are removing WireGuard from pfSense software pending a thorough review and audit.
We will follow the FreeBSD developments on kernel-mode WireGuard. Should WireGuard again be accepted into FreeBSD, we will re-evaluate it for inclusion in a future version of pfSense software.
Recently, Pfsense released version 2.5.0 which was a long-awaited update containing several improvements (OS upgrade to FreeBSD 12.2-STABLE, OpenSSL upgrade to 1.1.1 and a few others which you can read in the above link).
One awaited feature (at least from my side) was the out of box support of the Wireguard VPN protocol. Wireguard is a modern VPN tunnel protocol that has a superior performance (see here, here and here for example) when compared to OpenVPN or IPsec.
In this article, I will explain step by step how to set up your Wireguard VPN tunnel on Pfsense, and how to connect to it from your (Android) phone.
Setup Wireguard on Pfsense
Before you start, ensure that your Pfsense installation has been upgraded to version 2.5.0 or greater. At the time of writing, 2.5.0 is the latest and greatest so you cannot go wrong here!
In the top menu, go to "VPN" and then select "Wireguard". Next, we will select "Add Tunnel".
The form has a few entries to complete:
- Enabled & Description: self-explanatory.
- Address: this will be the address of your tunnel interface. For example, let's use
10.0.1.1/24(make sure the range you pick does not overlap with others you already defined)
- Listen Port: this is the port that will be used to listen for incoming Wireguard traffic on your WAN interface. Any in the ephemeral range will be OK (we will assume
51820for this tutorial)
- Interface Keys: to establish a connection, you will need to generate a keypair. Note down the Interface public key as it will be needed after.
Once you have completed this, save your configuration. We now need to configure the interface itself and the firewall so that the traffic is allowed in the first place.
Go in "Interfaces > Assignments" and "Add" your Wireguard interface. You can give it a description (such as
WG0) that will be inline with your other existing interfaces.
Next, we need to open up the "Listen Port" picked above on our WAN interface. Go in "Firewall > Rules" and select your WAN interface. It will look like this
To note, the destination port will be
51820 (as in our configuration). You can adjust the Source
any to something more suitable if you want to restrict it to specific IP addresses.
Now, we need to add a rule in our
WG0 interface. This is to allow the traffic from the Wireguard network to reach what is needed:
Again, this rule is fairly permissive. You may want to adjust the
Destination part to limit the traffic to specific areas of your network.
Lastly, in my case, I have configured the DNS Resolver of Pfsense to only respond to queries coming from specific interfaces. So, if you are doing something similar, and assuming you want your Wireguard traffic to use your Pfsense box for DNS resolution, remember to add
WG0 to the list of "Network Interfaces" listed in the "General Settings" of the DNS Resolver.
We now need to configure our device (for example, a mobile phone) that will be connecting to our Wireguard tunnel as a peer. We will need to come back to add it on Pfsense as well to complete the setup.
Setup Wireguard on your (Android) phone
The following section is specifically for Android phones but I'd expect the steps will be very similar on an iPhone. Generally speaking, platform support is very broad (as you can see on the official site)
For Android, you can use the Wireguard app from the Google Play Store. Once installed, it is quite simple.
First, we Create from Scratch our configuration. We are asked similar details as before:
For the "Interface"
- Name: your choice, whatever makes sense for you
- Private / Public Key: same as before, take note of the public key of your peer device.
- Addresses: this should reflect the network that we have configured earlier. In our example, we can use
- Port / MTU: we will leave these blank
- DNS Servers: In my case, I want to use the Pfsense box for DNS resolution so I will put
We then add a "Peer":
- Public Key: add the (Pfsense) Interface public key we saved at the start of the tutorial. This is needed to establish secure communication between our phone and our router.
- Pre-Shared Key (PSK): this is an optional (symmetric) key that can enhance the security of your setup (See: post-quantum resistance for additional information). You can generate it on Pfsense in the last step and then add this later on your phone.
- Endpoint: this will be the
IP:PORTcombination of your router (WAN interface).
- Allowed IPs: To route all traffic to the Wireguard tunnel when active, set this to
0.0.0.0/0. I'm still looking at a way to just route the traffic for my home network here, but I ran into some configuration issues when I tried to do so. Feel free to reply in the comments if you know some more tricks than I do!
The phone side of our configuration is done (except for the PSK - which is optional anyway). Let's jump back to Pfsense to complete our configuration.
Complete Wireguard configuration on Pfsense
The last step needed is to set up the Peer on our existing Wireguard Tunnel in Pfsense.
Hop back to "VPN" > "Wireguard" and edit your existing Tunnel. Then select "Add Peer"
Here is the drill:
- Endpoint / Endpoint Port can be left blank
- Public Key: you probably guessed it, this is the Public Key of the interface you set up on your phone and which you noted earlier.
- Allowed IPs: in our case, there is only one peer IP expected to connect to our Tunnel,
- Pre-Shared Key: here, you can generate the value as discussed earlier. If you add this, make sure to copy and configure it on your phone as well otherwise the encryption will fail.
Update and save all the changes. If you haven't done it already, also remember to reload the Firewall Rules and any other key configuration done earlier (Interfaces, DNS Resolver, etc...)
Run our Wireguard tunnel
We are now ready to connect to our tunnel. From the phone, we can flip the switch tied to our tunnel configuration and ... voilà! We should be connected to our Wireguard Tunnel and able to access all our favourite home network toys from afar.
Let me know if this worked for you, and leave any tips and tricks in the comments!