Wireguard VPN tunnel with Pfsense 2.5.0+

How to set up a Wireguard VPN Tunnel and securely connect to your home network from your mobile phone with the latest Pfsense release.

A quick tutorial explaining how to configure your Pfsense (2.5.0+) installation to support a Wireguard tunnel.

( Photo by Sander Weeteling )


⚠️ Update 18 March 2021: Netgate announcement ⚠️

Looks like Wireguard support in pfSense is being removed pending a review/audit

We introduced a kernel-mode version of WireGuard to our most recent pfSense software releases - pfSense® Plus Version 21.02 (which has since been superseded by Version 21.02-p1), and pfSense Community Edition (CE) software version 2.5.0. As noted in a follow-on blog, questions and concerns with the implementation have surfaced that require attention.

Given that kernel-mode WireGuard has been removed from FreeBSD, and out of an abundance of caution, we are removing WireGuard from pfSense software pending a thorough review and audit.

We will follow the FreeBSD developments on kernel-mode WireGuard. Should WireGuard again be accepted into FreeBSD, we will re-evaluate it for inclusion in a future version of pfSense software.

Recently, Pfsense released version 2.5.0, a long-awaited update containing several improvements (an OS upgrade to FreeBSD 12.2-STABLE, an OpenSSL upgrade to 1.1.1 and a few others, which you can read about in the release notes).

One feature I had been waiting for was out-of-the-box support for the Wireguard VPN protocol. Wireguard is a modern VPN protocol with a deliberately small code base, a fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305, BLAKE2s) and no cipher negotiation, and it offers considerably better throughput than OpenVPN or IPsec on the same hardware (see here, here and here for benchmarks).

In this article, I will explain step by step how to set up your Wireguard VPN tunnel on Pfsense, and how to connect to it from your (Android) phone.


Setup Wireguard on Pfsense

Before you start, ensure that your Pfsense installation has been upgraded to version 2.5.0 or greater. At the time of writing, 2.5.0 is the latest and greatest so you cannot go wrong here!

In the top menu, go to "VPN" and then select "Wireguard". Next, we will select "Add Tunnel".

Add a Wireguard tunnel

The form has a few entries to complete:

  • Enabled & Description: self-explanatory.
  • Address: this will be the address of your tunnel interface. For example, let's use 10.0.1.1/24 (make sure the range you pick does not overlap with any network already in use on either end, including the Wi-Fi or mobile network the phone will be connecting from).
  • Listen Port: the UDP port on which the WAN interface will accept incoming Wireguard traffic. Any free UDP port will do; 51820 is the conventional Wireguard default and is what this tutorial assumes. Wireguard never replies to a packet that fails authentication, so the port does not show up to a scanner, but that is no reason to skip the firewall rule added below.
  • Interface Keys: click to generate a Curve25519 keypair. The private key stays on Pfsense and should never be copied anywhere else; note down the Interface public key, as the phone will need it later.

Once you have completed this, save your configuration. We now need to configure the interface itself and the firewall so that the traffic is allowed in the first place.

Go to "Interfaces > Assignments" and "Add" your Wireguard interface (the new tunnel appears in the drop-down as tun_wg0). Give it a description (such as WG0) that is in line with your other existing interfaces.

Next, we need to open up the "Listen Port" picked above on our WAN interface. Go to "Firewall > Rules" and select the WAN tab. The rule must match protocol UDP (Wireguard is UDP only), destination "WAN address" and destination port 51820. It will look like this:

WAN firewall rule for incoming Wireguard traffic

Note that the protocol is UDP and the destination port is 51820, matching our configuration. You can narrow the Source from any to specific IP addresses if the phone always connects from known networks, but a mobile device rarely has a stable address, so in practice it is Wireguard's key-based authentication, not the source filter, that protects this port.

Next, add a rule on the WG0 interface tab. Pfsense blocks everything by default on a newly assigned interface, so without this rule traffic arriving through the tunnel can go nowhere:

WG0 firewall rule for Wireguard traffic

Again, this rule is fairly permissive (any source, any destination). You may want to restrict the Destination to the parts of your network the phone actually needs, for example your LAN subnet plus the Pfsense address for DNS, so that a lost or stolen phone with the tunnel still configured cannot reach everything behind the firewall.

Lastly, in my case, I have configured the DNS Resolver of Pfsense to only respond to queries coming from specific interfaces. So, if you are doing something similar, and assuming you want your Wireguard traffic to use your Pfsense box for DNS resolution, remember to add WG0 to the list of "Network Interfaces" listed in the "General Settings" of the DNS Resolver.

We now need to configure the device (for example, a mobile phone) that will connect to our Wireguard tunnel as a peer. We will then come back to Pfsense to add it there as well and complete the setup.

Setup Wireguard on your (Android) phone

The following section is specifically for Android phones, but I'd expect the steps to be very similar on an iPhone. Generally speaking, platform support is very broad (as you can see on the official site).

For Android, you can use the Wireguard app from the Google Play Store. Once installed, the setup is straightforward.

First, choose "Create from scratch" to start a new configuration. We are asked for similar details as before:

Setup Wireguard on Android

For the "Interface" section:

  • Name: your choice, whatever makes sense for you.
  • Private / Public Key: generate a keypair on the phone (as before, the private key never leaves the device). Note down the phone's public key, as Pfsense will need it.
  • Addresses: this should be an address in the network we configured earlier. In our example, we use 10.0.1.2/24.
  • Port / MTU: leave these blank; the app picks a random source port and the Wireguard default MTU of 1420.
  • DNS Servers: in my case, I want to use the Pfsense box for DNS resolution, so I put 10.0.1.1 here (lookups then travel inside the tunnel instead of going to the mobile carrier's resolver).

We then add a "Peer":

  • Public Key: add the (Pfsense) Interface public key we saved at the start of the tutorial. This is how the phone authenticates the router: a handshake will only complete with the holder of the matching private key.
  • Pre-Shared Key (PSK): an optional symmetric key that is mixed into the handshake as an extra layer on top of the Curve25519 key exchange (the Wireguard project describes it as a hedge against future quantum attacks on the public-key part; see: post-quantum resistance). You can generate it on Pfsense in the last step and add it to the phone afterwards.
  • Endpoint: the public IP:PORT of your router's WAN interface, for example 203.0.113.10:51820 (a documentation address standing in for yours). If your WAN address changes, use a dynamic DNS hostname instead; the app resolves it when the tunnel is started.
  • Allowed IPs: to route all traffic through the Wireguard tunnel when it is active, set this to 0.0.0.0/0. I'm still looking at a way to route only the traffic for my home network here, but I ran into some configuration issues when I tried to do so. Feel free to reply in the comments if you know more tricks than I do!

The phone side of our configuration is done (except for the PSK, which is optional anyway). Let's jump back to Pfsense to complete our configuration.
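The phone's "Interface" and "Peer" fields map one-to-one onto the [Interface]/[Peer] file format that the Wireguard Android app can import directly or scan as a QR code. The script below is an added example, not part of the original post or the Wireguard project: it writes that file for the phone, with the tutorial's own addresses, port and DNS, and checks the key format first, since a mistyped key is the most common reason a tunnel never handshakes. The keys, the WAN address (203.0.113.10) and the home LAN (192.168.1.0/24) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: build the phone-side Wireguard
# configuration in the same [Interface]/[Peer] file format the Android app
# imports (directly, or scanned as a QR code). Addresses, port and DNS are the
# tutorial's own values; the keys and the WAN address below are placeholders.

# A Wireguard key is 32 random bytes, base64-encoded: exactly 44 characters
# ending in '='. Anything else was copied wrongly and will never handshake.
wg_key_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# client_conf PHONE_PRIVKEY PFSENSE_PUBKEY ENDPOINT ALLOWED_IPS [PSK]
# AllowedIPs on the phone is what gets routed into the tunnel: 0.0.0.0/0 sends
# everything; "10.0.1.0/24,192.168.1.0/24" sends only the tunnel subnet and a
# home LAN (192.168.1.0/24 is an assumed LAN address range, adjust to yours).
client_conf() {
    privkey=$1 srvpub=$2 endpoint=$3 allowed=$4 psk=$5
    wg_key_ok "$privkey" || { echo "bad phone private key" >&2; return 1; }
    wg_key_ok "$srvpub"  || { echo "bad Pfsense public key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $privkey
Address = 10.0.1.2/24
DNS = 10.0.1.1

[Peer]
PublicKey = $srvpub
Endpoint = $endpoint
AllowedIPs = $allowed
PersistentKeepalive = 25
EOF
    # Optional PSK; when present it must be byte-for-byte identical on both ends.
    if [ -n "$psk" ]; then
        printf 'PresharedKey = %s\n' "$psk"
    fi
}

# Placeholder keys (all-zero bytes, constructed for the example; generate real
# ones with `wg genkey | tee phone.key | wg pubkey`). 203.0.113.10 is a
# documentation address standing in for your WAN IP or dynamic DNS name.
PHONE_PRIV='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
PFS_PUB='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='

client_conf "$PHONE_PRIV" "$PFS_PUB" 203.0.113.10:51820 0.0.0.0/0 > phone-full.conf
client_conf "$PHONE_PRIV" "$PFS_PUB" 203.0.113.10:51820 10.0.1.0/24,192.168.1.0/24 > phone-split.conf
# qrencode -t ansiutf8 < phone-split.conf    # then "Scan from QR code" in the app
```

PersistentKeepalive is not something the tutorial sets; it makes the phone send an empty packet every 25 seconds so the NAT mapping of the mobile network stays open, which only matters if Pfsense needs to reach the phone while it is idle. Whichever AllowedIPs variant the phone uses, the Pfsense side keeps 10.0.1.2/32 for this peer, because there the field restricts which source addresses the phone may send, not which destinations it may reach.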

Complete Wireguard configuration on Pfsense

The last step needed is to set up the Peer on our existing Wireguard Tunnel in Pfsense.

Hop back to "VPN" > "Wireguard", edit the existing Tunnel and select "Add Peer".

Add Peer in Wireguard Tunnel

Here is the drill:

  • Endpoint / Endpoint Port: leave blank. The phone's address changes constantly and it always initiates the connection, so Pfsense learns the current endpoint from the latest authenticated handshake.
  • Public Key: you probably guessed it, the public key of the interface you set up on your phone and noted earlier.
  • Allowed IPs: 10.0.1.2/32, the single address this peer will use. On Pfsense this field is also a cryptokey-routing filter: a packet arriving from this peer whose source address is outside it is dropped. Keep it to one /32 per peer and never put 0.0.0.0/0 here, or the phone would be allowed to inject packets with any source address.
  • Pre-Shared Key: generate it here if you want one. Copy it into the phone's Peer section as well; the PSK is mixed into the handshake, so a mismatch means the two sides never complete a handshake and the tunnel simply stays silent, without any error.

Update and save all the changes. If you haven't done so already, also apply the pending changes wherever Pfsense prompts you (Firewall Rules, Interfaces, DNS Resolver, etc.).

Run our Wireguard tunnel

We are now ready to connect to our tunnel. From the phone, flip the switch tied to our tunnel configuration and... voilà! We should be connected to our Wireguard tunnel and able to reach all our favourite home network toys from afar. To confirm it is really up rather than merely switched on, open the tunnel in the app and check that "Latest handshake" shows a recent time and the transfer counters grow; "Status > Wireguard" on Pfsense shows the same per peer. A tunnel that never handshakes almost always means a wrong endpoint, a missing WAN rule, swapped public keys or a PSK set on one side only.
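The same check can be scripted on the Pfsense side from the machine-readable output of `wg show <iface> dump`. The script below is an added example, not part of the original post or of Pfsense: it flags peers that have never handshaked or have gone quiet, and peers whose server-side Allowed IPs are wider than a single host. It assumes the `wg` tool is on the path (it is installed alongside the Wireguard support in 2.5.0) and that the assigned tunnel is tun_wg0; the dump fed in here is constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: handshake and allowed-IPs check
# built on the tab-separated `wg show <iface> dump` output. The first line
# describes the interface; every further line is one peer with: public key,
# preshared key, endpoint, allowed-ips, last-handshake epoch, rx bytes, tx
# bytes, persistent-keepalive. The sample below is constructed; on the Pfsense
# box, pipe the real output in from Diagnostics > Command Prompt or SSH.

# check_peers NOW_EPOCH < dump
# Prints one line per peer: key prefix, handshake state, byte counters, and a
# warning if the server-side allowed-ips is wider than a single host address,
# which would let that peer send packets from any source inside that range.
check_peers() {
    now=$1
    awk -F'\t' -v now="$now" '
        NR == 1 { next }                            # interface line, not a peer
        {
            pub = $1; allowed = $4; hs = $5
            if (hs == 0)             { state = "never" }   # keys, endpoint or firewall problem
            else if (now - hs > 180) { state = "stale" }   # no rekey in 3 min: idle or unreachable
            else                     { state = "ok" }
            warn = ""
            n = split(allowed, cidrs, ",")
            for (i = 1; i <= n; i++)
                if (cidrs[i] !~ /\/32$/ && cidrs[i] !~ /\/128$/)
                    warn = " WARN:allowed-ips-wider-than-host"
            printf "%s %s rx=%s tx=%s%s\n", substr(pub, 1, 8), state, $6, $7, warn
        }'
}

# Constructed sample: the phone peer handshaked 100 s before "now"; a second
# peer has never connected and was (wrongly) given a whole LAN as allowed-ips.
SAMPLE=$(
    printf 'PRIVKEY\tPFSENSEPUB\t51820\toff\n'
    printf 'PHONEPUB\t(none)\t198.51.100.7:41234\t10.0.1.2/32\t1700000000\t12345\t67890\toff\n'
    printf 'LAPTOPPUB\t(none)\t(none)\t10.0.1.3/32,192.168.50.0/24\t0\t0\t0\t0\n'
)
NOW=1700000100

printf '%s\n' "$SAMPLE" | check_peers "$NOW"
# On Pfsense 2.5.0, with the tunnel assigned as tun_wg0:
#   wg show tun_wg0 dump | check_peers "$(date +%s)"
```

A "never" peer whose endpoint is also "(none)" has not even reached the listen port, so look at the WAN rule and the endpoint on the phone before the keys; a "never" peer with an endpoint recorded has reached Pfsense but failed authentication, which points at a key or PSK mismatch.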

Let me know if this worked for you, and leave any tips and tricks in the comments!

If you liked this article, follow me on Twitter for more updates!
