Wireguard with pfSense CE 2.5.2+

How to install the Wireguard add-on package on pfSense CE 2.5.2+ and set up a Wireguard tunnel from a device to your router.

(Photo by Hugues de BUYER-MIMEURE)

This post is a quick follow-up to my earlier tutorial explaining the setup process for Wireguard when it was still integrated directly in pfSense (v2.5.0). Since then, Netgate announced its removal from the CE and Plus editions, and shortly after an experimental add-on package was made available (see the source code on Github) so that users still interested could install it and continue experimenting with it in pfSense.

Here, we will quickly revisit the setup process. There are some minor differences with the new package but the process is largely the same. At the time of writing, the package is at v0.1.5, as seen below:

Wireguard Experimental Package

When you click to install it, a disclaimer is laid out in front of you so that you are aware of the status of this feature & code:

At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission-critical environments.

So, consider yourself warned! "Lasciate ogni speranza, o voi che entrate..." 😈

For the tutorial, the scenario is to create a Wireguard tunnel between your device (say, a phone) and your pfSense router. I will base the tunnel on the 10.0.2.0/24 subnet, but you may need to change it if that subnet overlaps an existing configuration on your side.

The following diagram shows the setup. In other words, we want to allow our phone (on the left) to connect to the private subnets inside our home network (on the right) via the router's WAN interface.

Network diagram

pfSense setup

After having installed the Wireguard package, head to VPN > Wireguard in the top menu. Let's start by adding a tunnel:

Add a Tunnel Button

Tunnel

The settings for your tunnel will be:

  • Enable: ✅
  • Description: Pick what works for you
  • Listen Port: 51820 (default, you can change it if you wish)
  • Interface Keys: Generate and then save the Public Key

Save your Tunnel configuration.

Interface Assignments

Let's move to Interfaces > Assignments. You should find an Available network port such as tun_wg0 in the dropdown. Add the interface and Save. Click on your new interface and let's configure it:

  • Enable: ✅
  • Description: you can rename it, for example, WG0
  • IPv4 Configuration Type: Static IPv4 (we are using an IPv4 configuration for our tutorial)

Leave the other fields empty and move to Static IPv4 Configuration. Set it up with your interface address: 10.0.2.1/24. Leave IPv4 Upstream gateway empty, then Save and Apply Changes.

Firewall Rules

Time to move to the Firewall section! Firewall > Rules then pick your WAN interface. Add a Pass rule for IPv4 UDP traffic from any source to port 51820 (or whatever port you used for your Wireguard tunnel setup).

Assuming your mobile phone IP address is dynamic, the allowed source address and port should be any.

Save your Rule and Apply the changes.

Now, you also need to add rules for your WG0 interface.

Create a Pass rule for any traffic with source WG0 Net and destination WG0 Net (this will allow your phone to communicate with pfSense).

Create another Pass rule to allow traffic from WG0 Net to your local subnets. This will let you reach the home network services that you want to be able to access remotely. I personally use an alias that includes all the required subnets, so that the rules look like this:

Firewall rules configuration for WG0

In this section, use your discretion: you can always refine the rules and make them stricter in a second stage, once you have verified that your Wireguard connection is up and running and that you can reach what you need.

Peer

Now, go back to Wireguard and Peers.

It's time to start describing to our router what our mobile phone (Peer) will look like, so that it will be allowed to connect to our tunnel. Click Add Peer and then use the following values:

  • Enable: ✅
  • Tunnel: Select the tunnel you have just configured
  • Description: what makes sense for you
  • Dynamic Endpoint: leave unchecked
  • Endpoint: let's give our phone a static address and port 10.0.2.2:51820
  • Keepalive: leave empty
  • Public Key: ⌚ we will add this later, once we start working on the phone
  • Pre-Shared Key: generate one and save it, you will need to set this in your phone. This is optional but it will be an added security feature for your connection.
  • Allowed IPs: 10.0.2.2/32 - this peer (the mobile phone) will accept traffic only directed to itself.

Do not attempt to save your peer yet: it requires the Public Key to be specified. So, we now need to continue the setup on our phone to create the keypair and obtain the value to be added above.

Phone setup

If you are on Android, head to the Google Play store and install Wireguard. The same app exists for iOS in the App Store, and I assume the setup will be similar on an Apple device.

Launch the app, click the Add icon and select Create from scratch. The setup will be very similar to what we have already done.

Interface

  • Name: let your imagination go wild!
  • Generate a key pair, save the public key. This is the key that you will need to copy in the Router peer configuration that we have left suspended earlier.
  • Addresses: 10.0.2.2/24; Listen port: leave empty
  • DNS servers 10.0.2.1 (this will be your pfSense).

Add a Peer:

  • Public Key: copy & paste the same public key you generated earlier on your pfSense tunnel configuration.
  • Pre Shared Key: copy & paste the value you generated on the pfSense tunnel Peer set up earlier.
  • Endpoint: This will be the WAN address of your router, with the port you configured on the Firewall (51820 if you left the default setting)
  • Allowed IPs: Here I specify the home network subnets whose traffic I want sent over the Wireguard tunnel. Looking at the diagram from the start, here we would enter 10.0.2.0/24, 192.168.1.0/24, 192.168.2.0/24, and add any other subnet as required. By doing this, all other traffic on the phone (web browsing, for example) is routed as normal.

Save your configuration.

Putting it all together

Now you need to go back to your pfSense Peer configuration and add the public key you generated on the phone Wireguard Interface. Save your configuration.

That's it! You should be able to test your configuration by doing the following:

  1. If your phone is already connected to your local network (for example via Wi-Fi), disable Wi-Fi and enable your mobile data connection, so that you are sure you will be connecting to the pfSense WAN interface.
  2. Enable the Wireguard tunnel you just configured on the phone

You should now be able to reach your pfSense router, either via IP or just using your local FQDN. Similarly, you should be able to reach your other local services on their subnets.
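The tunnel only comes up when the values entered on the two sides agree, and a single slip (the wrong port in the phone's Endpoint, a pre-shared key pasted into the wrong peer, an Allowed IPs entry that leaves out the tunnel subnet) fails silently with no handshake. The script below is an added example, not code from the original post or from the pfSense package: it models the values from the pfSense pages and the phone app as entered above, renders the phone side as an importable WireGuard config, and cross-checks the two sides. The keys are constructed placeholders (base64 of fixed bytes, not real key material) and `wan.example.invalid` stands in for your router's WAN address.

```python
"""Cross-check the pfSense side and the phone side of the WireGuard tunnel.

Added example (not from the original post or the pfSense package). Keys below
are constructed placeholders, base64 of 32 fixed bytes; real keys come from
"Generate" in the pfSense tunnel/peer pages and from the phone app.
"""
import base64
import ipaddress
from dataclasses import dataclass

ROUTER_PUB = base64.b64encode(bytes([0x11] * 32)).decode()  # placeholder
PHONE_PUB = base64.b64encode(bytes([0x22] * 32)).decode()   # placeholder
PSK = base64.b64encode(bytes([0x33] * 32)).decode()         # placeholder


def key_ok(key: str) -> bool:
    """A WireGuard public or pre-shared key is exactly 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


@dataclass
class RouterSide:
    """Values from VPN > WireGuard (tunnel + peer), Interfaces > WG0 and the WAN rule."""
    listen_port: int
    public_key: str           # tunnel "Interface Keys" public key
    interface_addr: str       # WG0 Static IPv4, e.g. "10.0.2.1/24"
    wan_rule_udp_port: int    # destination port of the WAN pass rule
    peer_public_key: str      # pasted from the phone in "Putting it all together"
    peer_psk: str
    peer_allowed_ips: tuple   # e.g. ("10.0.2.2/32",)


@dataclass
class PhoneSide:
    """Values entered in the WireGuard app (Interface + Peer)."""
    public_key: str
    address: str              # e.g. "10.0.2.2/24"
    dns: str                  # e.g. "10.0.2.1"
    peer_public_key: str      # the router's tunnel public key
    peer_psk: str
    endpoint: str             # "host:port"; host is the router's WAN address
    allowed_ips: tuple        # subnets routed into the tunnel


def check(router: RouterSide, phone: PhoneSide) -> list:
    """Return human-readable problems; an empty list means the two sides agree."""
    problems = []
    for name, key in (("router public key", router.public_key),
                      ("phone public key", phone.public_key),
                      ("pre-shared key", router.peer_psk)):
        if not key_ok(key):
            problems.append(f"{name} is not a valid 32-byte base64 key")

    # Keys are crossed: each side's Peer entry holds the OTHER side's public key.
    if phone.peer_public_key != router.public_key:
        problems.append("phone Peer public key != router tunnel public key")
    if router.peer_public_key != phone.public_key:
        problems.append("router Peer public key != phone interface public key")
    if router.peer_psk != phone.peer_psk:
        problems.append("pre-shared keys differ")

    # Ports: phone Endpoint, router Listen Port and the WAN pass rule must all match.
    _host, _, port_str = phone.endpoint.rpartition(":")
    port = int(port_str) if port_str.isdigit() else -1
    if port != router.listen_port:
        problems.append(f"phone endpoint port {port_str} != router listen port {router.listen_port}")
    if router.wan_rule_udp_port != router.listen_port:
        problems.append("WAN firewall rule does not pass the tunnel's listen port")

    # Addressing: the router's Allowed IPs for this peer must cover the phone's
    # tunnel address, and both tunnel addresses must sit in the same subnet.
    phone_if = ipaddress.ip_interface(phone.address)
    router_if = ipaddress.ip_interface(router.interface_addr)
    if not any(phone_if.ip in ipaddress.ip_network(n) for n in router.peer_allowed_ips):
        problems.append("router Peer Allowed IPs do not include the phone's tunnel address")
    if phone_if.network != router_if.network:
        problems.append("phone and WG0 addresses are not in the same tunnel subnet")

    # Routing on the phone: pfSense's tunnel address and the DNS server must be
    # inside the phone's Allowed IPs, otherwise that traffic leaves via mobile data.
    phone_routes = [ipaddress.ip_network(n) for n in phone.allowed_ips]
    for label, addr in (("pfSense tunnel address", router_if.ip),
                        ("DNS server", ipaddress.ip_address(phone.dns))):
        if not any(addr in n for n in phone_routes):
            problems.append(f"{label} {addr} is not covered by the phone's Allowed IPs")
    return problems


def render_phone_config(phone: PhoneSide) -> str:
    """Render the phone settings as a config the WireGuard app can import (PrivateKey omitted)."""
    return "\n".join([
        "[Interface]",
        "PrivateKey = <generated in the app; never copied anywhere else>",
        f"Address = {phone.address}",
        f"DNS = {phone.dns}",
        "",
        "[Peer]",
        f"PublicKey = {phone.peer_public_key}",
        f"PresharedKey = {phone.peer_psk}",
        f"Endpoint = {phone.endpoint}",
        f"AllowedIPs = {', '.join(phone.allowed_ips)}",
        "",
    ])


# Sample values mirroring the tutorial (constructed; WAN host is a placeholder).
ROUTER = RouterSide(
    listen_port=51820, public_key=ROUTER_PUB, interface_addr="10.0.2.1/24",
    wan_rule_udp_port=51820, peer_public_key=PHONE_PUB, peer_psk=PSK,
    peer_allowed_ips=("10.0.2.2/32",),
)
PHONE = PhoneSide(
    public_key=PHONE_PUB, address="10.0.2.2/24", dns="10.0.2.1",
    peer_public_key=ROUTER_PUB, peer_psk=PSK,
    endpoint="wan.example.invalid:51820",
    allowed_ips=("10.0.2.0/24", "192.168.1.0/24", "192.168.2.0/24"),
)

if __name__ == "__main__":
    print(render_phone_config(PHONE))
    print("problems:", check(ROUTER, PHONE) or "none")
```

Running it prints the phone-side config and `problems: none` for the sample values; change the endpoint to the wrong port, or drop 10.0.2.0/24 from the phone's Allowed IPs, and the corresponding line appears, which is quicker than staring at a peer that never completes a handshake.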


I hope this worked for you! Any questions or something not quite right? Leave me a comment below!
