Here, we will quickly revisit the setup process. There are some minor differences with the new package but the process is largely the same. At the time of writing, the package is at v0.1.5, as seen below:
When you click to install it, a disclaimer is laid out in front of you so that you are aware of the status of this feature & code:
At this time this code is new, unvetted, possibly buggy, and should be considered "experimental". It might contain security issues. We gladly welcome your testing and bug reports, but do keep in mind that this code is new, so some caution should be exercised at the moment for using it in mission-critical environments.
For the tutorial, the scenario here is to create a Wireguard tunnel between your device (say, a phone) and your pfSense router. I will base the tunnel on the 10.0.2.0/24 subnet but you might need to vary if this is overlapping an existing configuration on your side.
The diagram below shows the setup: we want to allow our phone (on the left) to connect to the private subnets inside our home network (on the right) via the router's WAN interface.
After having installed the Wireguard package, head to VPN > Wireguard in the top menu. Let's start by adding a tunnel:
The settings for your tunnel will be:
Description: Pick what works for you
Listen Port: 51820 (default, you can change it if you wish)
Interface Keys: Generate and then save the Public Key
Save your Tunnel configuration.
Let's move to Interfaces > Assignments. You should find an Available network port such as tun_wg0 in the dropdown. Add the interface and Save. Click on your new interface and let's configure it:
Description: you can rename it, for example, WG0
IPv4 Configuration Type: Static IPv4 (we are using an IPv4 configuration for our tutorial)
Leave the other fields empty and move to Static IPv4 Configuration. Set it up with your interface address: 10.0.2.1/24. Leave IPv4 Upstream gateway empty and just Save, then Apply Changes.
Time to move to the Firewall section! Firewall > Rules then pick your WAN interface. Add a Pass rule for IPv4 UDP traffic from any source to port 51820 (or whatever port you used for your Wireguard tunnel setup).
Assuming your mobile phone IP address is dynamic, the allowed source address and port should be any.
Save your Rule and Apply the changes.
Now, you also need to add rules for your WG0 interface.
Create a Pass rule for any traffic with source WG0 Net and destination WG0 Net (this will allow your phone to communicate with pfSense).
Create another Pass rule to allow traffic from WG0 Net to your local subnets. This will allow you to reach the home network services that you might want to be able to access remotely. I personally use an alias that includes all the required subnets, so the rules look like this:
Use your discretion in this section: you can always refine these into stricter rules in a second stage, once you have verified that your Wireguard connection is up and running and that you can reach what you need.
Now, go back to Wireguard and Peers.
It's time to start describing to our router what our mobile phone (Peer) will look like, so that it will be allowed to connect to our tunnel. Click Add Peer and then use the following values:
Tunnel: Select the tunnel you have just configured
Description: what makes sense for you
Dynamic Endpoint: leave unchecked
Endpoint: let's give our phone a static address and port, 10.0.2.2:51820
Keepalive: leave empty
Public Key: ⌚ we will add this later, once we start working on the phone
Pre-Shared Key: generate one and save it, you will need to set this in your phone. This is optional but it will be an added security feature for your connection.
Allowed IPs: 10.0.2.2/32 - this peer (the mobile phone) will accept traffic only directed to itself.
Do not attempt to save your peer yet: it requires the Public Key to be specified. So we now need to continue the setup on our phone to create the key pair and get the value required above.
If you are on Android, head to the Google Play store and install Wireguard. You have the same app for iOS in the App Store and I assume the setup will be similar on an Apple device.
Launch the app, click the Add icon and select Create from scratch. The setup will be very similar to what we have already done.
Name: let your imagination go wild!
Generate a key pair and save the public key. This is the key that you will need to copy into the router Peer configuration that we left suspended earlier.
Addresses: 10.0.2.2/24; Listen port: leave empty
DNS servers: 10.0.2.1 (this will be your pfSense).
Add a Peer:
Public Key: copy & paste the same public key you generated earlier on your pfSense tunnel configuration.
Pre-Shared Key: copy & paste the value you generated in the pfSense Peer setup earlier.
Endpoint: This will be the WAN address of your router, with the port you configured on the Firewall (51820 if you left the default setting)
Allowed IPs: Here I specify the home network subnets that I want to be sent over the Wireguard tunnel. If we look at the diagram we had at the start, here we would enter 10.0.2.0/24, 192.168.1.0/24, 192.168.2.0/24 and add any other subnet as required. By doing this, all the other traffic on the phone (for example web browsing) will be routed as normal, outside the tunnel.
Save your configuration.
Putting it all together
Now you need to go back to your pfSense Peer configuration and add the public key you generated on the phone Wireguard Interface. Save your configuration.
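As an added check, not part of the original post, the script below cross-references the two sides' settings the way the tutorial pairs them: the pre-shared key must match, the router's Allowed IPs (10.0.2.2/32) must cover the phone's address, each home subnet must fall inside the phone's Allowed IPs, and a 0.0.0.0/0 entry is flagged because it would turn the split tunnel into a full tunnel. The two configs are constructed in wg-quick INI style with placeholder key strings and an assumed endpoint hostname.

```python
# Added example, not from the post: constructed configs with placeholder keys.
import ipaddress
ROUTER_CFG = """[Interface]
ListenPort = 51820
[Peer]
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
AllowedIPs = 10.0.2.2/32
"""
PHONE_CFG = """[Interface]
Address = 10.0.2.2/24
[Peer]
PublicKey = ROUTER_PUBLIC_KEY_PLACEHOLDER
PresharedKey = PSK_PLACEHOLDER
Endpoint = router.example.invalid:51820
AllowedIPs = 10.0.2.0/24, 192.168.1.0/24, 192.168.2.0/24
"""

def parse_wg(text):
    # Minimal wg-quick INI parser: returns (interface_dict, [peer_dict, ...]).
    iface, peers, cur = {}, [], {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line == "[Interface]":
            cur = iface
        elif line == "[Peer]":
            peers.append(cur := {})
        elif line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return iface, peers

def nets(value):
    return [ipaddress.ip_network(s.strip(), strict=False) for s in value.split(",")]

def check_pair(router_cfg, phone_cfg, home_subnets):
    """Return a list of mismatches; an empty list means the two sides agree."""
    _, (rp,) = parse_wg(router_cfg)      # one peer (the phone) on the router side
    p_if, (pp,) = parse_wg(phone_cfg)    # one peer (the router) on the phone side
    issues = []
    if rp.get("PresharedKey") != pp.get("PresharedKey"):
        issues.append("pre-shared keys differ")
    phone_ip = ipaddress.ip_interface(p_if["Address"]).ip
    if not any(phone_ip in n for n in nets(rp["AllowedIPs"])):
        issues.append("router AllowedIPs does not cover the phone address")
    allowed = nets(pp["AllowedIPs"])
    for sub in home_subnets:   # every home subnet must be routed into the tunnel
        if not any(ipaddress.ip_network(sub).subnet_of(n) for n in allowed):
            issues.append(f"{sub} is not routed into the tunnel")
    if any(n.prefixlen == 0 for n in allowed):   # 0.0.0.0/0 would be a full tunnel
        issues.append("0.0.0.0/0 present: all phone traffic would use the tunnel")
    return issues
```

Run `check_pair(ROUTER_CFG, PHONE_CFG, ["192.168.1.0/24", "192.168.2.0/24"])` against your own exported configs to confirm both sides agree before testing over mobile data.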
That's it! You should be able to test your configuration by doing the following:
If your phone is already connected to your local network (for example via Wi-Fi), disable Wi-Fi and enable your mobile data connection, so that you are sure you will be connecting to the pfSense WAN interface.
Enable the Wireguard tunnel you just configured on the phone
You should now be able to reach your pfSense router, either via IP or just using your local FQDN. Similarly, you should be able to reach your other local services on their subnets.
I hope this worked for you! Any questions or something not quite right? Leave me a comment below!