How to install the Wireguard add-on package on pfSense CE 2.5.2+ and set up a Wireguard tunnel from a device to your router.
(Photo by Hugues de BUYER-MIMEURE)
This post is a quick follow-up to my earlier tutorial explaining the setup process for Wireguard when it was still integrated directly in pfSense (v2.5.0). Since then, Netgate announced its removal from the CE and Plus editions, and shortly after an experimental add-on package was made available (see the source code on GitHub) so that users still interested could install it and continue experimenting with it in pfSense.
Here, we will quickly revisit the setup process. There are some minor differences with the new package, but the process is largely the same. At the time of writing, the package is at v0.1.5, as seen below:
When you click to install it, a disclaimer is laid out in front of you so that you are aware of the status of this feature and its code:
At this time this code is new, unvetted, possibly buggy, and should be
considered "experimental". It might contain security issues. We gladly
welcome your testing and bug reports, but do keep in mind that this code
is new, so some caution should be exercised at the moment for using it
in mission-critical environments.
So, consider yourself warned! "Lasciate ogni speranza, o voi che entrate..." 😈
For the tutorial, the scenario here is to create a Wireguard tunnel between your device (say, a phone) and your pfSense router. I will base the tunnel on the 10.0.2.0/24 subnet, but you might need to vary this if it overlaps an existing configuration on your side.
The following diagram shows the setup. In other words, we want to allow our phone (on the left) to connect to the private subnets inside our home network (on the right) via the router's WAN interface.
After having installed the Wireguard package, head to VPN > Wireguard in the top menu. Let's start by adding a tunnel:
The settings for your tunnel will be:
- Enable: ✅
- Description: pick what works for you
- Listen Port: 51820 (default; you can change it if you wish)
- Interface Keys: Generate, and then save the Public Key
Save your Tunnel configuration.
Let's move to Interfaces > Assignments. You should find an Available network port such as tun_wg0 in the dropdown. Add the interface and Save. Click on your new interface and let's configure it:
- Enable: ✅
- Description: you can rename it, for example,
- IPv4 Configuration Type: Static IPv4 (we are using an IPv4 configuration for our tutorial)
Leave the other fields empty and move to Static IPv4 Configuration. Set it up with your interface address:
IPv4 Upstream gateway empty and just
Time to move to the Firewall section!
Firewall > Rules, then pick your WAN interface. Add a Pass rule for IPv4 UDP traffic from any source to port 51820 (or whatever port you used for your Wireguard tunnel setup).
Assuming your mobile phone IP address is dynamic, the allowed source address and port should be
Apply the changes.
Now, you also need to add rules for your
Create a Pass rule for any traffic with source WG0 Net and destination WG0 Net (this will allow your phone to communicate with pfSense).
Create another Pass rule to allow traffic from WG0 Net to your local subnets. This will allow you to reach the home network services that you might want to access remotely. I personally use an alias that includes all the required subnets, so the rules look like this:
In this section, of course, use your discretion: you can always refine the rules and make them stricter in a second stage, once you have verified that your Wireguard connection is up and running and that you can reach what you need.
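To see what the three Pass rules above actually let through, here is an added example (not pfSense code and not part of the original post) that models them as a first-match rule set with pfSense's implicit default block, using the tutorial's own networks (WG0 Net 10.0.2.0/24, an alias of 192.168.1.0/24 and 192.168.2.0/24, UDP 51820 on WAN). The sample packets and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the rule set described in the tutorial (not pfSense code).
# Networks are the tutorial's own: WG0 Net = 10.0.2.0/24, home LANs 192.168.1.0/24
# and 192.168.2.0/24 (the alias), WireGuard listening on UDP 51820.
ANY = ipaddress.ip_network("0.0.0.0/0")
WG0_NET = ipaddress.ip_network("10.0.2.0/24")
HOME_ALIAS = (
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
)
WG_PORT = 51820


@dataclass(frozen=True)
class Rule:
    iface: str                  # interface the rule is attached to ("wan" or "wg0")
    proto: str                  # "udp", "tcp" or "any"
    src: Tuple[ipaddress.IPv4Network, ...]
    dst: Tuple[ipaddress.IPv4Network, ...]
    dport: Optional[int]        # None means any destination port
    action: str = "pass"


# The three Pass rules from the text, in order. pfSense evaluates rules
# first-match, and anything not matched is blocked by the implicit default rule.
RULES = (
    Rule("wan", "udp", (ANY,), (ANY,), WG_PORT),          # WAN: let WireGuard in
    Rule("wg0", "any", (WG0_NET,), (WG0_NET,), None),      # WG0 Net -> WG0 Net
    Rule("wg0", "any", (WG0_NET,), HOME_ALIAS, None),      # WG0 Net -> home alias
)


def evaluate(iface: str, proto: str, src: str, dst: str, dport: int) -> str:
    """Return the action the rule set takes on a packet arriving on `iface`."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in RULES:
        if rule.iface != iface:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if not any(src_ip in net for net in rule.src):
            continue
        if not any(dst_ip in net for net in rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "block"  # implicit default deny


if __name__ == "__main__":
    # Constructed sample packets; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    samples = [
        ("wan", "udp", "203.0.113.5", "198.51.100.1", WG_PORT),   # handshake from the phone
        ("wan", "tcp", "203.0.113.5", "198.51.100.1", WG_PORT),   # wrong protocol
        ("wan", "udp", "203.0.113.5", "198.51.100.1", 22),        # some other service
        ("wg0", "tcp", "10.0.2.2", "10.0.2.1", 443),              # phone -> pfSense over the tunnel
        ("wg0", "tcp", "10.0.2.2", "192.168.1.10", 443),          # phone -> home LAN host
        ("wg0", "tcp", "10.0.2.2", "172.16.0.1", 443),            # subnet not in the alias
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```

The WAN rule is modelled with an "any" destination exactly as the text describes it; a later refinement, as the author suggests, could narrow it to the WAN address. The last sample shows the point of the alias: a tunnel client can only reach subnets the alias names, everything else falls through to the default block.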
Now, go back to
It's time to start describing to our router what our mobile phone (the Peer) will look like, so that it will be allowed to connect to our tunnel. Click Add Peer and then use the following values:
- Enable: ✅
- Tunnel: select the tunnel you have just configured
- Description: what makes sense for you
- Dynamic Endpoint: leave unchecked
- Endpoint: let's give our phone a static address and port
- Keepalive: leave empty
- Public Key: ⌚ we will add this later, once we start working on the phone
- Pre-Shared Key: generate one and save it; you will need to set this in your phone. This is optional, but it adds an extra layer of security to your connection.
- Allowed IPs: 10.0.2.2/32 - only this address is associated with this peer (the mobile phone): pfSense accepts packets from it only with that source address, and routes traffic for that address to it.
Do not attempt to save your peer yet: it requires the Public Key to be specified. So, now we need to continue the setup on our phone to create the keypair and get the required value to add above.
Launch the app, click the Add icon and select Create from scratch. The setup will be very similar to what we have already done.
- Name: let your imagination go wild!
- Generate a key pair and save the public key. This is the key that you will need to copy into the Router peer configuration that we left suspended earlier.
- Addresses: 10.0.2.2/24; Listen port: leave empty
- DNS servers: 10.0.2.1 (this will be your pfSense)
Add a Peer:
- Public Key: copy & paste the public key you generated earlier in your pfSense tunnel configuration.
- Pre-Shared Key: copy & paste the value you generated in the pfSense tunnel Peer setup earlier.
- Endpoint: this will be the WAN address of your router, with the port you configured on the Firewall (51820 if you left the default setting)
- Allowed IPs: here I specify the home network subnets that I want to be sent over the Wireguard tunnel. If we look at the diagram we had at the start, here we would enter 10.0.2.0/24, 192.168.1.0/24, 192.168.2.0/24 and add any other subnet as required. By doing this, all the other traffic on the phone (for example, web browsing) will be routed as normal.
Save your configuration.
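The addressing choices made on both ends (the tunnel subnet, the phone's address, the /32 in the pfSense peer entry, and the split-tunnel Allowed IPs on the phone) have to agree with each other, and the text warns early on about overlapping an existing subnet. Here is an added example (my own, not part of the original post) that checks a plan for these consistency conditions with the standard `ipaddress` module. The values are the tutorial's; the check_plan function and the treatment of 10.0.2.1 as the pfSense end of the tunnel (the address the text uses as the phone's DNS server) are assumptions of this example.

```python
import ipaddress
from typing import List

# Constructed values taken from the tutorial's scenario. 10.0.2.1 is assumed to be
# the pfSense end of the tunnel (the address the text uses as the phone's DNS server).
TUNNEL_NET = "10.0.2.0/24"
PHONE_ADDR = "10.0.2.2/24"                                   # phone-side interface address
PFSENSE_PEER_ALLOWED = ["10.0.2.2/32"]                       # pfSense's peer entry for the phone
PHONE_PEER_ALLOWED = ["10.0.2.0/24", "192.168.1.0/24", "192.168.2.0/24"]
HOME_LANS = ["192.168.1.0/24", "192.168.2.0/24"]             # subnets to reach remotely


def check_plan(tunnel_net: str, phone_addr: str, pfsense_peer_allowed: List[str],
               phone_peer_allowed: List[str], home_lans: List[str]) -> List[str]:
    """Return a list of problems with the addressing plan (empty list = consistent)."""
    problems = []
    tnet = ipaddress.ip_network(tunnel_net)
    lans = [ipaddress.ip_network(lan) for lan in home_lans]

    # 1. The tunnel subnet must not overlap any subnet already in use.
    for lan in lans:
        if tnet.overlaps(lan):
            problems.append(f"tunnel subnet {tnet} overlaps existing subnet {lan}")

    # 2. The phone's interface address must lie inside the tunnel subnet.
    phone = ipaddress.ip_interface(phone_addr)
    if phone.ip not in tnet:
        problems.append(f"phone address {phone.ip} is not inside tunnel subnet {tnet}")

    # 3. On pfSense, the peer's Allowed IPs should be exactly the phone's /32:
    #    pfSense then only accepts packets from this peer with that source address.
    expected = [ipaddress.ip_network(f"{phone.ip}/32")]
    got = [ipaddress.ip_network(a) for a in pfsense_peer_allowed]
    if got != expected:
        problems.append(f"pfSense peer Allowed IPs {pfsense_peer_allowed} should be {expected[0]}")

    # 4. On the phone, Allowed IPs decides what is routed into the tunnel: it must
    #    cover the tunnel subnet and every home LAN, and must not be a default
    #    route, otherwise all phone traffic (web browsing included) goes through it.
    routed = [ipaddress.ip_network(a) for a in phone_peer_allowed]
    for needed in [tnet] + lans:
        if not any(needed.subnet_of(r) for r in routed):
            problems.append(f"phone Allowed IPs do not cover {needed}")
    if any(r.prefixlen == 0 for r in routed):
        problems.append("phone Allowed IPs contain a default route; this is a full tunnel, not split tunnelling")

    return problems


if __name__ == "__main__":
    print(check_plan(TUNNEL_NET, PHONE_ADDR, PFSENSE_PEER_ALLOWED, PHONE_PEER_ALLOWED, HOME_LANS))
```

Run with the tutorial's values it returns an empty list; swap the tunnel subnet for one of your LAN subnets, or put 0.0.0.0/0 in the phone's Allowed IPs, and it reports the overlap or the unintended full tunnel before you find out by losing connectivity.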
Putting it all together
Now you need to go back to your pfSense Peer configuration and add the public key you generated on the phone Wireguard Interface.
Save your configuration.
That's it! You should be able to test your configuration by doing the following:
- If your phone is already connected to your local network (for example via Wi-Fi), disable Wi-Fi and enable your mobile data connection, so that you are sure you will be connecting to the pfSense WAN interface.
- Enable the Wireguard tunnel you just configured on the phone
You should now be able to reach your pfSense router, either via IP or just using your local FQDN. Similarly, you should be able to reach your other local services on their subnets.
I hope this worked for you! Any questions or something not quite right? Leave me a comment below!