How to Configure WireGuard VPN Server in pfSense

WireGuard VPN Server in pfSense

WireGuard is a new, robust and very fast VPN protocol for creating virtual private networks; in this article we have seen how it can double or even triple the speed of OpenVPN or IPsec. This new VPN protocol is ideal for remote access configurations with mobile clients, whether smartphones, tablets or laptops, since it consumes very few resources and the connection is really fast. pfSense version 2.5.0 has officially incorporated this new VPN alongside IPsec, L2TP and OpenVPN. Today we are going to show you how to configure the WireGuard VPN from scratch in pfSense 2.5.0 to connect remotely.

WireGuard VPN Features

WireGuard is a very lightweight piece of software that lets us configure a VPN tunnel quickly and easily. By default it uses the most modern cryptography: there is no need to choose among symmetric, asymmetric or hash algorithms, because it ships with a single secure suite, unlike other VPN protocols. WireGuard's goal is to become the best VPN for both home and business users, and it is succeeding: it has already been integrated into the Linux kernel to provide the best possible performance.

Regarding the cryptography used, ChaCha20 is used for symmetric encryption, authenticated with Poly1305, so we have AEAD. It also uses Curve25519 for ECDH, BLAKE2 for hashing, SipHash24 for hashtable keys, and HKDF for key derivation. As you can see, the most modern cryptographic algorithms are used by default, and at the moment they cannot be swapped for others; these are the ones you get, without exception.

With this new VPN we will not need to manage connections or make complicated configurations. It works only in tunnel mode because it is an L3 VPN, and it uses UDP as the transport protocol; TCP cannot be selected, but we can change the listening port to whatever we want. Of course, the WireGuard server can sit behind NAT without problems; only a port forward is needed. Other interesting features are that it allows roaming between networks quickly and easily, so we stay connected from any WiFi or 4G/LTE network without interrupting the connection. In addition, we can also enable the kill switch to prevent data leaks if the VPN goes down.

Lastly, this new VPN is compatible with multiple operating systems such as Windows, Linux, macOS, FreeBSD, Android and iOS. The pfSense 2.5.0 development team has now incorporated WireGuard into the system by default; previously we could also install it, but without official support.

WireGuard VPN Server Configuration

Before the release of pfSense 2.5.0, if we wanted WireGuard on this complete firewall we had to install it manually by downloading some FreeBSD-compatible packages. Thanks to the pfSense development team, as of version 2.5.0 it is integrated into the graphical user interface by default.

The first thing we must do is go to the "VPN / WireGuard" section to enter the configuration of this new VPN protocol. As soon as we enter the menu, we click on "Add Tunnel".

In the tunnel configuration, we must enable the tunnel, give it a description and put the following:

  • Address: IPv4 or IPv6 address of the VPN server on the tunnel interface.
  • Port: by default it is UDP 51820, but we can change it to any UDP port.

pfSense includes a public/private key generator for the WireGuard VPN server. Our recommendation is to first generate a key pair for the VPN client, and then click "Generate" again so that the second pair generated is the VPN server's. For example, the following keys are the ones we will use later in the VPN client. You can use a notepad or Notepad++ to record the configuration.

To simplify the configuration of WireGuard with public and private keys, you can also use the wireguardconfig tool, which automatically generates both the server and the client configurations, which can then be adapted to pfSense.

And the second pair generated is the WireGuard VPN server's own.

Once we have the keys, we click "Save" and the VPN server is created with the previous configuration:

Once we have it, we now have to register the "peers", that is, the VPN clients. We go back to the WireGuard server configuration and click on the green "Add Peer" button. Here we will have to fill in some settings, but it is not necessary to fill in all of them.

Now we are going to explain what each of the options is for:

  • Description: a description for this client, for example our name.
  • Endpoint: the public IP address of the VPN client.
  • Endpoint port: the port of the VPN client.

If you are going to configure a VPN client whose public IP and port change, then we must leave the "Endpoint" and "Endpoint Port" options empty. These options must be filled in if we are going to configure a Site-to-Site VPN, but for remote access (road warrior) it is not necessary to fill them in.

  • Keep alive: a value in seconds; at that interval it verifies that the tunnel is still up. It is disabled by default.

Now come the most important settings:

  • Public Key: we must enter the public key of the VPN client; you saw earlier how it is generated for the client, and this is where that public key goes.
  • Allowed IPs: if we want Internet traffic to be redirected and access to all networks, we enter 0.0.0.0/0. The most common setup is for remote access VPN clients to reach the Internet through the VPN itself, but here we can configure access to specific networks.
  • Peer WireGuard Address: the IP address of the registered peer.
  • Pre-shared key: optional; you can add a pre-shared key to further enhance security.

In our case we have not set a pre-shared key, but if you do, it must be exactly the same in pfSense and in the VPN client, and we must generate it with the blue button provided in pfSense. We cannot use a pre-shared key such as "12345678"; we must use the pfSense generator.

Once we have correctly configured the WireGuard VPN server in pfSense 2.5.0, we are going to configure the firewall part, because by default it blocks everything.

Firewall Configuration on WAN and WireGuard

Before connecting the first VPN client, we must go to "Firewall / Rules" and add a new rule on the Internet-facing WAN interface, with the following information:

  • Action: Pass
  • Interface: WAN
  • Address Family: IPv4, IPv6 or both
  • Protocol: UDP
  • Source: any (if you are going to set up a Site-to-Site with WireGuard, you could put the remote public IP here to improve security).
  • Destination: WAN Address on port 51820

Once configured, we click on "Save" to save this rule and apply the changes, as always when we add a new rule to the firewall.

Once this is done, we must go to the "WireGuard" interface that has been created automatically in the "Firewall / Rules" section. Here we will have to allow all communications once the client has connected, or only what we want, just as with OpenVPN or IPsec.

In the following configuration, you can see that we have a rule with these settings:

  • Action: Pass
  • Interface: WireGuard
  • Address Family: IPv4, IPv6 or both
  • Protocol: Any
  • Source: any
  • Destination: any

We click "Save" and apply the changes, as usual. At this point we are ready to configure the WireGuard VPN clients.

Configure WireGuard VPN Clients and Connect to pfSense

The configuration of WireGuard VPN clients is the same on all platforms; we will need exactly the same information. In our case we have used an Android smartphone; you can download the official WireGuard app for Android and iOS below:

It is also available for other operating systems such as Windows, directly from the official website of this VPN protocol. Once installed, we can configure the client easily.

As we said before, our recommendation is that, when generating the keys in pfSense, you copy them into a notepad, both the public key and the private key. You also have to copy the server's public key. Once this is done, we open WireGuard and add a new VPN tunnel; we have three options:

  • Import the whole configuration from a file: if you are going to configure several clients such as Windows, Linux, etc., it is normal to have a template with the different configurations.
  • Scan from QR code: if we use the WireGuardConfig tool we can do this easily.
  • Create from scratch: this is the option we have chosen.

When adding a new VPN, we must fill in all or almost all the information it asks for; this is the VPN client side:

  • Name: a description for the VPN tunnel, a descriptive name in case we have several.
  • Private key: the client private key that we previously copied to the notepad.
  • Public key: it is generated automatically when the private key is entered.
  • Addresses: the client's IPv4 or IPv6 address; in this case we previously configured 10.9.0.2/32, so we enter that.
  • Port: we leave it blank.
  • DNS servers: we can enter a specific DNS server, or directly the tunnel's DNS server.
  • MTU: we leave it blank.

Now we click on "Add peer" and more settings are displayed; these settings are those of the VPN server.

  • Public key: the public key of the VPN server.
  • Pre-shared key: if we have not configured one we leave it blank; if we have, we copy it exactly.
  • Persistent keepalive: the keep alive; it is recommended to leave it blank.
  • Endpoint: we must use the "IP:port" syntax, so we can enter "vpn.redeszone.net:51820".
  • Allowed IPs: if we want to route everything, we enter 0.0.0.0/0. There is also a button to exclude private IPs.
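
The key handling on both sides of this procedure (the pfSense "Add Peer" form above and the client form just described), as an added example that is not part of the original article: given the client's private key as generated by pfSense, it derives the matching public key with X25519 so you can check that the key pasted into pfSense really belongs to that client, renders the client-side file that the app's "Import from file" option accepts, and lists the values for the pfSense peer. The hostname vpn.redeszone.net, the address 10.9.0.2/32 and port 51820 come from the article; the pure-Python X25519 routine, the function names and the sample description are this example's own, and it fills the pfSense "Allowed IPs" with the client's own /32, which is the set of source addresses WireGuard will accept from that peer.

```python
import base64, ipaddress
P = 2**255 - 19  # Curve25519 field prime

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 scalar multiplication (Montgomery ladder); pure Python, for tooling only."""
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64  # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3, z2, z3 = (x3, x2, z3, z2) if swap else (x2, x3, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    x2, z2 = (x3, z3) if swap else (x2, z2)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def key_hex_to_b64(hex_key: str) -> str: return base64.b64encode(bytes.fromhex(hex_key)).decode()

def public_key_from_private(private_b64: str) -> str:
    """A WireGuard public key is X25519(private, 9); use it to check that a pasted pair matches."""
    priv = base64.b64decode(private_b64, validate=True)
    if len(priv) != 32: raise ValueError("WireGuard keys are 32 bytes, base64-encoded")
    return base64.b64encode(x25519(priv, (9).to_bytes(32, "little"))).decode()

def build_client_config(client_private_b64, client_address, server_public_b64, endpoint,
                        dns=None, preshared_b64=None, allowed_ips="0.0.0.0/0"):
    """Render the client-side file the WireGuard app imports; empty optional fields are omitted."""
    ipaddress.ip_interface(client_address)              # rejects anything that is not e.g. 10.9.0.2/32
    base64.b64decode(server_public_b64, validate=True)  # rejects a mangled server public key
    iface = {"PrivateKey": client_private_b64, "Address": client_address, "DNS": dns}
    peer = {"PublicKey": server_public_b64, "PresharedKey": preshared_b64,
            "Endpoint": endpoint, "AllowedIPs": allowed_ips}
    def section(name, kv):
        return [f"[{name}]"] + [f"{key} = {val}" for key, val in kv.items() if val]
    return "\n".join(section("Interface", iface) + [""] + section("Peer", peer)) + "\n"

def pfsense_peer_fields(client_private_b64, client_address, description, preshared_b64=None):
    """Values for the pfSense 'Add Peer' form; a roaming client leaves Endpoint and port empty."""
    host = ipaddress.ip_interface(client_address).ip
    return {"Description": description, "Endpoint": "", "Endpoint Port": "", "Keep alive": "",
            "Public Key": public_key_from_private(client_private_b64),
            "Allowed IPs": f"{host}/32",  # source addresses accepted from this peer: its own tunnel IP
            "Peer WireGuard Address": str(host), "Pre-shared key": preshared_b64 or ""}
```

The X25519 routine is verified against the RFC 7748 test vectors, so a mismatch between the derived and the pasted public key points at a copy error in the notepad, not at the tool.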

Once this is done, we click on save and can see all the settings we made.

Once added and verified that everything is correct, we connect and see that traffic is being exchanged and that the VPN is working perfectly.

If we see no received packets, something is wrong and the WireGuard VPN tunnel has not been established correctly. If this happens to you, review the whole configuration and check the pfSense logs to see what is happening.

We hope that with this tutorial you have been able to configure the WireGuard VPN server in your magnificent pfSense 2.5.0.