Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note

The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel

WireGuard Site-to-Multisite VPN Configuration Example

This recipe explains how to setup a VPN tunnel between three firewalls in a site-to-multisite configuration using WireGuard.

This example is a minimal configuration, more complicated scenarios are possible, see WireGuard for details.

../_images/diagrams-wireguard-site-to-multisite.png

WireGuard Example Site-to-Multisite Network

Required Information

General Values

Item

Value

Design

Site-to-Multisite, one peer per tunnel (spokes), multiple peers per tunnel (hubs)

Tunnel Subnet

172.16.0.0/30

HQ:

Item

Value

WAN IP Address

198.51.100.10

Tunnel Address

172.16.0.1/30

Listen Port

51820

Remote Office A:

Item

Value

WAN IP Address

198.51.100.100

Tunnel Address

172.16.0.2/30

Listen Port

51820

LAN Subnet

10.0.100.0/24

Remote Office B:

Item

Value

WAN IP Address

198.51.100.200

Tunnel Address

172.16.0.3/30

Listen Port

51820

LAN Subnet

10.0.200.0/24

WireGuard Configuration

  • Navigate to VPN > WireGuard > Settings

  • Fill in the following options:

    Enable

    Checked

    Interface Group Membership

    Only Unassigned Tunnels

  • Click fa-save Save

Tip

When allowing inbound connections from arbitrary remote networks, use rules only on assigned WireGuard interface tabs only to ensure proper return routing.

Note

Rules on assigned WireGuard interface tabs get reply-to which ensures that traffic entering a specific assigned WireGuard interface exits back out the same interface. Without that, return traffic will follow the default gateway.

Tunnel Configuration

First, create the WireGuard tunnel on all three sites:

  • Navigate to VPN > WireGuard > Tunnels

  • Click fa-plus Add Tunnel

  • Fill in the options using the information determined earlier, with variations noted for each site:

    Enabled

    Checked

    HQ Settings
    Description

    Remote Sites VPN

    Remote Office A Settings
    Description

    HQ VPN

    Remote Office B Settings
    Description

    HQ VPN

    Listen Port

    51820

    Interface Keys

    Click Generate to create a new set of keys.

  • Copy the public key from each firewall and note which is which

  • Click fa-save Save Tunnel

Peer Configuration

The peer entry for the server can be added when editing the tunnel. Follow these steps on both sites, with the differences in settings noted inline.

Edit the tunnel:

  • Navigate to VPN > WireGuard > Tunnels

  • Locate the WireGuard tunnel for this VPN

  • Click fa-pencil at the end of the row for the tunnel

From the tunnel editing page, add a peer:

  • Click fa-plus Add Peer

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings
    Description

    Remote Office A Peer

    Endpoint

    198.51.100.100 (the WAN IP address of Remote Site A)

    Endpoint Port

    51820

    Public Key

    The public key from the Remote Office A firewall

    Allowed IPs

    172.16.0.2/32 and 10.0.100.0/24 (Remote Site A Tunnel Interface and LAN)

    HQ Settings
    Description

    Remote Office B Peer

    Endpoint

    198.51.100.200 (the WAN IP address of Remote Site B)

    Endpoint Port

    51820

    Public Key

    The public key from the Remote Office B firewall

    Allowed IPs

    172.16.0.3/32 and 10.0.200.0/24 (Remote Site B Tunnel Interface and LAN)

    Remote Office A Settings
    Description

    HQ Peer

    Endpoint

    198.51.100.10 (the WAN IP address of HQ)

    Endpoint Port

    51820

    Public Key

    The public key from the HQ firewall

    Allowed IPs

    172.16.0.0/30 and 10.0.200.0/24 (Tunnel Network and Remote Site B LAN)

    Remote Office B Settings
    Description

    HQ Peer

    Endpoint

    198.51.100.10 (the WAN IP address of HQ)

    Endpoint Port

    51820

    Public Key

    The public key from the HQ firewall

    Allowed IPs

    172.16.0.0/30 and 10.0.100.0/24 (Tunnel Network and Remote Site A LAN)

  • Click fa-save Save Peer

Assign Interface

These steps should be done on all sites.

First, fix the default gateway so WireGuard isn’t automatically selected before it’s ready:

  • Navigate to System > Routing

  • Set Default Gateway IPv4 to a specific gateway (e.g. WANGW) or group

  • Set Default Gateway IPv6 in a similar manner if this VPN will also carry IPv6 traffic

  • Click fa-save Save

  • Click fa-check Apply Changes

Next, assign the interface (Assign a WireGuard Interface):

  • Navigate to Interfaces > Assignments

  • Select the appropriate tun_wg<number> interface in the Available network ports list

  • Click fa-plus Add to assign the interface as a new OPT interface (e.g. OPT1)

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. VPN_HQ, VPN_SITEA, or VPN_SITEB)

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings (VPN_HQ)
    IPv4 Configuration Type

    Static IPV4

    IPv4 Address

    172.16.0.1/30

    Remote Office A Settings (VPN_SITEA)
    IPv4 Configuration Type

    Static IPV4

    IPv4 Address

    172.16.0.2/30

    Remote Office B Settings (VPN_SITEB)
    IPv4 Configuration Type

    Static IPV4

    IPv4 Address

    172.16.0.3/30

  • Click fa-save Save

  • Click fa-check Apply Changes

Firewall Rules

First, add a rule to the WAN on both firewalls to allow traffic to reach WireGuard:

Note

Traffic flowing between peers is subject to firewall rules on the associated WireGuard interface.

  • Navigate to Firewall > Rules, WAN tab

  • Click fa-level-up Add to create a new firewall rule at the top of the list so that it matches before other rules

  • Configure the firewall rule as follows:

    Action

    Pass

    Protocol

    UDP

    Source

    This can typically be left at Any, but it is more secure to fill in the IP address of the opposing firewall.

    Destination

    WAN Address

    Destination Port Range

    (other), 51820

    Description

    Pass traffic to WireGuard

  • Click fa-save Save

  • Click fa-check Apply Changes

Next, add a rule to pass traffic inside the WireGuard tunnel on both firewalls:

  • Navigate to Firewall > Rules

  • Click the tab for the assigned WireGuard interface (e.g. VPN_HQ, VPN_SITEA, or VPN_SITEB)

  • Click fa-level-up Add to add a new rule to the top of the list

  • Use the following settings:

    Action

    Pass

    Protocol

    Any

    Source

    any

    Destination

    any

    Description

    Pass VPN traffic from WireGuard peers

    Note

    This rule allows all traffic between sites, which is easy but not a secure practice. Traffic between the sites can be restricted as needed with less permissive rules.

  • Click fa-save Save

  • Click fa-check Apply Changes

Routing

These steps should be performed on all sites:

  • Navigate to System > Routing > Gateways

  • Click fa-plus Add

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings
    Interface

    tun_wg<number>

    Address Family

    IPv4

    Name

    WG_SITEA_GW4

    Gateway

    172.16.0.2

    HQ Settings
    Interface

    tun_wg<number>

    Address Family

    IPv4

    Name

    WG_SITEB_GW4

    Gateway

    172.16.0.3

    Remote Office A/B
    Interface

    tun_wg<number>

    Address Family

    IPv4

    Name

    WG_HQ_GW4

    Gateway

    172.16.0.1

  • Click fa-save Save

  • Click fa-check Apply Changes

Specific networks can be routed across the VPN by adding a static route for the network(s) under System > Routing on the Static Routes tab.

These steps should be done on all sites.

  • Navigate to System > Routing > Static Routes

  • Click fa-plus Add

  • Fill in the options using the information determined earlier, with variations noted for each site:

    HQ Settings
    Destinaton Network

    10.0.100.0/24 (e.g. Remote Office A LAN segment)

    Gateway

    WG_SITEA_GW4

    HQ Settings
    Destinaton Network

    10.0.200.0/24 (e.g. Remote Office B LAN segment)

    Gateway

    WG_SITEB_GW4

    Remote Office A Settings
    Destinaton Network

    10.0.200.0/24 (e.g. Remote Office B LAN segment)

    Gateway

    WG_HQ_GW4

    Remote Office B Settings
    Destinaton Network

    10.0.100.0/24 (e.g. Remote Office A LAN segment)

    Gateway

    WG_HQ_GW4

  • Click fa-save Save

  • Click fa-check Apply Changes

See also

As an alternative to static routing in this way, dynamic routing protocols can also work with WireGuard. See WireGuard Routing for more information.

Tip

These gateways can also be used for policy routing if needed.

Finish Up

The configuration is now complete! The two remote office sites should now have full LAN-to-LAN connectivity via HQ.

See also