Warning

WireGuard has been removed from releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard Site-to-Site VPN Configuration Example

This recipe explains how to setup a VPN tunnel between two firewalls using WireGuard.

This example is a minimal configuration, more complicated scenarios are possible, see WireGuard for details.

Required Information

General Values

Item	Value
Design	Site-to-Site, one peer per tunnel
Tunnel Subnet	10.6.210.0/24

HQ:

Item	Value
WAN IP Address	198.51.100.15
Tunnel Address	10.15.210.1/24
Listen Port	51820
LAN Subnet	10.15.0.0/24

Satellite Office:

Item	Value
WAN IP Address	198.51.100.23
Tunnel Address	10.15.210.2/24
Listen Port	51820
LAN Subnet	10.23.0.0/24

Tunnel Configuration

First create the WireGuard tunnel on both sites:

• Navigate to VPN > WireGuard

• Click Add Tunnel

• Fill in the options using the information determined earlier, with variations noted for each site:

  Enabled

  Checked

  HQ Settings

  Description

  Satellite Office VPN

  Address

  10.15.210.1/24

  Satellite Office Settings

  Description

  HQ VPN

  Address

  10.15.210.2/24

  Listen Port

  51820

  Interface Keys

  Click Generate to create a new set of keys.

• Copy the public key from each firewall and note which is which

• Click Save

Peer Configuration

The peer entry for the server can be added when editing the tunnel. Follow these steps on both sites, with the differences in settings noted inline.

Edit the tunnel:

• Navigate to VPN > WireGuard

• Locate the WireGuard tunnel for this VPN provider

• Click at the end of the row for the tunnel

From the tunnel editing page, add a peer:

• Click Add Peer

• Fill in the options using the information determined earlier:

  HQ Settings

  Description

  Satellite Office Peer

  Endpoint

  198.51.100.23 (the WAN IP address of the Satellite Office)

  Endpoint Port

  51820

  Public Key

  The public key from the Satellite Office firewall

  Allowed IPs

  10.15.210.2/32, 10.23.0.0/24 (Satellite office tunnel address and LAN)

  Peer WireGuard Address

  10.15.210.2 (Satellite office tunnel address)

  Satellite Office Settings

  Description

  HQ VPN Peer

  Endpoint

  198.51.100.15 (the WAN IP address of HQ)

  Endpoint Port

  51820

  Public Key

  The public key from the HQ firewall

  Allowed IPs

  10.15.210.1/32, 10.15.0.0/24 (HQ tunnel address and LAN)

  Peer WireGuard Address

  10.15.210.1 (HQ tunnel address)

• Click Update

• Click Save

Assign Interface

These steps should be done on both sites.

First, fix the default gateway so WireGuard isn’t automatically selected before it’s ready:

• Navigate to System > Routing

• Set Default Gateway IPv4 to a specific gateway (e.g. WANGW) or group

• Set Default Gateway IPv6 in a similar manner if this VPN will also carry IPv6 traffic

• Click Save

• Click Apply Changes

Next, assign the interface so the automatic gateway can be used for policy routing (Assign a WireGuard Interface).

• Navigate to Interfaces > Assignments

• Select the appropriate wg<number> interface in the Available network ports list

• Click Add to assign the interface as a new OPT interface (e.g. OPT1)

• Navigate to the Interface configuration page, Interfaces > OPTx

• Check Enable

• Enter an appropriate Description which will become the interface name (e.g. VPN_HQ or VPN_Satellite)

• Click Save

• Click Apply Changes

Firewall Rules

First, add a rule to the WAN on both firewalls to allow traffic to reach WireGuard:

• Navigate to Firewall > Rules, WAN tab

• Click Add to create a new firewall rule at the top of the list so that it matches before other rules

• Configure the firewall rule as follows:

  Action

  Pass

  Protocol

  UDP

  Source

  This can typically be left at Any, but it is more secure to fill in the IP address of the opposing firewall.

  Destination

  WAN Address

  Destination Port Range

  (other), 51820

  Description

  Pass traffic to WireGuard

• Click Save

• Click Apply Changes

Next, add a rule to pass traffic inside the WireGuard tunnel on both firewalls:

• Navigate to Firewall > Rules

• Click the tab for the assigned WireGuard interface (e.g. VPN_Satellite or VPN_HQ)

• Click Add to add a new rule to the top of the list

• Use the following settings:

  Action

  Pass

  Protocol

  Any

  Source

  any

  Destination

  any

  Description

  Pass VPN traffic from WireGuard peers

  Note

  This rule allows all traffic between sites, which is easy but not a secure practice. Traffic between the sites can be restricted as needed with less permissive rules.

• Click Save

• Click Apply Changes

Routing

Since the networks for the peers were entered in the Allowed IPs field, the firewall will automatically handle setting up routes to the peer, so no additional routing work should be needed.

See also

As an alternative to static routing in this way, dynamic routing protocols can also work with WireGuard. See WireGuard Routing for more information.

The interface assignment also creates an automatic gateway which can be used for policy routing if needed.

Finish Up

The configuration is now complete! The two sites should now have full LAN-to-LAN connectivity.

See also

• WireGuard

• Routing

• WireGuard Remote Access VPN Configuration Example

• WireGuard VPN Client Configuration Example