Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Assign a WireGuard Interface

Some functionality for WireGuard interfaces depends upon them being assigned as their own interfaces on the firewall. Benefits of assignment include:

  • Adds a firewall tab under Firewall > Rules

  • Allows the interface to be selected for use with NAT rules

  • Allows the interface to be selected throughout the GUI and packages for various purposes

  • Adds an automatic dynamic gateway for use with routing, policy routing, gateway groups, etc.

  • Rules on assigned interface tabs get reply-to which ensures return routing will exit back the expected interface for inbound connections.

Automatic WireGuard Gateway Behavior

By default the automatic gateway for an assigned WireGuard interface uses the address of the WireGuard interface itself to nudge traffic into the tunnel. If the Peer WireGuard Address value is defined on a peer, and it lies within the WireGuard Address subnet, that value will be used for the gateway instead.

In the case of single peer tunnels, using the peer address for the gateway makes more sense as it enables monitoring end-to-end connectivity of the tunnel. It does not make as much sense for tunnels with multiple peers as no one single peer will reflect the connectivity of the tunnel as a whole.

Note

Manual gateways can be defined as needed in addition to the automatic gateway.

Assignment Procedure

To assign the interface:

  • Navigate to Interfaces > Assignments

  • Select the appropriate wg<number> interface in the Available network ports list

    The description of the tunnel is printed next to the interface name in the list.

  • Click fa-plus Add to assign the interface as a new OPT interface (e.g. OPT1)

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. WG_S2S)

  • Click Save

  • Click Apply Changes