Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note

The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel

Assign a WireGuard Interface

Some functionality for WireGuard interfaces depends upon them being assigned as their own interfaces on the firewall. Benefits of assignment include:

  • Adds a firewall tab under Firewall > Rules

  • Allows the interface to be selected for use with NAT rules

  • Allows the interface to be selected throughout the GUI and packages for various purposes

  • Rules on assigned interface tabs get reply-to which ensures return routing will exit back the expected interface for inbound connections.

Assignment Procedure

To assign the interface:

  • Navigate to Interfaces > Assignments

  • Select the appropriate tun_wg<number> interface in the Available network ports list

    The description of the tunnel is printed next to the interface name in the list.

  • Click fa-plus Add to assign the interface as a new OPT interface (e.g. OPT1)

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. WG_S2S)

  • Configure interface addresses and gateways as necessary

  • Click Save

  • Click Apply Changes