Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note

The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel

Assign a WireGuard Interface

Some functionality for WireGuard interfaces depends upon them being assigned as their own interfaces on the firewall. Benefits of assignment include:

  • Adds a firewall tab under Firewall > Rules

  • Allows the interface to be selected for use with NAT rules

  • Allows the interface to be selected throughout the GUI and packages for various purposes

  • Rules on assigned interface tabs get reply-to which ensures return routing will exit back the expected interface for inbound connections.

Assignment Procedure

To assign the interface:

  • Navigate to System > Routing

  • Set the Default gateway options to a specific gateway or group, as long as they are not left at Automatic (Managing the Default Gateway)

    Warning

    If the default gateway remains set to Automatic the firewall may end up using the WireGuard interface as the default gateway, which is unlikely to be the desired outcome.

  • Navigate to Interfaces > Assignments

  • Select the appropriate tun_wg<number> interface in the Available network ports list

    The description of the tunnel is printed next to the interface name in the list.

  • Click fa-plus Add to assign the interface as a new OPT interface (e.g. OPT1)

  • Navigate to the Interface configuration page, Interfaces > OPTx

  • Check Enable

  • Enter an appropriate Description which will become the interface name (e.g. WG_S2S)

  • Configure interface addresses and gateways as necessary

  • Click Save

  • Click Apply Changes