WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.
If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes
WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.
Configure a WireGuard Tunnel¶
To configure a WireGuard Tunnel:
Navigate to VPN > WireGuard
Click Add Tunnel
Fill in the WireGuard Tunnel settings as described in WireGuard Tunnel Settings
Click Add Peer
Fill in the WireGuard Peer settings as described in WireGuard Peer Settings
Repeat the add/configure steps for peers if there are multiple peers
Add firewall rules on Firewall > Rules, WAN tab to allow UDP traffic to the port for this WireGuard tunnel (WireGuard and Rules / NAT)
Add firewall rules on the common Firewall > Rules, WireGuard tab to pass traffic inside the VPN (WireGuard and Rules / NAT)
After configuring the WireGuard instance, there are a few more optional steps depending on the requirements of the use case:
Navigate to System > Routing
Set the Default gateway options to a specific gateway or group, as long as they are not left at Automatic
If the default gateway remains set to Automatic the firewall may end up using the WireGuard interface as the default gateway, which is unlikely to be the desired outcome.
Assign the WireGuard interface as a new OPTx interface (Assign a WireGuard Interface)
Add firewall rules specific to this tunnel on Firewall > Rules, OPTx tab to pass traffic inside the VPN (WireGuard and Rules / NAT)
Setup one of the alternate routing methods as described in WireGuard Routing, if needed.