WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.


The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel.

Configure a WireGuard Tunnel

To configure a WireGuard Tunnel:

  • Navigate to VPN > WireGuard > Tunnels

  • Click Add Tunnel

  • Fill in the WireGuard Tunnel settings as described in WireGuard Package Settings

  • Click Save Tunnel

  • Add firewall rules on Firewall > Rules, WAN tab to allow UDP traffic to the port for this WireGuard tunnel (WireGuard and Rules / NAT)

  • Add firewall rules on the common Firewall > Rules, WireGuard tab to pass traffic inside the VPN (WireGuard and Rules / NAT)

Configure a WireGuard Peer

To configure a WireGuard peer:

  • Navigate to VPN > WireGuard > Peers

  • Click Add Peer

  • Fill in the WireGuard Peer settings as described in WireGuard Peer Settings

  • Click Save Peer

  • Repeat the add/configure steps if there are multiple peers

Additional Configuration Steps

After configuring the WireGuard tunnel, there are a few more optional steps depending on the requirements of the use case:

  • Navigate to System > Routing

  • Set the Default gateway options to a specific gateway or group. Any choice is acceptable as long as they are not left at Automatic (Managing the Default Gateway)


    If the default gateway remains set to Automatic, the firewall may end up using the WireGuard interface as the default gateway, which is unlikely to be the desired outcome.

  • Assign the WireGuard interface as a new OPTx interface (Assign a WireGuard Interface)

  • Add firewall rules specific to this tunnel on Firewall > Rules, OPTx tab to pass traffic inside the VPN (WireGuard and Rules / NAT)

  • Set up one of the alternate routing methods as described in WireGuard Routing, if needed.