Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Configure a WireGuard Tunnel

To configure a WireGuard Tunnel:

  • Navigate to VPN > WireGuard

  • Click fa-plus Add Tunnel

  • Fill in the WireGuard Tunnel settings as described in WireGuard Tunnel Settings

  • Click fa-plus Add Peer

  • Fill in the WireGuard Peer settings as described in WireGuard Peer Settings

  • Repeat the add/configure steps for peers if there are multiple peers

  • Click Save

  • Add firewall rules on Firewall > Rules, WAN tab to allow UDP traffic to the port for this WireGuard tunnel (WireGuard and Rules / NAT)

  • Add firewall rules on the common Firewall > Rules, WireGuard tab to pass traffic inside the VPN (WireGuard and Rules / NAT)

After configuring the WireGuard instance, there are a few more optional steps depending on the requirements of the use case:

  • Navigate to System > Routing

  • Set the Default gateway options to a specific gateway or group, as long as they are not left at Automatic

    Warning

    If the default gateway remains set to Automatic the firewall may end up using the WireGuard interface as the default gateway, which is unlikely to be the desired outcome.

  • Assign the WireGuard interface as a new OPTx interface (Assign a WireGuard Interface)

  • Add firewall rules specific to this tunnel on Firewall > Rules, OPTx tab to pass traffic inside the VPN (WireGuard and Rules / NAT)

  • Setup one of the alternate routing methods as described in WireGuard Routing, if needed.