WireGuard

Warning

WireGuard has been removed from the base system in releases after pfSense Plus 21.02-p1 and pfSense CE 2.5.0, when it was removed from FreeBSD.

If upgrading from a version that has WireGuard active, the upgrade will abort until all WireGuard tunnels are removed. For more details, see the Release Notes.

WireGuard is available as an experimental add-on package on pfSense Plus 21.05, pfSense CE 2.5.2, and later versions. The settings for the WireGuard add-on package are not compatible with the older base system configuration.

Note

The WireGuard package is still under active development. Follow the development progress on the developer’s YouTube channel.

WireGuard Overview

WireGuard is a Layer 3 VPN protocol designed for speed and simplicity. It performs nearly as fast as hardware-accelerated IPsec and has only a small number of configuration options.

Because of this simplicity, WireGuard lacks many of the conveniences of more complicated VPN types which help automate large deployments. Thus, while its performance scales well, management can become cumbersome with large numbers of peers.

WireGuard behaves unlike other traditional VPN types in several ways:

  • It operates completely in the kernel

  • Configuration is placed directly on the interfaces

  • It has no concept of connections or sessions

  • It has no facilities for user authentication; a peer is identified solely by its static public key

  • There is minimal logging from the kernel

  • It does not bind to a specific interface or address on the firewall; it accepts traffic to any address on the firewall on its specified UDP port

WireGuard instances consist of a tunnel and one or more peer definitions which contain the necessary keys and other configuration data, including the allowed IP addresses for each peer.

WireGuard interfaces carry Layer 3 traffic and above; there is no Layer 2 (Ethernet) framing.
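As an added example (not code from the pfSense project or the WireGuard package), the following Python models what a tunnel and its peer definitions contain and how WireGuard's "cryptokey routing" stands in for the sessions and user authentication listed above: each peer is only a public key plus the addresses allowed behind it, outbound packets are steered to the peer whose allowed IPs cover the destination, and decrypted inbound packets are dropped unless their inner source lies inside the sending peer's allowed IPs. The X25519 routine is the RFC 7748 ladder written for readability (it is not constant-time) and is included only so the example runs offline; the key material, addresses and endpoints are constructed sample values.

```python
from __future__ import annotations

# Added example, not pfSense or WireGuard project code. Illustrates the contents of
# a tunnel + peer definition and WireGuard's cryptokey routing rules.
import base64
import ipaddress
import secrets

P = 2**255 - 19                     # field prime for Curve25519
A24 = 121665                        # (486662 - 2) / 4
BASEPOINT = bytes([9]) + bytes(31)  # u = 9, little-endian


def clamp(key: bytes) -> bytes:
    """Scalar clamping that `wg genkey` applies before storing a private key."""
    k = bytearray(key)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Illustrative only: branches on secret bits."""
    k = int.from_bytes(clamp(scalar), "little")
    u = bytearray(point)
    u[31] &= 127
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private_key: bytes) -> bytes:
    return x25519(private_key, BASEPOINT)


def generate_keypair() -> tuple[str, str]:
    """Base64 private/public pair in the form wg(8) and the pfSense package accept."""
    priv = clamp(secrets.token_bytes(32))
    return base64.b64encode(priv).decode(), base64.b64encode(public_key(priv)).decode()


def render_tunnel(private_key: str, listen_port: int, peers: list[dict]) -> str:
    """Emit a wg(8)-style tunnel: one [Interface] block and one [Peer] block per peer."""
    lines = ["[Interface]", f"PrivateKey = {private_key}", f"ListenPort = {listen_port}", ""]
    for peer in peers:
        lines += ["[Peer]", f"PublicKey = {peer['public_key']}",
                  f"AllowedIPs = {', '.join(peer['allowed_ips'])}"]
        if "endpoint" in peer:           # optional: omitted for peers that only dial in
            lines.append(f"Endpoint = {peer['endpoint']}")
        lines.append("")
    return "\n".join(lines)


def select_peer(peers: list[dict], dst: str) -> str | None:
    """Outbound cryptokey routing: longest AllowedIPs prefix wins; no match means drop."""
    addr, best, best_len = ipaddress.ip_address(dst), None, -1
    for peer in peers:
        for cidr in peer["allowed_ips"]:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best, best_len = peer["public_key"], net.prefixlen
    return best


def accept_inbound(peer: dict, inner_src: str) -> bool:
    """Inbound check: a decrypted packet whose inner source is outside the sender's
    AllowedIPs is dropped, which is the whole of WireGuard's per-peer 'authorization'."""
    addr = ipaddress.ip_address(inner_src)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in peer["allowed_ips"])


# Constructed sample: a hub tunnel with a site-to-site peer and a road-warrior peer.
HUB_PRIV, HUB_PUB = generate_keypair()
SITE_PRIV, SITE_PUB = generate_keypair()
ROAD_PRIV, ROAD_PUB = generate_keypair()
PEERS = [
    {"public_key": SITE_PUB, "allowed_ips": ["10.200.0.2/32", "192.168.50.0/24"],
     "endpoint": "203.0.113.10:51820"},
    {"public_key": ROAD_PUB, "allowed_ips": ["10.200.0.3/32"]},
]

if __name__ == "__main__":
    print(render_tunnel(HUB_PRIV, 51820, PEERS))
    print("192.168.50.7 routes to site peer:", select_peer(PEERS, "192.168.50.7") == SITE_PUB)
    print("road warrior spoofing 192.168.50.9 accepted:", accept_inbound(PEERS[1], "192.168.50.9"))
```

The two lookup functions are the practical point: AllowedIPs is simultaneously the routing table and the access-control list, so a peer given `0.0.0.0/0` can both receive all traffic and inject packets from any source address, and overlapping AllowedIPs between peers silently resolve to the most specific prefix rather than producing an error.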

Before WireGuard can be used, upgrade to the latest version of pfSense Plus or pfSense CE software and install the experimental WireGuard package from the Package Manager.